This checklist highlights 12 steps we at One Voice 4 Travellers are taking for the General Data Protection Regulation (GDPR) which will apply from 25 May 2018.
It is essential for us to plan our approach to GDPR compliance now and to have ‘buy in’ from key people at One Voice 4 Travellers, for example to put new procedures in place to deal with the GDPR’s new transparency and individuals’ rights provisions.
The GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability. Compliance with all the areas listed in this document requires One Voice 4 Travellers to review its approach to governance and how it manages data protection as a corporate issue. One aspect of this is that we have reviewed the contracts and other arrangements we have in place when sharing data with other organisations.
1 Awareness
We make sure that decision makers and key people in our organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR. It has been useful to start by looking at our organisation’s risk register. Implementing the GDPR could have significant resource implications, and we at One Voice 4 Travellers will comply with it.
Placed as an agenda item on team meetings, management meetings and board meetings from February 2018 and thereafter.
2 Information we hold
We have documented what personal data we hold, where it came from and who we share it with. We have organised an information audit across the organisation. The GDPR requires us to maintain records of our processing activities. It updates rights for a networked world. For example, if we have inaccurate personal data and have shared this with another organisation, we will have to tell the other organisation about the inaccuracy so it can correct its own records. We won’t be able to do this unless we know what personal data we hold, where it came from and who we share it with. We have documented this. Doing this will also help us to comply with the GDPR’s accountability principle, which requires organisations to be able to show how they comply with the data protection principles, for example by having effective policies and procedures in place.
Documents held | Information | Reason why
Case notes | Name & contact details | Not now displayed on case notes; now on the overall case registration, which is held in the office on computer or, if paper, in a lockable filing cabinet.
Case notes | Age group | Monitoring of the impact of the project in terms of age coverage; certain age groups may require additional action, i.e. under 18 years of age require consent from a parent/guardian.
Case notes | Ethnicity | Monitoring of the impact of the project in terms of coverage of the various community groups under the name Gypsy, Traveller, Roma; to enable any adjustments to work to be made for cultural reasons.
Case notes | Disability | Monitoring of the impact of the project in terms of access for people with a disability; monitor and implement any changes that need to be made for the person to get the most out of the project and to facilitate carers if required.
Case notes | Vulnerable adult | Awareness and monitoring.
Case notes | Marital status | Monitoring of project coverage and whether cultural adjustment to the project is needed.
Case notes | Number of children | Monitoring of the project, adjustment of activity/meeting requirements, child protection awareness and monitoring.
Case notes | Who children live with | As Number of children above.
Case notes | Type of home venue | Risk assessment for workers/volunteers; implications for adjustment of activity or meeting, i.e. venue adjustments.
Case notes | Notes of work | For quality control, development of the project, capacity of worker/volunteer for additional work.
Closed Issue sheet | List of yes/no statements | Used as a tool for worker/volunteer and service user to agree that work is finished and the case closed, or how work will progress after the issue/activity/agreed programme has finished.
Risk Assessment | List of prompt questions | Questions tailored to each project and therefore relevant to the work; gives information such as conditions of the home, surrounding area, animals, potential aggression from family, friends or other individuals. Used to assess risk and allocation of the case as indicated by the supervisor (we have a traffic light coding system where individuals are trained up to and including particular colours, i.e. red = high risk case, e.g. high violence in the home and/or from other persons; yellow = medium risk, such as the majority of DV/DA cases; green = such as filling in forms or undertaking play activities for children on a site).
Overall monitoring | Monitoring of case | Each project which requires working with person/s has its own overall monitoring sheet, which consolidates information from case notes and the closed issue sheet. Contact details are not added to this monitoring sheet; only case numbers from the case registration are used as identifiers (see case registration below).
Case registration | List of those being worked with on the project | Each project which requires working with person/s has its own case registration document. At the beginning of formal engagement (prior to this there may be engagement to promote the project etc.) each person/s is placed on the ‘case registration’ and given a unique case number.
Caravan Diary | When caravan in use | All cases using the caravan diary will have a WAG case number; only the WAG case number together with the number of nights will be placed on the caravan diary. Any request for a caravan stay by anyone will only progress with the authorisation of one of the two managers (Shirley or Janie).
