Data Protection Policy
Emmaus Hampshire needs to hold and process personal data about individuals. These individuals include companions, current and former employees, volunteers, donors and supporters.
The Data Protection Act 1998 states that an individual has the right to expect that personal information is protected by an organisation, that it is fairly and lawfully obtained and processed in accordance with legitimate business and legal requirements, securely held and not shared with third parties without the individual’s consent. Emmaus Hampshire will comply with the Data Protection Act (1998). The Act applies whether the data is stored electronically, on paper or in any other way.
This policy provides a framework by which personal data will be managed at Emmaus Hampshire in order to be compliant with the DPA and the GDPR.
The ‘Data Controller’ is Emmaus Hampshire. Data will be processed by appointed representatives within Emmaus Hampshire, including managers and any individuals with specific responsibility for data processing. Agents acting on behalf of Emmaus Hampshire may also be data controllers. The Data Protection Officer is the person within Emmaus Hampshire who is responsible for ensuring that Emmaus Hampshire complies with the DPA and the GDPR. Emmaus Hampshire’s Data Protection Officer is the CEO.
This Policy covers the Data Protection principles and an individual’s rights and responsibilities as set down in the DPA and the GDPR.
2. Data protection principles
There are six data protection principles. Personal data must be:
- Processed fairly and lawfully and in a transparent manner in relation to the data subject
- Collected for specified, explicit and legitimate purposes and not further processed in any manner incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and, where necessary, kept up to date
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
3. Data Definitions
3.1 Personal Data
Personal data is that which relates to a living individual who can be identified from the data, or from a combination of that data with other information in the possession, or likely to come into the possession, of the holder. Data does not have to be private or sensitive in order to constitute personal data, and includes information such as names, addresses and telephone numbers. The GDPR has increased the scope of the definition to include identifiers such as location data and online identifiers, and now also includes genetic data.
Personal data covers both facts and opinions that are held about an individual. It also includes information regarding Emmaus Hampshire’s intentions towards the individual. Data includes any information held on a computer (including e-mails, photographs, and image or voice recordings), manually held paper records that have been stored in a structured way so that information can be found easily, and manual records which are due to be stored in this way.
4.2 Sensitive Personal Data and Special Categories of Personal Data
Sensitive personal data is defined under the DPA as information about an individual’s:
- Racial or ethnic origin;
- Political opinions;
- Religious beliefs or other beliefs of a similar nature;
- Trade union membership or non-membership;
- Physical or mental health or condition; and
- Sex life.
Whereas special categories of personal data, as defined in the GDPR, include, in addition to the above:
- Biometric data; and
- Genetic data.
4.3 Criminal or alleged criminal offences or any proceedings for an offence or alleged offence
Emmaus Hampshire can run DBS checks on all new staff on the basis that Emmaus Hampshire staff will be required to work with vulnerable adults.
Emmaus Hampshire asks Companions to provide details of unspent convictions in order to risk assess and tailor support for Companions.
5.1 Data security
Emmaus Hampshire will ensure that appropriate technical and organisational measures are taken to safeguard personal data. All personal data will be password protected and only accessed by those staff who have a particular operational need to do so.
All members of the Emmaus Hampshire team have a personal responsibility to ensure that any information of a personal or sensitive personal nature to which they have access in the course of their work with Emmaus Hampshire is protected from unauthorised access and disclosure. This applies equally to data relating to companions, employees, volunteers, agency workers, trustees, donors, customers, consultants and contractors.
In particular, staff must observe the following rules:
- Ensure that electronic storage of such material has limited access and that system passwords are changed every six months.
- Take responsibility for the security of their workstation, keeping their password safe and locking the workstation when they are not at their desk.
- Label personal information sent by post as ‘Private & Confidential’ and send it via courier or recorded delivery.
- Write ‘Private and Confidential’ in the subject line when sending personal information via email.
- Not disclose information about Emmaus Hampshire, or any personal information about individuals, other than in the course of the proper performance of their duties and/or to authorised colleagues.
- Take particular care when exchanging information with third parties to check that the person requesting information is who they claim to be and that there is proper authorisation or consent.
- Not use information for purposes other than that for which it was intended.
- Sign a confidentiality clause as part of their contract of employment with Emmaus Hampshire.
- Pass on to the Data Protection Officer any request for information under the Data Protection Act or the GDPR, or any request by a data subject in respect of their rights under the GDPR.
