HOPE (Hope for Paediatric Epilepsy) London
Registered Charity No. 1192441
HOPE (Hope for Paediatric Epilepsy) London Data Protection Policy – October 2020
Data Protection Policy approved by the Trustees: October 2020.
Review due: By October 2022.
This policy outlines the key requirements placed upon HOPE (Hope for Paediatric Epilepsy) London by the General Data Protection Regulation (GDPR) and by data retention legislation, with regard to receiving, recording, organising, storing, protecting and destroying data concerning its service users, employees and volunteers.
Responsibilities and monitoring
Monitor: Data Protection Officer
Approve: Board of Trustees
Draft and review: Development Officer
Policy and Procedure
HOPE (Hope for Paediatric Epilepsy) London will ensure it meets its legal responsibilities as outlined in the Data Protection Act (2018), commonly referred to as General Data Protection Regulation (GDPR). The purpose of the GDPR is to protect an individual’s rights and freedoms and to ensure that personal data is not processed without their knowledge, and, wherever possible, that it is processed with their consent. HOPE (Hope for Paediatric Epilepsy) London will abide by the GDPR principles of:
• Lawfulness, fairness and transparency;
• Integrity and confidentiality.
Governance, Compliance and Accountability:
HOPE (Hope for Paediatric Epilepsy) London is a data controller and data processor under the GDPR. The Trustees, Data Protection Officer (DPO) and volunteers are responsible for developing and encouraging good information handling practices within the organisation.
Compliance with data protection legislation is the responsibility of all trustees, members of staff and volunteers who process personal data as part of their work for the charity. The DPO has responsibility for overall supervision of, and ongoing compliance with, data protection laws. Trustees and volunteers are responsible for ensuring that the personal data they provide to the charity is, to the best of their knowledge, accurate and up to date.
All service users, members of staff, potential employees and volunteers have the following rights concerning their data:
• To be informed about the collection and use of their personal data at the time it is collected, along with how it will be processed and who will have access to it;
• To have access to any personal information that the charity holds about them;
• To correct any inaccurate information, or to update their personal information;
• To erase personal data, in accordance with data protection laws, as well as to object to any direct marketing from the charity, and to be informed about any automated decision-making that is used;
• To restrict the processing of personal data. The charity may still retain the data, in accordance with data protection laws, but not use it;
• To the portability of their personal data, allowing the individual to obtain and reuse their personal data for their own purposes across different services;
• To object to the processing of personal data.
If the charity receives a request to exercise any of the above rights, it may ask for verification of identity before acting on the request; this is to ensure that data is kept protected and secure. All requests to exercise rights will be passed to the DPO, who will oversee all related investigations and resulting changes.
A privacy notice outlines how, why and when we gather and process personal information in compliance with the relevant data protection regulation, as well as providing an outline of the necessary information regarding rights and obligations.
Documenting Lawful Basis:
When processing personal data, the charity will always identify and establish the legal basis for doing so. This is determined by the purpose of processing the data and the relationship with the individual, and may include:
• Protecting the vital interests of a data subject, e.g. providing medical information in an emergency;
• Legal obligation, e.g. carrying out enhanced DBS checks on all members of staff and volunteers;
• Legitimate interests, e.g. where people would expect us to process data, such as the contact details of a service user.
HOPE (Hope for Paediatric Epilepsy) London understands consent to mean that it has been explicitly and freely given, by a statement or by a clear affirmative action, signifying agreement to the processing of personal data. In most instances, consent to process personal and sensitive data is obtained routinely using standard consent documents, e.g. the booking conditions for a service. For sensitive data, explicit written consent must be obtained unless an alternative legitimate basis for processing exists. Consent can be withdrawn at any time.
A personal data breach is defined as a security incident that has affected the confidentiality, integrity or availability of personal data. This might include personal data being lost, corrupted or accessed by someone without the correct authorisation.

If a security incident takes place, the DPO must be informed immediately. The DPO should assess the immediacy and severity of the situation and establish whether a personal data breach has occurred. Where immediate action needs to be taken, the DPO will instruct this, including advising of changes to procedures if necessary.

The DPO will also identify whether the Information Commissioner’s Office (ICO) should be informed. If so, this must occur within 72 hours of discovery of the breach. In making this decision, the DPO must assess the potential negative consequences of the data breach for individuals, namely whether there is a risk to people’s rights and freedoms.

In the aftermath of a data breach, an investigation should be carried out, led by the DPO or a Trustee as appropriate. Investigation findings will include recommendations for improvements or amendments to existing practices, to avoid a repeat and to ensure the charity is handling data securely. It will be the responsibility of the DPO to oversee the implementation of any such recommendations.