When organisations think about the Data Protection Act, they often ask if there is a template policy they can adopt. This article will get you started on the basics of putting together a policy and adopting good practice.
Data Protection is not about following a fixed set of rules which are the same for everyone; it’s about complying with the eight Principles of the Data Protection Act. These Principles are very general. In any given situation there are probably several courses of action that would be equally compliant. Which one you choose depends on how your organisation works, what kind of clients you work with, and so on.
Compliance with Data Protection is important to get right: not only is lost data damaging to business reputation and continuity, but the Information Commissioner's Office (ICO) is starting to fine organisations heavily for breaches.
IMPORTANT NOTE - Should you suspect a data security breach or need to report a loss of personal data, see these pages from the ICO. All health service organisations and voluntary sector partners in England must now use the NHS IG (Information Governance) Toolkit Incident Reporting System. This will report IG SIRI (Serious Incident Requiring Investigation) to the Health and Social Care Information Centre (HSCIC), Department of Health, ICO and other regulators.
Everyone who is responsible for using data has to follow strict rules called ‘data protection principles’, which are neatly summarised on the Out-Law website.
Organisations must make sure the information is:
All organisations must adhere to these principles. In addition, some types of organisation and profit-making enterprises will also need to register with (or notify) the ICO of the fact that they are holding members' or customers' data. To find out if you need to register, this quick online self-assessment test will let you know.
In addition there is a section on the NHS Information Governance Toolkit that outlines the requirements specifically for voluntary sector organisations that provide social care services. It covers Data Management, Confidentiality and Data Protection, Information Security and Clinical Assurance.
The Data Protection Policy Framework Document (152 Kb RTF) contains suggested headings, topics and sample text which will be applicable for a typical Data Protection Policy for a voluntary sector organisation. For convenience, the framework is split into 10 main areas which are then subdivided. These areas are:
The ICO publishes a wide range of leaflets, briefing notes, guides and training materials free of charge for both individuals and organisations.
The HSCIC (Health & Social Care Information Centre) on-line learning toolkit will help you work through your organisation's Information Governance compliance. (Account Registration required).
A report published by the ICO in January 2015 has highlighted some of the problems connected to data protection and information security in small charities. The 'areas for improvement' list (starting on page 10) could be a useful Action Plan for an organisation. See how many you can tick off! (Direct link to download the report here - 220kb PDF).
Download: The Data Protection Policy Framework Document (152 Kb RTF) contains suggested headings, topics and sample text which will be applicable for a typical Data Protection Policy for a voluntary sector organisation.
Download: A simple Data Protection Checklist and Policy, which contains advice an organisation should consider when drafting a policy, and also includes a list of the 8 Data Protection Principles.
Guidance: FREE printed publications request page and download links from the Information Commissioner's Office (ICO) and the 'THINK PRIVACY' Toolkit for Charities
Publication: Data Protection for Voluntary Organisations, Paul Ticher
With thanks and acknowledgements to Paul Ticher, this article is an updated and abridged version of an earlier Lasa ICT Knowledgebase article, 'Data Protection Policies'.
Paul Ticher also runs regular webinars for voluntary sector organisations on Data Protection and Data Security. See the list of upcoming broadcasts here.
Connecting Care issues a monthly e-bulletin rounding up the latest technology and social care stories for providers of adult and social care. It's free for anyone interested in technology and adult social care.