The Inspire Quill
Data Protection Policy (reviewed 2.12.2024)
Policy statement
The Inspire Quill and the sister organizations (here displayed as The Inspire Quill) recognise that their priority is to avoid causing harm to individuals.
The Inspire Quill and the sister organizations will:
• comply with both the law (the Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR)) and good practice
• respect individuals’ rights
• be open and honest with individuals whose data is held
• provide training and support for staff and volunteers who handle personal and sensitive data, so that they can act confidently and consistently.
Data Protection
Brief introduction to the General Data Protection Regulation 2018.
The General Data Protection Regulation gives individuals the right to know what information is held about them and provides a framework to ensure that personal information is handled properly.
The Regulation works in two ways.
Firstly, it states that anyone who processes personal information must comply with the data protection principles, under which personal data must be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals.
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) requires that:
“The controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Secondly, the Regulation gives the following rights to individuals:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling.
Definitions
The Data Controller is the legal ‘person’, or organisation, that determines the purposes and means of collecting personal data. The data controller is responsible for complying with the General Data Protection Regulations 2018. The Inspire Quill is the Data Controller and is registered under the General Data Protection Regulations.
The Data Protection Officer is the name given to the person in organisations who is the central point of contact for all data compliance issues.
The Data Processor is the person responsible for processing data on behalf of the controller and has to comply with specific legal obligations.
The Data Subject is the individual whose personal data is being processed. Examples include staff, volunteers, trustees, job applicants, clients, some members & member organisations, project beneficiaries and some suppliers. See appendix one for a full analysis of Data Subjects.
Processing means the use made of personal data including:
• collecting and retrieving
• storing, whether in hard copy or electronically, and including backup copies
• accessing, using (sorting/analysing) or sharing, including outside of the organisation
• disposing of data
Responsibilities
The Inspire Quill recognises its overall responsibility for ensuring compliance with its legal obligations.
Bridget, as the Data Protection Officer, has the following responsibilities:
• Briefing the board on Data Protection responsibilities
• Reviewing Data Protection and related policies
• Advising other staff on Data Protection issues
• Ensuring that Data Protection induction and training takes place
• Handling subject access requests
• Approving unusual or controversial disclosures of personal data
• Ensuring contracts with Data Processors have appropriate data protection clauses
• Ensuring electronic security
• Approving data protection-related statements on publicity materials and letters
All staff and volunteers at The Inspire Quill who handle personal data must comply with the organisation’s operational procedures for handling personal data (including undertaking appropriate induction and training) to ensure that good Data Protection practice is established and followed. All staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.
Significant breaches of this policy will be handled under The Inspire Quill disciplinary procedures.
Data Processing Recording and storage
The Inspire Quill will only process information when it has a legal basis to do so, namely:
1. Consent – genuine consent that offers individuals real choice and control
2. Contract – processing to fulfil contractual obligations
3. Legal obligation – processing in order to comply with a common law or statutory obligation
4. Vital interests – i.e. to protect someone’s life
5. Public task – the exercise of public authority
6. Legitimate interests – using people’s data in ways that they would reasonably expect and would have minimum privacy impact.
The Inspire Quill databases hold basic information about all clients and volunteers. The back-up discs of data are encrypted and kept securely.
The Inspire Quill will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:
• The database systems are reviewed and re-designed, where necessary, to encourage and facilitate the entry of accurate data.
• Data on any individual will be held in as few places as necessary, and all staff and volunteers will be discouraged from establishing unnecessary additional data sets.
• Effective procedures are in place so that all relevant systems are updated when information about any individual changes.
• Staff and volunteers who keep more detailed information about individuals will be given additional guidance on accuracy in record keeping.
• If specific additional data sets are needed, then only staff or volunteers who need that data will be able to access it.
• Data will be corrected if shown to be inaccurate.
The Inspire Quill stores archived paper records of clients and volunteers securely in the building. Archived paper records are retained for the length of time required by regulators and the law and are then disposed of confidentially.
Security issues relating to personal data
Any recorded information on clients, volunteers and staff will be:
• Kept in locked cabinets
• Limited to only what is required and justifiably needs to be recorded
• Protected by the use of passwords if kept on computer
• Destroyed confidentially if it is no longer needed
Access to IT systems is password protected and within those systems, access to information on the databases is controlled by a password and only those needing access are given the password. Staff and volunteers should be careful about information that is displayed on their computer screen and make efforts to ensure that no unauthorised person can view the data when it is on display.
Notes regarding personal data of clients should be shredded or destroyed.
Access to data
All clients and customers have the right to request access to all information stored about them. Any subject access requests will be handled by the Data Protection Officer within one month.
