Data Protection Policy Feb15

Data Protection Policy
Introduction
Calderdale Carers Project is fully committed to compliance with the requirements of the Data
Protection Act 1998 (“the Act”), which came into force on the 1st March 2000. In addition, we
are committed to adhering to the Caldicott Standards. We will therefore follow procedures that
aim to ensure that all employees, trustees, volunteers and subcontracted individuals, who
have access to any personal data held by or on behalf of the Calderdale Carers Project, are
fully aware of and abide by their duties and responsibilities under the Act.
Statement of policy
In order to operate efficiently, Calderdale Carers Project has to collect and use information
about people with whom it works. These may include members of the public, current, past
and prospective employees, clients and customers, and suppliers. In addition, it may be
required by contract or law to collect and use information. This personal information must be
handled and dealt with properly, however it is collected, recorded and used, and whether it be
on paper, in computer records or recorded by any other means, and there are safeguards
within the Act to ensure this.
We regard the lawful and correct treatment of personal information as very important to
successful operation and to maintaining confidence between us and those with whom we
carry out business. We will ensure that we treat personal information lawfully and correctly.
To this end the Calderdale Carers Project fully endorses and adheres to the Principles of
Data Protection as set out in the Data Protection Act 1998 and the Caldicott Standards.
The principles of data protection
The Act stipulates that anyone processing personal data must comply with Eight Principles
of good practice. These Principles are legally enforceable.
The Principles require that personal information:
1. Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met.
2. Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
4. Shall be accurate and, where necessary, kept up to date.
5. Shall not be kept for longer than is necessary for that purpose or those purposes.
6. Shall be processed in accordance with the rights of data subjects under the Act.
7. Shall be kept secure; i.e. protected by an appropriate degree of security.
8. Shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection.
Data Protection Policy
1
February 2015
The Act provides conditions for the processing of any personal data. It also makes a
distinction between personal data and “sensitive” personal data.
Personal data is defined as data relating to a living individual who can be identified from:
 That data.
 That data and other information which is in the possession of, or is likely to come into the
possession of, the data controller and includes an expression of opinion about the
individual and any indication of the intentions of the data controller, or any other person
in respect of the individual.
Sensitive personal data is defined as personal data consisting of information as to:
 Racial or ethnic origin.
 Political opinion.
 Religious or other beliefs.
 Trade union membership.
 Physical or mental health or condition.
 Sexual life.
 Criminal proceedings or convictions.
Handling of personal/sensitive information
Calderdale Carers Project will, through appropriate management and the use of strict criteria
and controls:
 Observe fully conditions regarding the fair collection and use of personal information.
 Meet its legal obligations to specify the purpose for which information is used.
 Collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any contractual or legal requirements.
 Ensure the quality of information used.
 Apply strict checks to determine the length of time information is held.
 Take appropriate technical and organisational security measures to safeguard personal information.
 Ensure that personal information is not transferred abroad without suitable safeguards.
 Ensure that the rights of people about whom the information is held can be fully exercised under the Act.
These include:
 The right to be informed that processing is being undertaken.
 The right of access to one's personal information within the statutory 40 days.
 The right to prevent processing in certain circumstances.
 The right to correct, rectify, block or erase information regarded as wrong information.
In addition, Calderdale Carers Project will ensure that:
 There is someone with specific responsibility for data protection in the organisation. This will be the Chief Officer for overall responsibility, with the Operations Manager having day to day responsibility.
 Everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice.
 Everyone managing and handling personal information is appropriately trained to do so.
 Everyone managing and handling personal information is appropriately supervised.
 Anyone wanting to make enquiries about handling personal information, whether a member of staff or a member of the public, knows what to do.
 Queries about handling personal information are promptly and courteously dealt with.
 Methods of handling personal information are regularly assessed and evaluated.
 Performance with handling personal information is regularly assessed and evaluated.
 Any data sharing is carried out under a written agreement, setting out the scope and limits of the sharing. Any disclosure of personal data will be in compliance with approved procedures.
All Trustees are to be made fully aware of this policy and of their duties and responsibilities
under the Act.
All staff will take steps to ensure that personal data is kept secure at all times against
unauthorised or unlawful loss or disclosure and in particular will ensure that:
 Paper files and other records or documents containing personal/sensitive data are kept in a secure environment.
