A common sense guide to the Data Protection Act 1998 for volunteers

Why is it necessary?

The Data Protection Act 1998 is a law introduced to control the way information held about individuals is handled and to give legal rights to people who have information stored about them. This need not be particularly sensitive information, and can be as little as a name and address. This guidance refers to all personal information, whether it is stored electronically or in hard copy/paper systems.

There can be serious consequences for breaching data protection. This can be a financial penalty, as well as the risk of damage to your branch, group or the Association's reputation. If you would like a copy of the Data Protection Policy, which fully explains the Act, please contact the branch and group support and information line (details at the end of the guide).

It is clear we must ensure we are storing personal information carefully, and this guidance explains what branches, groups and other volunteers need to do to ensure they are not at risk of breaching the Act.

Data Protection Act Principles:

There are eight data protection principles. These specify that personal data must be:

1. Processed lawfully and fairly
2. Obtained for specified and lawful purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept any longer than necessary
6. Processed in accordance with the ‘data subject’s’ (the individual's) rights
7. Securely kept
8. Not transferred to any other country without adequate protections in situ

So what does this mean in practice, and how can you ensure you are complying with the law and protecting the rights of the people we support? By adhering to the following practices, you can be sure you will be acting in accordance with the principles outlined.

Collecting and storing information:

The Data Protection Act refers to information about a living person that allows them to be identified and is kept in any type of filing system.
This includes names, addresses, telephone numbers and email addresses, whether they are stored on a computer or in any manual system you may use.

Think about the sort of information you may hold:

- Databases
- Lists where people living with MND are included
- Mailing lists
- Requests for funding
- Volunteer records
- Referral forms
- Correspondence files
- Email address books
- Booking application forms
- Invoices

If you can say yes to any of the above, you will be covered by the Act and have to take steps to safeguard personal information in your care. This is classified as “personal data”.

Information is classed as “sensitive” if it includes:

- Racial or ethnic origins
- Religious beliefs
- Physical or mental health

None of this must be shared without the express consent of the person.

You might find you are handling these very well, but you may find you need to change or add to some of the things you do. Any information you collect must be for a specific purpose and mustn’t be used for anything else, so to avoid duplication, check in your branch or group what information you keep and who is keeping it.

Consent:

If you are keeping personal or sensitive information on anyone, you must let them know you are doing so and why you need to. They have a right to say you may not have their information, or not to receive information from you.

The Association will always try to get permission to keep someone’s personal details, and where these are sensitive (usually relating to health) then we must try to get explicit consent either in writing or verbally. We will do this prior to sharing information with you, or Association Visitors may do this when they first contact someone with MND.

Recording:

The Act states that information should be ‘adequate, relevant and not excessive’. Ask yourself: Do you really need to know this information? For example, do you need to know family history?
At branch or group meetings, how much information do you really need to know, and why, when you are looking at funding applications? Consider how you would feel if sensitive personal information was shared.

Be really clear about why you want this information and for whose benefit it is. If it is not relevant to supporting people with MND, then you should not be collecting it.

Consider these best practice points when you are recording information:

- Summarise the main points of a discussion
- Complete immediately or as soon as is practical after a meeting
- Differentiate between fact and fiction
- Write clearly in terms that are easily understood
- Avoid using jargon and abbreviations
- Avoid words that are emotive or could be misinterpreted
- Avoid using ‘clearly’ or ‘obviously’ if this reflects a personal opinion
- Avoid keeping duplicate information

Security and confidentiality:

We are in a position of trust with the information we have, and therefore we must ensure that this trust is not misplaced in us. It is important that you make sure that the information you keep is safe from other people seeing it, and that it doesn’t get lost, damaged or destroyed.

Putting it into practice:

- Make sure everyone in your branch or group knows their responsibilities
- Use your funds to buy a small lockable filing cabinet
- Password protect emails (see Good Practice at the end of this document)
- Use up to date anti-virus software
- If you are taking information to a meeting by car, make sure it is kept in the boot and the car is locked when you leave it
- Don’t leave information on tables, and turn off computer screens when it is possible other family members or visitors can see the information
- Avoid using identifying names or other information in minutes or newsletters unless you have permission
- Don’t pass details to other organisations or individuals without permission
- If you no longer need the information, destroy it (see disposal of information)

Access to information

In practice, a person you have information on has the right to see it. If someone makes a request to see the information you have about them, you have to:

- Tell them what information you have about them
- Tell them why you have the information and who it may be shared with
- Supply them with a copy of all the actual information
- Say where you got the information from

If you get a request asking to see what information you are holding about a person, you must ensure the following:

- The request is in writing (fax or email is acceptable)
- You reply promptly and within a maximum of 40 calendar days
- You give the information to the right person - check their identity
- If a third party requests information (solicitor or next of kin) you check that:
  - they are properly authorised to do so
  - they are acting in the interest of the individual
  - get written authorisation

Sharing information

From time to time we may need to share this information with other people or organisations, either to provide the service or to ensure individuals receive the service most suited to their needs and care.

