Our GDPR Policy
Peninsula Healthy Living Partnership Ltd
Charity No: NIC 103577
DATA PROTECTION POLICY
Author / Data Protection Officer: Sheila Bailie.
Operational from June 2018
Peninsula Healthy Living updated its Data Protection Policy to reflect the new GDPR legislation that came into effect on 25th May 2018 to protect the privacy of all EU Citizens and prevent data breaches.
The organisation’s ‘Privacy Notice’ can be found on our website at:-
Data Protection Principles
Our Data Protection Principles when collecting and storing information relating to individuals remain relevant:
- Processed fairly, lawfully and in a transparent manner in relation to the Data Subject.
- Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which data is processed.
- Accurate and, where necessary, kept up to date.
- Kept in a form that permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is processed.
- Processed in a way that ensures appropriate security of the Personal Data including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Peninsula Healthy Living (PHLP) needs to collect, use and process personal data, including sensitive data, about our clients. This is managed under the framework of the Data Protection Act 1998.
This policy relates to how we manage our records, use ICT equipment, and provide information to others under the Freedom of Information Act (FOI). PHLP also adheres to protocols implemented by the Public Health Agency and South Eastern H&SC Trust.
Personal Data (including Sensitive Personal Data) will only be processed by the Association where there is a valid legal basis for doing so, as set out in the GDPR and our Data Protection procedures.
The processing of Sensitive Personal Data shall be proportionate to the aim being pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the Data Subject.
Sensitive Personal Data relating to:
- Ethnic origin or religion may be used to provide statistical information to organisations that regulate the Association provided this information is presented in a way that does not identify individuals.
- Medical and/or health information may be used to assess applications for housing and adaptions, to assist residents in receiving appropriate care, support and assistance in an emergency, and to ensure that PHLP makes reasonable adjustments for employees and Board Members in accordance with the Equality Act 2010.
The Association will place Privacy Policies relating to the use of its website, CCTV surveillance and forms on its website.
PHLP will maintain an information register on the Personal Data that it processes, which will include the type, location, security arrangements, legal basis for collecting, who the data may be shared with and how long it will be retained.
Accuracy and Relevance
PHLP will take steps to ensure that any Personal Data it processes is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained.
PHLP will not process Personal Data obtained for one particular purpose for any other unconnected purposes unless the individual concerned has consented to this or would otherwise reasonably expect this.
PHLP will take steps to ensure that Personal Data is kept secure from unauthorized users or unlawful loss or disclosure.
Where necessary, in order to carry out its objectives, PHLP may need to share some of the Personal Data it processes with other organisations and individuals. This may include the following:
- Local government and authorities
- Central government including the Department of Work and Pensions
- Contractors and Suppliers
- Service Providers
- Regulatory bodies
- Health Authorities
- Enquirers and Complainants
- Credit reference and debt collection agencies
- Courts and Tribunals
- Other Housing Associations or Trusts or Landlords
- Educators and examining bodies
- Financial organisations
- Survey and research organisations
- Security organisations
- Probation services
- Charities and Voluntary organisations
- Emergency services such as the PSNI and the NIFRS
- Employment and recruitment agencies and organisations who process applications for Disclosure and Barring checks
- Current, Past or Prospective employers
- Insurers and providers of staff benefits
- Press, media and social media, provided the Data Subject’s identity is kept anonymous or explicit consent has been received.
Personal Data held by the Association will not be sold to any other organization or individual.
Personal Data held by PHLP will not be shared with organisations or individuals who have no particular right to know about the information or the internal business of PHLP without the Data Subject’s explicit written consent, other than in exceptional circumstances in compliance with the Regulations, as follows:
- Where there is clear evidence of fraud
- To comply with the law
- In connection with legal proceedings
- To protect the health and safety of the Data Subject, where they would be at risk if the information were not disclosed, or where there is a legal requirement to do so
- Anonymously for statistical purposes
If there is no clear legal basis for sharing Personal Data, consent or explicit consent will be obtained from the Data Subject where:
- Confidential or particularly sensitive information is going to be shared;
- The individual would be likely to object should the data be shared without his or her consent; or
- The sharing is likely to have a significant impact on an individual or group of individuals.
