1.1 ASNEW takes the security and privacy of your data seriously. We need to gather and use information or ‘data’ about you as part of our business and to manage our relationship with you. We intend to comply with our legal obligations under the Data Protection Act 2018 (the ‘2018 Act’) and the EU General Data Protection Regulation (‘GDPR’) in respect of data privacy and security. We have a duty to notify you of the information contained in this policy.
1.2 This policy applies to everyone that ASNEW works with. For the purpose of this policy you are a ‘data subject’. You should read this policy alongside your any other notice we issue in relation to your data.
1.3 ASNEW is a ‘data controller’ for the purposes of your personal data. This means that we determine the purpose and means of the processing of your personal data.
1.4 This policy explains how ASNEW will hold and process your information. It explains your rights as a data subject.
1.5 It is intended that this policy is fully compliant with the 2018 Act and the GDPR. If any conflict arises between those laws and this policy, ASNEW intends to comply with the 2018 Act and the GDPR.
2 Data Protection Principles
2.1 Personal data must be processed in accordance with six ‘Data Protection Principles.’ It must:
• be processed fairly, lawfully and transparently;
• be collected and processed only for specified, explicit and legitimate purposes;
• be adequate, relevant and limited to what is necessary for the purposes for which it is processed;
• be accurate and kept up to date. Any inaccurate data must be deleted or rectified without delay;
• not be kept for longer than is necessary for the purposes for which it is processed; and
• be processed securely.
We are accountable for these principles and must be able to show that we are compliant.
3 How we define personal data
3.1 ‘Personal data’ means information which relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information which is likely to come into our possession. It does not include anonymised data.
3.2 This policy applies to all personal data whether it is stored electronically, on paper or on other materials.
3.3 This personal data might be provided to us by you, or someone else, such as the person referring you or a professional working with you.
3.4 We will collect and use the following types of personal data about you:
• your name
• your contact details;
• your date of birth;
If you advocacy issue relates to benefits/employment issues we may need you national insurance number.
4 How we define special categories of personal data
4.1 ‘Special categories of personal data’ are types of personal data consisting of information as to:
• your gender;
• your racial or ethnic origin;
• your health;
• your sexual orientation;
We request this information anonymously as part of our equal opportunities monitoring and it is your choice if you provide us with these special categories of your personal data.
5 How we define processing
5.1 ‘Processing’ means any operation which is performed on personal data such as:
• collection, recording, organisation, or storage;
• adaption or alteration;
• restriction, destruction or erasure.
This includes processing personal data which forms part of anonymised statistics
6 How will we process your personal data?
6.1 ASNEW will process your personal data (including special categories of personal data) in accordance with our obligations under the 2018 Act.
6.2 We will use your personal data for:
• performing the advocacy services between us;
• complying with any legal obligation in relation to:
The Independent Mental Capacity Advocacy
The Independent Mental Health Advocacy
The paid Relative Persons Representative.
• if it is necessary for our legitimate interests (or for the legitimate interests of someone else). However, we can only do this if your interests and rights do not override ours (or theirs). You have the right to challenge our legitimate interests and request that we stop this processing. See details of your rights in section 12 below.
We will not process your personal data for these purposes without your knowledge or consent. We will not use your personal data for an unrelated purpose and we will not share your information without your consent.
7 Examples of when we might process your personal data
7.1 For example:
• to carry out the advocacy work between us and including where relevant, its conclusion;
• offering SAFE training courses.
• anonymised monitoring information to enable compliance with our policies and our contractual obligations;
• within the organisation -directing our business and planning for the future;
• to defend ASNEW in respect of any investigation or litigation and to comply with any court or tribunal orders for disclosure; and
• for any other reason contained in the Privacy Notice issued.
7.2 We do not need your consent to process special categories of your personal data when we are processing it for the following purposes:
• where it is necessary to protect your vital interests or those of another person where you/they are legally incapable of giving consent;
• where processing is necessary for the organisation to defend against any legal claims.
• To follow the procedures set out in ASNEW’s Confidentiality Policy:-
▪ where information is given to an advocate that causes her/him to believe that the client is at risk from harm /another person is at risk.
▪ a child or adult is at risk of abuse.
▪ where a court of law or its agents legally demand disclosure, (it can be seen as obstruction not to respond to police questioning.)
▪ where information is given to an advocate that relates to acts of terrorism.
8 Sharing your personal data
We will not share your personal data with anyone outside of ASNEW without your permission unless it falls into the categories outlined above in 7.2
9 How should ASNEW process your personal data?
9.1 Everyone who works for ASNEW has responsibility for ensuring data is collected, stored and handled appropriately and in accordance with the law.
