Data Protection Policy

Lyndale Knowsley Cancer Support Centre

40, Huyton Lane, Liverpool L36 7XG

Tel: 0151 489 3538

Registered Charity No: 519725

“Supporting people affected by cancer”

Data Protection Policy

This policy applies to all members, volunteers and Trustees of Lyndale Knowsley Cancer Support Centre.

 Introduction

 The purpose of this policy is to enable Lyndale Knowsley Cancer Support Centre to:

  • Comply with the law in respect of the data it holds about individuals.
  • Follow good practice.
  • Protect Lyndale Knowsley Cancer Support Centre’s members, volunteers and other individuals
  • Protect the organisation from the consequences of a breach of its responsibilities.

Brief introduction to Data Protection Act 1998

 The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.

The Act works in two ways. Firstly, it states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with the rights of Data Subjects
  • Secure
  • Not transferred to other countries without adequate protection

The second area covered by the Act provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.

 Policy statement

 Lyndale Knowsley Cancer Support Centre will:

  • Comply with both the law and good practice
  • Respect individuals’ rights
  • Be open and honest with individuals whose data is held
  • Provide training and support for Trustees, volunteers, therapists and teachers who handle personal data, so that they can act confidently and consistently

Lyndale Knowsley Cancer Support Centre recognises that its priority under the Data Protection Act is to avoid causing harm to individuals.  Information about staff, volunteers and clients will be used fairly, securely and not disclosed to any person unlawfully.

The Data Protection Controller is The Board of Lyndale Trustees or “The Board”.Secondly, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account.  In addition to being open and transparent.

The Data Subject is the individual whose personal data is being processed. Examples include:

  • Trustees – current and past
  • Volunteers, therapists and teachers
  • Volunteering applicants
  • Donors
  • Centre Users
  • Suppliers.

Processing means the use made of personal data including:

  • Obtaining and retrieving data
  • Holding and storing data
  • Making data available within or outside the organisation
  • Printing, sorting, matching, comparing, destroying of data.

The Data Controller is the legal ‘person’, or organisation, that decides why and how personal data is to be processed. The data controller is responsible for complying with the Data Protection Act.

The Data Processor – the data controller may get another organisation to be their data processor, in other words to process the data on their behalf. Data processors are not subject to the Data Protection Act. The responsibility of what is processed and how remains with the data controller. There should be a written contract with the data processor who must have appropriate security.

The Data Protection Officer is the name given to the person in organisations who is the central point of contact for all data compliance issues.

Responsibilities

The Board of Trustees recognises its overall responsibility for ensuring that Lyndale Knowsley Cancer Support Centre complies with its legal obligations.

The Data Protection Officer is currently The Board of Lyndale Trustees who has the following responsibilities:

  • Briefing the board on Data Protection responsibilities
  • Reviewing Data Protection and related policies
  • Advising other staff on Data Protection issues
  • Ensuring that Data Protection induction and training takes place
  • Handling subject access requests
  • Approving unusual or controversial disclosures of personal data
  • Ensuring contracts with Data Processors have appropriate data protection clauses
  • Electronic security
  • Approving data protection-related statements on publicity materials and letters

Each Trustee, volunteer, therapist and teacher at Lyndale Knowsley Cancer Support Centre who handles personal data will comply with the organisation’s operational procedures for handling personal data (including induction and training) to ensure that good Data Protection practice is established and followed.

All Trustees, therapists, teachers and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.

Significant breaches of this policy will be handled under Lyndale Knowsley Cancer Support Centre’s Disciplinary Procedures

Confidentiality

 Because confidentiality applies to a much wider range of information than Data Protection, Lyndale Knowsley Cancer Support Centre has a separate Confidentiality Policy. This Data Protection Policy should be read in conjunction with Lyndale Knowsley Cancer Support Centre’s Confidentiality Policy.

