Headway East Sussex (HES) takes our responsibilities regarding the security of personal information very seriously and strives to give individuals greater choice and control over how their personal data is used.
The following explains how Headway East Sussex is transparent and provides accessible information to individuals about how we use personal data (transparency is a key element of the Data Protection Act 1998 and the EU General Data Protection Regulation).
The GDPR applies to any organisation processing and holding personal data. Personal data is any information related to a natural person that can be used to directly or indirectly identify the person.
In early 2018 Headway East Sussex undertook a comprehensive data protection audit of all projects within the organisation to ensure they are fully compliant with the General Data Protection Regulation (GDPR), which came into force in the UK on the 25th of May 2018.
The Information Commissioner's Office (ICO) assists businesses and public bodies to meet the requirements of the GDPR. For more information on the ICO and the GDPR, please see: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
For more information regarding Headway East Sussex and Data Protection, Privacy and GDPR, please contact firstname.lastname@example.org with your query and request the Data Protection Officer to contact you.
Headway East Sussex – Data Controller
Data Controllers determine how and why personal data is processed. They ultimately decide what data is collected, what it is used for and who it is shared with. The HES Trustees (Board of Directors) are the Data Controllers for Headway East Sussex. HES adheres to Article 5(2) of the GDPR, which states: “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Headway East Sussex – Data Processors
Data Processors are any persons or organisations that process data under the instruction of the Data Controller. This includes anyone employed by, volunteering with or engaging with HES who has access to, or is provided with, data. Essentially, all HES staff are Data Processors. All organisations that HES staff send information to and receive information from are also Data Processors.
Headway East Sussex – Data Protection Officer
A Data Protection Officer (DPO) is required for public authorities, for large organisations, for organisations where there is large-scale monitoring of special categories of data (e.g. health/medical data), and for organisations where a high level of transparency is required. HES’s DPO replaces the previous role of “Information Governance Lead” within HES. The Deputy Director of Service is the Data Protection Officer in HES and oversees the processing and holding of data within HES. The DPO is also the point of contact with the ICO. The DPO has gone through roles and responsibilities regarding the GDPR with the Board of Management and all relevant staff. The DPO oversees annual Data Protection training provided to all HES staff within the organisation. This ensures all staff are aware of their data protection responsibilities.
Headway East Sussex – GDPR Responsibilities
Under the GDPR, the data protection principles set out the main responsibilities for organisations.
HES adheres to Article 5 of the GDPR, which requires that personal data shall be:
- a) processed lawfully, fairly and in a transparent manner in relation to individuals;
- b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
What personal data we collect
HES collects personal data under the following projects/category headings: Finance, HR, Communications, Fundraising, Administration, Premises & IT, Volunteers, Day Service, Support Work, Therapies, Casework, Family Support, Safeguarding, and Member Led Activities.
The personal data collected depends on which service, project or information you receive from HES. It will differ for a staff member, a member of a funded service, a member of a non-funded service, a volunteer, etc.
What do we use your personal data for, why and for how long?
HES collects personal data under the following projects/category headings: Finance, HR, Communications, Fundraising, Administration, Premises & IT, Volunteers, Day Service, Support Work, Therapies, Casework, Family Support, SMT/BOM, Safeguarding, and Member Led Activities.
What we use your personal data for, why, and for how long depends on which service, project or information you receive from HES.
There are six lawful bases for processing personal data: Consent, Contract, Legal Obligation, Vital Interests, Public Task and Legitimate Interests.
Predominantly, HES relies on Consent, Contract and Legitimate Interests to process personal data. The basis under which data is processed is made clear to people at the stage when it is relevant. People are required to positively “opt in”, are provided with sufficient information to make a choice, and are told how we will process their data.
Some examples of where Headway East Sussex relies on Consent, Contract and Legitimate Interests to process personal data include:
- The personal data collected relating to staff is processed on the lawful basis of Contract.
- The personal data collected relating to funded members is processed on the lawful basis of Contract.