All Emmaus Hampshire employees will be required to complete data protection training as part of their induction.
5.2 Data Processing
5.2.1 General guidelines for processing data
Staff who process personal data must comply with the following:
- Where specific personal information is sought from an individual, the individual must be informed as to the purposes for which that data will be used.
- Personal data obtained for a specified purpose must not be used for another purpose without the individual’s consent.
- Any personal data processed must be adequate, relevant and not excessive in relation to the purpose for which it is held.
- Personal data must be accurate and kept up to date. The CEO may remind employees from time to time to check those of their personal details which are subject to change, e.g. home address.
- Any data no longer needed must be disposed of securely.
- Financial information from donors and supporters must always be destroyed or suitably redacted as soon as possible.
- High-risk processing must not be carried out unless a Data Protection Impact Assessment has been carried out.
- Consider to what extent pseudonymisation (replacing identifying fields with pseudonyms) and minimisation can be applied.
5.2.2 Retention of personal data
Personal data must not be retained for longer than is necessary. Information must only be retained where there is a genuine organisational need to do so.
When data is retained, it must be stored securely. Electronic data must always be stored somewhere with restricted access or password protection. Hard copy data must be locked away. If a former companion requests that their data is removed from the Emmaus Hampshire systems, it must be removed or anonymised so that it cannot be traced to that individual. If a current companion asks for information to be deleted because they believe it to be incorrect, the Data Protection Officer must review it and determine whether this is the case. If it is incorrect, it must be revised; if not, it must be made clear to the companion that the information must be retained until they leave Emmaus Hampshire.
5.2.3 Legal basis for processing
Personal data and special categories of personal data must only be processed where there is a legal basis for processing that data.
The legal basis for processing personal data of Companions is to protect the vital interests of the data subject.
When processing special categories of personal data, such processing is carried out in the course of its legitimate activities with appropriate safeguards in place.
The legal basis for processing personal data of employees is because the processing is necessary for the performance of their employment contract.
When processing special categories of personal data, such processing is necessary for the purposes of carrying out specific rights of Emmaus in the field of employment.
The legal basis for processing personal data of other individuals, such as volunteers, donors and supporters is because the processing is necessary for the purposes of the legitimate interests pursued by Emmaus.
In the unlikely event that Emmaus processes special categories of personal data in respect of such individuals, this will be carried out in the course of Emmaus' legitimate activities with appropriate safeguards in place.
5.2.4 Unauthorised disclosure
Individuals must be aware that disclosure of information in contravention of this policy will be treated by Emmaus Hampshire as a serious disciplinary offence which may result in gross misconduct, and further that under the Data Protection Act individuals can be prosecuted for an improper use or unauthorised disclosure of such data.
5.2.5 Taking data off site
Personal information must never be taken home by an employee, emailed to a personal account or stored on a personal computer. Doing so may result in gross misconduct. If personal information needs to be transported to another location, it is the responsibility of the employee to ensure it is stored securely at all times.
5.3 Individual data rights
Individuals on whom Emmaus Hampshire holds data have the following rights under the GDPR:
- Consent. Where processing is carried out on the basis of consent, individuals can withdraw their consent at any time.
- Subject Access. Individuals can make a request to view or to have a copy of their personal data. This includes employees, volunteers, companions, donors, supporters and any other party on whom Emmaus Hampshire records information.
- Data Portability. Under the GDPR individuals have a right to be provided with, or have another organisation provided with, a copy of any data in a structured, commonly used and machine readable form where the lawful ground for processing is consent or where processing is necessary for the performance of a contract and the processing is carried out by automated means.
- Objecting. Individuals have the right to object to Emmaus Hampshire processing for marketing purposes and can object generally to Emmaus Hampshire processing personal data.
- Automated decision making. Individuals have the right not to be subject to a decision when it is based on automated processing and it produces a legal effect or similar significant effect on the individual unless it is necessary for entering into or performance of a contract, is authorised by law or is based on explicit consent.
The Data Protection Officer should keep a log of all requests made and all responses to these requests.
5.3.1 Informal requests
A current companion can request to see all data that Emmaus Hampshire has on them by requesting this from the Senior Support Manager. The staff member must put this request forward to the Data Protection Officer who must make an arrangement with the companion to show this information to them.
An employee may make an informal request to view a particular file that the CEO or their line manager holds on them. The Data Protection Officer must arrange this at both parties’ earliest convenience.
