GDPR policy

Organisation Details

Organisation name: Befriend Motherwell
Organisation is a Data Controller: There is no Data Protection Officer. The Data Protection Champion is our Project Coordinator.

info@befriendmotherwell.org.uk
Befriend Motherwell, Dalziel St. Andrew’s Church, 43-47 Merry Street, Motherwell, ML1 1JJ

Purpose

Befriend Motherwell, due to the nature of our organisation, comes into contact with individuals’ personal data. The individuals whose data we process are prospective and current volunteers, prospective and current befriendees, and staff.

Befriend Motherwell has an obligation to ensure that individuals’ personal data is stored and used lawfully in accordance with GDPR requirements. We only ask for the information that we require to carry out our service and we treat all personal information confidentially.


Key Principles of GDPR.

  • Lawfulness, fairness and transparency.
    Befriend Motherwell has a valid reason for collecting individuals’ personal information. Befriend Motherwell uses the personal information fairly and we are clear, open and honest about how we use the information.

  • Purpose limitation.
    We are clear about our purposes for collecting and using information.
     
  • Data minimisation.
    The data we collect and process is adequate for the purpose, relevant to it and limited to what is necessary.
  • Accuracy.
    Our systems enable us to keep personal information updated and correct.
  • Storage limitation.
  • Integrity and confidentiality (security).
    We keep most information in hard copy in locked filing cabinets in locked offices.  Information kept electronically is kept to a minimum and has an appropriate level of security: it is in encrypted files on password-protected un-networked computers, and backups are to an encrypted cloud service.
  • Accountability.
    We have a Privacy Policy and Confidentiality Policy.

Our Purposes for Processing Information.

  • We collect and process information about volunteers, carers and befriendees for the purpose of providing our befriending service.
  • We process information about staff members to make recruitment decisions, administer payroll & pensions and provide supervision and support. 

Lawful basis for processing information

Consent
Befriend Motherwell seeks consent before processing personal information.
We rarely rely on it as the sole lawful basis for processing data under GDPR. We obtain written consent from members, carers and volunteers on Request for Assistance forms (referral forms), Volunteer Application forms and additional specific consent forms. Requests are prominent, separate from other information and require a positive opt-in; records of consents are kept, and consents are refreshed if anything changes.

  • We ask for consent to use photos and video in publicity and reporting.

  • Some member information comes from other sources such as health & care professionals and social work. We ask for consent on Request for Assistance forms (referral forms) to collect this information and to share information with volunteers.

Legitimate Interests

  • For volunteers, befriendees and staff, an additional legal basis for processing is legitimate interests: we need to collect and process the information to provide and evaluate the service and manage the organisation.
  • The Information Commissioner’s Office has confirmed that these legitimate interests are a sound basis on which a befriending service can process information.

Special Category Data and Criminal Convictions and Offence Data

  • Special Category Data: Health. This principally relates to members (although some health information may involve volunteers or staff). We rely on GDPR Article 9(2)(a) consent and Article 9(2)(h) social care.
  • Criminal Convictions and Offence Data: we process this in connection with volunteer, staff and director PVG Scheme Applications. We rely on Data Protection Act 2018 Sch.1, Pt.1, 2 – social care & Sch.1, Pt.2, 29 consent.
  • The Information Commissioner’s Office has confirmed that befriending services are social care services for GDPR and DPA purposes.

Other

  • Contract and legal obligation are additional lawful bases for processing staff information.

Individual Rights

Right to be informed

At the time of collecting personal data, Befriend Motherwell provides individuals with concise, transparent, intelligible and easily accessible privacy information written in clear and plain language.
This includes:
  • Our purposes for processing their personal data,
  • Our retention periods for that personal data, and
  • Who it will be shared with.

Rights of access to, rectification of and erasure of data: we give information about these rights on Request for Service and Volunteer Application forms. 

Rights to restrict processing, to have data portability, and to make objection to the use of data have special features and are unlikely to be invoked in relation to our service.

Subject Access requests

Any individual has the right to see what personal information we hold about them. They are entitled to be given confirmation as to whether we hold or process their personal information, and if so they are entitled to access all their personal information as well as details of:
• The purposes for which we process their personal data;
• The categories of their personal data we process;
• The recipients, or categories of recipient, to whom personal data has been or will be disclosed;
• How long we expect to store their data;
• Where they did not give us the personal data, the source from which we collected the personal data.

They are entitled to have any mistakes in their personal data rectified, and to have the data deleted if they would no longer like us to store or process their personal data, or to request restriction of our processing of their personal data.


Data Retention & Disposal Policy

  • Member, Volunteer and Staff files (including computer files) are kept for 6 years after they leave the service or organisation.
  • Information on our database/register of Befriendees and Volunteers is also kept for 6 years after leaving the service or organisation.
  • PVG Scheme Records and Record Updates are shredded as soon as a recruitment decision has been made.
  • Records of group activities (including group risk assessments) are kept for 6 years from date of activity.
  • Accounting records (which contain information on staff and volunteers through their expenses claims) are kept for 6 years from financial year-end.
  • Hard-copy marketing materials that include photographs of individuals, such as posters, leaflets and pull-up banners are replaced every 6 years at maximum.
  • Website and Social media content: photographs of individuals are replaced every 6 years at maximum.
  • The Project Co-ordinator has responsibility for ensuring data is disposed of on schedule.

Data Breaches

  • A breach occurs if there is an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
  • Likely breaches might be through an email being sent to the wrong person, someone outside the organisation gaining access to a filing cabinet, or the loss or theft of a laptop or paper files.
  • If there is a confirmed or suspected breach of personal data, the staff member discovering it should contact the Project Co-ordinator immediately.
  • The Project Co-ordinator and staff involved will try to contain the breach, minimise its effects and recover any data where possible.
  • They will investigate the breach and assess the risks associated with it (for example, identity theft, fraud, safety of members, reputational damage), the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to occur. If it is likely there will be a risk to people’s rights and freedoms, then the data subject(s) and the Information Commissioner’s Office will be notified immediately.
  • A record of the breach, together with any action taken to remedy it and prevent its recurrence will be made on an Incident Report form. A report will also be made by the Project Co-ordinator to the Interest Link Board, either immediately or in the next bimonthly report depending on the seriousness of the breach.
  • If the breach is the result of an inappropriate disclosure by a volunteer or staff member, it may also be a disciplinary matter and be dealt with in accordance with our disciplinary procedures.