Malachi Specialist Family Support Services CIC:

Data Protection Policy

 

Context and overview

Malachi Specialist Family Support Services CIC (“Malachi”) needs to gather, store and use certain personal information about individuals. This can include clients, customers, staff, funders and business colleagues.

All data must be collected, stored and managed in accordance with UK and EU law, and in line with Malachi’s ethos and values. Individuals retain the rights over their own data at all times. Our use of their data must be fair and lawful, and we must be open and honest about what we do with people’s data.

All data we process is handled in accordance with the Data Protection Act 2018, Keeping Children Safe in Education 2018 and Working Together to Safeguard Children 2018.

 

Key principles

  • Individuals retain rights over their data.
  • Data should be collected fairly and lawfully and used only in ways that the individual would expect.
  • Data should only be kept for as long as is necessary.
  • Data integrity and security are paramount.
  • Data governance will be actively managed at all levels of the organisation, to minimise risks to both the individual and the organisation.
  • All collection and use of data will be open and honest.

 

Why this policy exists

This policy will help ensure that Malachi respects the rights of all individuals whose data it collects, including clients, customers, staff, funders and business colleagues. It encompasses legal responsibilities and best practice. By being open and honest with individuals we demonstrate that people can trust our organisation and that we handle personal data with integrity. Routine application of these principles will also help protect Malachi from the risk of data breaches and unauthorised access to personal information.

 

Data Protection Law and Principles

The use of personal data is governed by EU and UK law. This is enhanced and explained by case law and best practice. The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). In order to comply with the law, personal data must be collected fairly and lawfully, it must be stored safely and managed securely, and it must not be disclosed to anyone who does not have authority to see it. The GDPR defines six principles that must be complied with when processing personal data. These principles are as follows:

1. Processing should be lawful, fair and transparent.
Data subjects should have a clear understanding of what personal data is being processed about them, and why it is being processed. Any communication with the data subject about their personal data should be easily accessible, easy to understand and written in plain and clear language. This is particularly important when the personal data relates to a child, who should be able to understand what an organisation is doing with their information. GDPR requires organisations to provide certain information to the data subject when the personal data is collected either directly from the data subject or from another source.

2. Personal data shall be collected for specified, explicit and legitimate purposes.
Personal data should be collected for a specific purpose, and the data subject should know what that purpose is.

3. Personal data must be adequate, relevant, and limited to what is necessary.
Organisations should only process the personal data they need to process to achieve the purpose for which it was collected.

4. Personal data shall be accurate and kept up to date.
Organisations should have processes in place to ensure the personal data they process is accurate and up to date.

5. Personal data shall be kept for no longer than is necessary.
GDPR requires personal data to be deleted or destroyed when it is no longer needed by the organisation. Alternatively, the personal data could be anonymised or otherwise modified so that it no longer relates to an individual. Malachi’s data retention periods are specified in our Privacy Policy.

6. There must be appropriate security in place in respect of the personal data.
Each organisation should put in place security measures (whether technical, organisational or manual) to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. This may include, for example, ensuring documents stored online or on a computer are password protected or encrypted and that hard copy documents are stored in locked drawers or cabinets with restricted access.

This Data Protection Policy demonstrates how we ensure we are adhering to and applying these principles to our work.

 

Policy Scope

This policy applies to:

  • All sites within our organisation, and all places where Malachi staff carry out their professional tasks.
  • Our front-line staff, support staff, management, and Directors.
  • Contractors, suppliers and anyone working on our behalf under a relevant NDA.

 

Responsibilities under this policy

Everyone who works with or for Malachi has some responsibility for ensuring that data is handled safely, securely and appropriately.

There are key roles within the organisation that carry specific responsibilities.

The Board of Directors is the strategic lead body for the organisation. It bears ultimate responsibility for ensuring that all our legal obligations are met. It will be accountable for any failure to abide by the correct regulations, and for any impact such a failure may have on our ability to provide services to the children and families in our community and on our reputation within the sector.

