Introduction to General Data Protection Regulations
This document contains details of the Charity’s policy on personal privacy and data protection including our obligation to comply with the eight Data Protection Principles contained in the General Data Protection Regulations 2018 to protect the personal privacy of all living people.
A Glossary of terms is set out at the end of the document.
Data Protection Officer
If you have any questions or need information on anything to do with data protection, please contact the Director.
What is Data Protection?
In simple terms, data protection is the protection of information about living people. This information can be created and kept in many forms – for example on computer; such as emails and databases, paper, CCTV, photographs, personal digital assistants and many others; it covers both facts and opinions about people.
What is the Data Protection Act?
The Data Protection Act 2018 (the “Act”) imposes obligations on businesses that hold personal information, and gives rights to individuals whose data is held. The Information Commissioner oversees and enforces the Act. The General Data Protection Regulation (the “GDPR”) will come into force in the UK in May 2018, and provides additional protection to individuals.
What does the Act apply to?
The Act applies to “personal data”. This is information relating to living people who can be identified from the information that a “data controller” has, even if an individual’s name is not specifically mentioned, and is referred to throughout this policy as “Personal Information”. These individuals are known as “data subjects”. The Act is intended to protect this information and the way that the information is used. It is also intended to regulate against the potential misuse of this information.
Who does the Act apply to?
The Act applies to anyone who processes personal information. “Processing” is a broad term referring to almost anything that can be done to information – including collecting, recording, storing, transferring, amending, destroying it or simply holding it.
What are the Data Protection Principles?
There are 6 Data Protection Principles under article 5 of the GDPR, which are designed to protect the personal privacy of each of us and with which we must comply under the Act.
The Principles state that personal information must be:
• processed lawfully, fairly and in a transparent manner in relation to individuals;
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
What is the Charity’s legal basis for processing personal data?
Where the Charity does not have consent, it is entitled to process data under article 6(f) of the GDPR because it is in its legitimate interests. That means that the processing is necessary for the legitimate interests of the Charity unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. It is necessary for the Charity to process data to carry out the purposes and aims that it was set up to do and operate as a mediation service.
It is in the legitimate interests of the Charity to obtain data from:
• mediation clients in order to help them mediate their conflict and ultimately to benefit them;
• trustees to contact them and to comply with legislation;
• volunteers in order to manage the mediation cases effectively, by ensuring mediators have the appropriate training and experience to mediate;
• office staff to ensure they have the appropriate experience and skills to manage cases and comply with their contracts of engagement;
• referral agencies for invoicing purposes;
• suppliers of services and goods to Calm Mediation
• individuals to offer and provide training in conflict management
What is the legal basis for processing special categories of personal data?
“Sensitive personal data” or “special categories of personal data” (under the GDPR) is given additional protection under the Act. This is information that relates to an individual’s:
• racial or ethnic origin
• political opinions
• religious or similar beliefs
• trade union membership
• physical or mental health or condition
• sexual life
• criminal history (including convictions or commission of offences/alleged offences).
This is referred to throughout this Policy as “special categories of personal data”.
The Charity must gain explicit consent for processing special categories of personal data.
General Data Protection Regulation
Areas of good practice
• All personal data is potentially disclosable to the person to whom it relates. Volunteers, staff and trustees should bear this in mind when recording expressions of opinion about people and ensure that the Charity can justify what it writes (e.g. in interview notes or in emails).
• It is important for volunteers and staff to remind mediation clients that anything expressed in writing about another person could be seen by that person if they make a subject access request.
• All personal data held on personal computers, phones, tablets and other devices must be deleted or destroyed at the end of a case. This includes emails sent and received, case notes, handwritten notes, documents to prepare for a mediation and any other written data.
• If data is retained by volunteers, staff or trustees, for example for professional development or to comply with professional requirements, it must be anonymised so that the data subject cannot be identified from the data held. If data is held which would allow the data subject to be identified, then the holder of this data is required to comply with the data protection legislation in their own right.
• Please keep devices or paperwork relating to cases or the work of the Charity secure, that is:
a. Password protect phones and devices.
b. Ensure that data in transit is password protected if appropriate.
c. It is recommended to use case numbers as opposed to names and addresses where practical in email exchanges.
d. Make sure you know where your data is stored. If you cannot guarantee that data remains in the UK/EEA please inform the Data Controller. Note that dropbox, office 365 and other document and email systems may have servers based outside the EEA.