 Personal data held on computers and computer systems is protected by the use of secure passwords, which where possible are changed periodically.
 Individual passwords should be such that they are not easily compromised.
All contractors, consultants, partners or other servants or agents of the Calderdale Carers
Project must:
 Ensure that they and all of their staff who have access to personal data held or processed for or on behalf of the Calderdale Carers Project are aware of this policy and are fully trained in and are aware of their duties and responsibilities under the Act. Any breach of any provision of the Act will be deemed as being a breach of any contract between the council and that individual, company, partner or firm;
 Indemnify the Calderdale Carers Project against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation.
All contractors who are users of personal information supplied by the Calderdale Carers
Project will be required to confirm that they will abide by the requirements of the Act with
regard to information supplied to us.
Where a contractor is providing a care service on our behalf they must be registered as a
provider to Calderdale Health and Social Care. This will be accepted as proof that they are
Data Protection compliant.
Implementation
The Chief Officer, through the Operations Manager, will be responsible for ensuring that this
Policy is implemented. The Chief Officer is the Designated Guardian under Caldicott
Principles. Implementation will normally be led and monitored by the Operations Manager,
who will report to the Chief Officer. They will also have overall responsibility for:
Notification to the Information Commissioner
The Information Commissioner maintains a public register of data controllers. Calderdale
Carers Project is registered as such.
The Data Protection Act 1998 requires every data controller who is processing personal data to notify, and to renew their notification, on an annual basis. Failure to do so is a criminal offence.
To this end the Chief Officer will be responsible for notifying the Information Commissioner on an annual basis.
The Chief Officer will review the Data Protection Register with the Operations Manager
annually, prior to notification to the Information Commissioner.
Any changes to the register must be notified to the Information Commissioner, within 28 days.
_______________________________________
For detailed Protection Operational Procedures see Appendix A.
APPENDIX A
Operational Procedures for staff to ensure Data Protection in accordance with
Caldicott Principles.
Introduction
Data Protection is an important consideration in all aspects of our work. Legislation places
obligations on many aspects of how we process personal data. Those whose data we collect,
process and store have legal rights and protections in respect of this. The legislation applies
to all information that is processed by computer and also to some information held in some
types of paper files.
Calderdale Carers Project is committed to protecting the data it collects, processes and holds and to operating in a fair and lawful manner.
The procedures in place are to be followed to enable all staff to work in a legally compliant way.
Contents:
1. Processing Fairly and Lawfully.
2. Purposes for which we collect and process data.
3. The information we obtain and process.
4. The Accuracy of Information.
5. Retention of Information.
6. Information Subjects' Rights.
7. Security of IT Equipment and Systems.
8. Information processing limited to the UK and European Union.
1. Processing Fairly and Lawfully.
 All information which is IT based must be processed and stored in compliance with the Data Protection Act and Caldicott Principles. This includes information contained in emails and on the shared diary.
 Staff will be provided with training and refresher training in processing data.
 Inputting data using Charity Log is secure and compliant with this section of the Data Protection Act. It is therefore important that Charity Log is used as the prime means of recording information and sharing data about carers, as it is our most secure means of doing this. Staff should not share data about carers other than through this system, except for simple messages with minimal personal details.
 Any questions or requests for further information about processing fairly and lawfully should be addressed to the Chief Officer or the Operations Manager.
2. Purposes for which we collect and process data.
 We collect, process and retain data about carers and professionals for various purposes, to enable us to provide a quality personal service to them.
 We also collect, process and retain data to fulfil our contractual obligations to our funders.
 The areas where we process data about an individual shall be limited to those where we require the information in order to provide them with a service, or act within the terms of our contracts. These are the fields on our Charity Log database.
Purposes for which we process data with the consent of the individual concerned include:
For Staff:
 To assess their application for employment.
 To address Health and Safety Issues and record accidents, near misses and investigations.
 To facilitate and record management decisions and actions.
 As part of our strategic and operational plans.
 To detect fraud.
 To market our services.
 As part of any funding application, tender or similar and to claim funding in respect of these and produce reports.
 Generally to carry out administration of the employment relationship, so that we may properly carry out our duties, rights and obligations to the employee. Such processing will principally be for HR, training, administrative, regulatory, insurance, pension and payroll purposes.