 Lyndale Knowsley Cancer Support Centre has a privacy statement for clients/members, setting out how their information will be used. This is available on request, and a version of this statement will also be used on the Lyndale Knowsley Cancer Support Centre web site. (See Appendix)

Trustees, volunteers, therapists and teachers are required to sign a short statement indicating that they have been made aware of their confidentiality responsibilities.  (See Confidentiality Policy and Statement.)

In order to provide some services, Lyndale Knowsley Cancer Support Centre will need to share member’s personal data with other agencies (Third Parties). Verbal or written agreement will always be sought from the client before data is shared.

Where anyone within Lyndale Knowsley Cancer Support Centre feels that it would be appropriate to disclose information in a way contrary to the confidentiality policy, or where an official disclosure request is received, this will only be done after discussions with a Keyworker or the Data Protection Officer (The Board or Trustee).  All such disclosures will be documented.

Security

This section of the policy only addresses security issues relating to personal data.  It does not cover security of the building, business continuity or any other aspect of security.

Any recorded information on Members, Keyworkers, volunteers, therapists and teachers and others will be:

  • Kept in locked cabinets
  • Protected by the use of passwords if kept on computer
  • Destroyed/shredded confidentially if it is no longer needed

Access to information on the main database is controlled by a password and only those needing access are given the password. Keyworkers and volunteers should be careful about information that is displayed on their computer screen and make efforts to ensure that no unauthorised person can view the data when it is on display.

Notes regarding personal data of clients/members should be shredded or destroyed.

Data Recording and storage

 Lyndale Knowsley Cancer Support Centre has a single database holding basic information about all Trustees and volunteers, therapists, teachers and members. The back-up discs/pen drives of data are kept in the safe.

Lyndale Knowsley Cancer Support Centre will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:

  • The database system is reviewed and re-designed, where necessary, to encourage and facilitate the entry of accurate data.
  • Data on any individual will be held in as few places as necessary, and all Trustees and volunteers will be discouraged from establishing unnecessary additional data sets.
  • Effective procedures are in place so that all relevant systems are updated when information about any individual changes.
  • Trustees and Keyworkers who keep more detailed information about individuals will be given additional guidance on accuracy in record keeping.

 Data will be corrected if shown to be inaccurate

Lyndale Knowsley Cancer Support Centre stores archived paper records of clients/members and volunteers securely in the office.

Access to data

 All members and volunteers and others have the right to request access to all information stored about them. Any subject access requests will be handled by the Data Protection Officer (The Board) within the required time limit.

Subject access requests must be in writing.  All Trustees and volunteers are required to pass on anything which might be a subject access request to the Data Protection Officer (The Board) without delay.

All those making a subject access request will be asked to identify any other individuals who may also hold information about them, so that this data can be retrieved.

Where the individual making a subject access request is not personally known to the Data Protection Officer (The Board) their identity will be verified before handing over any information.

The required information will be provided in permanent form unless the applicant makes a specific request to be given supervised access in person.

Lyndale Knowsley Cancer Support Centre will provide details of information to members who request it unless the information may cause harm to another person.

The Trustees have the right to access their file to ensure that information is being used fairly. If information held is inaccurate, the individual must notify the Board so that this can be recorded on file. 

Transparency

Lyndale Knowsley Cancer Support Centre is committed to ensuring that in principle Data Subjects are aware that their data is being processed and

  • for what purpose it is being processed.
  • what types of disclosure are likely; and
  • how to exercise their rights in relation to the data.

Data Subjects will generally be informed in the following ways:

  • Volunteers: in the volunteer terms and conditions
  • Volunteers: in the volunteer welcome/support pack
  • Members: when they request (on paper, on line or by phone) services

Standard statements will be provided to Keyworkers/Trustee for use on forms where data is collected.

Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data Subjects will be informed which fields are mandatory and why.

Consent

Consent will normally not be sought for most processing of information about volunteers, therapists and teachers. Although volunteer details will only be disclosed for purposes unrelated to their work for Lyndale Knowsley Cancer Support Centre (e.g. financial references) with their consent.

