A common sense guide to the Data Protection Act 1998 for volunteers




Why is it necessary?

The Data Protection Act 1998 is a law introduced to control the way information held about individuals is handled and to give legal rights to people who have information stored about them. This need not be particularly sensitive information, and can be as little as a name and address.

This guidance refers to all personal information whether it is stored electronically or in hard copy/paper systems.

There can be serious consequences for breaching data protection. This can be a financial penalty, as well as the risk of damage to your branch, group or the Association's reputation.

If you would like a copy of the Data Protection Policy which fully explains the Act, please contact the branch and group support and information line (details at the end of the guide).

It is clear we must ensure we are storing personal information carefully and this guidance explains what branches, groups and other volunteers need to do to ensure they are not at risk of breaching the Act.

Data Protection Act Principles:

There are eight data protection principles. These specify that personal data must be:

1. Processed lawfully and fairly
2. Obtained for specified and lawful purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept any longer than necessary
6. Processed in accordance with the data subject's (the individual's) rights
7. Securely kept
8. Not transferred to any other country without adequate protections in situ

So what does this mean in practice and how can you ensure you are complying with the law and protecting the rights of the people we support? By adhering to the following practices, you can be sure you will be acting in accordance with the principles outlined.

Collecting and storing information:

The Data Protection Act refers to information about a living person that allows them to be identified and is kept in any type of filing system. This includes names, addresses, telephone numbers and email addresses. These include those stored on a computer or any manual system you may use.

Think about the sort of information you may hold:

- Databases
- Lists where people living with MND are included
- Mailing lists
- Requests for funding
- Volunteer records
- Referral forms
- Correspondence files
- Email address books
- Booking applications forms

If you can say yes to any of the above, you will be covered by the Act and have to take steps to safeguard personal information in your care. This is classified as personal data.

Information is classed as sensitive if it includes:

- Racial or ethnic origins
- Religious beliefs
- Physical or mental health (including noting a diagnosis of MND; disclosure could impact employment / insurance etc.)

None of this must be shared without the express consent of the person.

You might find you are handling these very well, but you may find you need to change or add to some of the things you do. Any information you collect must be for a specific purpose and mustn't be used for anything else, so to avoid duplication, check in your branch or group what information you keep and who is keeping it.

Consent:

If you are keeping personal or sensitive information on anyone, you must let them know you are doing so and why you need to. They have a right to say you may not have their information, or not to receive information from you.

The Association will always try to get permission to keep someone's personal details, and where these are sensitive (usually relating to health) then we must try to get explicit consent either in writing or verbally. We will do this prior to sharing information with you, or Association Visitors may do this when they first contact someone with MND.

Recording:

The Act states that information should be adequate, relevant and not excessive. Ask yourself:

- Do you really need to know this information? For example, do you need to know family history?
- At branch or group meetings, how much information do you really need to know and why, when you are looking at funding applications?
- Consider how you would feel if sensitive personal information was shared.

Be really clear about why you want this information and for whose benefit it is. If it is not relevant to supporting people with MND, then you should not be collecting it.

Consider these best practice points when you are recording information:

- Summarise the main points of a discussion
- Complete immediately or as soon as is practical after a meeting
- Differentiate between fact and fiction
- Write clearly in terms that are easily understood
- Avoid using jargon and abbreviations
- Avoid words that are emotive or could be misinterpreted
- Avoid using "clearly" or "obviously" if this reflects a personal opinion
- Avoid keeping duplicate information

Security and confidentiality:

We are in a position of trust with the information we have and therefore we must ensure that this trust is not misplaced. It is important that you make sure that the information you keep is safe from other people seeing it, and that it doesn't get lost, damaged or destroyed.

Putting it into practice:

- Make sure everyone in your branch or group knows their responsibilities
- Use your funds to buy a small lockable filing cabinet
- Password protect emails (see Good Practice at the end of this document)
- Use up to date anti-virus software
- If you are taking information to a meeting by car, make sure it is kept in the boot and the car locked when you leave it
- Don't leave information on tables, and turn off computer screens when it is possible other family members or visitors can see the information
- Avoid using identifying names, or other information, in minutes or newsletters unless you have permission
- Don't pass details to other organisations or individuals without permission
- If you no longer need the information, destroy it (see disposal of information)
- Do not use personal / sensitive information in an email subject line

Access to information

In practice, a person you have information on has the right to see it. If someone makes a request to see the information you have about them you have to:

- Tell them what information you have about them
- Tell them why you have the information and who it may be shared with
- Supply them with a copy of all the actual information
- Say where you got the information from

If you get a request asking to see what information you are holding about a person you must inform the Data Protection Officer (DPO) at David Niven House, and they will ensure the following:

- The request is in writing (fax or email is acceptable)
- The DPO will reply promptly and within a maximum of 40 calendar days
- They will give the information to the right person - check their identity
- If it is a third party who requests the information (solicitor or next of kin) the DPO will check that:
  - they are properly authorised to do so
  - they are acting in the interest of the individual
  - get written authorisation

Sharing information

From time to time we may need to share this information with other people or organisations to either provide or ensure individuals receive the service most suited to their needs and care.

In May 2011 a Data Sharing Code of Practice was published by the Information Commissioner's Office, which said:

"People now have an expectation that, where appropriate and necessary, their personal details may be shared." Christopher Graham, Information Commissioner

This supports increased transparency with information within the Association as long as the minimum amount of information is shared with as few people as possible, and only if it supports the care of people with MND and their families. We should never do anything that might cause risk or harm through the sharing of information. We must have consent to store and share personal information and have processes in place to capture this wherever possible.
For example, you may hear at an AGM of challenges for people with MND in your area not receiving social care as would be expected. You may ask the individual if you can share this information with your RCDA or MND Connect as this could support future campaigning.

Another example may be that you receive the names of people with MND in your area from David Niven House; this will enable you to consider branch planning and possible fundraising. This of course does not mean their full information can be shared at meetings; however, it means the branch contact has the information and the individual's initials can be their identification.

Remember it is not your information, it is the person with MND's, and it should be shared with as few people as possible in order to provide the best care and support.

Good practice when sharing information including by email

You will all be aware of the need for confidentiality, and the Association expects all its staff and volunteers to be aware of what this means to them. In order to ensure we protect information, we need to ensure our processes for sharing are carefully considered, and this would include information in newsletters, minutes, and websites as well as branch listings.

Remember the following:

- Lists of people's personal details should only be shared on a need to know basis
- Anything with personal information in should be sent marked "Private and Confidential" and anything that has sensitive information contained in it should be sent recorded delivery
- All personal computers should have a password protection to ensure only the volunteer working with the Association can access the data, not family or friends
- Dedicated email address for MND Association correspondence only; this must not be a shared email address
- Any information kept on a memory stick / computer disc must be encrypted
- When sharing information with colleagues on home PCs all sensitive information should be put in a Word document and then attached as a password protected document; you will need to agree on a password and share this with the people you are corresponding with
Please refer to your Help Documentation supplied with your application on how to password protect a document.

To password protect a document:

- Go into Tools in Word
- Then select Protect Document
- This brings up a password box where you enter a selected password
- Once you save the document the password will be applied and will be needed to open the document again

It is also good practice to include a disclaimer at the end of all messages sent on branch or group business. This alerts the receiver that they should delete if it's not for them. The one we have as standard for all outgoing messages from the Association, which you could copy, is as follows:

The information contained in this email message, and any files transmitted with it, are confidential, and intended solely for the use of the individual or organisation to whom they are addressed. If you are not the intended recipient, please note that any disclosure, distribution or copying of the email is strictly prohibited. If you have received this email in error, please notify the MND Association via email at postmaster@mndassociation.org and delete the message from your system. Thank you for your co-operation. The opinions expressed in this message are those of the individual and are not necessarily the official opinions of the MND Association. The MND Association cannot be held responsible for any advice provided in this message and is not liable for any damages caused by the recipient's reliance on the content. Motor Neurone Disease Association, Registered in England Company Limited by Guarantee No 2007023. Registered Charity Number 294354

Disposal of information

Once you no longer need the information you have, special care needs to be taken when destroying it to ensure that it cannot be read or used by anyone else. There is also a duty under statute to keep certain information for a defined length of time:

- Minutes and other correspondence for three years
- Financial records and related correspondence must be kept for seven years
- Sensitive personal information must be kept for 10 years

For paper based information your branch or group could use funds to buy a shredder and appoint one person to be responsible for destroying these, or set up a rota for this task.

To remove information from a computer, special discs can be purchased which completely remove the information. Deleting data not only secures privacy but helps make the computer run better, saves storage space and most importantly, makes sure you are in control of what's seen and what's not.

For more information contact the Volunteering Team:

Phone: 0345 6044 150
Email: volunteering@mndassociation.org
Website: www.mndassociation.org/volunteerzone