Personal data of staff and volunteers
All data pertaining to staff and volunteers is securely saved on a computer in the office with a disabling facility.
External access to any information on client, personal or volunteer
At no time will any information concerning a person’s details be given out without first requesting permission from them (this will be done on each request and not presumed if given previously) or unless required to do so by law. Management must be kept fully informed of the organisation requesting the information, why it is requesting it and how it will use it, thus enabling us to give as much information as possible to the person/s whose information it is and so enabling them to make an informed choice.
Where information is kept
All cases which are being worked on are to be kept on a One Voice 4 Travellers laptop and held only by the staff member or volunteer working on behalf of One Voice 4 Travellers. The laptop must have been registered for ‘screamers’ and disabling (all computers owned by One Voice 4 Travellers have this registration); no computer which does not belong to One Voice 4 Travellers may be used for our work. The client must be informed what information is being kept and why. All clients must agree to information being kept before gathering of said information commences.
Information retained concerning a client, member of staff or volunteer must not be printed out in paper format unless necessary to undertake the task in hand. Only those who have the authority to undertake such action (authority given by the client and One Voice 4 Travellers) may do so. If printing is needed, the work must be printed on the One Voice printers within the office. All paper information must be placed within the lockable filing cabinet within the office.
At no time may information which contains personal data be stored on saver keys.
If any person thinks at any time that a laptop, computer or other storage equipment has been lost, stolen or accessed by a person or persons who do not have clearance to do so, i.e. ‘hacked into’, they must inform their manager (Shirley or Janie); if their manager is not available then the other manager must be informed IMMEDIATELY.
3 Communicating privacy information
We reviewed our current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. When we collect personal data we currently have to give people certain information, such as our identity and how we intend to use their information. This is usually done through a privacy notice. Under the GDPR there are some additional things we will have to tell people. For example, we will need to explain our lawful basis for processing the data, our data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way we are handling their data. The GDPR requires the information to be provided in concise, easy to understand and clear language. The ICO’s Privacy notices code of practice reflects the new requirements of the GDPR.
We have a confidentiality policy for workers and also a confidentiality agreement for service users and workers to fill in together with the service user (see attached at end of document).
4 Individuals’ rights
We have checked our procedures to ensure they cover all the rights individuals have, including how we would delete personal data or provide data electronically and in a commonly used format. The GDPR includes the following rights for individuals:
the right to be informed;
the right of access;
the right to rectification;
the right to erasure;
the right to restrict processing;
the right to data portability;
the right to object; and
the right not to be subject to automated decision-making including profiling.
On the whole, the rights individuals will enjoy under the GDPR are the same as those under the DPA but with some significant enhancements. As we are geared up to give individuals their rights now, the transition to the GDPR is relatively easy. This is a good time to check our procedures and to work out how we would react if someone asks to have their personal data deleted, for example. Would our systems help us to locate and delete the data? Who will make the decisions about deletion? The right to data portability is new. It only applies:
to personal data an individual has provided to a controller;
where the processing is based on the individual’s consent or for the performance of a contract; and
when processing is carried out by automated means.
We have considered whether we need to revise our procedures and made any changes. We will provide the personal data in a structured, commonly used and machine readable form and provide the information free of charge.
Confidentiality agreement revised to include a statement of the above on 19/1/18.
5 Subject access requests
We have updated our procedures and planned how we will handle requests to take account of the new rules:
In most cases we will not be able to charge for complying with a request.
We will have a month to comply, rather than the current 40 days.
We can refuse or charge for requests that are manifestly unfounded or excessive.
If we refuse a request, we must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy. We must do this without undue delay and at the latest, within one month. If our organisation handles a large number of access requests, consider the logistical implications of having to deal with requests more quickly. We could consider whether it is feasible or desirable to develop systems that allow individuals to access their information easily online.
Updated confidentiality policy and confidentiality agreement.
