SOAS Detainee Support Data Handling and Management Policy
The purpose of the policy is to set out how SOAS detainee Support manages the collection, retention, use of and disposal of data, documents and other information.
This policy is important not only in order for SO AS detainee support to meet its legal obligations, but also to ensure that everyone we hold data on; whether detainees, visitors, staff, members, or anyone else; is treated fairly through the holding of that data, the way it is used and the manner in which it is disposed of.
All staff, visitors, and anyone else handling data for the organisation, has a responsibility for the appropriate handling of data. There should be special attention paid to the sensitive nature of some of the data that we collect, particularly the data of those in detention or those at risk of detention that we support in the community.
SOAS Detainee Support’s board of directors is ultimately responsible for the organisation’s compliance with GDPR legislation. Anyone who requires advice and guidance on any issue relating to this policy, and its implementation, should consult with the director leading on data protection.
This policy applies to all areas of SOAS detainee support and covers documents and data that are held in both electronic and paper format either by SDS the organisation, or by individual SDS visitors.
The policy incorporates SOAS Detainee Support’s responsibilities under the General Data Protection Regulations (2016).
The key terms used in this policy are defined in the Glossary of Terms (Appendix A). These definitions are designed to be consistent with their use in the GDPR.
Personal data held by SOAS detainee support principally concerns the following groups:
- other people supported by SDS, but not in detention
Personal data processed by SOAS detainee support will abide by the general principles set out in the GDPR. These principles are set out in Appendix B.
No personal data will be made available to any third party unless (a) there is a legal obligation to disclose it, or (b) the relevant data subject has given approval to disclosure or (c) disclosure is considered to be in SOAS Detainee Support’s legitimate interest, which is not outweighed by any potential prejudice to the affected data subject’s interests. This means, among other things, that we will not sell, or pass on, personal data purely for financial gain. However we do use some of the personal data we hold to contact data subjects with information about our work, and requests to support our work either financially or as a volunteer.
In the case of visitors, members, and directors where people have registered themselves as the above they have been judged as to expect such communications, and SOAS detainee support will use the legitimate interest basis for this type of contact.
In the case of the data of detainees, or other people that SDS supports, consent will be used as the basis for processing and sharing data.
Any deliberate misuse of personal data may be considered to be a disciplinary offence and may be considered to be gross misconduct, depending upon the circumstances.
Under GDPR, SOAS detainee support, as the Data Controller, is accountable for the personal data we process. This means that for each type of personal data held we will be able to demonstrate that we comply with the requirements of the GDPR.
The directors are responsible for ensuring that SOAS detainee support has a comprehensive policy on data and records management that, if properly implemented, will enable SOAS detainee support to meet all of its responsibilities in this area and will help support the achievement of its aims.
Directors are responsible for ensuring:
i) That the agreed policy is implemented across SOAS detainee support; and
- That appropriate training is compulsory for all staff and any members or visitors regularly handling data.
- That the policy is updated in line with any changes of legislation or operational requirements;
- That the policy is reviewed every 3 years; and
- Where any major changes are proposed to way data is collected, held, analysed or disposed of, that an impact assessment is carried out; and
- That any breaches are reported to the Information Commissioners Office
All Staff are responsible for:
- Ensuring that personal data about them, held by SOAS detainee support, is accurate and up to date;
- Informing the data owner of any errors or inaccuracies that they may become aware of through their use of personal data;
- Informing the directors of any failure to comply with this policy that they become aware of or of any breach of security.
Staff who are data owners are responsible for:
- Recording information correctly; ensuring that appropriate consent is obtained for recording data; correcting any known errors or inaccuracies; ensuring that data is only used for previously agreed purposes; providing any relevant data in response to legitimate access to information requests: taking reasonable steps to ensure that the agreed level of security for the data is maintained; and that data is deleted in line with the policy; and
- When establishing any new collection of data (or designing any new format of data collection) that the requirements of this policy are fully met.
Explain the security of our IT and electronic data.
