A common sense guide to the Data Protection Act

A common sense guide to the Data Protection Act 1998 for volunteers
Why is it necessary?
The Data Protection Act 1998 is a law introduced to control the way information
held about individuals is handled and to give legal rights to people who have
information stored about them. This need not be particularly sensitive
information, and can be as little as a name and address. This guidance refers to
all personal information whether it is stored electronically or in hard copy/paper
systems.
There can be serious consequences for breaching data protection. This can be a
financial penalty, as well as the risk of damage to your branch, group or the
Association's reputation. If you would like a copy of the Data Protection Policy
which fully explains the Act, please contact the branch and group support and
information line (details at the end of the guide).
It is clear we must ensure we are storing personal information carefully and this
guidance explains what branches, groups and other volunteers need to do to
ensure they are not at risk of breaching the Act.
Data Protection Act Principles:
There are eight data protection principles. These specify that personal data must
be:
1. Processed lawfully and fairly
2. Obtained for specified and lawful purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept any longer than necessary
6. Processed in accordance with the ‘data subject’s’ (the individual’s) rights
7. Securely kept
8. Not transferred to any other country without adequate protections in situ
So what does this mean in practice and how can you ensure you are complying
with the law and protecting the rights of the people we support? By adhering to
the following practices, you can be sure you will be acting in accordance with the
principles outlined.
Collecting and storing information:
The Data Protection Act refers to information about a living person that allows
them to be identified and is kept in any type of filing system. This includes
names, addresses, telephone numbers and email addresses, whether they are
stored on a computer or in any manual system you may use.
Think about the sort of information you may hold:
• Databases
• Lists where people living with MND are included
• Mailing lists
• Requests for funding
• Volunteer records
• Referral forms
• Correspondence files
• Email address books
• Booking application forms
• Invoices
If you can say yes to any of the above, you will be covered by the Act and have to
take steps to safeguard personal information in your care. This is classified as
“personal data”.
Information is classed as “sensitive” if it includes:
• Racial or ethnic origins
• Religious beliefs
• Physical or mental health
None of this must be shared without the express consent of the person.
You might find you are handling these very well, but you may find you need to
change or add to some of the things you do.
Any information you collect must be for a specific purpose and mustn’t be used
for anything else, so to avoid duplication, check in your branch or group what
information you keep and who is keeping it.
Consent:
If you are keeping personal or sensitive information on anyone - you must let
them know you are doing so and why you need to. They have a right to say you
may not have their information, or not to receive information from you. The
Association will always try to get permission to keep someone’s personal details,
and where these are sensitive (usually relating to health) then we must try to get
explicit consent either in writing or verbally. We will do this prior to sharing
information with you, or Association Visitors may do this when they first contact
someone with MND.
Recording:
The Act states that information should be ‘adequate, relevant and not
excessive’. Ask yourself: Do you really need to know this information? For
example, do you need to know family history? At branch or group meetings, how
much information do you really need to know, and why, when you are looking at
funding applications? Consider how you would feel if sensitive personal
information was shared.
Be really clear about why you want this information and for whose benefit it is. If it
is not relevant to supporting people with MND, then you should not be collecting
it.
Consider these best practice points when you are recording information:
• Summarise the main points of a discussion
• Complete immediately or as soon as is practical after a meeting
• Differentiate between fact and fiction
• Write clearly in terms that are easily understood
• Avoid using jargon and abbreviations
• Avoid words that are emotive or could be misinterpreted
• Avoid using ‘clearly’ or ‘obviously’ if this reflects a personal opinion
• Avoid keeping duplicate information
Security and confidentiality:
We are in a position of trust with the information we have and therefore we must
ensure that this trust is not misplaced in us.
It is important that you make sure that the information you keep is safe from other
people seeing it, and that it doesn’t get lost, damaged or destroyed.
