Data Protection Policy and Privacy Statement

Context and overview

Key details

• Policy prepared by: Dr Lesley Taylor
• Policy became operational on: 24th May 2018
• Next review date: 24th May 2020 or before if any legislation is changed in the interim.

Introduction

Spectrum North West needs to gather and use certain information about individuals.

These can include customers and other people the organisation has a relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards — and to comply with the law (General Data Protection Regulation). Personal data includes any information that allows an individual to be identified. It applies to any information held electronically or manually.

Why this policy exists

This data protection policy ensures Spectrum North West:

• Complies with data protection law and follows good practice
• Protects the rights of anyone working with us, customers and partners
• Is open about how it stores and processes individuals’ data
• Protects itself from the risks of a data breach

Data protection law

The Data Protection Act 1998 describes how organisations, including Spectrum North West, must collect, handle and store personal information.

These rules apply regardless of whether data is stored electronically, on paper or on other materials.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

The Data Protection Act is underpinned by eight important principles. These say that personal data must:

1. Be processed fairly and lawfully
2. Be obtained only for specific, lawful purposes
3. Be adequate, relevant and not excessive
4. Be accurate and kept up to date
5. Not be held for any longer than necessary
6. Be processed in accordance with the rights of data subjects
7. Be protected in appropriate ways
8. Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection.

People, risks and responsibilities

Policy scope

This policy applies to:

• Spectrum North West
• All clinicians working with Spectrum North West
• Other people working on behalf of or alongside Spectrum North West

It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This can include:

• Names of individuals
• Postal addresses
• Email addresses
• Telephone numbers
• Transaction data, i.e. payments
• Any other information relating to individuals, including referral information or previous reports

We may receive some of this information via our contact form on the website or via email or telephone at a later date, when a client requests services or enquires about the services we offer. If a client provides us with contact information and does not go on to access services from Spectrum North West, their contact details are deleted.

We only use clients’ data to ensure the care clients receive in our assessments and interventions is appropriate, to identify each client and to maintain contact with clients.

We do not store what is termed as ‘special categories’ of data, such as sexual orientation or ethnic origin.

Data Controller Details

For the purposes of processing clients’ personal data, our individual clinicians act as ‘Data Controllers.’

We are Spectrum North West, 1st Floor Beehive House, Tarporley Road, Stretton, Warrington, WA4 4ND.

Our generic email address is admin@spectrumnorthwest.org

Data protection risks

This policy helps to protect Spectrum North West from some very real data security risks, including:

• Breaches of confidentiality. For instance, information being given out inappropriately.
• Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
• Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.

Responsibilities

Every clinician who works with Spectrum North West has some responsibility for ensuring data is collected, stored and handled appropriately.

Everyone who handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.

Data should only be collected for the purposes of carrying out any assessment or intervention.

All clinicians working under the umbrella of Spectrum North West are responsible for ensuring that they meet their legal obligations. All clinicians have an individual duty to register with the ICO for this purpose.

Each clinician works independently under the umbrella of Spectrum North West and will deal individually with any requests from individuals to see the data that clinician holds about them (also called ‘subject access requests’). A subject access request can be made to the individual clinician via our office address (above).

No other companies handle data belonging to Spectrum North West unless permission is expressly given by clients, i.e. when clients ask us to liaise directly with other agencies, such as schools, colleges, companies, the NHS, local authorities, solicitors and other organisations. If a client asks us to do so they are giving permission for us to share information with such organisations. Any information sent to clients or their associates will be password protected.

Spectrum North West does not have a database of information. All information is either stored electronically or in paper format in a locked filing cabinet. Any reports or information stored on computers are kept securely and password protected. Any computers are protected by security hardware and software.

Spectrum North West uses Stomm Ltd to advise us on our email system, provide technical support and to support with management of the Spectrum North West website. Stomm Ltd have no access to our emails or cloud documents on a routine basis. All our emails are encrypted via Office 365 and we also use OneDrive built into the Office 365 service to securely store our documents.