Information about volunteers will be made public according to their role, and consent will be sought for (a) the means of contact they prefer to be made public, and (b) any publication of information which is not essential for their role

Information about members will only be made public with their consent.  (This includes photographs.)

‘Sensitive’ data about members (including health information) will be held only with the knowledge and consent of the individual.

Consent should be given in writing, although for some services it is not always practicable to do so. In these cases verbal consent will always be sought to the storing and processing of data. In all cases it will be documented on the database that consent has been given. 

All Data Subjects will be given the opportunity to opt out of their data being used in particular ways, such as the right to opt out of direct marketing (see below).

Lyndale Knowsley Cancer Support Centre acknowledges that, once given, consent can be withdrawn, but not retrospectively.  There may be occasions where Lyndale Knowsley Cancer Support Centre has no choice but to retain data for a certain length of time, even though consent for using it has been withdrawn.

Direct marketing

Lyndale Knowsley Cancer Support Centre will treat the following unsolicited direct communication with individuals as marketing:

  • Seeking donations and other financial support.
  • Promoting any Lyndale Cancer Support Centre services
  • Promoting Lyndale Cancer Support Centre events
  • Promoting membership to supporters.
  • Promoting sponsored events and other fundraising exercises.
  • Marketing the products of Lyndale Cancer Support Centre

Marketing on behalf of any other external company or voluntary organisation:

Whenever data is first collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be given a clear opt out.  If it is not possible to give a range of options, any opt-out which is exercised will apply to all Lyndale Knowsley Cancer Support Centre marketing. Lyndale Knowsley Cancer Support Centre does not have a policy of sharing lists, obtaining external lists or carrying out joint or reciprocal mailings.

Lyndale Knowsley Cancer Support Centre will only carry out telephone marketing where consent has been given in advance, or the number being called has been checked against the Telephone Preference Service.

Whenever e-mail addresses are collected, any future use for marketing will be identified, and the provision of the address made optional.

Staff training and acceptance of responsibilities

All Keyworkers and volunteers who have access to any kind of personal data will be given copies of all relevant policies and procedures during their induction process, including the Data Protection policy, Confidentiality policy and the operational procedures for handling personal data. All Trustees and volunteers will be expected to adhere to all these policies and procedures.

Data Protection will be included in the induction training for all volunteers.

Lyndale Knowsley Cancer Support Centre will provide opportunities for volunteers to explore Data Protection issues through training, team meetings, and supervisions.

Policy review

The policy will be reviewed in May 2019 and approved by the Board of Trustees. It will also be reviewed in response to changes in relevant legislation, contractual arrangements, good practice or in response to an identified failing in its effectiveness.

Date this policy will be updated is May 2020 and will be approved by the Board of trustees

May 2020– To be reviewed in 2021 due to introduction of new DPA rules (GDPR)

Appendix: Privacy statement

When you request information from Lyndale Knowsley Cancer Support Centre, sign up to any of our services or buy things from us, Lyndale Knowsley Cancer Support Centre obtains information about you.  This statement explains how we look after that information and what we do with it.

We have a legal duty under the Data Protection Act to prevent your information falling into the wrong hands.  We must also ensure that the data we hold is accurate, adequate, relevant and not excessive.

Normally the only information we hold comes directly from you. Whenever we collect information from you, we will make it clear which information is required in order to provide you with the information, service or goods you need.  You do not have to provide us with any additional information unless you choose to.  We store your information securely on our computer system, we restrict access to those who have a need to know, and we train our volunteers in handling the information securely.

If you have signed up to a class or other service we will also pass your details to the professional worker providing that service.  That worker may hold additional information about your participation in these activities.

We would also like to contact you in future to tell you about other services we provide, to keep you informed of what we are doing and ways in which you might like to support Lyndale Knowsley Cancer Support Centre. You have the right to ask us not to contact you in this way.  We will always aim to provide a clear method for you to opt out.  You can also contact us directly at any time to tell us not to send you any future marketing material.