SDS does not generally keep paper records. Any paper records created to collect data should be transferred onto the database at the earliest opportunity and then the paper record destroyed.
Any paper records judged to be critical to keep will have electronic copies made.
Any paper records will be kept in a locked environment.
All personal data and data key to SOAS detainee support’s operations held in electronic form will be backed up on a regular basis.
Meeting our obligations under the General Data Protection Regulations (2016)
Duties under the Act
The General Data Protection Regulations (GDPR) governs the collection, storage, processing, disclosure and disposal of personal data. Some types of personal data are categorised as special (see Appendix C) and have a tighter set of criteria applied in terms of how they should be processed.
In order to comply with the regulations, SOAS detainee support is required to identify the types of personal data that it holds and to show that, for each type, it has met its obligation namely:
- That it has determined the legal basis for processing the data (see Appendix D)
- That the DP principles (Appendix B) have been met;
- That the data subjects concerned have been properly informed (Appendix E)
- That the data is kept in an appropriately secure environment: and
- That the data is being effectively managed so that it remains accurate and up to date and that it is disposed of when it is no longer required.
In addition to the management of the personal data it processes, the following sections address how SOAS detainee support meets these further requirements:
- The rights of data subjects;
- Subject Access Requests;
- Dealing with data breaches:
- DP by design and DP Impact Assessments
Rights of data subjects
SOAS detainee support, through the Data and Records Management Policy and appropriate training, is committed to ensuring that all staff understand their responsibilities as far as the rights of data subjects are concerned.
Under the GDPR there are a number of specific rights, outlined below, that may be relevant in dealing with data subjects:
1) The right to be informed
There is an expanded list of information that must be provided (see Appendix E). For each set of personal data that is held there must be an agreed method of communicating all of the required information.
2)The right of access
Requests to access personal data should be responded to as soon as possible and within one month at the latest. (See following section 7.4)
3) The right to rectification
As far as possible there should be a process in place that automatically updates any personal data that may have changed. Any data subject will have the right to request a change in any of their personal data if it is not correct. 7.4
4)The right to erasure
This right is dependent on the legal basis for processing the data. Any request for the erasure of data will need to be carefully weighed against the legitimate needs of the organisation. Decisions will be made by the DPO. Any appeal against the DPO’s decision will be considered by the Warden.
5)The right to restrict processing
This right exists in specific circumstances. Again, the right of the data subject will need to be weighed against the legitimate needs of the organisation. The decision making and appeal process will be the same as the right to erasure.
6) The right to object
Data subjects have the right to object to processing which is carried out for the legitimate purposes of SOAS detainee support or for direct marketing. In the case of the first SOAS detainee support can refuse if the needs of the organisation outweigh those of the individual. In the case of the second SOAS detainee support cannot refuse the request.
Subject access requests
Access requests can be made by anyone for whom SOAS detainee support holds personal data.
Requests should be forwarded to the DPO in writing (email is acceptable). The DPO will take reasonable steps to verify that the request has actually come from the data subject concerned.
The DPO will seek to engage with the data subject as to the scope of the request if there is any doubt as to the actual data being requested. SOAS detainee support is committed to providing, wherever possible, the information that is actually required rather than simply relying on the wording of the request.
Requests will be replied to within the statutory period of one month. Where possible the response time will be less than this. In exceptional cases the time limit can be extended by up to two months if it is a multiple and/or very complex request.
Under GDPR the data subject is entitled to be given:
- A copy of all of the records held;
- A description of the data held:
- The reason(s) for the data being processed;
- The origin of the data (if not provided by them);
- Who has been given the data or who may be given it; and
- How long the data is expected to be kept.
Any data subject who is not content with the accuracy or completeness of the response to their request for information has the right to complain to the coordinators within 10 working days of receipt of the response to their original request.
If the data subject is not satisfied with the response from the coordinators then they will be advised of their right to complain to the Information Commissioner’s Office.
Dealing with data breaches
What is a data breach?