• The Charity appreciates that anyone can make a mistake. In the event of a data protection breach (e.g. a personal phone being lost or stolen with emails relating to cases on it) please let the staff or a trustee know as soon as possible. The Charity is required to notify the Information Commissioners’ Office within 72 hours and there could be serious consequences for the Charity if we fail to comply.
• In processing data for children under 13, parental consent is required to handle data. Please speak to the Data Controller if processing data concerning those under 18.
• If consent to holding data is communicated to you, please notify the Data Controller without delay.
Collection, use and storage of personal data
The Charity will: –
• unless it is entitled to hold data in its legitimate interests, seek your consent prior to the collection of your personal data.
• make sure that the personal information which it holds is adequate, relevant and not excessive in relation to its business purposes (i.e. no one will ask for or record excessive information that we do not need, even if it is information that is ‘nice to know’).
• make sure that the personal information is accurate and kept up to date, and is not kept for any longer than is necessary.
• make sure that, to the extent necessary, data subjects are given notice of the processing of their personal information including: –
– details of the information to be collected – the purpose for which it is to be collected and used, and
– any other relevant information.
• comply with the rights of people on whom we hold information (such as the right to access information about themselves or the request to erase that information).
• only process special categories of personal data with the explicit consent of the person on whom we hold the information.
Security of personal Information
The Charity will seek your consent prior to the collection of your personal data, and will: –
• take positive steps to prevent the accidental, improper or deliberate disclosure, misuse or loss of personal information and prevent unauthorised access to it.
• protect all data on password protected computers in a secure office.
• limit the disclosure of and access to personal information to those who have a business need to access the information.
Disclosure of personal information to others
The Charity will: –
• not disclose personal information relating to an individual without the individual’s consent.
• ensure that where any person or organisation processes personal information on behalf of the Charity (such as a marketing agency or IT service provider) the Charity enters into a written agreement with them requiring them to: –
– process the personal information only in accordance with the Charity’s instructions;
– maintain adequate information security; and
– take reasonable steps to ensure staff who have access to the information are reliable.
Disclosure of personal information outside the EEA
The Charity will: –
• make sure that personal information is not transferred to any country outside the UK unless that country has adequate levels of protection in place to protect personal data;
• make sure that the data subject(s) concerned has/have consented to the transfer of the information; or
• make sure that an agreement has been entered into with the organisation the data is being transferred to, based on the EU standard model clauses.
Subject Access Requests
A person on whom the Charity holds information has the right to be informed of this and to have a copy of the information, subject to a few limited exceptions. He or she must make a written request (which can be by email).
If his/her personal information is being processed, the individual will be provided with (subject to limited exceptions):
• a copy of the data
• the source of the data
• the purposes for which the data is being processed
• to whom it may be disclosed
• an explanation of any unintelligible codes or rating systems.
Compliance with the subject access request is not required where the Charity has complied with an identical or similar request of the data subject in the 6-month period prior to the new request and the data held has not changed substantially in that period.
The response to the subject access request should be made promptly. It must be made no more than 40 days from receipt of the request.
Information about staff and volunteers
This section sets out the policy in relation to the processing of information about the Charity’s staff and volunteers.
As the Charity may need to hold and use certain information relating to its staff and volunteers during their employment or role in the Charity, this section gives information about the personal information that the Charity may hold and how it is used or is intended to be used:
Use of Personal Information
Information may be used in relation to the following:
• recruitment;
• payroll and benefits administration (including sick pay, pensions, health insurance, gym membership etc), work and career management, including performance appraisals; in the case of employees and supervision in case of the volunteers;
• disciplinary and grievance procedures (including monitoring compliance with and enforcing policies) in the case of employees;
• payment under contracts for the engagement of services;
• ensuring co-mediators are paired appropriately;
• ensuring mediators have the appropriate training and experience;
• deriving statistics to apply for funding to support the work that we do.
• assessing performance and to set targets to further the aims of the charity.
• absence monitoring;
• training course management;
• monitoring registrations with regulatory bodies to ensure compliance, training and other requirements are met;
• administering termination of employment, references etc;
• maintaining contact details to contact you for urgent business or personal reasons when you are out of the office;
• maintaining emergency contact and beneficiary details (which involves the Charity holding information on those you nominate in this respect);
• protecting the safety and security of staff and property; and
• to ensure health and safety compliance.
