Data protection policy and procedures
The FirstStop Advice Service is a national service for housing, care, finance and rights issues for older people, their relatives, friends and professionals, comprising a telephone and email advice service, a website and, through local partners a face to face service which together with local and regional partners provides a seamless service to the user throughout England, with the intention of becoming UK wide in the future. The service is provided by the charity Elderly Accommodation Counsel (EAC) This Policy applies to the work of EAC as it relates to providing the FirstStop Service.
EAC is registered as the Data Controller under the terms of the Data Protection Act 1988. The registration number is Z6813565 and is due for renewal on 10 June 2012.
This registration covers the following services for FirstStop
- FirstStop website
- FirstStop Advice Line - Our nationwide telephone advice service and email enquiry service.
- Work carried out by but commissioned by funders (e.g. government agencies and other commissioning bodies) and other partners whether charitable, public sector or commercial.
Data Protection enquiries should be made to the Data Protection Officer, 3rd Floor,89 Albert Embankment London SE1 7TP.
2. PRINCIPLES OF DATA PROTECTION AS OUTLINED IN THE DATA PROTECTION ACT 1998
2.1 Anyone processing personal data must comply with the eight enforceable principles of good practice.
2.2 Data must be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Not kept longer than necessary
- Processed in accordance with the data subjects rights
- Not transferred to countries outside of the EEC without adequate protection
3. FIRSTSTOP ADVICE COMMITMENT
FirstStop is committed to meeting its obligations under the Data Protection Act of 1998. FirstStop Advice will strive to observe the law in all collection and processing of subject data and will meet any subject access request in compliance with the law. FirstStop Advice will only use data in ways relevant to carrying out its legitimate purposes and functions in a way that is not prejudicial to the interests of individuals. FirstStop Advice has adopted a Code of Practice for Sharing Personal Information which we will adhere to when sharing personal personal information between the FirstStop partners.
3.1 Staff providing the FirstStop service will take due care in the collection and storage of any sensitive data and will do their utmost to keep all data accurate, timely and secure. Where notified of changes to personal data, FirstStop will amend records within 20 days of receipt of notification.
3.2 Staff providing the FirstStop service, whether permanent, temporary, or volunteers, must be aware of the requirements of the Data Protection Act when they collect or handle data about an individual and appropriate training will be provided.
3.3 FirstStop Partners providing the FirstStop service must not disclose data except within the Policy and Procedure on disclosures described in Paragraphs 10 and 11.
3.4 Data supplied to outside agencies must always be protected by a written contract.
3.5 All collection and processing must be carried out in good faith.
3.6 FirstStop Advice will keep records of all complaints by data subjects and any subsequent follow up. FirstStop will also keep a record of all data access requests. There will be a repository of all FirstStop statements of Data Protection Law compliance and information about any contacts made with the Data Protection Registrar. This information will be available to staff and data subjects on request.
3.7 FirstStop will inform subjects of any processing, disclosure or transfer that does not fall within FirstStop’s purpose in a way that any individual supplying could be expected to understand.
3.8 FirstStop will keep Data Protection notification up to date.
4. POLICY ON COLLECTING SUBJECT DATA
FirstStop will only collect data that is relevant to the carrying out of the legitimate purposes and functions in a way that is not prejudicial to the interests of individuals. All data on individual subjects will be treated in a consistent way.
4.1 Subjects will be informed about how FirstStop will store and use the data at the time of collection. This will require a standard statement to be sent in all written requests for data and correspondence and a similar verbal script will be used for data collection by telephone.
4.2 Where FirstStop intends to use data for its main purposes, of responding to requests for information on care issues for older people, subjects will be deemed to have given their data for this purpose. If other use is to be made of the data, eg for the purpose of undertaking customer satisfaction surveys, they will be offered an opt-out for any mailings beyond this core purpose. FirstStop will honour this opt-out to the best of its ability.
