Data Protection

Context and overview

Malachi Specialist Family Support Services CIC (“Malachi”) needs to gather and use certain personal information about individuals. This can include clients, customers, staff, funders and business colleagues.

All data must be collected, stored and managed in accordance with UK and EU law, and in line with Malachi’s ethos and values. Individuals retain the rights over their own data at all times. Our use of their data must be fair and lawful, and we must be open and honest about what we do with people's data.

All data we process is in accordance with the rules as laid down in statute and Guidance published by the Department for Education, including the General Data Protection Regulations, the Data Protection Act 2018, Keeping Children Safe in Education 2018, the Children Act 1989 and 2004, the Children and Social Work Act 2017, the Children and Families Act 2014, and Working Together to Safeguard Children 2018.

Key principles

  • Individuals retain rights over their data
  • Data should be collected fairly and lawfully and used only in ways that the individual would expect
  • Data should only be kept for as long as is necessary
  • Data integrity and security is paramount
  • Data governance will be actively managed at all levels of the organisation, to minimise risks to both the individual and the organisation
  • All collection and use of data will be open and honest

Why this policy exists

This policy will help ensure that Malachi respects the rights of all individuals whose data it collects, including clients, customers, staff, funders and business colleagues. It encompasses legal responsibilities and best practice. By being open and honest with individuals we will demonstrate that people can trust our organisation and that we handle personal data with integrity. Routine application of these principles will also help protect Malachi from the risk of data breaches and unauthorised access to personal information.

Data Protection Law and Principles

The use of personal data is governed by EU and UK law. This is enhanced and explained by case law and best practice.

In order to comply with the law, personal data must be collected fairly and lawfully. It must be stored safely and managed securely. It must not be disclosed to anyone who does not have authority to see it.

The General Data Protection Regulations (GDPR), enacted into UK law as the Data Protection Act 2018, set out how data should be obtained, stored and handled. These regulations set out six principles that underpin lawful use of data. These provide the foundation for good data governance. These principles are enhanced by a range of powers for individuals to control how their data is processed and stored.

Policy Scope

This policy applies to:

  • All sites within our organisation, and all places where Malachi staff carry out their professional tasks
  • Our front-line staff, support staff, management, and Trustees
  • Contractors, suppliers and anyone working on our behalf

Responsibilities under this policy

Everyone who works with or for Malachi has some responsibility for ensuring that data is handled safely, securely and appropriately.

There are key roles within the organisation that carry specific responsibilities.

The Board of Trustees are the strategic lead body for the organisation. They will bear ultimate responsibility for ensuring that all our legal obligations are met. They will be accountable for any failure to abide by the correct regulations and for any impact that they may have on our ability to provide services to the children and families in our community, and our reputation within the sector.

The Chief Executive Officer and Management Team are the operational lead body for the organisation. They must ensure that all relevant policies and procedures are in place, and that practice follows the policy across all teams and working areas. They will liaise with the Data Protection Officer in the event of any data governance issues that require attention, and will have overall responsibility for setting an appropriate tone of respect for personal data within the organisation.

The Data Protection Officer has a key role to play in providing expert advice and guidance to the Board and the Senior Leadership Team. It is their responsibility to update senior management and the Board about Data Protection issues, and update policies and procedures in accordance with an agreed schedule and following legislative and best practice updates. They will oversee training and guidance for all staff, and be responsible for liaison with 3rd party suppliers, contractors and partners if they handle personal data. They will also oversee any Subject Access Requests, and handle the response to any data breaches, including being the point of contact for the public and notifying the ICO where necessary.

The IT Manager is responsible for ensuring the physical and virtual integrity of IT data storage services, systems and equipment. They will ensure all IT security meets acceptable professional standards, appropriate to the needs of the organisation, and that access to all electronic systems, databases or files is managed in accordance with the relevant polices. They will liaise with any 3rd party used for processing data, such as an HR / payroll supplier or cloud computing provider, to ensure appropriate levels of protection for all personal data. They have responsibility for making sure that customer-facing applications such as websites or online forms comply with relevant regulations including cookie policies and privacy notices. They will also oversee the life-cycle of data, software and hardware, ensuring that the processes for deleting or encrypting files in accordance with Retention Policies function effectively.

What is personal data?

Personal data is information about a person - anything that would allow someone to identify a living individual. Processing that data means obtaining, using, and transferring data, and storing it in any system that allows it to be found again, such as a computer database or filing system.

In line with the Data Minimsation principle, Malachi will ensure that any personal data collected is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

Our Privacy Notice

Malachi will take all reasonable steps to ensure that individuals are aware their data is being processed. This will include telling individuals what is being used, how it is being used, how long it will be kept for, and how they can exercise their rights in respect of that data.

Our Privacy Notice sets out how we collect data, what data we collect, the lawful basis for that, and how long we retain it. It includes information on who we share data with and the lawful basis for such sharing. It also sets out how people can request copies of data we hold about them. The Notice will be included in any marketing or information literature we produce. It will also be available on request, and on the Malachi website.

Establishing a lawful basis for processing your personal data

Under the Data Protection Act 2018, we need to make clear the lawful basis for every type of data processing we carry out.