Very occasionally we may carry out a joint mailing with other carefully selected organisations, in order to tell you about products and services we think you might be interested in.  Again, you have the right to opt out of this.

You have the right to a copy of all the information we hold about you (apart from a very few things which we may be obliged to withhold because they concern other people as well as you).  To obtain a copy, either ask for an application form to be sent to you or write to the Data Protection Officer at Lyndale Knowsley Cancer Support Centre.

 There is a charge of £10 for a copy of your data (as permitted by law).  We aim to reply as promptly as we can and, in any case, within the legal maximum of 40 days. The organisation will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used. Lyndale Knowsley Cancer Support Centre is the Data Controller and is registered under the Data Protection Act 1998. All processing of personal data will be undertaken in accordance with the data protection principles.

Definitions

The Data Subject is the individual whose personal data is being processed. Examples include:

  • Employees – current and past
  • Volunteers
  • Volunteer applicants
  • Donors
  • Centre Users
  • Suppliers.

Processing means the use made of personal data including:

  • Obtaining and retrieving
  • Holding and storing
  • Making available within or outside the organisation
  • Printing, sorting, matching, comparing, destroying.

The Data Controller is the legal ‘person’, or organisation, in this case The Board of Trustees, that decides why and how personal data is to be processed. The data controller is responsible for complying with the Data Protection Act.

The Data Processor – the data controller may get another organisation to be their data processor, in other words to process the data on their behalf. Data processors are not subject to the Data Protection Act. The responsibility of what is processed and how remains with the data controller. There should be a written contract with the data processor who must have appropriate security.

The Data Protection Officer is the name given to the person in the organisations who is the central point of contact for all data compliance issues. (A Trustee of Lyndale)

Responsibilities

 The Board of Trustees recognises its overall responsibility for ensuring that Lyndale Knowsley Cancer Support Centre complies with its legal obligations.

The Data Protection Officer is the Board of Trustees, who has the following responsibilities:

  • Briefing the board on Data Protection responsibilities
  • Reviewing Data Protection and related policies
  • Advising other staff on Data Protection issues
  • Ensuring that Data Protection induction and training takes place
  • Handling subject access requests
  • Approving unusual or controversial disclosures of personal data
  • Ensuring contracts with Data Processors have appropriate data protection clauses
  • Electronic security
  • Approving data protection-related statements on publicity materials and letters

Each Trustee, member, Keyworker and volunteer, therapist or teacher at Lyndale Knowsley Cancer Support Centre who handles personal data will comply with the organisation’s operational procedures for handling personal data (including induction and training) to ensure that good Data Protection practice is established and followed.

All Trustees, Keyworkers, volunteers, therapists and teacher are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.

Significant breaches of this policy will be handled under Lyndale Knowsley Cancer Support Centre’s disciplinary procedures.

Confidentiality

 Because confidentiality applies to a much wider range of information than Data Protection, Lyndale Knowsley Cancer Support Centre has a separate Confidentiality Policy. This Data Protection Policy should be read in conjunction with Lyndale Knowsley Cancer Support Centre’s Confidentiality Policy.

Lyndale Knowsley Cancer Support Centre has a privacy statement for members, setting out how their information will be used. This is available on request, and a version of this statement will also be used on the Lyndale Knowsley Cancer Support Centre web site. (See Appendix)

Trustees, Keyworkers, volunteers, therapists and teachers are required to sign a short statement indicating that they have been made aware of their confidentiality responsibilities.  (See Confidentiality Policy and Statement.)

In order to provide some services, Lyndale Knowsley Cancer Support Centre will need to share member’s personal data with other agencies (Third Parties). Verbal or written agreement will always be sought from the client before data is shared.

Where anyone within Lyndale Knowsley Cancer Support Centre feels that it would be appropriate to disclose information in a way contrary to the confidentiality policy, or where an official disclosure request is received, this will only be done after discussions with a Trustee or the Data Protection Officer, (The Board of Trustees).  All such disclosures will be documented.