4.3 Data may be collected by the use of a telephone monitoring system which is used to improve both staff training and the quality of the services offered by FirstStop.
4.4 FirstStop will strive to ensure that data collection is as accurate as is possible.
4.5 Data may be stored in many ways such as databases, manual files or Word or Excel files. The data will be collected consistently no matter where the data is to be stored.
5. SENSITIVE DATA
5.1 There are various categories of sensitive data relating to individuals. These include (a) racial or ethnic origin (b) physical or mental health (c) lifestyle, (d) sexuality (e) religious or cultural beliefs.
5.2 FirstStop undertakes not to collect sensitive data where it is unnecessary to do so to further FirstStop’s purpose of providing an effective information and advice service. One example of these are where a caller is looking for a care home to meet social and cultural needs in relation to their ethnic origin or religious background. Another example is where FirstStop is searching for housing solutions to cater for an older person with dementia.
5.3 FirstStop will strive to ensure that sensitive data is accurately identified on collection. The key questions relating to sensitive data on the CRM client recording system can be easily identified. The other key area of recording sensitive data is within the notes box of the CRM as part of the case history narrative.
6. PROCEDURES FOR COLLECTING SUBJECT DATA
6.1 A Data Table will be kept showing all data collection processes/points throughout FirstStop and the type of data collected within each process/point and its usage.
6.2 Staff are responsible for ensuring that all personal and where appropriate sensitive personal data is collected accurately and fully. Staff are responsible for ensuring that sensitive data is identified when collected.
6.3 Staff will obtain permission from the subject that their data will be stored at the time of collection and transferred within the partner organisations providing the FirstStop service on the Customer Relations Management System.
6.4 All personal information should be dated at the time of collection so that records can be archived/anonymised at an appropriate time.
7. DATA PROTECTION STATEMENTS
7.1 When personal data,including personal sensitive data is collected by FirstStop the following statement must be included in all written forms, letters and web/email communications:
7.2 First Stop will store and process your data in accordance with the requirements of the Data Protection Act 1998. FirstStop will not provide your information to any organisations apart from FirstStop partners without your express permission. FirstStop may contact you in relation to customer satisfaction surveys, which are an integral part of our service. Please tick the box or contact us if you do not want your data to be used in this way ?
7.3 Emails transmitted by FirstStop will display the following statement:
‘This message contains information that may be privileged or confidential and is the property of FirstStop. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorised to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
Email is not a secure communications medium. Please be aware of this when replying.’
8. POLICY FOR DATA STORAGE AND PROCESSING
8.1 FirstStop will only hold data that is relevant to the carrying out of its legitimate purposes and functions, in a way that is not prejudicial to the interests of individuals. Information will be accurate and timely and will be held in an environment as secure as possible. FirstStop Partners will be responsible for ensuring that all regular data care procedures are fully and conscientiously followed. All manual files and databases will be kept up to date and will be archived or destroyed from 2 years of the last contact (as determined by the nature of the data held. Where data is held in a paper format, procedures for the disposal of confidential waste will apply e.g. shredding.
8.2 Data no longer required for the legitimate purposes of FirstStop will be purged from computer systems from 2 years after the last contact..
All individual data will be kept secure, by regular office security procedures or through the controls over the computer network. Sensitive data will be treated with appropriate security.
8.3 Data processing within FirstStop, including data sharing by FirstStop partners will only take place in accordance with the FirstStop Code of Practice
8.4 Where data is passed to a third party for processing, FirstStop will ensure that a written contract is in place that states that the agent will work within First Stop’s data protection policy. Control of the data will not be allowed to move to the third party.
9. PROCEDURE FOR DATA STORAGE AND PROCESSING
9.1 All forms of data processing should be included in the Data Table. Any changes to data storage or processing to be recorded.
9.2 All staff must take responsibility for following through any data care work required of them to maintain accurate data systems. They are also responsible for any records they keep in any filing systems.
9.3. Archiving policies for data no longer needed in our storage systems will be set up for all data stores. A clear justification must be supplied for personal data to be kept beyond two years.