The Managing Director and Management Team are the operational lead body for the organisation. They must ensure that all relevant policies and procedures are in place, and that practice follows the policy across all teams and working areas. The Director with responsibility for GDPR, also known as the Data Protection Officer (DPO), has overall responsibility for setting an appropriate tone of respect for personal data within the organisation. The DPO will deal with all data governance issues that require attention.

The DPO has a key role to play in providing expert advice and guidance to the Board and the Senior Leadership Team. It is their responsibility to update senior management and the Board about Data Protection issues, and to update policies and procedures in accordance with an agreed schedule and following legislative and best practice updates. They will oversee training and guidance for all staff, and be responsible for liaison with 3rd party suppliers, contractors and partners if they handle personal data. They will also oversee any Subject Access Requests, and handle the response to any data breaches, including being the point of contact for the public and notifying, where necessary, the ICO as well as commissioners and their associated Information Governance Units (IGUs).

The DPO is responsible for ensuring the physical and virtual integrity of IT data storage services, systems and equipment. They will ensure all IT security meets acceptable professional standards, appropriate to the needs of the organisation, and that access to all electronic systems, databases or files is managed in accordance with the relevant policies. They will liaise with any 3rd party used for processing data, such as an HR/payroll supplier or cloud computing provider, to ensure appropriate levels of protection for all personal data. They have responsibility for making sure that customer-facing applications such as websites or online forms comply with relevant regulations, including our Cookie Policy and Privacy Policy. They will also oversee the life-cycle of data, software and hardware, ensuring that the processes for deleting or encrypting files in accordance with the Privacy Policy function effectively.

 

What is personal data?

Personal data is information about a living person that would allow someone to identify them. Processing that data means obtaining, using, and transferring data, and storing it in any system that allows it to be found again, such as a computer database or filing system.

Malachi will ensure that any personal data collected is adequate, relevant, and limited to what is necessary in relation to the purpose for which it is processed. This is in line with the third principle of GDPR.

 

Our Privacy Policy

Malachi will take all reasonable steps to ensure that individuals are aware their data is being processed. This will include telling individuals what is being used, how it is being used, how long it will be kept for, and how they can exercise their rights in respect of that data.

Our Privacy Policy sets out how we collect data, what data we collect, the lawful basis for that, and how long we retain it. It includes information on who we share data with and the lawful basis for such sharing. It also sets out how people can request copies of data we hold about them. The Privacy Policy will be included in any marketing or information literature we produce. It will also be available on request, and on the Malachi website.

 

Establishing a lawful basis for processing your personal data

Under the Data Protection Act 2018, we need to make clear the lawful basis for every type of data processing we carry out.

The majority of the data we process about clients will fall under the lawful basis of consent. Malachi workers explicitly seek full, informed, and positive consent to record personal data, and to keep records of work carried out with clients and their families. All clients sign a consent form, which explains what information is processed and how it might be shared. Where information being processed falls under the ‘special’ categories of personal data, we will make it clear that clients do not have to disclose this information and that this will not impact the service they are offered.

Clients have the right to withdraw their consent at any time during or after the working relationship. When this happens, Malachi will immediately cease to record further information about that client and their family. We will retain all information previously held on our system that was gathered with the client’s previous informed consent. This information will be retained in line with our usual working practices as set out in our Privacy Policy. This data processing falls under the category of our legitimate interest in processing data.

Malachi processes the personal data of colleagues in schools, in local authorities, and in partner organisations that work with children and families. This data is processed under the lawful basis of our legitimate interests in being able to contact and communicate with named professionals across the sector.

Staff working with Malachi will have a range of personal data processed by us, to enable us to support their development, keep them and our clients safe, and enable the contractual elements of their employment to be completed. Data we process about potential or current staff falls under the lawful basis of contract. Data we share with regulators and other organisations about our staff, such as PAYE information, falls under the lawful basis of legal obligation. When staff leave Malachi, we will retain certain information about them, based on the lawful basis of our legitimate interest in being able to demonstrate that we have complied with all relevant rules and guidelines during their employment.