Security

This section of the policy only addresses security issues relating to personal data. It does not cover security of the building, business continuity or any other aspect of security.

 Any recorded information on members, volunteers, therapists, and teachers will be:

  • Kept in locked cabinets
  • Protected by the use of passwords if kept on computer
  • Destroyed confidentially if it is no longer needed

Access to information on the main database is controlled by a password and only those needing access are given the password. Keyworkers and volunteers should be careful about information that is displayed on their computer screen and make efforts to ensure that no unauthorised person can view the data when it is on display.

Notes regarding personal data of members should be shredded or destroyed.

Data Recording and storage

 Lyndale Knowsley Cancer Support Group has a single database holding basic information about all members and volunteers. The back-up data is saved onto a memory storage device and kept in a locked drawer.

Lyndale Knowsley Cancer Support Group will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:

  • The database system is reviewed and re-designed, where necessary, to encourage and facilitate the entry of accurate data.
  • Data on any individual will be held in as few places as necessary, and all Keyworkers and volunteers will be discouraged from establishing unnecessary additional data sets.
  • Effective procedures are in place so that all relevant systems are updated when information about any individual changes.
  • Trustees, Keyworkers and volunteers who keep more detailed information about individuals will be given additional guidance on accuracy in record keeping.
  • Data will be corrected if shown to be inaccurate

Lyndale Knowsley Cancer Support Group stores archived paper records of members and volunteers securely in the office.

Access to data

 All clients and customers have the right to request access to all information stored about them. Any subject access requests will be handled by the Data Protection Officer, (Board of Trustees) within the required time limit.

Subject access requests must be in writing.  All Keyworkers and volunteers are required to pass on anything which might be a subject access request to the Data Protection Officer, (The Board of Trustees) without delay.

All those making a subject access request will be asked to identify any other individuals who may also hold information about them, so that this data can be retrieved.

 Where the individual making a subject access, request is not personally known to the Data Protection Officer, (The Board of Trustees), their identity will be verified before handing over any information.

The required information will be provided in permanent form unless the applicant makes a specific request to be given supervised access in person.

Lyndale Knowsley Cancer Support Group will provide details of information to members who request it unless the information may cause harm to another person.

Keyworkers and volunteers have the right to access their file to ensure that information is being used fairly. If information held is inaccurate, the individual must notify the Chair of the Board so that this can be recorded on file. 

Transparency

Lyndale Knowsley Cancer Support Group is committed to ensuring that in principle Data Subjects are aware that their data is being processed and

  • for what purpose it is being processed.
  • what types of disclosure are likely; and
  • how to exercise their rights in relation to the data.

Data Subjects will generally be informed in the following ways:

  • Volunteers: in the volunteer terms and conditions
  • Volunteers: in the volunteer welcome/support pack
  • Members: when they request (on paper, on line or by phone) services

Standard statements will be provided to volunteers for use on forms where data is collected.

Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data Subjects will be informed which fields are mandatory and why.

Consent

 Consent will normally not be sought for most processing of information about volunteers. Although volunteer details will only be disclosed for purposes unrelated to their work for Lyndale Knowsley Cancer Support Group (e.g. financial references) with their consent.

Information about volunteers will be made public according to their role, and consent will be sought for (a) the means of contact they prefer to be made public, and (b) any publication of information which is not essential for their role.

Information about members will only be made public with their consent.  (This includes photographs.)

‘Sensitive’ data about members (including health information) will be held only with the knowledge and consent of the individual.

Consent should be given in writing, although for some services it is not always practicable to do so. In these cases verbal consent will always be sought to the storing and processing of data. In all cases it will be documented on the database that consent has been given. 

All Data Subjects will be given the opportunity to opt out of their data being used in particular ways, such as the right to opt out of direct marketing (see below).

Lyndale Knowsley Cancer Support Group acknowledges that, once given, consent can be withdrawn, but not retrospectively.  There may be occasions where Lyndale Knowsley Cancer Support Group has no choice but to retain data for a certain length of time, even though consent for using it has been withdrawn.

