The Data Protection Act 2018 (DPA) is the UK’s implementation of the General Data Protection Regulation (GDPR) and controls how your personal information is used by organisations, businesses or the government.
Youth Legal is committed to meeting its legal and moral obligations under the DPA.
Youth Legal will strive to observe the law in all collection and processing of personal data and will meet any subject access requests in compliance with the law.
Youth Legal will take due care in the collection and storage of any sensitive data.
Youth Legal staff will do their utmost to keep all data accurate, timely and secure.
Youth Legal needs to keep certain information about staff, volunteers, clients, agencies and other organisations in order to operate in accordance with legal requirements and its contract with the Legal Aid Agency, as well as to operate effectively. The organisation recognises that all staff, clients, volunteers, trustees and other users are entitled to know what personal information Youth Legal holds and processes about them, all purposes for which the information will be used and how long it will be kept. The procedure section of this document outlines how staff and volunteers can exercise their rights to obtain access to, or restrict use of, their information.
To comply with the relevant legislation, all information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, Youth Legal complies with the principles set out in Article 5 of the GDPR.
In summary these state that personal data shall be:
• Processed lawfully, fairly and transparently
• Obtained for specified, explicit and lawful purposes and only processed for those purposes
• Adequate, relevant and limited to what is necessary to achieve the purposes for which it was collected
• Accurate and up to date
• Kept for no longer than necessary
• Protected by appropriate security
Data Protection Officer
Youth Legal is registered with the Information Commissioner's Office (ICO). After reviewing the Law Society's guidance, we do not believe a Data Protection Officer role is necessary for our organisation. We do need to ensure that Youth Legal's notification with the Information Commissioner is kept up to date, and the Director, who is a suitably senior and qualified person, will lead on data protection compliance. She/he will also be responsible for checking that staff and managers are aware of their data protection responsibilities and for making sure that Youth Legal's procedures are in line with the General Data Protection Regulation. In the absence of the Director, the Chair of the Board of Trustees will lead.
These procedures relate to the use of personal data, i.e. information about individuals. This includes client or case records, membership/mailing lists, records of staff or volunteers and contact databases that contain named individuals. Information that is intended to become part of these systems, and any set of files where you can easily go to information about a specific individual (e.g. files that are numbered and there is a list matching client names to numbers), is also covered by these procedures. Personal data also includes an individual's IP address.
Lawful Means of Processing Data
The GDPR sets out the circumstances in which the processing of personal data is lawful. These are:
• Consent, which can be withdrawn at any time
• Compliance with a legal obligation
• Processing necessary to protect the vital interests of a person whose personal data has been collected
• Processing necessary for the purposes of the legitimate interests of Youth Legal
It is important that the lawful grounds for processing personal data are documented by Youth Legal staff at the time the data is obtained.
Where Extra Care must be taken
Sensitive Personal Data
Where sensitive personal data (including data relating to a person's racial or ethnic origin, or political, religious or philosophical beliefs) is to be processed, additional care must be taken. If sensitive personal data is to be processed, the processing must fall within certain categories. The two most relevant for Youth Legal are:
• Necessary for the establishment, exercise or defence of legal claims.
Information to be Provided
Whenever Youth Legal processes personal data, all clients, staff, users etc. must be given information about how their data is used. A standard statement on forms, a standard paragraph in letters for new users or a notice in a contract is sufficient, but should be tailored to the particular circumstances. Such a statement or paragraph needs to cover:
• The identity of the organisation (Youth Legal) obtaining the data.
• The purpose for which the data are being processed and the legal basis for processing. Managers must review the data protection implications whenever information is used for any new or slightly different purpose.
• Any possible disclosures to other organisations, with an opt-out from such disclosure where this is appropriate.
• Which data items on forms are voluntary.
• An explicit explanation of why sensitive data, if any, is needed.
• How long the information is to be held.
• The right to request rectification or erasure of information.
• The right to complain to the Information Commissioner's Office about misuse of personal data.
This information should be communicated in a clear and comprehensible form, particularly where the personal data relates to a child.
Individual’s access to information
Clients, all staff members, volunteers and users of Youth Legal services have the right to view all information held about them and to have a copy of the information.
