Headway East Kent General Data Protection Regulation Policy (GDPR)
Headway East Kent needs to collect and use personal data about clients, carers, staff, trustees, volunteers, members and supporters/donors etc. (hereby recognised as “data subjects”) in order to carry out our business effectively and to provide high quality services. We recognise that the lawful and correct treatment of personal data is very important to maintain confidence between ourselves, our clients, their carers and families, our staff, trustees and volunteers and professionals in the field of brain injury.
Any personal data we collect, record or use in any way, whether it is held on paper, computer or on other media, will have appropriate safeguards applied to it to ensure we comply with the General Data Protection Regulation (May 2018) and the Data Protection Act, 1998 and adhere to the 8 principles of data protection, as set out in the Act, which states that personal data must be:
- Fairly and lawfully processed
- Processed for limited purposes and not in any other way which would be incompatible with those purposes
- Adequate, relevant and not excessive
- Accurate and kept up to date
- Not kept for longer than is necessary for the purpose
- Processed in line with the data subject’s rights
- Kept secure, and
- Not transferred to a country which does not have adequate data protection laws
In order to adhere to these principles we will:-
- Observe the conditions concerning the fair collection and use of personal data
- Meet our obligations to specify the purposes for which personal data is used
- Collect and process appropriate personal data only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements
- Ensure the quality of personal data used
- Apply strict checks to determine the length of time personal data is held
- Ensure that the rights of individuals about whom the personal data is held can be fully exercised under the Act
- Take appropriate security measures to safeguard personal data, and
- Ensure that personal data is not transferred abroad without suitable safeguards.
Headway East Kent will conduct a risk impact assessment and mapping exercise to review what data is collected, how it is used and shared with others.
Where we collect any sensitive data we will take appropriate steps to ensure that we have explicit consent by issuing agreements to obtain permission to hold, use and retain the information. Sensitive data is personal data that clearly identifies the person including name, address, date of birth, telephone number and next of kin. It also can include other sensitive information about an individual’s physical or mental health conditions, racial or ethnic origin, religious beliefs, sexual orientation, details of any offences or alleged offences and any court proceedings relating to the commission of an offence.
We do not normally have the need to provide information we retain on any of our data subjects to organisations or individuals outside Headway East Kent, other than to Social Services and other related statutory bodies during the course of a client’s time with us or their reviews.
Occasionally, we might wish to evaluate our data for research and study purposes and on these occasions we would give information to third parties such as university students who are carrying out the work. On these occasions only a summary in statistical form would be gathered. In cases where individual case studies were required, we would always request specific written permissions from the individual members of staff.
Headway East Kent has decided that the following categories of contacts will be considered as having a “legitimate interest” and will therefore not be required to sign a permissions agreement:
- Website enquiries
- Hospital patients/carers
Headway East Kent respects the privacy of data subjects and in connection with the handling of information it will ensure that:
- The CEO/General Managers are the Data Controllers for Headway East Kent and as such assume overall responsibility for data captured and stored
- Everyone managing and handling personal information (known as Data Collectors) understands the requirements of the Act and their responsibilities under it
- Everyone managing and handling personal information is appropriately trained to do so
- Everyone managing and handling personal information is appropriately supervised
- Queries about handling personal information are promptly and efficiently dealt with
- A regular review and audit is made of the way in which personal information is managed
- Methods of handling personal information are regularly assessed and evaluated
Under the Data Protection Act and General Data Protection Regulation (May 2018) any individual may write to the Data Controller of Headway East Kent, at our Registered Office: Headway House, Kent & Canterbury Hospital, Ethelbert Road, Canterbury, Kent CT1 3NG and request a copy of the information we hold about them. After the individual has proved their identity, the Data Controller will disclose to the individual all data held on them in an easily readable form. In accordance with GDPR, information is provided free of charge within 30 days. However, Headway East Kent reserves the right to charge a “reasonable” administration fee when a request is manifestly unfounded or excessive, or particularly if it is repetitive.
If the data subject believes that the information we hold on them is inaccurate then they are entitled to ask for it to be amended.
All data subjects under Article 17 have “the right to be forgotten”. If the subject is no longer working with, or a client of the charity, Headway East Kent will delete all data being held immediately upon request. However, Headway East Kent would not be able to continue to offer a service to these individuals.
Data Controllers are legally required to ensure that the information is processed securely and that the risk of accidental loss or inappropriate access is minimised. Failure to comply with new legislation could result in the loss of personal/sensitive data and could cost the organisation a large amount in fines.
Headway East Kent is responsible for keeping all data safe. This is required for all data whether kept in electronic or written form. Data is stored electronically on the charity’s own password protected computers or laptops and is backed up on encrypted sticks or to the cloud. Paper information is kept in lockable filing cabinets.
Headway East Kent will use a secure local authority pro-contract notifications system to receive sensitive client data.
Headway East Kent staff will be responsible for ensuring that all devices used to capture data are downloaded with suitable anti-virus protection programmes. Private emails for current staff members will not be used and any documents or information downloaded to USB sticks must be encrypted and passworded accordingly.
Any breaches of data will be investigated by the Data Controller within 24 hours of notification and will be recorded in Headway East Kent’s Data Breach Register. Steps will be taken to mitigate the breach. Where there is a considered serious breach, the Data Controller will inform the Information Commissioner’s Office (ICO) within 72 hours and the Charity Commission as soon as possible.
Headway East Kent will obtain evidence that their operations are compliant with the GDPR from all business partners who handle and process data on its behalf to undertake administration processes. This may include obtaining a copy of their own Data Protection Policy and/or an acknowledgement that they have read and comply with our data protection policy.
Data will be stored for as long as contacts remain Clients, Carers, Volunteers, Staff, Trustees/Directors, Supporters or Donators of Headway East Kent and for a set number of years following discharge from the service, as outlined in Headway East Kent’s Record Retention Policy. Any subjects requiring access to their data will need to write to the Data Controllers at Headway East Kent. It is the responsibility of the data subject to advise Headway East Kent of any changes to their records.
Headway East Kent will obtain disclaimers from all parties accessing its data from personal devices such as homeworkers using PCs, laptops, iPads, iPhones etc. to confirm that they are responsible for keeping the data safe and secure by password protecting their devices. Whilst it is accepted that this applies largely to employees of the Company, it may also apply to Trustees/Directors.
All confidential waste, being sensitive data no longer required, will be disposed of by means of either shredding, if paper, or removal from all areas, if electronically stored.
Headway East Kent has membership of the Information Commissioner’s Office (ICO) which provides comprehensive information on the GDPR and the legal requirements for compliance.