Data Protection Policy for Seachange

1. Introduction

The Data Protection policy sets out a systematic approach to recording, storing, accessing and sharing information about service users, staff and volunteers. It is designed to help Seachange staff deal with the many different information-handling requirements they encounter in a consistent, legal and ethical manner.

Everyone responsible for using data has to follow strict rules called ‘data protection principles’. They must make sure the information is:

• used fairly and lawfully;
• used for limited, specifically stated purposes;
• used in a way that is adequate, relevant and not excessive;
• accurate;
• kept for no longer than is absolutely necessary;
• handled according to people’s data protection rights;
• kept safe and secure;
• not transferred outside the European Economic Area without adequate protection.

2. Policy Statement

Seachange will ensure that legislation, namely the Data Protection Act 2018 and the

Freedom of Information Act 2000 will be adhered to.

Seachange will ensure that personal data is dealt with legally, securely, efficiently and effectively according to the principles of the Data Protection Act 2018.

What is personal data?

Personal data is information related to an identified or identifiable person (data subject): an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, ID number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

These would include data in traditional paper form, stored electronically on your computers, social media, film, voice recordings, photographs and CCTV or conversation about a person.

There is a higher duty of care regarding certain sensitive information which includes people’s health and disabilities as well as any personal information about children and young people.

All staff and volunteers of Seachange will be made aware of this Data Protection Policy and their responsibilities through their induction programme and by yearly mandatory updates.

3 General requirements for Seachange staff

a) The Data Protection Act 2018 (DPA 2018) requires that all staff, volunteers and service users will be made aware of how any personal data will be recorded, stored, used, who provided the information (if someone else) and (if relevant) shared, how long it is retained and to give the information via Privacy

Notices. Such Privacy Notices are bespoke to each project or department and are additionally published on the website. There is also a general Seachange Privacy Statement.

b) Staff should make individuals aware of the Privacy Notice including their rights when they join a service or as soon as practicable after a referral has been made. Commonly this will be when an individual signs a consent form.

c) The DPA 2018 also requires Seachange to inform people of their rights to complain, access information about them, to have errors corrected, to object or restrict processing, to have records removed, to withdraw their consent

and to port their information to another organisation (as well as certain rights related to profiling and automatic profiling which is not relevant to Seachange’s operations)

d) If staff are provided with personal information about an individual by someone else, Seachange has a legal obligation to tell the individual the source of that information. Sometimes this may be fairly obvious to the individual e.g. referred at the suggestion of the GP. However in other cases this is less obvious e.g. ;

I. When volunteers provide, and Seachange processes information, about named referees

II. When service users and volunteers name, and Seachange process information, about next of kin

In such situations staff should send these individuals with a Privacy Notice (available on S:\Staff Info) bespoke to that service. This may need to be posted or given to a service user/ volunteer to pass on to the individual.

e) The information is contained in individual service privacy notices and is also available on the website. Additionally, a Privacy Notice can be quoted or signposted in newsletters, service update e-mails or when a service is evaluated.

f) It is mandatory for staff to complete training in Data Protection (GDPR) and to be aware of their individual, as well as, the organisation’s responsibilities.

4. Access to Personal Data and Data Protection Measures

Access to Seachange’s computer systems and databases will be restricted to those who need access for the purpose of their job. The decision to authorise access will be made by the appropriate Manager.

a) All emails containing personal data must be encrypted. Seachange currently uses Egress Switch

b) Where any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of. Hardcopies should be shredded or placed in the confidential waste, and electronic copies should be deleted securely.

c) Personal data may be transmitted over secure networks only; transmission over unsecured networks is not permitted in any circumstances;

d) Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;

e) Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted;

f) Where Personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;

g) Where Personal data is to be transferred in hardcopy form it should be passed directly to the recipient

h) No personal data may be shared informally and if an employee, agent, sub- contractor, or other party working on behalf of Seachange requires access to any personal data that they do not already have access to, such access should be formally requested from their line manager.

i) All hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet or similar;

j) No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of Seachange or not, without authorisation;

k) Personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors or other parties at any time;

l) If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it;

m)No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets and smartphones), whether such device belongs to Seachange or otherwise without approval of their line manager and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary. Mobile devices should be encrypted.

n) No personal data should be transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of Seachange where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the Regulation (which may include demonstrating to Seachange that all suitable technical and organisational measures have been taken);

o) All electronic copies of personal data should be stored securely using passwords;

p) All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols;

q) Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of Seachange, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method;

r) Staff and volunteers should not leave information (either in written or electronic form) unattended or available for unauthorised access. Transportation of personal information should be as direct and secure as possible. See document: Data Protection: Practical guidelines for volunteers supporting people off site

s) Where personal data held by Seachange is used for marketing purposes, it shall be the responsibility of the Marketing Manager to ensure that all concerned have given their consent to receive marketing.

t) A clear desk policy should be adopted in order to reduce any potential unauthorised access to paper records containing personal information.

