Glasgow Children’s Hospital Charity (GCHC)
Data Protection Policy
Purpose and Scope
GCHC is fully committed to compliance with the requirements of the Data Protection Act 1998 (DPA). We are required to maintain certain personal data about individuals for the purposes of satisfying our operational and legal obligations. We recognise the importance of correct and lawful treatment of personal data as it helps to maintain confidence in our charity and to ensure efficient and successful outcomes when using this data.
We endorse and adhere to the eight principles of the Data Protection Act, which are summarised as follows. Personal data shall:
1. be processed fairly and lawfully and shall not be processed unless certain conditions are met.
2. be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
3. be adequate, relevant and not excessive for those purposes.
4. be accurate and, where necessary, kept up to date.
5. only be kept for as long as is necessary for the purpose for which it was obtained.
6. be processed in accordance with the data subject's rights.
7. be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using appropriate technical and organisational measures.
8. not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
These principles apply to obtaining, handling, processing, transportation and storage of personal data. Staff and agents of GCHC who obtain, handle, process, transport and store personal data for us must adhere to these principles at all times.
1. Handling of personal/sensitive information
GCHC will, through appropriate management and the use of strict criteria and controls:
a. observe fully the conditions concerning the fair collection and use of personal information
b. specify the purpose for which information is used
c. collect and process information only to the extent that it is needed to fulfil operational needs or legal requirements
d. always endeavour to ensure the quality of information used
e. not keep information for longer than required, operationally or legally
f. always endeavour to safeguard personal information by physical and technical means (i.e. keeping paper files and other records or documents containing personal/sensitive data in a secure environment; protecting personal data held on computers and computer systems by the use of secure passwords which, where possible, are changed periodically; and ensuring that individual passwords are not easily compromised)
g. ensure that personal information is not transferred abroad without suitable safeguards
h. ensure that the lawful rights of people about whom the information is held can be fully exercised.
In addition, GCHC will ensure that:
i. there is someone with specific responsibility for data protection for the charity (the designated Data Controller) - currently the Director of Operations.
j. all those who manage and handle personal information understand that they are contractually responsible for following good data protection practice
k. all those who manage and handle personal information are appropriately supervised and trained to do so
l. a clear procedure is in place to deal with any data access requests (internal or external) that ensures that such enquiries are dealt with promptly and courteously
m. methods of handling personal information are regularly assessed and evaluated
n. any data sharing is carried out under a written agreement, setting out the scope and limits of the sharing
o. any disclosure of personal data will be in compliance with approved procedures.
GCHC also has a legal obligation to provide staff liability information to any organisation that our staff are transferring to, in line with the Transfer of Undertakings Regulations (TUPE).
2. Access to personal data
All individuals who are the subject of personal data held by us are entitled to:
a. ask what information we hold about them and why
b. ask how to gain access to it
c. be informed of how to keep it up to date
d. have inaccurate personal data corrected or removed
e. prevent us from processing information or request that it is stopped if the processing of such data is likely to cause substantial, unwarranted damage or distress to the individual or anyone else
f. require us to ensure that no decision which significantly affects an individual is solely based on an automated process for the purposes of evaluating matters relating to him/her, such as conduct or performance
g. be informed what we are doing to comply with our obligations under the Data Protection Act.
These rights are subject to certain exemptions which are set out in the Act.
3. Data Subject Access Request
Any person who wishes to exercise the right to access their information should make a request in writing, using the Data Subject Access Request form to the Director of Operations. A fee of £10.00 is payable for each subject access request. If personal details are inaccurate, they will be amended upon request. If by providing this information we would have to disclose information relating to or identifying a third party, we will only do so provided the third party gives consent, otherwise we may edit the data to remove the identity of the third party.
Unless we are under a legal obligation to release data, or the individual has given us permission, personal information will only be released to the individual to whom it relates. The disclosure of such information to anyone else without their consent may be a criminal offence. Any staff member who is in doubt regarding a subject access request should check with the Director of Operations.
Information must under no circumstances be sent outside of the UK without the prior permission of the Director of Operations.
We aim to comply with requests for access to personal information as quickly as possible, but will ensure that this is provided within 40 days of receipt of a written request unless there is good reason for delay. In such cases, the reason for the delay will be explained in writing to the individual making the request.
4. Staff responsibilities
Staff must ensure that, in carrying out their duties, GCHC is able to comply with its obligations under the DPA. In addition, each staff member is responsible for:
a. checking that any personal data that he/she provides to us is accurate and up to date
b. informing us of any changes to information previously provided, e.g. change of address
c. checking any information that we may send out from time to time, giving details of information that is being kept and processed
d. ensuring that if, as part of their responsibilities, they collect information about other people or about other staff, they comply with this policy. This includes ensuring that information is processed in accordance with the DPA, is only processed for the purposes for which it is held, is kept secure, and is not kept any longer than is necessary.