9.4. Any mailings generated from stored data will observe opt out choices in good faith.
10.1 All paper files containing personal data will be stored in a secure location. We will take all possible steps to prevent unauthorised access to the offices where FirstStop data is kept and due care will be taken to ensure the security of data in lockable filing cabinets. No documents containing personal data must be left on desks or in unlocked cabinets when not in use.
10.2 Any documents that contain personal data will be shredded.
10.3 All possible steps will be taken to maintain effective security for the whole of the computer system. Access to information stored on computer systems, including laptops should be appropriately password protected. Staff and volunteers will take all necessary steps to avoid careless loss of data, including when working remotely.
11. POLICY ON DISCLOSURES
11.1 FirstStop will not allow personal and sensitive personal data collected from subjects to be disclosed to third parties except in circumstances which meet the requirements of the Data Protection Act. This will be where either the subject has consented to the disclosure, there is a serious risk of harm, where FirstStop receives information which may prevent a crime or assist in the detection of a crime, or where FirstStop is legally obliged to disclose the data.
12. PROCEDURE ON DISCLOSURES
12.1 Any general disclosure must be recorded in the Data Table held by the Data Protection Officer and that each class of disclosure includes a clear justification as to why the disclosure is taking place.
12.2 Any new disclosure to be made must be checked for suitability with the Data Protection Officer beforehand who may refer to the Data Protection registrar for advice and guidance.
12.3 Any request for data based on a legal requirement, e.g. from Police or other body, must be put in writing and be checked by the Data protection Officer against the advice of the Data Protection Registrar before any data is disclosed.
13. SUBJECT ACCESS POLICY
FirstStop will provide information in response to any reasonable subject access request and will ensure that data is kept in an accessible form to facilitate such subject access.
13.1 PROCEDURE ON SUBJECT ACCESS POLICY
13.2 FirstStop will make every effort to ensure that immediate action is taken when a data access request is received. The Data Protection Officer will be informed immediately.
13.3 A standard letter (amended as appropriate) will be sent to the subject stating FirstStop policy on subject access. This will promise to provide the required data to the best of FirstStop’s ability within 20 days. FirstStop reserves the right to ask for a maximum payment of up to £10.
13.4 A search will be set up by the Data Protection Officer to ensure that all relevant data will be collected and collated ready to present to the subject. This will include all relevant electronic data and manual files. Information on data collection, storage, processing and transfer may also be required and statements will be prepared in advance. All relevant information will be prepared ahead.
13.5 The relevant information will be sent by email or registered post
14. POLICY ON COMPLAINTS AND QUERIES
14.1 FirstStop will respond to any complaints as quickly as possible. Any letter or contact we receive in relation to the Data Protection Act, that questions our policy and/or procedure will be acknowledged within 5 working days, and responded to in full within 25 working days.
14.2 The Data Protection Officer will be advised without delay, of any complaints or queries relating to Data Protection policy or issues (as in 14.1 above)
14.3 Records will be kept of all correspondence for 5 years.
15. PROCEDURE ON COMPLAINTS AND QUERIES
15.1 Notify the Data Protection Officer of the receipt of the complaint / query.
15.2 Copy all relevant documentation to the Data Protection Officer.
15.3 The Data Protection Officer will maintain a record of actions taken by staff to resolve a complaint or query.
15.4 Advise the Data Protection Officer of any further correspondence and developments as they occur.
15.5 On completion, records must be kept for 5 years
16. REPORTING ON DATA PROTECTION MATTERS
The Data Protection Officer will report on all Data Protection matters to the FirstStop Project Management Group on an annual basis, and this report will also go to the Boards of Trustees of the individual FirstStop partner organisations.
FirstStop will convey its policies on Data Protection and Privacy to the public by including the following document on its websites. A printed version will also be available through the Advice Line, by request.
This Data Protection Policy will be reviewed on a regular basis.