The policy applies to all employees and volunteers.
PHLP will not retain Personal Data for longer than is required.
Personal Data that is no longer required will be disposed of in a way which protects the rights and privacy of Data Subjects.
Anonymous Personal Data may be kept for statistical use, for example, equality and diversity opportunities.
Data Subject Rights
Data Subjects are entitled to:
- Know what information PHLP holds and processes about them and why.
- Request access to it.
- Require PHLP to rectify, block, erase or destroy inaccurate information.
- Prevent processing likely to cause unwarranted damage or distress.
- Prevent processing for the purposes of direct marketing.
All requests should be made in writing using the Subject Access Request form and proof of identity should also be given.
Any reasonable request for Personal Data from a Data Subject will be processed in accordance with the Regulations.
Except as outlined in the clause below, a Data Subject shall receive access to their Personal Data within one calendar month of the request being made and this will be made free of charge.
PHLP reserves the right to refuse a request, extend the period to provide the information being requested or charge a reasonable fee based on administrative costs, where the request is manifestly unfounded, excessive or a repeated request for copies of the same information. In such cases, the Data Subject will be notified accordingly within one calendar month of the request being made.
A Personal Data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service.
Where such a breach occurs PHLP will use its best endeavours to investigate the breach and draw up an appropriate action plan, including the taking of remedial steps and notification of the Information Commissioner and all affected Data Subjects as may be necessary.
Under the Data Protection Guardianship Code, whilst everyone who processes personal data is responsible for complying with PHLP policies and procedures and the regulations on Data Protection, overall responsibility for Personal Data rests with the Board.
The Board delegates tasks to the Data Controller.
The Director of Finance will act as the Data Protection Officer (“DPO”) for PHLP and, together with the Management Team, is responsible for the effective implementation of the Policy.
The DPO will be responsible for:
- Understanding and communicating legal obligations
- Identifying potential problem areas or risks
- Keeping the Board updated about data protection responsibilities, risks and issues
- Producing and reviewing all data protection procedures and policies on a regular basis
- Providing appropriate training and advice for all staff members
- Answering questions on data protection from staff, Board Members and other Stakeholders
- Checking and approving contracts or agreements with third parties regarding Data Processing
- Ensuring systems, services, software and equipment meet acceptable security standards
All employees who process Personal Data must:
- Ensure they understand and act in line with this Policy and Procedures and the Data Protection
- Inform their Line Manager, the Chief Executive or the Director of Finance if they become or are aware of a breach of this policy.
- Inform the Chief Executive or the Director of Finance if they become or are aware of a data breach whether malicious or accidental.
A breach of the Regulations or failure to follow this Data Protection Policy is considered a serious offence and as such may result in disciplinary proceedings.
Training and review
This Policy will be made available for viewing on PHLP’s website and all current customers, suppliers, together with current and prospective employees will be guided towards this Policy so that they may see how Personal Data collected may be used by PHLP and who this data may be shared with.
All staff will receive training and refresher training on this policy and on the associated procedures, in particular when there has been a substantial change in the law or in the Association’s policy and procedures.
New staff will receive training as part of their induction process.
This Policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments in relevant legislation.
The policy will be reviewed at least annually by the Trustees of the organization.
24th May 2018
Re: The General Data Protection Regulations (EU 2016/679) “GDPR”
As you may be aware, the law regarding Data Protection is changing from 25th May 2018. All organisations which process personal data from that date will have new obligations under the provisions of the GDPR.
Although there is a change approaching, Peninsula Healthy Living’s commitment to protect your personal data will never change. We will always respect how you want us to use your details.
To support us in managing your relationship with Peninsula Healthy Living, we need to store some of your basic information, and in some circumstances, sensitive personal data. We want you to know that we take privacy very seriously and we will always manage your data responsibly.
Peninsula Healthy Living, as a Data Controller, may undertake satisfaction surveys periodically for the purposes of monitoring and improving our services for our customers.
To find out more about how we use your data you can contact Sheila Bailie on 028427 39021 or by email: email@example.com
PENINSULA HEALTHY LIVING