Direct marketing

Lyndale Knowsley Cancer Support Group will treat the following unsolicited direct communication with individuals as marketing:

  • Seeking donations and other financial support.
  • Promoting any Lyndale Knowsley Cancer Support Group services.
  • Promoting Lyndale Knowsley Cancer Support Group events.
  • Promoting membership to supporters.
  • Promoting sponsored events and other fundraising exercises.
  • Marketing the services of Lyndale Knowsley Cancer Support Group.
  • Marketing on behalf of any other external company or voluntary organisation.

Whenever data is first collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be given a clear opt out.  If it is not possible to give a range of options, any opt-out which is exercised will apply to all Lyndale Knowsley Cancer Support Group marketing. The organisation does not have a policy of sharing lists, obtaining external lists or carrying out joint or reciprocal mailings.

Lyndale Knowsley Cancer Support Group will only carry out telephone marketing where consent has been given in advance, or the number being called has been checked against the Telephone Preference Service.

Whenever e-mail addresses are collected, any future use for marketing will be identified, and the provision of the address made optional.

 Volunteer training and acceptance of responsibilities

 All volunteers who have access to any kind of personal data will be given copies of all relevant policies and procedures during their induction process, including the Data Protection policy, Confidentiality policy and the operational procedures for handling personal data. All volunteers will be expected to adhere to all these policies and procedures.

Data Protection will be included in the induction training for all volunteers.

Lyndale Knowsley Cancer Support Group will provide opportunities for volunteers to explore Data Protection issues through training, team meetings, and supervisions.

Policy review

The policy will be reviewed in May 2019 by the Board of Trustees. It will also be reviewed in response to changes in relevant legislation, contractual arrangements, good practice or in response to an identified failing in its effectiveness.

Date this policy was approved by the Board of trustees:  25th May 2020

Due for further review: May 2021

Appendix: Privacy statement

When you request information from Lyndale Knowsley Cancer Support Group, sign up to any of our services or buy things from us, Lyndale Knowsley Cancer Support Group obtains information about you.  This statement explains how we look after that information and what we do with it.

We have a legal duty under the Data Protection Act to prevent your information falling into the wrong hands.  We must also ensure that the data we hold is accurate, adequate, relevant and not excessive.

Normally the only information we hold comes directly from you.  Whenever we collect information from you, we will make it clear which information is required in order to provide you with the information, service or goods you need.  You do not have to provide us with any additional information unless you choose to.  We store your information securely on our secure computer system or in a locked cabinet in the office. We restrict access to those who have a need to know, and we train our Keyworkers and volunteers in handling the information securely.

If you have signed up to a class or other service we will also pass your details to the professional worker providing that service.  That worker may hold additional information about your participation in these activities.

We would also like to contact you in future to tell you about other services we provide, to keep you informed of what we are doing and ways in which you might like to support Lyndale Knowsley Cancer Support Group. You have the right to ask us not to contact you in this way.  We will always aim to provide a clear method for you to opt out.  You can also contact us directly at any time to tell us not to send you any future marketing material.

Very occasionally we may carry out a joint mailing with carefully selected other organisations, in order to tell you about products and services we think you might be interested in.  Again, you have the right to opt out of this.

You have the right to a copy of all the information we hold about you (apart from a very few things which we may be obliged to withhold because they concern other people as well as you).  To obtain a copy, either ask for an application form to be sent to you, or write to the Data Protection Officer,( the Board of Trustees ) at Lyndale Knowsley Cancer Support Group.  There is a charge of £10 for a copy of your data (as permitted by law).  We aim to reply as promptly as we can and, in any case, within the legal maximum of 40 days

Lyndale Knowsley Cancer Support Group is a limited company (limited by guarantee),registered in England and Wales (Company Number 02184955) and a registered charity (charity registration number 519725) whose registered office is 40, Huyton Lane, Huyton, Liverpool L36 7XG