6 Lawful basis for processing personal data
We have identified the lawful basis for our processing activity in the GDPR, documented it and updated our privacy notice to explain it. Under the current law this does not have many practical implications. However, this will be different under the GDPR because some individuals’ rights will be modified depending on our lawful basis for processing their personal data. The most obvious example is that people will have a stronger right to have their data deleted where we use consent as our lawful basis for processing.
We will also have to explain our lawful basis for processing personal data in our privacy notice and when we answer a subject access request. The lawful bases in the GDPR are broadly the same as the conditions for processing in the DPA. It has been possible to review the types of processing activities we carry out and to identify our lawful basis for doing so. We have documented our lawful bases in order to help us comply with the GDPR’s ‘accountability’ requirements.
Legitimate interests: By collecting and processing the personal data outlined in section 2 above we are enabling third parties, i.e. funders, the general non-GTR public and services, to develop a greater understanding of the issues which affect GTR on a daily basis. It also enables us to inform the funder of our coverage of the work being undertaken, and acts as a quality measure.
7 Consent
We have reviewed how we seek, record and manage consent and whether we need to make any changes. We have read the detailed guidance the ICO has published on consent under the GDPR, and used our consent checklist to review our practices. Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in; consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and we have simple ways for people to withdraw consent. Consent has to be verifiable, and individuals generally have more rights where we rely on consent to process their data. We are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if we rely on individuals’ consent to process their data, we will make sure it meets the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.
Consent for data collection is given in the confidentiality agreement form and also in case notes. This requires the list of information to be given both verbally and in writing, and the person has to agree in a culturally acceptable manner, i.e. a shake of the hand, plus signing (including putting their mark) on the form. All staff and relevant volunteers have this included within their basic training and the refresher courses run each year.
8 Children
We have started thinking now about whether we need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity. For the first time, the GDPR brings in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK). If a child is younger then we will need to get consent from a person holding ‘parental responsibility’. At all times we at One Voice 4 Travellers remember that consent has to be verifiable and that when collecting children’s data our privacy notice must be written in language that children will understand.
At the moment we do not hold children’s data except as part of family group data; however, we have consent from the children’s parent/carer if and when required, and also information for children on consent for photos and information (see attached at end of document) which has been developed through community consultations and good practice.
9 Data breaches
We have made sure we have the right procedures in place to detect, report and investigate a personal data breach.
The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals. We only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals: if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will also have to notify those concerned directly in most cases. We have put procedures in place to effectively detect, report and investigate a personal data breach. We have assessed the types of personal data we hold and documented where we would be required to notify the ICO or affected individuals if a breach occurred.
See One Voice 4 Travellers Limited Confidentiality Policy (at end of this report)
10 Data Protection by Design and Data Protection Impact Assessments
We at One Voice 4 Travellers feel it is good practice to adopt a privacy by design approach and to carry out a Privacy Impact Assessment (PIA) as part of this. However, the GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. It also makes PIAs – referred to as ‘Data Protection Impact Assessments’ or DPIAs – mandatory in certain circumstances. A DPIA is required in situations where data processing is likely to result in high risk to individuals, for example:
where a new technology is being deployed;
where a profiling operation is likely to significantly affect individuals; or
where there is processing on a large scale of the special categories of data.
If a DPIA indicates that the data processing is high risk, and we cannot sufficiently address those risks, we will be required to consult the ICO to seek its opinion as to whether the processing operation complies with the GDPR. We have therefore started to assess the situations where it will be necessary to conduct a DPIA. Who will do it? Who else needs to be involved? Will the process be run centrally or locally? We have also familiarised ourselves with the guidance the ICO has produced on PIAs as well as guidance from the Article 29 Working Party, and worked out how to implement them in our organisation. This guidance shows how PIAs can link to other organisational processes such as risk management and project management.
See end of report for notes on how to undertake, when and why
11 Data Protection Officers
We have designated someone to take responsibility for data protection compliance and assessed where this role will sit within our organisation’s structure and governance arrangements. We have considered whether we are required to formally designate a Data Protection Officer (DPO). We must designate a DPO if we are:
a public authority (except for courts acting in their judicial capacity);
an organisation that carries out the regular and systematic monitoring of individuals on a large scale; or
an organisation that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions. The Article 29 Working Party has produced guidance for organisations on the designation, position and tasks of DPOs. It is most important that someone in our organisation, or an external data protection advisor, takes proper responsibility for our data protection compliance and has the knowledge, support and authority to carry out their role effectively.