- The personal data collected relating to non-funded members is processed on the lawful basis of Consent and/or Legitimate Interests.
As the nature of our work involves medically related conditions, HES also processes special category data (e.g. health records). The lawful basis used to process this can be Contract, Consent and/or Legitimate Interests, depending on the project(s) accessed. The additional condition required under Article 9 of the GDPR for processing this type of data is:
“(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”
In order to safeguard all those we work with, and who work with us, all staff, volunteers and other relevant stakeholders are required to undergo a Disclosure and Barring Service (DBS) check. This helps us to make safer recruitment decisions and prevents unsuitable people from working with vulnerable groups.
The lawful basis used to process this data is Contract (as part of the application process). The additional condition required under Article 9 of the GDPR for processing this type of data is:
“(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;”
Security of your personal data
Adhering to the “security principle”, HES uses appropriate technical and organisational measures, including secure paper filing systems, software with tiered security controls, and cloud-based management systems, to collate, manage and hold personal data. HES has written contracts in place with all relevant organisations that process personal data on our behalf.
Examples of such systems/organisations and their GDPR compliance/privacy policies include:
Microsoft 365 & SharePoint: For information on specifics regarding Microsoft GDPR compliance for each product in 365, please see the following link: https://www.microsoft.com/en-us/TrustCenter/CloudServices/office365/GDPR
International Data Transfer
Headway East Sussex does not transfer data internationally.
Sharing your personal data
There may be situations when it is necessary to share personal information with third parties. This may be to allow us to support you, and/or to get other organisations involved in supporting you.
There may also be situations when there is a legal obligation for us to share your personal data (e.g. to safeguard your safety, or someone else’s). For a comprehensive breakdown of why and when we may share your personal data, please see the “is this data being shared with third parties” column on the relevant tab of the HES Data Mapping Excel sheet.
Your Data Protection Rights
Headway East Sussex (HES) takes our responsibilities regarding the security of personal information seriously and strives to be open, transparent and proactive in every aspect of how we manage data.
HES views the GDPR and Data Protection legislation as an opportunity to ensure we are operating in a best-practice manner and fully complying with all relevant legislation and guidance, and takes a “data protection by design and default” approach.
The GDPR provides the following rights for individuals, and HES is fully committed to adhering to these throughout the organisation:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling. (HES does not partake in automated decision making or profiling of any kind)
HES will report certain types of personal data breach to the relevant supervisory authority (the Information Commissioner's Office) within 72 hours of becoming aware of the breach, where feasible.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, HES will also inform those individuals without undue delay.
HES has robust breach detection, investigation and internal reporting procedures in place, which facilitate decision-making about whether or not the organisation needs to notify the relevant supervisory authority and the affected individuals.
HES keeps a record of any personal data breaches, regardless of whether we are required to notify.
Headway East Sussex – Subject Access Requests
A subject access request is most often used by individuals who want to see a copy of the information an organisation holds about them. An individual who makes a written request is entitled to be:
- told whether any personal data is being processed;
- given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
- given a copy of the information comprising the data; and given details of the source of the data (where this is available).
In most cases Headway East Sussex will strive to respond to a subject access request promptly and in any event within 40 calendar days of receiving it.
Headway East Sussex treats any request by an individual asking for their personal information as a subject access request, and handles it either as a routine enquiry or more formally.
Requests that can be dealt with easily are treated as routine matters in the normal course of business; a more formal procedure is in place for more formal requests.
For more information, or to make a subject access request please email email@example.com and request the Data Protection Officer to contact you.
If you make use of the website’s text size or contrast options, a small text file called a cookie will be set on your computer in order to remember your most recent text size or contrast preference. This small text file is used only for your convenience, in order to apply your preference when you revisit our website.
The cookie contains no personal information about you and is used for no other purpose than that described above. It has a default ‘life’ of one year, after which you will be required to choose your text size or contrast preference again. Cookies can only be read by the site from which they originate, so no other website will have access to the cookie.