The Charity may also hold other information for accounting and billing purposes, work management and business development.
Disclosure of Personal Information
• Your consent will be obtained before the Charity responds to requests for information about you from third parties such as banks, mortgage lenders, prospective landlords or employers (e.g. requests for references), insurance and health providers.
• In relation to volunteers, with your consent, your curriculum vitae (CV) may be disclosed to mediation clients (both existing and prospective) and other professional advisers during the provision of mediation services,
Document retention
The Charity will only store data for as long as is necessary, after which time it will anonymise or delete that data.
The Charity will keep data relating to a case or enquiry for not more than six years after a case has closed.
The Charity will keep volunteer’s data for not more than six years after the end of your volunteer agreement.
The Charity will keep data from staff and trustees for not more than six years after the end of your contract or resignation.
The following exceptions are in relation to information that the Charity is required to retain to comply with legal requirements:
• Gift aid records: 6 years
• Financial information (bank statements and paying in slips, cash books, invoices, receipts) for HMRC: 6 years from the end of the financial year in which the transaction was made.
• Safeguarding information for as long as necessary in relation to the purposes for which that information was obtained.
• Unsuccessful applications for volunteering or contracts: one year.
• Insurance policies and claims – Three years after lapse or settlement of claim.
• Employer’s liability certificate – 40 years.
• Minutes of trustee meetings and resolutions: 10 years
• Annual accounts and annual reviews: permanently
Future Developments
The law and practice in relation to data protection is still evolving. This will be reflected, so far as necessary, by amendments to this Policy. If material changes are made, you will be notified.
Glossary
General terms:
Charity refers to Calm Mediation Service, and its successors and assigns from time to time.
Employee refers to anyone who has entered into a binding contract of employment with the Charity.
Mediation client means any person taking part (or preparing to take part) in a mediation facilitated by the Charity.
Director means that person designated by the Charity with that title, from time to time, and is currently: Corinne Rechais: corinne@calmmediation.org
Staff refers to trustees, coordinators, caseworkers, consultants, contractors, directors, and managers, whether employed directly by the Charity, or self-employed.
Volunteer refers to anyone who is volunteering their time and skills to the Charity on a pro bono basis.
Trustee refers to the trustees from time to time of Calm Mediation who are at the date of this version of the handbook: Chris Pickard (Chair of Trustees), Tracey Adamson, Ralph Strang, Alex Dunlop, Bode Adeloye, Paul George.
Referring Agency means any company or organisation that enters into a contract to refer their tenants, residents or clients to Calm Mediation.
Supplier means any company or organisation that supplies goods or services to Calm mediation.
Data Protection terms:
Data Controller is a person who either alone, or jointly with other people, gives instructions as to what should happen to personal information and how it is to be processed.
Data Subject means an individual to whom the personal information relates.
Personal Data or Personal Information means any information that relates to a living individual (not companies). It includes information by which that individual can be identified and includes facts and expressions of opinion about individuals.
Process/processing/processed means almost anything that can be done to personal information – including collecting, recording, storing, transferring, amending, using, holding and destroying the information.
Special categories of personal data (formerly known as Sensitive Personal Data or Sensitive Personal Information) means any information relating to an individual’s:
– racial or ethnic origin;
– political opinions;
– religious beliefs;
– trade union membership;
– physical or mental health conditions;
– sexual life;
– criminal offence
(Please note that there are additional restrictions on how this type of information can be used.)
Subject Access Request means a written request by a data subject made to a data controller, who must:
• inform him whether it has processed or is processing any information concerning him/her;
• describe the personal information, the source of the personal information, the purpose for which it is used and any third parties who receive the personal information; and
• provide the individual with a copy of the personal information except in certain limited circumstances.
This policy is illustrative of the way in which Calm Mediation aims to approach its relationship with each of its trustees, staff members, volunteers and mediation clients and other third parties.
This policy is reviewed regularly, in advance of the Trustee meeting, unless an incident occurs, or new legislation suggests the need for an earlier review date.
Calm Mediation, 92 Camberwell Rd, London SE5 0EG
020 7603 4014
info@calmmediation.org
www.calmmediation.org
Charitable Incorporated Organisation No. 1161807