A data breach is defined as a security incident that has affected the confidentiality, integrity or availability of personal data. There will be a breach whenever personal data is lost, destroyed, corrupted or disclosed: if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and that unavailability has a significant negative effect on the individual.
Seeing the data is sufficient to warrant the unauthorised access being defined as a breach. However, it is also likely to include the ability for someone to corrupt the data, i.e. to amend or delete it and/or to copy it. In order to be a reportable breach, the unauthorised access only has to take place and there is no requirement for it to actually be used for any damaging purpose.
What data breaches should be reported?
Any data held by SOAS detainee support that is breached should be reported to the nominated director as soon as it is reasonably possible to do so. Preferably this should be done by email or alternatively by telephone.
All staff have a responsibility to report data breaches as soon as they become aware of them.
The responsible director will report the breach to the ICO within 72 hours of being notified of it if the breach is judged to represent any risk to the rights and freedoms of the data subjects. Any breach involving encrypted data does not need to be reported to the ICO. Any breach of unencrypted special data must be reported to the ICO regardless of the risk that it is considered to present to the rights and freedoms of the data subjects.
During office hours the report will usually be done using the ICO’s DPA security breaches helpline [0303 123 1113, option 3]
Out of office hours the report will be made using the ICO’s security breach notification form (link below) and emailed to firstname.lastname@example.org
https://ico.org.uk/media/for- organisations/documents/2666/security breach notification form.doc
Our response to a data breach
In the event of a data breach the responsible director will:
- Undertake a risk assessment of the potential damage arising from the identified breach;
- Notify the data subjects concerned, as soon as reasonably possible, if there is considered to be a significant risk to their rights and freedoms, offering advice as to how the individual might protect themselves, where appropriate, and setting out how SOAS detainee support is responding;
- Take all reasonable steps to prevent the breach re-occurring;
- Take all reasonable steps to recover and/or correct the data that has been breached.
DP by design and DP impact assessments
DP by design is the commitment to make DP considerations an integral part of any organisational activity that might have implications for the way that personal data is processed,
For example, a project to develop a new IT system or the introduction of a new service would have DP issues addressed throughout the course of the project, rather than an after-thought at the end. SOAS detainee support has agreed to this commitment in order to help ensure that it continues to meet its obligations under GDPR and any future changes to DP legislation.
One of the key tools for ensuring that DP is built in to the culture of SOAS detainee support will be the use of DP Impact Assessments (DPIA). These are, in effect, risk assessments on the potential impact on DP of the change(s) being considered.
The main aims of records management are as follows:
- To protect the interests of SOAS detainee support, its staff, visitors, members, directors and people visited or supported through the maintenance of high quality information
- To comply with statutory and regulatory requirements
- To ensure accessibility where appropriate but also sufficient security to prevent unauthorised access;
- To provide evidence in any cases of litigation
The responsibilities and rights of all staff relating to the collection, retention and use of records will be regularly communicated to all staff and will be part of the induction programme for all new staff.
This policy will be available to all members, staff and people being supported by SDS via the organisational website.
The minimum periods of retention of different types of records is set out in Appendix F.
General guidance on records management
Records should be completed as soon as possible after the event to which they refer.
Records should be, as far as it is reasonably possible to make them, complete, authentic, reliable and in a usable format.
All records should be clearly identified by who entered them.
All records should be stored in such a way as to enable appropriate access. This includes a required level of security where records contain anything other than publicly available information.