Staff are reminded that the DPA does not just apply to records relating to our staff, but also to any client/customer/donor files/records. Information stored on clients/customers/donors should be reviewed regularly to ensure it is accurate and up to date. All documents, whether handwritten or stored in emails (current or deleted), are potentially disclosable in the event of a request from a member of staff or a client/customer/donor.
5. Staff records
We hold personal information about all staff as part of our general staff records. This includes address and contact details, age, date of birth, marital status or civil partnership, educational background, employment application, employment history with GCHC, areas of expertise, details of salary and benefits, bank details, performance appraisals and salary reviews, records relating to holiday, sickness and other leave, working time records and other management records. We may receive and/or retain this information in various forms (whether in writing, electronically, verbally or otherwise).
This information is used for a variety of administration and management purposes, including payroll administration, benefits administration, facilitating the management of work and staff, performance and salary reviews, complying with record keeping and other legal obligations.
We also process information relating to staff's health, some of which may fall under the definition of 'sensitive personal data'. This includes pre-employment health questionnaires, records of sickness absence and medical certificates (including self-certification of absence forms), night worker assessments, VDU assessments, noise assessments and any other medical reports. This information is used to administer contractual and Statutory Sick Pay, monitor and manage sickness absence and comply with our obligations under health and safety legislation and the Working Time Regulations.
From time to time we may ask staff to review and update the personal information we hold about them. Staff should check this information carefully and inform us of any inaccuracies. However we ask that staff do not wait until asked to update this information, but inform us immediately of any significant change(s).
6. Data security
The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted.
All hard copy personnel files are kept in a locked cabinet and are not to be removed from the premises. Other information that is stored electronically has appropriate levels of authorisation which prevent unauthorised access.
Only designated responsible personnel have access to the personnel records. Line Managers are required not to retain their own copies of personal data, but to provide all details to the designated responsible personnel, who will ensure the data is filed appropriately.
Data retained on laptops, smartphones and any other electronic equipment that is removed from our offices must be password protected.
Staff are responsible for ensuring that any personal data that they hold is stored securely and that personal information is not disclosed either orally or in writing or otherwise to any unauthorised third party.
References that disclose personal information will not be provided to any third party without the data subject's prior authority (unless this is required or permitted by law, such as by the police, HMRC, Contributions Agency or similar body).
Third party processors will be required to provide sufficient guarantees for their data security measures and compliance with them. A written contract will be in place with each supplier which requires them to dispose of data securely and to provide suitable evidence of this. Checks will be made to ensure that secure data disposal facilities are in place and regular monitoring will take place.
Any staff member who discovers personal or sensitive data in an inappropriate place (for example, unknowingly sent to the wrong printer) should immediately pass this to the Director of Operations, ensuring that its contents are not revealed to anyone else.
7. Publication of information
Information that is already in the public domain is exempt from the Act. This would include, for example, information contained within externally circulated publications such as brochures and other sales and marketing aids.
Any individual who has good reason for wishing his/her details not to be included in such publications should contact the Director of Operations.
8. Subject consent
Our contracts of employment require the consent of staff to the processing of personal data for the purposes of administering, managing and employing them. This includes: payroll, benefits, medical records, absence records, sick leave/pay information, performance reviews, disciplinary and grievance matters, pension provision, recruitment, family policies (maternity, paternity, adoption etc.) and equal opportunity monitoring.
Information about an individual will only be kept for the purpose for which it was originally provided. Staff and managers must not collect data that is simply "nice to have" nor use data for any purpose other than what it was provided for originally.
9. Retention and disposal of data
Information will be kept in line with our document retention guidelines. All staff are responsible for ensuring that information is not kept for longer than necessary.
Documents containing any personal information will be disposed of securely, and paper copies will be shredded (not disposed of directly into a normal bin or recycling bin). Information stored on obsolete electronic equipment (desktops, laptops and other devices) will be erased prior to the equipment being sold, disposed of or reallocated to other staff.
The Data Protection Act 1998 requires every data controller who is processing personal data to notify the Information Commissioner and to renew that notification on an annual basis. Failure to do so is a criminal offence.
GCHC is registered in the Information Commissioner's public register of data controllers. The Director of Operations is our Data Controller and is responsible for ensuring compliance with the Data Protection Act, for notifying and updating the Information Commissioner of our processing of personal data, and for the monitoring and implementation of this policy on behalf of GCHC.
Any changes made to the information stored and processed must be brought to the attention of the Director of Operations immediately.
We also have the following related policies: Use of Technology Policy; Use of Social Media Policy.
11. Implementation, monitoring and review of this policy
The Director of Operations has overall responsibility for implementing and monitoring this policy, which will be reviewed on a regular basis following its implementation (at least annually) and additionally whenever there are relevant changes in legislation or to our working practices.
Any questions or concerns about the interpretation or operation of this policy should be taken up in the first instance with the Director of Operations. Any breach will be taken seriously and may result in formal disciplinary action. Any staff member who considers that the policy has been breached in any way should raise the matter with his/her manager or the Director of Operations.