9.2 The Data Privacy Manager is responsible for reviewing this policy and updating the Board of Directors on ASNEW’s data protection responsibilities and any risks in relation to the processing of data. You should direct any questions in relation to this policy or data protection to this person.
9.3 Staff should only access personal data covered by this policy if you need it for the work they do for ASNEW and only if they are authorised to do so. The data should only be used for the specified lawful purpose for which it was obtained.
9.4 ASNEW staff should keep any personal data secure and not share it with unauthorised people.
9.5 Data should be regularly reviewed and updated.
9.6 Unnecessary copies of personal data will not be made unless requested by the person the data pertains to. Any data copies should be disposed of securely.
9.7 Strong passwords will be used.
9.8 Computer screens will be locked when not in use.
9.9 Data will be anonymised so that the data subject cannot be identified.
9.10 Drawers and filing cabinets will be locked. Paper with any personal data on will not be left on people’s desks.
9.11 Personal data will be shredded and disposed of securely when we have finished with it.
9.12 Help should be sought from the Data Privacy Manager if there is any uncertainty about data protection or if there are any areas of data protection or security we can improve upon.
9.13 Any deliberate or negligent breach of this policy may result in disciplinary action being taken in accordance with our disciplinary procedure.
9.14 It is a criminal offence to conceal or destroy personal data which is part of a subject access request (see below). This conduct would also amount to gross misconduct under our disciplinary procedure, which could result in dismissal.
10 How to deal with data breaches
10.1 ASNEW has robust measures in place to minimise and prevent data breaches from taking place. Should a breach of personal data occur then we must take notes and keep evidence of that breach. If the breach is likely to result in a risk to the rights and freedoms of individuals then we must also notify the Information Commissioner’s Office within 72 hours.
10.2 If you are aware of a data breach you must inform the Data Privacy Manager immediately and keep any evidence you have in relation to the breach.
11 Subject access requests
11.1 Data subjects can make a ‘subject access request’ (‘SAR’) to find out the information that ASNEW hold about them. This request must be made in writing. If ASNEW receives such a request it should be forwarded immediately to the Data Privacy Manager who will coordinate a response.
11.2 If any member of ASNEW would like to make a SAR in relation to their own personal data, this should make this in writing to the Data Privacy Manager. It must have a response within one month unless the request is complex or numerous in which case the period in which it must be responded to can be extended by a further two months.
11.3 There is no fee for making a SAR. However, if the request is manifestly unfounded or excessive ASNEW may charge a reasonable administrative fee or refuse to respond to the request.
12 Your data subject rights
12.1 You have the right to information about what personal data we process, how and on what basis as set out in this policy.
12.2 You have the right to access your own personal data by way of a subject access request (see above).
12.3 You can correct any inaccuracies in your personal data. To do you should contact the Data Privacy Manager.
12.4 You have the right to request that ASNEW erases your personal data where ASNEW were not entitled under the law to process it or it is no longer necessary to process it for the purpose it was collected. To do so you should contact the Data Privacy Manager.
12.5 Where ASNEW provides statutory advocacy services pertaining to the Mental Capacity Act and Mental Health Act there is a legal framework surrounding these services for which client information cannot be deleted and must be retained for six years.
12.6 ASNEW will retain anonymised statistical data in order to collect the anonymised statistics that are required by our funders, the records we hold will be retained for 18 months following closure on our secure cloud based case work management system.
12.7 While you are requesting that your personal data is corrected or erased or are contesting the lawfulness of ASNEW’s processing, you can apply for its use to be restricted while the application is made. To do so you should contact the Data Privacy Manager.
12.8 You have the right to object to data processing where ASNEW are relying on a legitimate interest to do so and you think that those rights and interests outweigh our own and you wish ASNEW to stop.
12.9 ASNEW will not process your personal data for the purposes of direct marketing.
12.10 You have the right to receive a copy of your personal data and to transfer your personal data to another data controller. ASNEW will not charge for this and will in most cases aim to do this within one month.
12.11 You have the right to be notified of a data security breach concerning your personal data.
12.12 In most situations ASNEW will not rely on your consent as a lawful ground to process your data. If we do however request your consent to the processing of your personal data for a specific purpose, you have the right not to consent or to withdraw your consent later. To withdraw your consent, you should contact the Data Privacy Manager
12.13 You have the right to complain to the Information Commissioner. You can do this be contacting the Information Commissioner’s Office directly. Full contact details including a helpline number can be found on the Information Commissioner’s Office website (www.ico.org.uk). This website has further information on your rights and our obligations.
Data Privacy Manager
Advocacy Services North East Wales
42 High Street, Mold Flintshire CH7 1BH
Tel: 01352 759332
Last Updated: 05/2018