The majority of the data we process about clients will fall under the lawful basis of consent. Malachi workers explicitly seek full, informed and positive consent to record personal data, and to keep records of work carried out with clients and their families. All clients sign a consent form, which explains what information is processed and how it might be shared. Where information being processed falls under the ‘special’ categories of personal data, we will make it clear that clients do not have to disclose this information, but failing to do so may reduce the quality of the service we are able to offer.

Clients have the right to withdraw their consent at any time during or after the working relationship. When this happens, Malachi will remove most personal data from our systems. We will only retain the level of information we need for our administration and to enable us to feedback to funders about work we have undertaken. This data processing falls under the category of our legitimate interest in processing data.

Malachi processes the personal data of colleagues in schools, in local authorities, and in partner organisations that work with children and families. This data is processed under the lawful basis of our legitimate interests in being able to contact and communicate with named professionals across the sector.

Staff working with Malachi will have a range of personal data processed by us, to enable us to support their development, keep them and our clients safe, and enable the contractual elements of their employment to be completed. Data we process about potential or current staff falls under the lawful basis of contract. Data we share with regulators and other organisations about our staff, such as PAYE information, falls under the lawful basis of legal obligation. When staff leave Malachi, we will retain certain information about them, based on the lawful basis of our legitimate interest in being able to demonstrate that we have complied with all relevant rules and guidelines during their employment.

Where Malachi need to share information with other professionals or agencies due to concerns about risk of harm to a child or to a vulnerable adult, this falls under the lawful basis of substantial public interest, which is necessary for the purpose of protecting an individual from neglect or physical, mental or emotional harm, or protecting the physical, mental or emotional well-being of an individual.

Keeping personal data secure

Once personal data has been lawfully and fairly collected and processed, it must be safely stored, kept up to date, and safely accessed. Storing data in a way that complies with the regulations is a mix of common sense, clear processes and application of strong IT solutions.

The only people who will have access to personal data at Malachi are those who need it for their work. Our IT systems and file storage will have granular levels of permission, and we will ensure that people only see personal data if required for operational reasons and for the benefit of the children and families they are supporting.

Strong passwords must be used to access electronic resources and IT systems. These should never be shared with other people, or written down. Malachi will set an appropriate password policy and require passwords to be changed on an annual basis.

Personal data must only be disclosed to those who are authorised to see it, both within and outside the organisation. If there is any doubt about the identity the person requesting access to information, or doubt as to whether they should be allowed to see it, Malachi will seek further clarification before disclosing any information.

Data will only be shared with those people who are authorised to see it. This will be in line with our legal obligations and with the lawful and legitimate requirements of the business. Our Privacy Notice explains who we might share data with, the lawful basis for that, and the circumstances in which individuals can object to data being shared.

Full training for all Malachi staff is available. This will help them understand their responsibilities under data protection legislation. Staff should ask their line manager or the Data Protection Officer for guidance if they are unsure about any aspect of data protection.

Data use and transfer

Data must only be used for the purpose it was first obtained. Personal data should not be shared informally, either internally or externally to the organisation.

Staff should follow simple checks when transferring data outside the organisation via post or email, to ensure that personal data goes to the correct recipient. Malachi will use a simple checklist when sending personal data by post, to add an extra layer of security and checking to our data transfers.

Extra care is always taken when sharing data via email. This might include encryption or use of a secure email client. All staff have undertaken training which includes the need to take additional care when using the email system to communicate with individuals and other organisations.

Data should not be stored on personal IT devices. In particular staff must not email work documents to their personal email addresses. If data needs to be transferred outside of the secure work environment, staff should use their Malachi email account, or a secure cloud storage solution provided by the ICT department.

If things go wrong

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Malachi will promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO.

Marketing and Promotion

Malachi carries out a range of marketing and promotional work. This includes promotional literature in schools and other organisations that may wish to use our services. We always ensure that anyone receiving marketing or promotion communications from us has given positive consent to receiving those communications, in the format that we send them out. All such communications will also show clearly how an individual can stop receiving marketing or update information from us.

CCTV at Malachi sites

Malachi uses CCTV cameras at the Billesley Ark site. This is to ensure the safety and security of all those who use or visit our facilities, and to protect the site from damage. Our use of CCTV follows best practice guidelines as laid down by the ICO. You can ask to see CCTV footage in which your image is captured. This should be done in writing as part of a Subject Access Request.

Images recorded by the CCTV cameras are stored on a separate server, in a secure location. They are retained for a maximum of 14 days, after which time they are securely overwritten. Access to the images is restricted to specified people within Malachi. We will only view CCTV footage in response to an incident or an allegation.

The images on our CCTV system are of a sufficient quality to allow us to make out faces of individuals in most circumstances. We are able to take copies of relevant parts of the CCTV footage and store it securely, in order to assist investigations into incidents or allegations. In certain circumstances we may share CCTV footage with partners or other agencies. This may include senior managers or the Police.

Subject Access Requests and your Rights over your data

You have the right to ask to see a copy of any information we hold about you. This is known as a Subject Access Request (SAR). You also have the right to request correction of inaccuracies, and object to processing. To do this, you can write to us, or email us at