If the employee requests to see their personnel file, it is important to ensure that the employee is only interested in viewing this file, rather than any other information held on them. If this is the case, a suitable time must be arranged for the employee to view their file with the CEO, and/or they may request copies of any documents contained within the paper-based file or a printout of pages from the computerised file.
If an employee, volunteer or companion wishes to make a more comprehensive search thereby invoking the Act, the formal request process must be followed. Current employees, volunteers or companions will not be charged to make a formal request but will need to put the request in writing as outlined below.
5.3.2 Formal Requests
Requests by any individual who has had any dealings with Emmaus Hampshire but is not a current employee or companion must always be treated as a formal request. This includes requests from donors and supporters, former staff, volunteers and companions.
Under the Act any individual is entitled:
- To be told whether anyone in Emmaus Hampshire is holding any of their personal data;
- If so, to be given a description of:
  - The personal data held;
  - The purposes for which the data is being processed; and
  - Those to whom the information is, has been or may be disclosed.
If an individual wants to make a formal request for access to any information held on them by Emmaus Hampshire:
- The individual should be advised to put a request in writing to the Data Protection Officer, Bar End Rd, Winchester, SO23 9BN. On receipt of the fee the Data Protection Officer will check to ensure that the individual is who they claim to be, validate their right to gain access to the data and consider the appropriateness of the request in line with the Act.
- The Data Protection Officer will contact the appropriate individuals within Emmaus Hampshire and, where appropriate, any external organisations and request access to or copies of the relevant information held on that individual within any system or manual file.
- The information, once collated, must be made available within 40 days from receipt of the fee, unless the burden of providing the information is excessive. The Data Protection Officer must respond within a month, with a possibility to extend this period up to a further 2 months for particularly complex requests.
- If a request is "manifestly unfounded or excessive" the Data Protection Officer can charge a fee or refuse to respond but will need to be able to provide evidence of how the conclusion was reached.
In some circumstances it may be appropriate for the Data Protection Officer to agree an appropriate time for the individual to review the information held on file, and take copies of documents, as appropriate. Where appropriate, any inaccuracies identified by the requesting individual will subsequently be amended.
5.3.3 Exemptions from Disclosure
In line with the DPA and the GDPR Emmaus Hampshire will not disclose information in the following circumstances:
- Confidential references provided by Emmaus Hampshire for current or ex-employees.
- References supplied to Emmaus Hampshire, unless the provider has consented or disclosure is otherwise reasonable in the circumstances.
- Personal data processed for the purposes of management forecasting or planning, if disclosure would prejudice the conduct of Emmaus Hampshire.
- Records of Emmaus Hampshire’s intentions in connection with negotiations with the individual, if disclosure might prejudice those negotiations.
- Various exemptions for certain crime and taxation purposes, where compliance with the provision would be likely to prejudice the crime or taxation purpose.
5.3.4 Deleting data
Any individual has the right to ask that their data is no longer used by Emmaus Hampshire, or that the purposes for which it is used are amended. The right to erasure, however, is limited, and any such requests should be considered by the Data Protection Officer.
5.4 Companion data
When companions join the community they are asked to provide both personal data and sensitive/special categories of personal data, including:
- Date of birth
- National Insurance number
- Medical history
- Housing history
Companions will also be asked to provide details of any criminal convictions and informed of the legal ground for obtaining this information.
On their arrival at Emmaus Hampshire, it will be made clear to companions through the induction process what personal data the community will store, the legal basis for the processing, their rights in respect of their personal data, for what purpose their information will be used, and under what circumstances their information will be shared and why. This information will be documented in the companion registration document.
The exception to this is a situation when there is a significant concern for welfare or potential threat to life. In these circumstances companion information may be shared in order to safeguard the individual or other members of the community. Information may also be shared if requested by court order.
Companions must be informed that they have the right to request all data that is collected about them. This includes notes of individual meetings, support plans, referral forms and risk assessments. This list is not exhaustive.
5.4.2 Sharing companion information within the UK Federation
From time to time, a companion may move to another community within the United Kingdom, for example to take up a staff or companion role. In these cases it may be appropriate to provide information about the companion to ensure safeguarding needs are met and to ensure the receiving community is able to support the individual appropriately and as part of their risk assessment processes.
Any employee who does not comply with this will become subject to proceedings under the Disciplinary Procedure.