Malachi will hold employees’ personal data for six years. Incidental data, including employees’ emergency contact details, will be deleted within 3 months of employment coming to an end.

Where Malachi needs to share information with other professionals or agencies due to concerns about risk of harm to a child or to a vulnerable adult, this falls under the lawful basis of substantial public interest, which is necessary for the purpose of protecting an individual from neglect or physical, mental or emotional harm, or protecting the physical, mental or emotional well-being of an individual.

 

Keeping personal data secure

Once personal data has been lawfully and fairly collected and processed, it must be safely stored, kept up to date, and safely accessed. Storing data in a way that complies with the regulations is a mix of common sense, clear, audited processes, and application of strong IT solutions.

The only people who will have access to personal data at Malachi are those who need it for their work. Our IT systems and file storage will have granular levels of permission, and we will ensure that people only see personal data if required for operational reasons and for the benefit of the children and families they are supporting.

Strong passwords must be used to access electronic resources and IT systems. These should never be shared with other people, or written down. Malachi will set an appropriate password policy and require passwords to be changed on an annual basis.

Personal data must only be disclosed to those who are authorised to see it, both within and outside the organisation. We always verify the identity of people who request information by confirming personal details of the named child in an intervention (such as date of birth or postcode). If there is any doubt about the identity of the person requesting access to information, or doubt as to whether they should be allowed to see it, Malachi will seek further clarification before disclosing any information. This will include calling the parent or known contact at a school on a registered number to discuss a request for information being made.

Data will only be shared with those people who are authorised to see it. This will be in line with our legal obligations and with the lawful and legitimate requirements of the business. Our Privacy Policy explains who we might share data with, the lawful basis for that, and the circumstances in which individuals can object to data being shared.

Full training for all Malachi staff is available. This will help them understand their responsibilities under data protection legislation. Staff should ask their line manager or the Director with responsibility for GDPR for guidance if they are unsure about any aspect of data protection.

 

Data use and transfer

Data must only be used for the purpose it was first obtained. Personal data should not be shared informally, either internally or externally to the organisation.

Staff should follow simple checks when transferring data outside the organisation via post or email, to ensure that personal data goes to the correct recipient. Malachi will use a simple checklist when sending personal data by post, to add an extra layer of security and checking to our data transfers.

Extra care is always taken when sharing data via email. Malachi uses a secure email client. All staff are made aware during induction and in ongoing training that only minimal information can be shared via email. No personal data (full names, DOBs, postcodes, etc.) should ever be shared in the body of an email. When personal data is shared via email, this is done via an encrypted link.

Wherever possible, personal data is shared with outside agencies and commissioners via a secure file transfer system.

Data should not be stored on personal IT devices. In particular, staff must not email work documents to their personal email addresses. Data should only be stored within our cloud-based system and not on staff laptops or phones.

There is an audit schedule in place that checks compliance with the above.

 

If things go wrong

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Malachi will promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO.

There is a Data Breach process in place which is reviewed at least annually.

 

Marketing and Promotion

Malachi carries out a range of marketing and promotional work. This includes promotional literature in schools and other organisations that may wish to use our services. We always ensure that anyone receiving marketing or promotion communications from us has given positive consent to receiving those communications, in the format that we send them out. All such communications will also show clearly how an individual can stop receiving marketing or update information from us.

 

Subject Access Requests and your Rights over your data

Any person has the right to ask to see a copy of any information we hold about them. This is known as a Subject Access Request (SAR). You also have the right to request correction of inaccuracies, and to object to processing. To do this, you can write to us, or email us at enquiry@malachi.org.uk.

Issued by:
Malachi Specialist Family Support Services CIC

Date Reviewed:
July 2023

Review Date:
July 2024

Signed by:
Tony Collins | Commercial Director

Date Signed:
18th July 2023