Subject access requests must be in writing; this can include e-mail. All staff and volunteers are required to pass on anything which might be a subject access request to the Data Protection Officer without delay.
All those making a subject access request will be asked to identify any other individuals who may also hold information about them, so that this data can be retrieved.
Where the individual making a subject access request is not personally known to the Data Protection Officer, their identity will be verified before any information is handed over.
The required information will be provided in permanent form unless the applicant makes a specific request to be given supervised access in person. This information will be provided free of charge unless it is manifestly unfounded or excessive, particularly if it is repetitive.
All individuals have the right to request, verbally or in writing, that inaccurate information be rectified and/or completed, and The Inspire Quill will respond within one calendar month. Individuals have the right to request, verbally or in writing, that their information be permanently deleted, and The Inspire Quill will respond within one calendar month.
The Inspire Quill will provide details of information to service users who request it unless the information may cause harm to another person.
Staff have the right to access their file to ensure that information is being used fairly. If information held is inaccurate, the individual must notify Birgit Allport so that this can be recorded on file.
The Inspire Quill will keep a register of Access Requests.
Working from home
All staff and volunteers who work from home will be required to access any files through the remote server which is encrypted. Everyone will have their own access to the server with username and password which must not be shared with anyone else and files will be restricted to those that are of relevance to their work.
Data should not be stored on personal computers, and documentation with any personal or sensitive data should be kept in a locked cabinet and transferred to the office as soon as is reasonably practical. USB memory devices should not be used for any personal or sensitive data. Any data transfer should only be completed through the remote server and never on personal e-mails or via any other means. Employees and staff should not use their own personal mobile for e-mails or any other data transfer mechanism. Those who are given work mobiles should ensure that a PIN or similar locking device is used, and this should not be shared with anyone else.
Sharing with others
Data will only be shared with partner organisations when required and when there is explicit consent from individuals to do so. The Inspire Quill will adhere to the Data Sharing Code of Practice which states:
• We will review what we receive from other organisations and ensure we know the origin and conditions attached
• We will review what personal data we share with other organisations, making sure we know who has access to it and what it will be used for
• We will ensure that any particularly sensitive data we hold is only shared with the highest level of security
• We will identify who has access to information that other organisations have shared with us; ‘need to know’ principles should be adopted, and staff and volunteers should only be given access to information that they need to know in order to carry out their job
Transparency and Consent
The Inspire Quill is committed to ensuring that in principle Data Subjects are aware that their data is being processed and:
• for what purpose it is being processed;
• what types of disclosure are likely; and
• how to exercise their rights in relation to the data.
Information will be clear and prominent; give sufficient information in order for individuals to make a choice; explain how the data will be processed and how their data will be used.
Data Subjects will generally be informed in the following ways:
• Staff: in the staff terms and conditions
• Volunteers: in the volunteer welcome/support pack
• Clients: when they request services
Standard statements will be provided to staff for use on forms where data is collected, in instances when those forms are created by us.
Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data Subjects will be informed which fields are mandatory and why. We will always ask individuals to positively opt-in.
DP consent statement
We will use your data in relation to statistics and updating you on our activities and news via newsletter. We will not sell or give your data away to third parties.
Direct marketing / Mass Marketing
The Inspire Quill will treat the following unsolicited direct communication with individuals as marketing:
• inviting donations and other financial support.
• promoting any of The Inspire Quill’s services.
• promoting The Inspire Quill events.
• promoting membership to supporters.
• promoting sponsored events and other fundraising exercises.
• marketing on behalf of any other external company or voluntary organisation.
Whenever data is first collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be given a clear opt in.
The Inspire Quill will only carry out telephone marketing where consent has been given in advance, or the number being called has been checked against the Telephone Preference Service.
Whenever e-mail addresses are collected, any future use for marketing will be identified, and the provision of the address made optional.
Staff training and acceptance of responsibilities
All staff and volunteers who have access to any kind of personal data will be given copies of all relevant policies and procedures during their induction process, including the Information Management Policy and operational procedures for handling personal data. All staff and volunteers will be expected to adhere to all these policies and procedures.
The Inspire Quill will provide opportunities for staff and volunteers to explore Data Protection issues through training, team meetings, and supervisions.
Personal Data Breaches
Upon suspicion or evidence of a breach, The Inspire Quill will attempt to contain it and assess the potential adverse consequences for the individual, based on how likely and serious they are. If it is determined there is a likelihood of a serious risk to people’s rights and freedoms then the Information Commissioner’s Office will be informed, within 72 hours if feasible.
We will also inform individuals concerned directly and without delay. We will provide them with the details of the Data Protection Officer, a description of the likely consequences of the breach and a description of the measures taken, or proposed to be taken, that might mitigate any possible adverse effects.