Types of data and guidelines on handling it [not including detainee data]:
|Type of Data||Guidelines on Handling||Length of retention and explanation||Basis for processing||Who handles this data|
|Data on directors||This data should be kept in the database, with the consent of the directors.||The data will be retained for five years after a given director leaves the board.||Legitimate interests||Coordinators Directors Treasurers|
|Data on visitors||This data should be kept on the database. Visitors give their consent to have their data held when they register as a member/visitor with SDS. Email addresses will also be held on the riseup mailing list.||Those who have visited or supported someone will have their data held for 10 years.||Consent||Coordinators|
|Data on members (not active in visiting)||This data should be kept on the database. Member give their consent to have their data held when they register as a member/visitor with SDS. Email addresses will also be held on the riseup mailing list.||For those who have not visited, data will be held for 5? years after the last time that an individual engaged with SDS. This could be through responsing to an email, attending an event or meeting, or donating to SDS.||Consent||Coordinators|
|Data on people interested in SDS, or attending events.||From time to time SDS holds stalls, events and trainings which attract people who want to know more, but have not registered as a visitor or member. Where this information is kept on paper, it should be transferred to the database as soon as possible and the paper copied destroyed. Where this information is collected through a third party (e.g. eventbrite) it should be transferred to the database as soon as possible and any downloaded copies deleted.||For those who ask to find out more we will send an initial email asking them to register as a member/visitor. At that point they will give consent for their data to be held as per the member/visitor guidelines . Following this initial email, the original list should be destroyed.||Legitimate interests||Coordinators, members running events|
|Data on individual financial donors||This data will be held on the database. Donors will consent to being contacted by us following their donation.||We will keep the data of donors for 5? years after they last engaged with SDS. This could be through responsing to an email, attending an event or meeting, or donating to SDS.||Consent||Treasurers|
|Emails||Anyone who emails SDS shares their email address with us, and may share other data within that email. In relation to data about detainees received over email see below.||We keep emails for 10 years after which point they will be permanently erased.||Legitimate interests.||Coordinators|
Types of data and guidelines on handling it [detainee data]:
|Type of Data||Guidelines on Handling||Length of retention and explanation||Basis for processing||Who handles this data|
|Database||In every circumstance data about detainees, or other people we support, should be entered onto the database at the earliest possible opportunity and other records destroyed. It is important that records entered into the database are clear, complete and marked by who entered it.||We will hold detainee data for ten years. This is the longest period in which it it possible to make a claim of unlawful detention, and we consider it out responsibility to keep those records accessible for that purpose.||Consent.||Visitors Coordinators.|
|Emails||To whatever extent possible personal data about detainees should not be passed over email, but should be entered directly into the database. However, it may sometimes be necessary to pass information over email either between coordinators and visitors, or between SDS and external organisations. All emails and their responses remain in our inbox, but when a case closes the coordinator should archive the relevant emails in the database and then delete them from the inbox.|
The visitor should also delete all emails related to the case when the case closes. However, we also have a large history of emails which will not be able to be moved to the database.
|Emails will be kept for 10 years for the same reason stated above, however for security from August 2019 emails related to casework will be archived on the database and deleted from the inbox.||Legitimate interests.||Coordinators|
|Faxes to email||Where visitors or coordinators receive faxes from detention into the email account these should be uploaded to the database as soon as possible and deleted from email accounts and personal computers if they have been downloaded.||Faxes including personal data should be kept in email or on personal devices for the minimal possible time. Once uploaded to the database these records will be kept for ten years.||Consent||Coordinators Visitors|
|Paper records||It is rare for SDS to deal with any paper records. |
In the case that SDS does deal with any paper records originals should be kept in a locked environment accessible to coordinators only, and an electronic copy should be made to the database.
|Ten years, as above.||Consent||Coordinators Visitors|
|Notes on paper||Sometimes coordinators or visitors may need to take notes on paper relating to someone’s case or personal details. These should be transferred to the database at the earliest possible opportunity and then destroyed. If notes are being taken on paper, they should be kept in a clear accessible place (e.g. in a designated folder, not just in a pocket).||Destroy asap.||Legitimate interests||Coordinators Visitors|
|Notes or documents on computers, tablets, phones or other electronic devices.||In every possible circumstance notes should be made directly into the database. However, if notes are taken on computer these should be transferred to the database and the original deleted at the earliest opportunity. Visitors MUST NOT retain data relating to the cases or personal details of detainees on personal devices for more that the time it takes them to access the database and transfer this information.||Delete asap.||Legitimate interests.||Coordinators Visitors|
|Documents viewed on google drive||Must be transferred to the database at the earliest opportunity and then permanently deleted from google drive.||Delete asap||Legitimate interest||Coordinators|
SDS does not hold a paper archive.
