Lincoln Area DialaRide is required to process relevant personal data regarding members of staff, volunteers, partners, stakeholders, clients and customers as part of its operation and shall take all reasonable steps to do so in accordance with this Policy.
Lincoln Area DialaRide has access to information concerning many groups and individuals and it is therefore imperative that the strictest confidentiality is maintained at all times.
Information belongs to the person or agency entrusting it to a member of staff / volunteer of Lincoln Area DialaRide. Any information passed on outside of Lincoln Area DialaRide will only be given with the express permission of the person or body which supplied the information unless Lincoln Area DialaRide is legally obliged to disclose it.
Lincoln Area DialaRide has a responsibility to ensure all staff and volunteers are aware of Data Protection principles and the need for confidentiality, and that they are aware of specific guidelines that may be developed for specialised areas of work.
All members of Lincoln Area DialaRide staff and volunteers are responsible for ensuring that any information they hold or are party to is handled in line with Lincoln Area DialaRide policies and the General Data Protection Regulation (GDPR) and Data Protection Act 2018.
All personal records, whether on paper or on computer, are covered by the GDPR and Data Protection Act 2018, and individuals and the organisation have criminal liability if they recklessly disclose personal information. A serious breach would be a disciplinary matter.
Care With Identification
It is accepted that most breaches of confidentiality are accidental rather than deliberate and it is important to remember never to break confidentiality regardless of how the information is received. It is important to recognise that descriptions of individual events and circumstances can lead to identification even when names have not been used.
It is accepted that on certain occasions you may need to discuss an issue with other people, for example the General or Deputy Manager. If this occurs it must be made absolutely clear that all people concerned are bound by confidentiality and that confidential matters must not be discussed outside Lincoln Area DialaRide.
Lincoln Area DialaRide realises that on rare occasions it may be necessary to breach the basic rules of confidentiality. For example, safeguarding situations concerning dangers to children, young people or other vulnerable people, may necessitate a breach of confidentiality. Where a staff member or volunteer feels that a matter is sufficiently serious they must report it to the General or Deputy Manager. They will make a decision as appropriate in line with Lincoln Area DialaRide policies and depending on the nature of the issue. It may also be necessary to consult with the Chairperson of the Board of Trustees of Lincoln Area DialaRide before a decision is made on the action to be taken.
Data Protection Controller
The General Manager of Lincoln Area DialaRide is the Data Controller and will endeavour to ensure that all personal data is processed in compliance with this Policy and the Principles of the GDPR and Data Protection Act 2018. The Freedom of Information Act 2000 is also relevant to parts of this policy.
Lincoln Area DialaRide recognises the General Data Protection Regulation (GDPR) and is actively working towards compliance with the Regulation.
Lincoln Area DialaRide shall, as far as is reasonably practicable, comply with the Data Protection Principles contained in the GDPR and Data Protection Act to ensure that all data is:
Fairly and lawfully processed
Processed for a lawful purpose
Adequate, relevant and not excessive
Accurate and up to date
Not kept for longer than necessary
Processed in accordance with the data subject’s rights
Not transferred to other countries without adequate protection
Personal data covers both facts and opinions about an individual where that data identifies an individual. For example, it includes information necessary for employment such as the member of staff’s name and address and details for payment of salary. Personal data may also include sensitive personal data as defined in the Act.
Processing of Personal Data
Consent may be required for the processing of personal data unless processing is necessary for the performance of the contract of employment. Any information which falls under the definition of personal data and is not otherwise exempt will remain confidential and will only be disclosed to third parties with appropriate consent.
Lincoln Area DialaRide processes some personal data for direct marketing and fund-raising purposes. Data subjects have the right to request an opt-out from these activities, which must be respected.
Sensitive Personal Data
Lincoln Area DialaRide may, from time to time, be required to process sensitive personal data. Sensitive personal data includes data relating to medical information, gender, religion, race, sexual orientation and criminal records and proceedings.
Rights of Access to Information
Data subjects (i.e. individuals who are the subject of the personal data) have the right of access to information held by Lincoln Area DialaRide, subject to the provisions of the Data Protection Act 2018 and the Freedom of Information Act 2000. Any data subject wishing to access their personal data should put their request in writing to the General Manager (or Deputy Manager in their absence). Lincoln Area DialaRide will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event, within 30 days for access to records and 21 days to provide a reply to an access to information request. The information will be imparted to the data subject as soon as is reasonably possible after it has come to Lincoln Area DialaRide’s attention and in compliance with the relevant Acts.
Certain data is exempt from the provisions of the Data Protection Act which includes the following:-
The assessment of any tax or duty
Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon Lincoln Area DialaRide, including Safeguarding and prevention of terrorism and radicalisation.
The above are examples only of some of the exemptions under the Act and the list is therefore not exhaustive.
Lincoln Area DialaRide will endeavour to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify the Data Processor of any changes to information held about them. Data subjects have the right in some circumstances to request that inaccurate information about them is erased. This does not apply in all cases, for example, where records of mistakes or corrections are kept, or records which must be kept in the interests of all parties to which they apply.
If an individual believes that Lincoln Area DialaRide has not complied with this Policy or acted otherwise than in accordance with the Data Protection Act, the member of staff should utilise the grievance procedure (as shown in the Staff Handbook) and should also notify the General Manager (or Deputy Manager in their absence).
Lincoln Area DialaRide will take appropriate technical and organisational steps to ensure the security of personal data. All staff will be made aware of this policy and their duties under the Act. Lincoln Area DialaRide and therefore all staff are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to all personal data. Personal data must be stored in appropriate systems and an appropriate level of data security must be deployed for the type of data and the data processing being performed.
Other personal data may be for publication or limited publication within Lincoln Area DialaRide, therefore having a lower requirement for data security. Attention is also drawn to the Company’s Security Policy and Email, Internet & Social Media Policy, which provide more specific information on digital data protection.
Lincoln Area DialaRide must ensure that data processed by external processors (for example, service providers, Cloud services such as storage and web sites etc.) are compliant with this policy and the relevant legislation.
When data held in accordance with this policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction.
Retention of Data
Lincoln Area DialaRide may retain data for differing periods of time for different purposes as required by regulatory requirements and/or best practices.
Other statutory obligations, legal processes and enquiries may also necessitate the retention of certain data. Lincoln Area DialaRide may store some data (such as registers and photographs) indefinitely in its archive.