5.5 Donor and supporter data
5.5.1 Funding Regulator Code of Fundraising Practice
Emmaus Hampshire is registered with the Fundraising Regulator and adheres to its code of fundraising practice which requires all fundraising organisations to be legal, honest, open and respectful.
5.5.2 Collecting donor and supporter data
Emmaus Hampshire relies on donations from individuals to support its work. These can be cash donations or furniture donations. Whenever donor information is collected, we provide an opportunity to opt in to email marketing communications and provide relevant information about our mail marketing with the option to opt out. Where we take a telephone number, this will only be used for the purposes of arranging the delivery or collection of furniture and never for marketing purposes. The donor will be offered the opportunity to set their contact preferences, opting out if they prefer not to be contacted further. All donor and supporter data will be stored securely.
5.5.4 Sharing donor data
Emmaus Hampshire will never sell or share donor or supporter data with third party organisations, unless they are carrying out work on behalf of Emmaus Hampshire. Companies working on behalf of Emmaus Hampshire, such as printers, will be given access to donor data in order to complete the task they have been appointed to do, but in these circumstances Emmaus Hampshire remains the data controller.
Where information is shared with suppliers working on behalf of Emmaus Hampshire, it will be password protected and sent using secure methods.
All suppliers carrying out work on behalf of Emmaus Hampshire who handle personal data will be required to provide their own data protection policy and a contract clearly stating how they will use and dispose of any data provided.
Every time data is shared with a supplier working on behalf of Emmaus Hampshire, it will be logged on the data sharing worksheet.
5.5.5 Donor welfare
No-one employed by Emmaus Hampshire will accept a donation from anyone they feel may be vulnerable and lack the capacity to make an informed decision about their donation. More information can be found in the Emmaus Ethical Fundraising Policy.
5.5.6 Changing contact preferences
A donor has the right to change their contact preferences at any time. This can be done by contacting Emmaus Hampshire. Any request to change contact preferences will be made with immediate effect.
5.6 Employee data
This specifically relates to any data held about potential, current or former employees, trustees and volunteers at Emmaus Hampshire.
Emmaus Hampshire recruitment processes are maintained to ensure they meet the Data Protection Act and the GDPR and are designed to ensure that applicants:
- Are treated in a fair, timely and efficient manner;
- Are only considered for the vacancy or vacancies they have applied for, or consent is sought before considering them for other vacancies inside or outside Emmaus Hampshire; and
- Understand the rationale used in assessing applications.
5.6.1 Personal data
Personal data which may be held by Emmaus Hampshire includes:
- Personal files and information held by Management;
- Lists of names and addresses, whether on spreadsheets, paper or card indexes;
- Lists of names, telephone numbers and/or email addresses held by managers;
- Paper-based employee files containing employment records held by Management (contracts, appraisals, letters of communication etc.);
- References provided to, or received from, external sources;
- Training records, including personal development plans;
- Support and Supervision records held by line managers;
- Payroll and pension records held by the Finance Admin Manager;
- Information contained in e-mails which mention the individual’s name and of which they are the specific focus;
- Computerised files holding information focusing on a specific individual; and
- Health records submitted to Emmaus Hampshire with the permission of the individual which may include medical certificates, medical appointment letters and Occupational Health reports.
This list is not exhaustive and will be subject to change.
Emmaus Hampshire will hold and process personal data provided by an employee for all purposes related to their employment including, but not limited to:
- Administering and maintaining personnel records;
- Paying and reviewing salary and other remuneration and benefits;
- Providing and administering benefits (including pension, life assurance and permanent health insurance);
- Undertaking performance appraisals and reviews, including talent review and succession planning;
- During performance, absence, disciplinary, harassment and bullying, grievance and redundancy proceedings;
- Providing references and information to future employers, and, if necessary, governmental and quasi-governmental bodies for social security and other purposes, the Inland Revenue and the DWP;
- Providing information to funders or potential funders; and
- Providing information to potential merger partners with Emmaus Hampshire.
5.6.2 Processing Sensitive Personal Data and Special Categories of Personal Data
Sensitive personal data and special categories of personal data will be processed as follows:
- Managers will process racial or ethnic origin, sex, sexuality, age and disability for statistical monitoring purposes, in accordance with the Commission on Racial Equality and Disability Discrimination Act guidelines. This data will be used to measure Emmaus Hampshire’s diversity profile in line with our diversity strategy.