In May 2011 a Data Sharing Code of Practice was published by the Information Commissioner's Office, which said:

“People now have an expectation that, where appropriate and necessary, their personal details may be shared.” – Christopher Graham, Information Commissioner

This supports increased transparency with information within the Association, as long as the minimum amount of information is shared with as few people as possible, and only if it supports the care of people with MND and their families. We should never do anything that might cause risk or harm through the sharing of information. We must have consent to store and share personal information and have processes in place to capture this wherever possible.

For example, you may hear at an AGM of challenges for people with MND in your area not receiving social care as would be expected. You may ask the individual if you can share this information with your RCDA or MND Connect, as this could support future campaigning.

Another example may be that you receive the names of people with MND in your area from national office; this will enable you to consider branch planning and possible fundraising. This of course does not mean their full information can be shared at meetings; however, it means the branch contact has the information and the individual's initials can be their identification.

Remember – it is not your information, it is the person with MND's, and it should be shared with as few people as possible in order to provide the best care and support.

Good practice when sharing information – including by email

You will all be aware of the need for confidentiality, and the Association expects all its staff and volunteers to be aware of what this means to them. In order to protect information, we need to ensure our processes for sharing are carefully considered, and this would include information in newsletters, minutes and websites, as well as branch listings.

Remember the following:

- Lists of people's personal details should only be shared on a “need to know” basis
- Anything with personal information in should be sent marked “Private and Confidential” and anything that has sensitive information contained in it should be sent recorded delivery
- All personal computers should have password protection to ensure only the volunteer working with the Association can access the data, not family or friends
- Any information kept on a memory stick / computer disc must be encrypted
- When sharing information with colleagues on home PCs, all sensitive information should be put in a Word document and then attached as a password protected document – you will need to agree on a password and share this with the people you are corresponding with. Please refer to the Help Documentation supplied with your application on how to password protect a document

To password protect a document: go into Tools in Word, then select Protect Document. This brings up a password box where you enter the selected password to open the document.

It is also good practice to include a disclaimer at the end of all messages sent on branch or group business. This alerts the receiver that they should delete the message if it’s not for them. The one we have as standard for all outgoing messages from the Association, which you could copy, is as follows:

The information contained in this email message, and any files transmitted with it, are confidential, and intended solely for the use of the individual or organisation to whom they are addressed. If you are not the intended recipient, please note that any disclosure, distribution or copying of the email is strictly prohibited. If you have received this email in error, please notify the MND Association via email at postmaster@mndassociation.org and delete the message from your system. Thank you for your cooperation.
The opinions expressed in this message are those of the individual and are not necessarily the official opinions of the MND Association. The MND Association cannot be held responsible for any advice provided in this message and is not liable for any damages caused by the recipient’s reliance on the content.

Motor Neurone Disease Association, Registered in England Company Limited by Guarantee No 2007023. Registered Charity Number 294354

Disposal of information

Once you no longer need the information you have, special care needs to be taken when destroying it to ensure that it cannot be read or used by anyone else. There is also a duty under statute to keep certain information for a defined length of time:

- Minutes and other correspondence for three years
- Financial records and related correspondence must be kept for seven years
- Sensitive personal information must be kept for 10 years

For paper based information, your branch or group could use funds to buy a shredder and appoint one person to be responsible for destroying these, or set up a rota for this task.

To remove information from a computer, special discs can be purchased which completely remove the information. Deleting data not only secures privacy but helps make the computer run better, saves storage space and, most importantly, makes sure you are in control of what’s seen and what’s not.

And finally, if you have any questions or queries, please get in touch with the branch and group support and information line.

Branch and Group queries: 0845 6044 150 or volunteering@mndassociation.org

This information sheet has been produced for use by volunteers of the MND Association. If you are external to the Association and wish to use or reproduce all or parts of the document, please contact the Volunteering Team on 0845 6044 150 or email volunteering@mndassociation.org

Registered Charity No. 294354. Registered address: Motor Neurone Disease Association, PO Box 246, Northampton, NN1 2PR

Last updated – December 2011