For Carers & Former Carers:
 To enable us to provide information, support and case working.
 To enable us to target specific information to specific 'types' of carer, for example of a particular age group, ethnic origin, condition of their cared for, or gender.
 To enable us to report in an anonymous format on trends and statistics to our funders and GPs.
 To enable us to process our services including, but not limited to, Newsletter, Mail Outs, Back Up Plans, Sitters and Transport and Targeted Support Grants.
 To enable us to carry out carer consultation and engagement work and feedback results in an anonymous statistical or narrative report.
 Any other purpose reasonably required to enable us to provide a person centred service to individuals.
For Cared For:
 To enable us to provide a Back Up Plan Service.
 To enable us to refer to an agency to provide a sitting service.
 To enable us to report in an anonymous format on trends and statistics to our funders and GPs.
 We also process anonymous data about the cared for in conjunction with the carers' records (i.e. listed as 'cared for of Name of Carer'; no name of cared for given).
For Other Individuals and Organisations.
 To keep names, organisation, job title and contact details of professionals and organisations.
 To record referrals and contacts with them in their professional capacity only.
For Trustees of the Calderdale Carers Project
 To enable us to keep data relevant to their profile, expertise and work as a Trustee.
 To enable us to complete Charity Commission and Companies House returns.
 To enable us to provide Trustee details for funding applications and tenders.
 To enable us to make records of the governance of the organisation.
 To enable us to provide and record training.
 Any other purpose reasonably required to enable us to record and process information relating to Trustees' performance of that role.
3. The information we obtain and process
For Staff:
 All general personnel information to support the ongoing employment relationship.
 Details of education, qualifications and training attended.
 Bank details for payment of salaries and other expenses.
 Information required within the Grey Fleet and Pool Car policies.
 Information to record the details of a DBS Check (but not a copy of the actual certificate).
 Details of any health problems, sickness absences, reports from Occupational Health or disability assessment services and similar.
 Any statutory or enforcement notices which we receive in respect of their employment, pensions, tax or other financial matters (e.g. attachment of earnings orders).
For Carers and Former Carers
 Name, date of birth, gender, ethnic group and usual contact information.
 Name of GP Practice and, where applicable, main Social Services contact.
 By category, whether they have a disability or long term condition and whether they have any additional needs to be considered in providing a service.
 Basic information by category only about the age and condition of the person(s) they care for. The name of the person cared for will not be recorded without obtaining separate consent.
 Their preferred contact method.
 Employment Status.
 Cared For service user grouping by category.
 Whether they have had a carers needs assessment.
 Copies of Letters sent to them.
 Copies of any Back Up Plan or Carers Needs Fund Awards made.
 Case work notes including details of any referrals made to enable a service to be provided and recorded.
 Records of attendance at any group, activity, course or training attended.
 Details of any complaints raised, their investigation and actions taken.
 Risk Assessment.
For Cared For:
Because of the difficulty in obtaining consent, we do not routinely collect information about
cared for by name, usually restricting this to category and age grouping only. The name of the
cared for may be used in caseworking relationship to enable a personalised service to be
provided in working with the carer or referral for a sitting service to be made. However no
information about the cared for will be processed except as listed below.
With cared for consent, or certification of lack of capacity, we keep information by name:
 To enable a Back Up Plan to be completed and actioned. This plan includes sensitive personal details. An example of a Back Up Plan Document is attached to this policy.
For Other Individuals and Organisations.
 Name, organisation, job title and basic contact details.
 Records of attendance at events hosted by us such as training and meetings and references in minutes.
 Details of conversations and actions on a professional basis within caseworking.
For Trustees of the Calderdale Carers Project
 Name, address, contact details, date of birth.
 Basic CV information.
 Records of attendance at meetings, training and events and minutes of same.
 Information required to process returns to the Charity Commission and Companies House.
 Information required to support funding and tendering applications, and monitor same.
4. The Accuracy of Information
All information recorded or processed will be, to the best of our endeavours, accurate. Usually
information will be collected by the subject of that information having completed a form
supplying it. Where information is collected by telephone for initial registration, a registration
form is then posted out for checking, further completion and signed consent.