- The Senior Support Manager will process data on an employee’s health for the purposes of maintaining sickness or other absence records, and taking decisions as to an employee’s fitness for work and entitlement to related benefits (e.g. SSP). Details of work-related injuries or illnesses will also be provided to the Health and Safety TU rep where requested, and will be reported in accordance with Emmaus Hampshire’s legal requirements.
- The CEO will process information on criminal offences (spent and unspent) in order to determine suitability for employment or continued employment, where appropriate. Please see the comments above on the legal basis for such processing.
Sensitive personal data/special categories of personal data may also be processed, in accordance with data protection legislation, to exercise or perform a right or obligation conferred or imposed by law on Emmaus Hampshire in connection with employment; in connection with legal proceedings or for the purpose of obtaining legal advice; or for administration of justice.
5.6.3 Sharing employee information
Information and the sharing of information are critical to the running of Emmaus Hampshire. Employees and third parties with whom Emmaus Hampshire has a business relationship, including arrangements which directly benefit employees, rely on fast, reliable access to information. For this reason personal data is shared with and may be obtained from:
- Payroll Bureau
- Pensions Advisor and Pension Organisations and Trustees
- Occupational Health
- Statutory Authorities
- Government Agencies
- Legal Advisors
- TU Officials
- Insurance Advisors and companies
This list is not exhaustive and will be subject to change.
5.6.4 Processing of personal data on recruitment applications
All responses to advertisements, whether electronic or paper-based, will be submitted and processed on the basis stipulated at Section 5.2.3 above.
Emmaus Hampshire uses manual systems to consider applications against advertised positions, using the relevant person specification, and against other similar vacancies within Emmaus Hampshire where consent has been given.
The process for the receipt and distribution of applications is as follows:
a) Applications are accepted via mail (e-mail and postal mail) for specific positions. For some positions, Emmaus Hampshire may request responses via external agencies.
b) Speculative applications are also accepted via both types of mail but the applicant is either contacted to complete a full application where a suitable vacancy is available or the application is destroyed.
c) Copying of applications may be carried out by Emmaus Hampshire or an agent acting on behalf of Emmaus Hampshire.
d) Applicants are selected for positions based on the skills, qualifications, experience and competencies required by the job person specification.
e) Applications are reviewed by recruitment panel members (managers and staff) and in some cases external recruitment consultants.
f) Applications for a specific vacancy (including supplementary data produced by the process, e.g. marking sheet, interview notes, completed tests and results) will be retained by Emmaus Hampshire on paper, with basic details being entered into the recruitment database and on a test spreadsheet where applicable.
g) If an application matches the criteria for another position (the criteria being that specified in the person specification), the applicant may be contacted to ascertain whether they are interested in the position and data will only be processed if consent is given.
h) Applications may be electronically or manually shared between Emmaus Hampshire sites.
i) Application data is reported on, in terms of volumes received from various sources of advert (e.g. newspaper, internet site, agency, recruitment fair, speculative etc.).
5.6.5 Processing of sensitive personal data/special categories of personal data for recruitment and subsequent employee monitoring
Sensitive personal data/special categories of personal data is not used in the decision making process, except where the following circumstances are relevant to the position being considered:
- Details that the applicant has declared about any support, modifications, adjustments or special equipment needed to assist them in carrying out the duties of the post, taking into account Emmaus Hampshire’s obligations under the Equality Act 2010; and
- Details of criminal offences (spent and unspent convictions), due to Emmaus Hampshire’s vulnerable adult client group.
Emmaus Hampshire will also process information on racial or ethnic origin, gender, sexuality, age and disability for statistical monitoring purposes only, in accordance with the Equality Act 2010 and other relevant guidelines.
5.6.6 Employee Monitoring
Emmaus Hampshire has the means, automated and otherwise, of monitoring individual usage of property and equipment, including e-mail and the Internet. All traffic is automatically recorded to ensure that it is being used appropriately, and Emmaus Hampshire may retrieve and read all this information at any time. In order to protect Emmaus Hampshire’s charitable resources, we reserve the right to use appropriate monitoring systems and information, and such information may form part of the evidence in any disciplinary or other management action that may be taken in connection with:
- Any breach of our rules relating to personal use of property, equipment and time; and
- Any other matter upon which individual usage of property, equipment and time has a bearing.