Dean Court Community Centre Association.

Data Protection Policy.

1.        Introduction.

All organisations that hold personal data are required to work within the Data Protection Act 1998. The Act regulates the way the Association collects, stores and processes information (personal data) about individuals (data subjects).

This policy sets out the principles of the Data Protection legislation, the policy of the DCCCA, and the reasons that DCCCA holds data. This is to enable DCCCA to conform to the data protection legislation.

The legislation and guidance are very detailed and complex, but provided the Trustees understand and accept the basic principles and policy, it is acceptable to nominate an individual to be responsible for data protection on behalf of the DCCCA.

The legislation covers records held both manually and on computer.

2.        Registration.

As a voluntary organisation that is also a charity, provided we abide by the principles of the legislation, we are not required to register with or notify the Information Commissioner’s Office.

3.        The Data Protection Principles and their Implementation by DCCCA.

DCCCA will comply with the following eight data protection principles in processing personal data.

• Personal data must be processed lawfully and fairly.

This is primarily about individuals knowing why data has been collected and recorded. This can be covered by a general policy (see below). If data is collected from a third person, then it is expected that the individual will be told about this.

These issues only become a problem if data is being passed on to other people, and therefore we have a policy that we will never disclose information to any third party apart from that directly relevant in respect of employment or volunteers.

• Personal data may only be obtained for one or more specified and lawful purposes, and may not be further processed in any way incompatible with that or those purposes.

i.e. We collect data for specified purposes, from the individual, and do not disclose it to anyone else.

• Personal data must only be collected that is adequate for the purpose and not excessive or irrelevant.

• Data must be accurate and kept up to date.

We must take all reasonable steps to ensure data is accurate.

• Data is not to be kept longer than necessary.

Data on people who are no longer members or involved with the DCCCA should be destroyed. For instance, if someone chooses to unsubscribe from our e-mail list, we will delete their record from the system.

• Data must only be processed in accordance with the rights of the individual.

The main implication of this is that individuals have a right to see data held about them.

• Data should be kept safe and secure against loss or damage or destruction.

For instance, it should be password-protected on computers or hard copies stored in a locked cupboard.

• Data must not be transferred to other countries.

4.        Policy Statement.

 DCCCA is committed to working within the Data Protection Act 1998 and upholding the data protection principles.

Data will only be recorded for stated purposes as set out below, and will be stored, processed and monitored in compliance with the legislation.

Data will only be collected and processed that is directly relevant to the objectives of the DCCCA.

Data will be stored safely and securely to ensure confidentiality. This will be reviewed on a regular basis.

No data (apart from employment data, public protection and references) will be disclosed to any third party without the consent of the individual.

Data will be regularly reviewed and if no longer required, destroyed.

All members of groups and activities will have a right to know what personal information has been recorded about them, and have a right to see such information. They also have a right to check the accuracy of such data.

5.        Data collected by the DCCCA.

(a) Employment data for staff and volunteers.

The DCCCA is allowed to hold and process data for employment purposes and to keep a register of volunteers, and to undertake CRB checks, take up references, etc. as required.

Regarding references, the DCCCA does not have to give employees a copy of a confidential reference that it provides to another organisation. However, references received from another organisation about an employee are subject to the right of the individual of access to their data. This is not an absolute right.

The DCCCA does not have to disclose information relevant to negotiations with staff where personal data is concerned.

(b) Registers for activities.

It is perfectly lawful to collect information from individual members of different groups and activities of the DCCCA. The data should only be the minimum necessary for the purpose: to keep a register, to be able to contact people and a carer/responsible person, and should not include personal data that is not directly relevant. It is appropriate and in the individual’s interest to record information about allergies, medication, etc. but this information should only be made available on a need to know basis.

Additional data about the individual (e.g. ethnicity), should only be collected if there is a clear and publicly available purpose for collecting that data.

For each activity or group, there should be clarity of what information is required to be held on the membership list.

6.        Public Protection.

Where there is a need to act to protect the welfare of an individual, then data can be shared with an appropriate organisation. For example, where there are child protection concerns, information can be shared with the Local Authority Children’s Services Department. Similarly if there is concern about criminal activity, the protection of the public and individuals takes precedence over the Data Protection Principles and Human Rights legislation.

7.        Other Users

It is legitimate to keep information about other users of the resources and facilities of the DCCCA – e.g. people who hire rooms, etc.

8.        Implementation of Policy.

Check that we comply with the legislation on a regular basis: that records are only kept for specified purposes and are relevant, that accuracy is checked, that records are stored securely, are updated or destroyed, etc.