Copies of the forms completed for registration, Back Up Planning and Carers Needs Fund
Awards are scanned to PDF and held on our secure database. This ensures that a cross
check of accuracy to input is always possible.
Where information is ongoing, for example details of caseworking visits, attendance at groups and events etc., staff record details of the event on individual records. Whilst every attempt is made to ensure its accuracy, this recording of actions or contacts does not compromise the accuracy of the identifiable personal information recorded about individuals, changes to which are only made with the consent of the data subject.
5. Retention of Information
 In accordance with the requirements of our statutory funders all records are archived for six full financial years from the date of the carer or former carer ceasing to be registered to access our services.
 All records of carers/former carers who are no longer wishing to be registered with our service will be marked as inactive to ensure they do not receive any routine correspondence from us by letter or email.
 At the annual review of our database, all records archived for longer than 6 years will be removed from the system.
 At the annual review of our database, all associated paper records archived for longer than 6 years will be securely shredded.
6. Information Subjects' Rights.
 Any individual about whom we hold personal data has the right to be told that their personal data is being processed and be given a description of the personal data held. This includes:
  The purposes for which it is being processed.
  Who receives personal data.
 Information subjects have a right to expect that their data will be dealt with in accordance with all legislation relating to its use and protection, and in accordance with other relevant legislation, for example the Equality Act.
 Calderdale Carers Project is entitled to require an individual to pay a fee of up to £10 for any request for copies of personal data held; however, it is not our current policy to make such a charge, save in exceptional circumstances (e.g. multiple requests over a short period of time).
 Written requests for a copy of information should be sent to the Operations Manager.
 The request for information will be dealt with promptly and in any event within the 40 day legislative timescale.
 The 40 day timescale begins from the day we receive the request, providing it is submitted in writing, contains sufficient details to allow us to respond and sufficient details to confirm the identity of the person making the request. For security purposes documentary proof of identity will be required.
 Identifiable personal information will not be shared with third parties except where specific consent for this has been signed or is implicit in the service provided. For example, booking of sitters and transport, processing financial payments via online banking, forwarding Back Up Plans and grant applications to Calderdale Health and Social Care. All such organisations have reliable data protection policies in place.
7. Security of IT Equipment and Systems
 All computers used for input or processing data are protected by regularly updated antivirus and firewall.
 No personal data may be transferred to a stand-alone storage device (e.g. USB dongle, CD/DVD) unless that device is protected by password protected encryption.
 The active database will be the sole storage facility for personal information and is held on a secure cloud based system 'Charity Log'.
 All authorised users of Charity Log will be provided with training in its use with particular attention to maintaining security.
 Access to Charity Log is restricted to those who have been authorised to use the system and been issued with the current secure login details for the first layer of secure access.
 All who have access to Charity Log have a second layer of security with personal log in name and confidential password. The system requires periodic changes of password.
 Staff members are instructed that they must log out at the end of each session of access to Charity Log and that failure to do so could lead to a compromise in security which will be regarded as misconduct subject to investigation under disciplinary procedures.
 Charity Log is configured to automatically log out a user if there has been no activity for 60 minutes.
 Use of Charity Log is part of our service continuity plans and therefore it is acknowledged that staff may access it outside of the office. All staff members are aware that in doing so they have a personal responsibility, in law, to ensure they do so with due regard for security. In particular they should use a CCP laptop where possible, or ensure personal computers have up to date antivirus and firewall in place. Logging off is imperative at the end of each session.
 The use of Charity Log ensures that in the event of theft of a computer only minimal identifiable data would be held on the hard drive. For example, information contained in letters, reports and spreadsheets.
Information about Charity Log Security
 Charitylog is accredited to ISO 27001:2013 Information Security Standard and is fully compliant with the Data Protection Act 1998, so you can be sure that your data is safe. They are also accredited to the International Quality Management Standard ISO 9001:2008 and are registered with the Information Commissioner's Office.
 Data held by Charity Log is backed up securely to a remote server and is encrypted to ISO standards.
 All access to Charity Log is via SSL, the standard encryption process which protects data in transmission between the Charity Log server and individual computers.
8. Information processing limited to the UK and European Union.
 No information held by Calderdale Carers Project will be held or processed outside the United Kingdom and European Union.