General guidelines for clinicians

• The only people able to access data covered by this policy should be those who need it for their work.
• Data should not be shared informally.
• Spectrum North West has provided a copy of this policy to all clinicians working under the umbrella of Spectrum North West. It is the individual responsibility of each clinician to ensure they understand their responsibilities when handling data.
• Clinicians should keep all data secure, by taking sensible precautions and following the guidelines below.
• In particular, strong passwords must be used and they should never be shared.
• All emails should be encrypted and should be sent with a password.
• Personal data should not be disclosed to unauthorised people, either within Spectrum North West or externally.
• We do not sell our clients’ data to third parties.
• Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.

Data storage

These rules describe how and where data should be safely stored.

When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.

These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:

• When not required, the paper or files should be kept in a locked drawer or filing cabinet.
• Clinicians should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
• Data printouts should be shredded and disposed of securely when no longer required.

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:

• Data should be protected by strong passwords that are changed regularly.
• If data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.
• Data should only be stored on designated drives via Spectrum’s own cloud computing services.
• Data should be backed up frequently.
• All servers and computers containing data should be protected by approved security software and a firewall.

Data is stored for the duration of the assessment and for five years following the assessment.

Once we have no lawful use for clients’ data we will dispose of it in a secure manner that maintains data security.

It is the client’s responsibility to ensure that information provided to Spectrum North West is accurate.

Data use

Personal data is of no value to Spectrum North West unless the clinicians can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:

• When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
• Personal data should not be shared informally. In particular, any information sent via email should be encrypted and password protected.
• Personal data should never be transferred outside of the European Economic Area except with express permission of the client it is sent directly to them when they live outside of the EEA.
• Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.

Data accuracy

The law requires Spectrum North West to take reasonable steps to ensure data is kept accurate and up to date.

The more important it is that the personal data is accurate, the greater the effort Spectrum North West should put into ensuring its accuracy.

It is the responsibility of all clinicians who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

• Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
• Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call or undertake any direct work with them.
• Spectrum North West will make it easy for data subjects to update the information Spectrum North West holds about them. For instance, by informing the individual clinician who is working with them, either in person or via our address (above).
• Data should be updated as inaccuracies are discovered. For instance, if a client can no longer be reached on their stored telephone number.

Subject access requests

All individuals who are the subject of personal data held by Spectrum North West are entitled to:

• Ask what information the company holds about them and why.
• Ask how to gain access to it.
• Be informed how to keep it up to date.
• Be informed how the company is meeting its data protection obligations.

If an individual contacts the company requesting this information, this is called a subject access request.

Subject access requests from individuals should be made by email, by post, addressed to the individual clinician who is dealing with their case via our address, or in person.

Individuals will be charged £10 per subject access request. Spectrum North West will aim to provide the relevant data within 14 days. Each clinician will always verify the identity of anyone making a subject access request before handing over any information.

Disclosing data for other reasons

In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.

Under these circumstances, Spectrum North West will disclose requested data. However, the individual clinician will ensure the request is legitimate, seeking assistance from other clinicians involved and taking legal advice where necessary.

Providing information

Spectrum North West aims to ensure that individuals are aware that their data is being processed, and that they understand:

• How the data is being used
• How to exercise their rights

To these ends, the company has a privacy statement, setting out how data relating to individuals is used by the company.

Privacy Statement

The personal data we collect will be used for the following purposes:

To undertake any assessments or interventions under the umbrella of Spectrum North West

The only personal data we collect is name, date of birth, address and only information relevant to the specific assessment or intervention we have agreed to undertake, including information from previous assessments, information given during any direct work with the client and their family, if consent is given.

The information will be collected and held securely according to the terms of the policy set out above.

By asking us to undertake any work with you or your child, you are consenting and giving us permission to hold your data for the purposes specified above.

Spectrum North West will not pass on your data to third parties unless specifically asked to by the client for purposes of sharing the assessment or intervention undertaken with the client.

You have a right to access data we hold about you. You may make a subject access request according to the policy as stated above. You may also correct any inaccuracies in the information we hold.

If you wish to complain, we ask you to contact Spectrum North West, at the address above. You have a right to complain at any time to the supervisory authority in the UK for data protection matters – the Information Commissioner’s Office (ICO) at www.ico.org.uk.