Charitable Incorporated Organisation No: 1166157
Data Protection/Information Sharing/Records Management Policy
HYI fully endorse and adhere to the principles of data protection as outlined in the Data Protection Acts 1994 and 1998. All staff involved in the collection, processing and disclosure of personal data are aware of their duties and responsibilities within these guidelines.
Information about HYl's Data Protection policy can be obtained from Keda Norman.
Fair Obtaining and Processing
HYI undertakes to obtain and process data fairly and lawfully by informing all data subjects of the reasons for data collection, the purposes for which data is held, the likely recipients of the data and the data subjects' right of access. Information about the use of personal data is printed on the appropriate collection form. If details are given verbally, the person collecting the data will explain the issues before collection of the information.
Processing - obtaining, recording or holding the information or data or carrying out a set of operations on the information or data.
Data subject means an individual who is the subject of personal data or the person to whom the data relates.
Personal data means data which relates to a living individual who can be identified. Addresses and telephone numbers are examples.
Parent refers to the meaning given in the Education Act 1996 and includes any person who has parental responsibility for a child.
The Data Protection Act Registration entries for HYI are available for inspection by appointment at the office. Explanation of any codes and categories is available from Keda Norman who is the person nominated to deal with data protection issues. Registered purposes covering the data held at the youth project are listed on the youth project's registration and data collection documents. Information held for these stated purposes will not be used for any other purpose without the data subject's consent.
HYI undertakes to ensure that data integnty 1s achieved by the followmg...methods:
• Data Accuracy - Data will be as accurate and up to date as 1s reasonably possible. Hexham Youth initiative staff will update records and as soon as practical when informed of any changes by young people, parents or partners.
• Data Adequacy and Relevance - Data held about people will be adequate, relevant and not excessive in relation to the purpose for which the data is held. In order to ensure compliance with this principle, HYI will check records regularly for missing, irrelevant or seemingly excessive information and may contact the subjects to verify certain items of data.
• Length of Time - Data held about individuals will not be kept for longer than necessary for the purposes registered.
• Subject Access - The Data Protection Acts extend to all data subjects a right of access to their own personal data. All staff and young people will have access to any data we hold on them on request.
• Authorised Disclosures - HYI will, in general, only disclose data about individuals with their consent. However, there are circumstances under which HYl's authorised officer may need to disclose data without explicit consent for that occasion.
These circumstances are strictly limited to:
• Young person data disclosed to authorised recipients related to education, health, safety and welfare necessary for the project to perform its statutory duties and obligations.
• Young person data disclosed to authorised recipients in respect of serious concerns regarding their young person's health, safety and welfare.
• Staff data disclosed to relevant authorities eg. in respect of payroll and administrative matters.
• Only authorised and trained staff are allowed to make external disclosures of personal data. We will not disclose anything on young people's records which would be likely to cause serious harm to their physical or mental health or that of anyone else - including anything which suggests that they are, or have been, either the subject of or at risk of child abuse.
A 'legal disclosure' is the release of personal information from the computer to someone who requires the information to do his or her job within or for the organisation, provided that the purpose of that information has been registered.
An 'Illegal disclosure' is the release of information to someone who does not need it, or has no right to it, or one which falls outside the organisation's registered purposes.
Data and Computer Security
HYI undertakes to ensure security of personal data by the following general methods (precise details cannot be revealed).
Appropriate building security measures are in place, such as alarms, window bars, deadlocks, and computer hardware cable locks. Only authorised persons are allowed in the computer room. Disks, tapes, and printouts are locked away securely when not in use. Visitors to the project are required to sign in and out, to wear identification badges whilst in the project and are, where appropriate accompanied.
Security software is installed on all computers containing personal data. Only authorised users are allowed access to the computer files and password changes are regularly undertaken. Computer files are backed up (ie security copies are taken_ regularly.
In order to be given authorised access to the computer, staff will have to undergo checks and will sign a confidentiality agreement. All staff are trained in their Data Protection obligations and their knowledge updated as necessary. Computer printouts as well as source documents are shredded before disposal.
Overall security policy data is determined Keda Norman and is monitored and reviewed regularly, especially if a security loophole or breach becomes apparent. HYI security policy is kept in a safe place at all times.
Any queries or concerns about security of data in the project should in the first instance be referred to Keda Norman.
Individual members of staff can be personally liable in law under the terms of the Data Protection Acts. They may also be subject to claims for damages from persons who believe that they have been harmed as a result of inaccuracy, authorised use or disclosure of their data. A deliberate breach of this Data Protection Policy will be treated as a disciplinary matter, and serious breaches could lead to dismissal.
Further details on any aspect of this policy and its implementation can be obtained from Keda Norman.