All electronic data should be stored in such a way that it is clear on what date that data should be disposed of.
All physical records will be disposed of using an appropriate service provider with a certifiable document disposal process.
All electronic records to be disposed of will be erased in such a way as to minimise the risk of them being reconstructed.
Glossary of terms
General Data Protection Regulations (referred to as GDPR): The rules that update the original 1988 Data Protection legislation, effective 25 May 2018.
Personal data: Any information that refers to an identifiable, living person that is held in a structured format.
Special data: Particular personal data for example information about race or ethnicity (see Appendix C for full list)
Data subject: An individual to which the data refers.
Data Controller/Owner:The person responsible for managing the data.
Data Processor: A person or organisation responsible for processing data.
Processing data: The organisation, adaption or alteration of data. The retrieval of, consultation with or use of data. The disclosure or dissemination of data.
The alignment, combination and/or erasure of data.
Privacy notice: The statement made by the Data Controller to the Data Subject explaining that their personal data is being held and all of the relevant information about this that they have the right to know.
Subject Access Request: A request made by a Data Subject to be given copies of all of their personal data held and certain information about its use.
Data Protection Impact Assessmen:
This is a risk assessment of the likely impact on personal data from any changes, such as changes to processes, adopting new technology or the introduction of a new activity.
Data breach: When a security incident occurs that affects the confidentiality, integrity or availability of personal data.
Data Protection by design: This is the commitment to always consider the impact on DP whenever a policy or process is amended.
The Data Protection General Principles under GDPR
The following principles apply to the processing of all personal and special data:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes:
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including
protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
[Note — The above is taken directly from the ICO website]
What is ‘special’ personal data?
Special personal data is personal data that refers to data in one, or more, of the following categories:
- Racial and/or ethnic origin;
- Political opinions;
- Religious or other beliefs of a similar nature;
- Membership of a trade union;
- Physical or mental health or condition;
- Sexual life;
- The commission of or alleged commission, of, any criminal offence; or
- Proceedings related to the commission, or alleged commission, of,any criminal offence, the outcome of such proceedings or the sentence of any court in such proceedings.
There are additional criteria that apply when considering the processing of special data. (See Appendix D) Appendix D
The legal basis for holding personal data
For each type of personal data held there must be one of the following legitimate legal basis for processing that data:
Consent of the data subject
Processing is necessary for the performance of a contract with the data subject (or to take steps to enter in to a contract with the data subject)
Processing is necessary for compliance with a legal obligation Processing is necessary to protect the vital interests of the data subject (or another person)
Processing is necessary to fulfil the legitimate purposes of the data controller (or a third party), except where such interests are overridden by the interests, rights or freedoms of the data subject
For each type of special personal data held there must be one of the following legitimate legal basis for processing that data:
Explicit consent of the data subject (unless reliance is prohibited by law)
Processing is necessary for carrying out obligations under employment, social security or social protection law or a collective agreement
Processing is necessary to protect the vital interests of the data subject (or another) where the individual physically/legally cannot give consent
Processing is carried out by a not-for-profit body with a political, philosophical, religious or trade union aim, providing that the processing relates only to members (or former members or those who have regular contact with it in connection with its purposes) and provided that there is no disclosure to a third party without consent
Processing relates to data clearly made public by the data subject Processing is related to a legal claim or where courts are acting in their judicial capacity
Processing is necessary for reasons of substantial public interest based in law which is proportionate to the aim pursued and which contain appropriate safeguards
Processing is necessary of preventative or occupational medicine; for assessing the working capacity of an employee; medical diagnosis; the provision of health or social care treatment (or the management of lawful health or social care systems; or a contract with a health professional Processing is necessary for reasons of public health
Processing is necessary for archiving in the public interest, or scientific and historical research or for statistical purposes (as defined by Article 89(1)) What we need to tell data subjects in our privacy notices