See also documents: Communications, e-mail and internet policy and ICT Services and Equipment Policy for additional specific measures and restrictions users should take using equipment in processing, sharing and storing personal information.

If someone exercises their rights under the DPA 2018, all staff must follow the correct agreed procedure: See document: Rights of Access Protocol. Requests must not be ignored. Seachange has a legal obligation to respond and take appropriate actions within 1 month.

Seachange’s Responsibilities:

Seachange shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:

a) All employees, agents, contractors, or other parties working on behalf of

Seachange handling personal data will be appropriately trained to do so;

b) All employees, agents, contractors, or other parties working on behalf of

Seachange handling personal data will be appropriately supervised;

c) Methods of collecting, holding and processing personal data shall be

regularly evaluated and reviewed;

d) The performance of those employees, agents, contractors, or other parties working on behalf of Seachange handling personal data shall be regularly evaluated and reviewed;

e) All employees, agents, contractors, or other parties working on behalf of Seachange handling personal data will be bound to do so in accordance with the principles of the Regulation and this Policy by contract;

f) All agents, contractors, or other parties working on behalf of Seachange handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of Seachange arising out of this Policy and the Regulation;

g) Where any agent, contractor or other party working on behalf of Seachange handling personal data fails in their obligations under this Policy that party shall indemnify and hold harmless Seachange against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.

5. Breaches of the Data Protection Policy

Breach Reporting. Data security breaches must be reported using the data Breach form (Appendix 2).

Internal breaches of the Data Protection Policy will be fully investigated and risk assessed, and remedial action will be taken to prevent a further breach.

Seachange’s Disciplinary Procedure will be followed where appropriate.

Under no circumstances should staff or volunteers discuss anything they have seen or observed regarding a service user, with colleagues at work or anyone outside Seachange unless on a need to know basis. In the event that the personal information needs to be discussed, only the minimum information should be given to execute duties effectively.

Under no circumstances should staff or volunteers access personal information unless they need to and have permission to do so. Personal information/data to which staff and volunteers have access must be used for legitimate Seachange business purposes only.

You should not at any time during your employment (except so far as is necessary and proper in the course of your employment), or at any time after your employment has terminated, disclose to any person any information as to the practice, business dealings or affairs of Seachange or any of Seachange’s customers or any other matters which may have come to your knowledge by reason of your employment.

External Breaches of Data. Personal data breach1 means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

1. Article 4(13)

There are three types of breach2:

- Confidentiality breach- unauthorised or accidental disclosure of, or access to personal data.

- Availability breach- unauthorised or accidental loss of access to, or destruction of, personal data.

- Integrity breach - unauthorised or accidental alteration of personal data.

Breaches must be recorded immediately they are discovered or suspected to Head of Operations who will undertake a graded assessment as to what might be the likelihood and significance of harm to the rights and freedoms of individuals. (Document: Data Security Breach Procedure)(data Protection – Seachange:

Appendix 2 Breach Reporting Form)

6. Termination of Employment

Upon termination of your employment you will return all notes, records and information; however, that material is stored, to Seachange.

7. Withholding Information

There are some situations when organisations are allowed to withhold information, e.g. if the information’s about:

• the prevention, detection or investigation of a crime;
• national security or the armed forces;
• the assessment or collection of tax;
• judicial or ministerial appointments.

Seachange does not have to say why they’re withholding information.

8. Records and Documentation

Supervision, appraisal, and other meetings covering personal matters will be treated in strict confidence and all records will be kept securely to ensure uttermost confidentiality.

Seachange also expects all staff to respect the confidentiality of information/data and makes it a requirement in all contracts of employment that everyone should adhere to the Confidentiality Policy and abide by the Data Protection Code of Practice.

Seachange will monitor compliance with this policy by internal review every 2 years.

This policy has been approved & authorised by: Name: Seachange Board of Directors

Created by: Marc Jobson Head of Seachange