INTRODUCTION
The Youth Counselling Project is committed to promoting awareness, instituting good practice and maintaining sound procedures to ensure compliance with Data Protection principles and to preserve the rights of individuals. These procedures will be maintained and reviewed to ensure compliance with current legislation and should be read in conjunction with our Data Protection Policy which sets out the legal framework. The Youth Counselling Project recognises that the responsibility is on everyone, whether trustee, staff, sessional worker or volunteer, for how people’s personal information is collected, stored and used.
DEFINITIONS
The Data Protection Act (DPA) 1998 applies to data about a living, identifiable individual and defines certain information as being ‘sensitive’ data:
- Racial or ethnic origin
- Political opinions
- Religious beliefs
- Trade union membership
- Physical or mental health or condition
- Sexual life
- Information about criminal convictions or proceedings.
Handling or ‘processing’ information includes:
- Collection
- Retrieval
- Consultation
- Use
- Disclosure
The General Data Protection Regulation (GDPR – https://gdpr-info.eu/) came into force in May 2018. Under this legislation the 8 Data Protection Principles remain largely unchanged and of the utmost importance. Personal information must be:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- accurate
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- given adequate protection if transferred outside the European Economic Area.
Under GDPR it is necessary to identify the lawful basis under which data is processed. The Youth Counselling Project’s lawful basis for processing activity is that processing protects the vital interests of the individual. Where sensitive data is held, explicit consent must be given.
Personal data is anything which can help identify someone, so it includes:
- Name
- Address
- Date of birth
- Photo
- IP address
It can be held on a computer or a phone, in back-ups, or in paper files (but random notes and less formal documents are not included).
GDPR also introduces new rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
PROCEDURES
Data Protection Officer
A designated member of the Charity will be appointed to take responsibility for overseeing all Data Protection issues and ensuring these procedures are implemented.
Awareness
- All new staff, trustees, sessional workers and volunteers who will have access to personal data will receive an induction on The Youth Counselling Project’s Data Protection Policy and Procedures
- An annual refresher session will be held on policy and procedures for Staff, Trustees and Sessional Workers.
- An annual review of The Youth Counselling Project’s data map and any sharing of data will be conducted
- Data Protection will be included in The Youth Counselling Project’s Risk Register
- An annual refresher session on policy and procedures will be conducted with volunteers who are working with access to personal data
- These procedures will be reviewed annually.
- Reviews of procedures, data map and implementation will be reported by the Data Protection Officer to the Trustees
Data Held
The Youth Counselling Project will maintain a comprehensive data map for all personal information held, which will detail:
- The type of data held, including visual images
- In what format (paper files/electronic) and security (locked cabinet/password protected/encryption)
- Physical location
- Who has access
- The purpose of the data set
- How long data is retained
- Data flows
- All data sharing with third parties will be documented (e.g. in School/sessional worker/counselling supervisor contact)
- Case records will be retained for as long as required. After 3 years without any contact, files will be archived*
- *Further information on the retention/archiving/destruction of records can be found in The Youth Counselling Project’s Archive Policy.
Consent
- Consent must be freely given, specific, informed and unambiguous
- Explicit consent will be sought, recorded and managed using the Record of Client Consent/Form of Authority for all new contacts and gradually introduced for those individuals for whom The Youth Counselling Project already holds personal data when they resume contact
- Consent forms will be held with client records and in a central file. Data subjects will be given a copy
- Separate consent forms will be used for visual images with a clear statement of whether consent is for one specific image or includes any future images
- The Youth Counselling Project will use a general privacy notice on the website and any form collecting personal data
- Children can give consent themselves from the age of 16 but this may be lowered to 13 when GDPR is enshrined in UK law. If a parent or legal guardian has given consent on behalf of a child this must be renewed by the data subject themselves once old enough. The previous consent will no longer apply.
Subject Access Requests
- All subject access requests must be submitted in writing – email is acceptable
- A form can be designed and offered if it will help to identify the data subject’s records, but any written request must be acted upon regardless of whether a form is completed
- Under GDPR a period of 30 days from receipt of the written request is allowed to comply with a full response
- Identity checks should be conducted to verify that it is the data subject themselves making the request, where necessary
- If a subject access request is made on someone else’s behalf, checks should be carried out to ensure they have authority (for instance Parent/Guardian/Social Worker, e.g. for a Young Person in Care)
- Through reference to the data map, all those who have access to a data set likely to include the data subject will be required to carry out the necessary searches to retrieve any personal information held
- As well as detailing all personal information held on the data subject, the response must also clearly set out The Youth Counselling Project’s lawful basis for processing data
- Where confidential records include references to third parties these must be deleted before the information is released
- Where there are safeguarding or child protection issues, information may be withheld if it would otherwise pose a risk to the individual or a third party. The Youth Counselling Project’s Safeguarding procedures should also be consulted.
Data Correction or Deletion
- Data subject requests to correct or delete data must be communicated to all those who have access to datasets containing the data in question, including back-up copies
- Identity checks should be conducted to verify that it is the data subject themselves making the request, where necessary
- Where such a request is made by someone representing the data subject, checks should be carried out to ensure they have authority
- Confirmation of corrections/amendments should be provided
- Confirmation of deletion must be provided. If there is a reason why data must not be deleted for a given period of time, this reason must be explained together with a notice of the time period for which the data must be kept.
Data Breaches
- Systems must be designed, maintained and reviewed with security of data in mind
- Data breaches must be reported to the individual(s) concerned where there is a risk to their rights and freedoms, e.g. it could result in:
  - Discrimination
  - Damage to reputation
  - Financial loss
  - Loss of confidentiality
  - Significant economic or social disadvantage
- Such data breaches must be reported to the individuals concerned within 72 hours.