The Core Team and Borough Leads at East Sussex Community and Faith Action (For Vulnerable Syrian Families), from now on referred to as ESCAFA, are required to access and store personal information about its members and volunteers.
The General Data Protection Regulation 2018 (the GDPR) contains principles affecting personal records: not only personal data held on computer but also certain manual records containing personal data, such as personnel files.
These guidelines ensure that you do not breach the GDPR. If you are in any doubt about what you can or cannot disclose and to whom, do not disclose the personal information until you have sought further advice.
You should be aware that, under the GDPR, you are personally accountable for your actions and can be held criminally liable if you knowingly, or recklessly, breach it.
The data protection principles
There are eight data protection principles that are central to the GDPR. The Borough Leads and Core Team at ESCAFA must comply with these principles at all times. In brief, the principles say that personal data must be:
- Processed fairly and lawfully and must not be processed unless certain conditions are met. These are that the subject has given consent to the processing, or the processing is necessary for the various purposes set out in the GDPR. Sensitive personal data may only be processed with the explicit consent of the subject and consists of information relating to:
  - race or ethnic origin
  - religious or other beliefs
  - physical or mental health or condition
  - criminal offences, both committed and alleged.
- Obtained only for one or more specified and lawful purposes, and not processed in a manner incompatible with those purposes.
- Adequate, relevant and not excessive.
- Accurate and kept up-to-date. If personal information changes, the ESCAFA borough lead must be informed so that records can be updated. ESCAFA will not be held responsible for any errors if volunteers fail to do so.
- Not kept for longer than is necessary. Different categories of data will be retained for different time periods, depending on legal, operational and financial requirements. Any data that is no longer needed will be destroyed.
- Processed in accordance with the rights of the subject under the GDPR.
- Appropriate technical and organisational measures will be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Only authorised employees have access to these files. Files will not be removed from their normal place of storage without good reason. Personal data stored on discs, memory sticks, portable hard drives or other removable storage media will be kept in locked filing cabinets or locked drawers when not in use by authorised employees. Data held on computer will be stored confidentially by means of password protection, encryption or coding, and again only authorised employees have access to that data. The Trust has network backup procedures to ensure that data on computer cannot be accidentally lost or destroyed.
- Not transferred to a country or territory outside the European Economic Area unless that country ensures an adequate level of protection for the processing of personal data.
Volunteers consent to personal information being held
ESCAFA holds personal data about its volunteers. By registering as a volunteer with ESCAFA you have consented to that data being processed by the Trust for any purpose related to your voluntary role. It also includes supplying ESCAFA with any additional personal information requested from you from time to time as is necessary.
The right to access personal information
Volunteers have the right, on request, to receive a copy of the personal information that ESCAFA holds about them and to demand that any inaccurate data be corrected or removed.
Volunteers also have the right on request to:
- Be told by ESCAFA whether and for what purpose personal data about them is being processed
- Be given a description of the data and the recipients to whom it may be disclosed
- Have communicated in an intelligible form the personal data concerned, and any information available as to the source of the data
- Be informed of the logic involved in computerised decision-making.
Upon request, ESCAFA will provide a statement regarding the personal data held. It will state all the types of personal data ESCAFA holds and processes and the reasons for which they are processed. To access a copy of any personal data the subject must make a written request for this and ESCAFA reserves the right to charge a fee of up to £10.
If you wish to make a complaint that these rules are not being followed you should raise the matter with your borough lead who will then forward it to the Core Group.
Your obligations in relation to personal information
If, as part of your job duties and responsibilities, you collect personal information about employees, guests or other customers, you must comply with this policy. This includes ensuring the information is processed in accordance with the GDPR, is only processed for the purposes for which it is held, is kept secure and is not kept for longer than necessary. You must also comply with the following guidelines at all times:
- Do not disclose confidential personal information to anyone except the volunteer. In particular, unless the data subject has given their explicit prior written consent, it should not be:
  - given to someone from the same family
  - passed to any other unauthorised third party
  - placed on ESCAFA’s website
  - posted on the Internet in any form.
- Be aware that those seeking information sometimes use deception in order to gain access to it. Always verify the identity of the individual and the legitimacy of the request before releasing personal information, particularly by phone or email etc.
- Only transmit personal information between locations by fax or e-mail if a secure network is in place, for example, a confidential fax machine or encryption is used for e-mail.
- Ensure any personal data you hold is kept securely, either in a locked filing cabinet or, if computerised, it is password protected.
- Do not access another employee’s records without authority as this will be treated as gross misconduct and it is a criminal offence
- Do not remove personal information from the workplace with the intention of processing it elsewhere unless this is absolutely necessary.
- Ensure that, when working on personal information as part of your job duties away from your workplace, you continue to observe the terms of this policy and the GDPR, in particular in matters of data security.
- Ensure that hard copy personal information is disposed of securely, for example cross-shredded
Remember that compliance with the GDPR is your personal responsibility. If you have any questions or concerns about the interpretation of these rules, please contact the Data Protection Officer immediately.
If you have any concerns about this policy or your rights, please email email@example.com or write to the address below. We aim to respond within 30 days of receipt.
In brief, these are your rights:
- To request details regarding the information we hold about you, free of charge
- To request correction of any inaccurate information
- To request deletion of your consent or data no longer needed
- To request temporary restriction of your information pending resolution of any problems
- To request personal information in a structured, commonly used and machine-readable format
You have the right to complain to the Information Commissioner’s Office (https://ico.org.uk/) if you are unhappy with the way we handle your personal information.
Access to your personal information:
You have the right to request access to a copy of the information that we hold about you.
You may request information on what personal information we use, who we share it with, how we will use it and how long we keep it. You may request access to your information free of charge. Please make all requests for access in writing, providing us with evidence of your identity. Our address is below.
Policy last reviewed 22nd May 2018