All requests to gain access to information held must be made in writing to the Chair of the Board of Trustees and accompanied by proof of identity.
Youth Legal will provide a copy of the information requested as soon as possible, and in any case within one calendar month.
Please note: requests to see all personal data have a legal status and must be handled correctly. All requests must be overseen by the Chair of the Board of Trustees and Director.
Restrictions on access
There is some information that Youth Legal does not have to provide. This mainly applies where the information identifies other individuals.
Individuals do not have the right to see confidential references sent by Youth Legal. They may, however, make an application to the recipient of the reference. To avoid confusion, all staff requesting references should specify whether the reference is expected to be provided in confidence and kept confidential, or to be accessible to the data subject.
Security and confidentiality
All managers are responsible for ensuring that:
• Staff and volunteers are aware of this policy and the requirements of the GDPR outlined within it when they collect or handle data about an individual.
• Staff and volunteers within their teams work within the guidelines of the Youth Legal policy.
• Access to files by staff and volunteers is restricted.
• All manual files within their service containing personal data are kept locked in cabinets.
All staff are responsible for ensuring that:
• Information about data processing and data protection rights is covered during inductions or during initial meetings with new users/clients.
• Confidentiality is maintained and personal data is not disclosed unnecessarily.
• All personal data which they hold (e.g. client files and case notes) is kept securely.
• Unauthorised personnel do not have access to others' personal data. For example, files containing personal data must not be left on desks unattended and must be locked away in storage at the end of each day.
• Data is not lost or damaged while in their care. Access to personal information held on computers is restricted by passwords.
• Personal information which they provide to Youth Legal in connection with their employment is accurate and up to date.
In addition, staff must not share personal data with other organisations unless consent has been given or it is necessary for service provision.
Disposing of data
In general, data must not be kept for longer than necessary and cannot be kept without good reason. In particular, Criminal Records Bureau (CRB) disclosures must not be kept for longer than 6 months. Please see the CH policy for the handling, use and storage of CRB disclosures for further details.
All personal data must be destroyed via shredding. While awaiting destruction, personal data will be kept securely. Managers are responsible for ensuring that data is not kept longer than necessary and that it is disposed of via shredding.
Email and the Web
Staff and volunteers must take care when sending someone’s personal data in an email.
They must know who will be receiving the information and confirm that no-one else has access to the email account.
Staff must make sure email addresses are not disclosed unnecessarily or inadvertently, e.g. use the bcc field when sending to multiple addresses. Sensitive information should be sent via a secure email service such as Egress.
Staff must get written consent before publishing photographs of individuals on a website or in a publication.
The use of any photographs and the length of time they will be used should be made clear to the individual (the annual report one year is different from a photo that appears in every advert for a service over a decade).
Data Protection Impact Assessment (DPIA)
A DPIA is a process to help us identify and minimise the data protection risks of any processing at Youth Legal that is likely to result in a high risk to individuals. This includes some specified types of processing.
We have consulted the ICO's screening checklists to help us decide when and if we need to do a DPIA, and found that we do not carry out any major projects that require data processing of the kinds listed on the ICO's website screening checklist.
We have assessed the level of risk, the likelihood and the severity of any impact on individuals, and have found that our data processing does not present a high risk, i.e. neither a high probability of some harm nor a lower possibility of serious harm.
We will carry out yearly reviews of this policy to confirm there is no change to the risk.
We will endeavour to train our staff in data processing regulations through webinars and other online channels. This is so that our staff understand the need to consider a DPIA at the early stages of any plan involving personal data.
Data Retention Timescales
Our procedure for identifying and reviewing data retention timescales is to keep up to date with the Solicitors Regulation Authority rules for retaining client records and to update as necessary. At present we must keep client records for 6 years. We also review yearly our policy of retaining other records for one year, whether anonymised or not.
Data Protection Breaches
A data protection breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
All data protection breaches involving employees and clients must be reported to the Director, Valerie Clark. The report should specify the nature of the breach, the nature of the data involved in the breach, the scope of the breach, a description of the events relating to the breach, any employees or clients involved, when the breach occurred and any other relevant information.