Putting it into practice:
• Make sure everyone in your branch or group knows their responsibilities
• Use your funds to buy a small lockable filing cabinet
• Password protect emails (see Good Practice at the end of this document)
• Use up to date anti-virus software
• If you are taking information to a meeting by car make sure it is kept in the
  boot and the car locked when you leave it
• Don’t leave information on tables, and turn off computer screens when it is
  possible other family members or visitors can see the information
• Avoid using identifying names, or other information in minutes or
  newsletters unless you have permission
• Don’t pass details to other organisations or individuals without permission
• If you no longer need the information, destroy it (see disposal of
  information)
Access to information
In practice, a person you have information on has the right to see it. If someone
makes a request to see the information you have about them you have to:
• Tell them what information you have about them
• Why you have the information and who it may be shared with
• Supply them with a copy of all the actual information
• Say where you got the information from
If you get a request asking to see what information you are holding about a
person you must ensure the following:
• The request is in writing (fax or email is acceptable)
• You reply promptly and within a maximum of 40 calendar days
• You give the information to the right person - check their identity
• If a third party requests information (solicitor or next of kin) you check that:
  - they are properly authorised to do so
  - they are acting in the interest of the individual
  - you have written authorisation
Sharing information
From time to time we may need to share this information with other people or
organisations to either provide or ensure individuals receive the service most
suited to their needs and care. In May 2011 a Data Sharing Code of Practice was
published by the Information Commissioner's Office, which said:
“People now have an expectation that, where appropriate and necessary, their
personal details may be shared.” – Christopher Graham, Information
Commissioner
This supports increased transparency with information within the Association as
long as the minimum amount of information is shared with as few people as
possible, and only if it supports the care of people with MND and their families. We should
never do anything that might cause risk or harm through the sharing of
information.
We must have consent to store and share personal information and have
processes in place to capture this wherever possible.
For example, you may hear at an AGM of challenges for people with MND in your
area not receiving social care as would be expected. You may ask the individual if
you can share this information with your RCDA or MND Connect as this could
support future campaigning.
Another example may be that you receive the names of people with MND in your
area from national office. This will enable you to consider branch planning and
possible fundraising. This of course does not mean their full information can be
shared at meetings; however, it means the branch contact has the information and
the individual’s initials can be their identification. Remember – it is not your
information, it is the person with MND’s, and it should be shared with as few
people as possible in order to provide the best care and support.
Good practice when sharing information – including by email
You will all be aware of the need for confidentiality, and the Association expects
all its staff and volunteers to be aware of what this means to them. In order to
ensure we protect information, we need to ensure our processes for sharing are
carefully considered, and this would include information in newsletters, minutes,
websites as well as branch listings.
Remember the following:
• Lists of people’s personal details should only be shared on a “need to know”
  basis
• Anything with personal information in should be sent marked “Private and
  Confidential” and anything that has sensitive information contained in it should
  be sent recorded delivery
• All personal computers should have password protection to ensure only the
  volunteer working with the Association can access the data, not family or
  friends
• Any information kept on a memory stick / computer disc must be encrypted
• When sharing information with colleagues on home PCs all sensitive
  information should be put in a Word document and then attached as a
  password protected document – you will need to agree on a password and
  share this with the people you are corresponding with. Please refer to the
  Help Documentation supplied with your application on how to password
  protect a document
To password protect a document:
• go into Tools in Word
• then select Protect Document
• This brings up a password box where you enter the selected password to
  open the document.
It is also good practice to include a disclaimer at the end of all messages sent on
branch or group business. This alerts the receiver that they should delete it if it’s
not for them. The one we have as standard for all outgoing messages from the
Association, which you could copy, is as follows:
The information contained in this email message, and any files transmitted
with it, are confidential, and intended solely for the use of the individual or
organisation to whom they are addressed. If you are not the intended
recipient, please note that any disclosure, distribution or copying of the
email is strictly prohibited. If you have received this email in error, please
notify the MND Association via email at postmaster@mndassociation.org
and delete the message from your system. Thank you for your cooperation.
The opinions expressed in this message are those of the individual and are
not necessarily the official opinions of the MND Association. The MND
Association cannot be held responsible for any advice provided in this
message and is not liable for any damages caused by the recipient’s
reliance on the content.
Motor Neurone Disease Association, Registered in England Company
Limited by Guarantee No 2007023. Registered Charity Number 294354
Disposal of information
Once you no longer need the information you have, special care needs to be
taken when destroying it to ensure that it cannot be read or used by anyone else.
There is also a duty under statute to keep certain information for a defined length
of time:
• Minutes and other correspondence for three years
• Financial records and related correspondence must be kept for seven years
• Sensitive personal information must be kept for 10 years
For paper based information your branch or group could use funds to buy a
shredder and appoint one person to be responsible for destroying these, or set up
a rota for this task.
To remove information from a computer, special discs can be purchased which
completely remove the information. Deleting data not only secures privacy but
helps make the computer run better, saves storage space and most importantly,
makes sure you are in control of what’s seen and what’s not.
And finally, if you have any questions or queries please get in touch with the
branch and group support and information line on
Branch and Group queries: 0845 6044 150 or volunteering@mndassociation.org
This information sheet has been produced for use by volunteers of the
MND Association. If you are external to the Association and wish to use or
re-produce all or parts of the document, please contact the Volunteering
Team on 0845 6044 150 or email volunteering@mndassociation.org
Registered Charity No. 294354.
Registered address: Motor Neurone Disease Association, PO Box 246,
Northampton, NN1 2PR
Last updated – December 2011