The Leys Community Development Initiative
Blackbird Leys Community Centre, Blackbird Leys Road,
Blackbird Leys, Oxford, OX4 6HW
Tel: 01865 395927 E: firstname.lastname@example.org
Leys Community Development Initiative
Data Protection (GDPR) Policy 2018
The General Data Protection Regulations (GDPR) come into effect on 25 May 2018 and introduce new requirements for how organisations process personal data. The data protection principles regulate the way that personal information can be collected, handled and used. The regulations give individuals the right to access and change personal data that is kept on them. The General Data Protection Regulations apply to all EU citizens and cover all personal and sensitive data stored in computerised and manual records.
Leys CDI adheres to the seven data protection principles.
The Seven Data Protection Principles:
- Lawfulness, fairness and transparency – all personal data is processed lawfully, fairly and in a transparent manner
- Purpose limitation – personal data is collected for specified, explicit and legitimate purposes
- Data minimisation – all personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- Accuracy – every reasonable step must be taken to ensure that personal data that is inaccurate is erased or rectified without delay
- Storage limitation – personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed
- Integrity and confidentiality – processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures
- Accountability – the most senior member of the organisation shall be responsible for, and be able to demonstrate compliance with these principles
Recruitment and Selection
When recruiting for a position within Leys CDI the following guidelines must be observed:
- Use the information you collect, such as application forms, CVs etc., for recruitment or selection purposes only
- Ensure that those involved in recruitment and selection are aware that the General Data Protection Regulations apply and that they must handle personal information with respect and adhere to the seven principles of GDPR
- Do not collect more personal information than you need
- Do not collect from all applicants information that you only need from the person you go on to appoint, such as bank details
- Keep the personal information that you obtain secure: all documentation must be kept in a lockable filing cabinet or cupboard or in a secure electronic system
- If you are going to verify the information a person provides, e.g. references, make sure they know how this will be done and what information will be checked
- Only keep information obtained through a recruitment exercise for as long as there is a clear business need for it; this will be for six months after the recruitment process for that role has been completed
- All recruitment information for unsuccessful candidates, such as application forms and CVs, must be kept for 6 months; after this time you may dispose of this information
- Only write comments on application forms and CVs that will help you to make a decision and that you would be happy for the candidate to see, as any applicant can request to view any documentation that we hold on them
When keeping employee records the following guidelines must be adhered to:
- Ensure that those who have access to employment records are aware that the General Data Protection Regulations apply, and that personal information must be handled with respect and in accordance with GDPR
- Be careful when disclosing information from an employee’s employment record. Remember that those asking for information about an employee may not actually be who they claim to be. If you receive such a request, refer them to your line manager
- Data protection does not stand in the way where you are legally obliged to disclose information, for example informing the Inland Revenue about payments to employees
- Keep employment records secure. Keep paper records under lock and key and use secure electronic systems. Ensure that only employees with proper authorisation and the necessary training have access to employment records
- Where possible, keep sickness records containing details of an employee’s illness or medical condition separate from other less sensitive information, for example a record of absence. Details of absence should be recorded and all other relevant information pertaining to an employee’s health should be kept on their personnel file
- When you no longer have a business need or legal requirement to keep an employee’s employment record, make sure it is securely disposed of, for example by shredding it. Once an employee has left the business their personnel file must be stored for the legally required amount of time before being disposed of. This is currently 7 years.
All individuals who are the subject of personal data held by Leys CDI are entitled to:
- Ask what information the Organisation holds about them and why
- Ask how to gain access to it
- Be informed how to keep it up to date
- Be informed what Leys CDI is doing to comply with its obligation under the General Data Protection Regulations
- Individuals also have the right to ask for data to be deleted; this may be refused in certain circumstances, e.g. for legal reasons
- Any person who wishes to exercise these rights should make the request in writing to The Chair of the Board of Trustees. Such a request will be fulfilled within 40 days.
Information that is of vital importance to the future protection of an individual, e.g. safeguarding notes, will be securely archived and stored as long as express agreement is obtained from the data subject or, in the case of children and young people, until the age of 21 or for 5 years, whichever is later.
Information will always be treated with the utmost confidence and no personal or sensitive information will be divulged outside of the organisation apart from when the exceptions below apply. If these exceptions do apply, information must be shared on a ‘need to know basis’ only.
- If the young person is under 18 and abuse is suspected
- If a young person under 18 reports or alleges abuse
- If the life of the young person or another is at risk
- If information is revealed about criminal activity
- If a young person could cause harm to themselves or others
- If a club leader has reasonable cause to believe a young person is suffering or likely to suffer significant harm
Parents will be required to provide consent to the processing of children’s personal data where those children are under 16 years old, and this data will be stored until the child/young person reaches the age of 21 or for 5 years, whichever is later.
All personal data must be protected by appropriate security measures to safeguard against unauthorised or unlawful processing of personal data. Electronic files will be kept on secure systems. Paper documents that contain personal data will be stored in a locked cabinet. The storage of any data relating to young people is strictly prohibited on personal devices.
All employees and representatives of Leys CDI must only access and use data that is relevant and necessary to the performance of their job function. All material containing personal details will be destroyed by shredding, and the shredded paper will be disposed of by a reputable company.
No attachments which contain personal data will be sent internally or externally. If documents containing personal and/or sensitive data need to be shared, this should be done via a secure site such as Google Drive.
All documents asking for personal data will clearly state the reason for obtaining this information, what it will be used for and how long this data will be kept.
Any breach of the General Data Protection Regulations will be taken seriously and may result in disciplinary action being taken.
All individuals are responsible for:
- Checking that any personal data that they provide to Leys CDI is accurate and up to date
- Informing Leys CDI of any changes to information which they have provided, e.g. changes of address
The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted. Leys CDI is responsible for keeping an up to date data mapping document and ensuring that all actions are adhered to in a timely manner. Employees and volunteers are responsible for reporting any breaches of data protection to their line manager. The data controller for the organisation is responsible for reporting any high-risk data protection breaches within 72 hours to the Information Commissioner’s Office on 0303 1231113.
Key Areas of Responsibility
The organisation is responsible for:
- Keeping an up to date Data Mapping document and implementing all actions in a timely manner
- Ensuring this policy is up to date and reviewed on an annual basis
- Keeping an up to date retention policy and ensuring this is implemented by all staff members and volunteers
- Ensuring that all processing and storing of information abides by the General Data Protection Regulations
- Providing relevant GDPR training to staff and volunteers
- Reporting any serious data protection breaches to the Information Commissioner’s Office within 72 hours
All employees/volunteers are responsible for ensuring that:
- They are familiar with this policy and relevant documents and adhere to the seven data protection principles
- Any personal data which they hold is kept securely
- Personal and sensitive information is not disclosed either orally or in writing or otherwise to any unauthorised third party unless there are safeguarding or legal reasons for this to be done
- Participant information is only accessed for business purposes and not for personal use
This policy was adopted at the Management Committee Meeting by:
Sasha East (Name)
This policy has been adopted on [date]
This policy will be reviewed on [date – one year after policy is adopted]