Policy operational date

from 25 May 2018 to present

Policy prepared by

Dr J C Robertson

Policy review date

reviewed 25 May 2022;

next review 25 May 2023.

Introduction

Purpose of policy

• complying with the law
• following good practice
• protecting MMST, clients, staff and other individuals

Data Protection Principles

The EU General Data Protection Regulation (GDPR) offers increased protection of the collection and processing of personal data, including contact details.

Policy statement

The MMST Policy statement:

• complies with both the law and good practice to respect individuals’ rights
• ensures that MMST is open and honest with individuals whose data is held; ie, MMST Friends, donors and staff
• aids in providing training and support for staff who handle personal data, so that they can act confidently and consistently.

Key risks

The two key areas of potential risk about which MMST takes extra precautions to guard against:

• information about individuals getting into the wrong hands, through poor security or inappropriate disclosure of information
• individuals being affected through data being inaccurate or insufficient.

Responsibitilies

Trustees

MMST Trustees have overall responsibility for ensuring that the organisation complies with its legal obligations.

Data Protection Officer

The Data Protection Officer’s responsibilities include:

• Briefing the board on Data Protection responsibilities
• Reviewing Data Protection and related policies
• Advising other staff on Data Protection issues
• Ensuring that Data Protection induction and training takes place
• Handling subject access requests
• Approving unusual or controversial disclosures of personal data
• Approving contracts with Data Processors.

Team/Department managers

Each MMST team where personal data is handled is responsible for drawing up its own operational procedures (including induction and training) to ensure that good Data Protection practice is established and followed.

Also, the managers ensure that the Data Protection Officer is informed of any changes in their use of personal data that might affect MMST’s Notification.

Staff & volunteers

MMST staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work. 

Confidentiality

Scope

Confidentiality applies to a much wider range of information than Data Protection. Therefore, the following are likely to be confidential, but may well not be subject to Data Protection:

• Information about MMST (and its plans or finances, for example)
• Information about other organisations, since Data Protection only applies to information about individuals
• Information which is not recorded, either on paper or electronically
• Information held on paper, but in a sufficiently unstructured way that it does not meet the definition of a “relevant filing system” in the Data Protection Act.

Understanding of confidentiality

When working with all ages, including children, young people and the elderly, procedures from the MMST’s Safeguarding Policy are strictly followed.

Communication with staff

Staff and volunteers are informed and trained in their responsibilities, and about correct procedures regarding disclosure and access.

Security

Specific risks

Staff and volunteer contact details are not given over the phone.

Subject access

Responsibility

MMST ensures that subject access requests regarding the contact details held about an individual are handled within the legal time limit of 40 days.

Procedure for making request

Subject access requests must be in writing or via email. There is a clear responsibility for all staff to pass on anything which might be a subject access request to the appropriate person without delay.

Provision for verifying identity

Where the person managing the access procedure does not know the individual personally, identity is required and verified before handing over any information.

Transparency

Procedure

Data protection information is conveyed through:

• staff handbook
• newsletters
• initial interviews
• website

Consent

Forms of consent

Consent for MMST to use email addresses to send updates about events and activities can be given via email, in writing or by verbal consent, which is safely documented.

Opting out

Individuals are free to opt out of receiving email updates at anytime via the website.

Withdrawing consent

MMST acknowledges that, once given, consent can be withdrawn, but not retrospectively. 

Direct marketing

Underlying principles

Activities include providing information about donations, goods and services, and forthcoming and historic events. 

Opting out

As individuals have the right to require their data not to be used for notification about the above activities, they are free to opt-out (via email, including from the website) at any time.

Electronic contact

Because of the Data Protection and Privacy (EC Directive) Regulations 2003 most electronic marketing (by phone, fax, e-mail or text message) either requires consent in advance or electronic consent.

Staff training & acceptance of responsibilities

Documentation

Procedures relating to Data Protection are maintained and documented.

Induction

All staff who have access to any kind of personal data have their responsibilities outlined during their induction procedures.

Continuing training

Data Protection issues are raised at opportunities including staff training, team meetings, supervisions, etc.

Policy review

Responsibility

MMST has responsibility for carrying out the next policy review.

Procedure

Dr C Robertson will consult with staff members with responsibility for complying with the Data Protection Act in the review.

Timing

The next major review will commence by Feb 2023, in order to be completed by 25 May 2023.