However, as we are a small charity, responsibility for data protection compliance is every person’s responsibility; the two managers will take a lead role within data protection. This position will be reviewed annually.
Shirley Barrett (if not available then Janie Codona)
External data protection advisor
David Bailey, Traveller & Diversity Manager, Fenland District Council
Tel: 01354- 622451, Mob: 07960- 955591, e-mail dbailey@fenland.gov.uk
12 International: N/A to One Voice 4 Travellers Limited
Confidentiality means that details about other people must only be disclosed on a need-to-know basis.
Who can look at case studies
The Managers of One Voice 4 Travellers need to sign off all cases and also monitor quality; therefore the Management team has access to all case studies and details. It is the duty of the Manager to inform the board and also the co-Manager if they are related to or know the person personally.
If the key worker is absent from work and information is needed about their case, a fellow worker authorised at the same or a higher work level may access the file, and only with Management consent.
Where are case files kept
All paper case files are kept securely in a locked filing cabinet. Files are kept for five years because an audit may be requested.
Electronic files are kept in a secure case-held file and, when closed, placed on a secure saver key and, as with paper files, kept for five years because they may be needed for audit.
At the end of five years files are destroyed by shredding and/or burning and keys are wiped clean. A client may request to be present at the destruction of their file.
Definition of Confidentiality
One voice understands confidentiality to mean that no information regarding a service user shall be given directly or indirectly to a third party, which is external to one voice workers and management, without the service user’s prior expressed consent to disclose such information.
One Voice recognises that all users must be able to access its services in confidence and that no other person will ever know that they have used One Voice services. All staff must ensure that no discussions relating to an individual user can lead to the identification of that person; a case may be discussed and issues explored without identifying the person(s) concerned.
One Voice recognises that users need to feel secure in using its services in a confidential manner. One Voice will ensure that all users are afforded confidential interview space (if required) and will ensure that mechanisms are used to ensure no breach of confidentiality can occur inadvertently.
Confidentiality may be breached in cases of child and vulnerable adult protection. One Voice’s policy regarding this, and regarding other situations where someone is perceived to be at risk or has broken the law which may have an impact on the whole organisation, is available on request.
Why we collect our information
Legitimate interests: By collecting and processing the personal data outlined in section 2 above we are enabling third parties, i.e. funders, the general non-GTR public and services, to develop a greater understanding of the issues which affect GTR on a daily basis. It also enables us to inform the funder of our coverage of the work being undertaken, and acts as a quality measure.
Confidentiality agreement
Person name
Case number
Workers name
If I see you in the street, do I say hello or recognise you in any way?
If I ring and someone else answers, what do I say?
If I meet your friends, children or family members, who do I say I am?
If I see you at a social occasion, do I say hello or recognise you in any way?
Please remember that workers and volunteers for One Voice 4 Travellers may be at a social event you are attending; in this situation they are not at work and therefore cannot undertake work or update you on situations. Please contact them when they are at work.
If you find out a worker’s or volunteer’s personal contact details, such as address or phone number, please do not telephone them at home or visit uninvited for work purposes.
As a service user of One Voice 4 Travellers you have the right:
to be informed of what is happening to your information at any one time
to access information held by us about yourself or, if a carer or parent, about the adult or child concerned
to rectification of any information which is incorrect or which you feel gives the wrong impression, or to add to the information
to erasure of any personal information we hold on you or, if caring for another individual or a parent/guardian, on the person concerned
to restrict processing of all or part of the information
to data portability of all or part of the information
to object, and to have your concerns taken seriously
not to be subject to automated decision-making including profiling.
One Voice 4 Travellers will not share your information unless you are asked first or we are required to do so by law.
If at any time we wish to use your case study you will be asked first, and information will be changed as far as possible so that your identity, and those you have discussed within your work with us, will not be recognised.
Agree Disagree
Additional adjustments to above
We will keep your information for a maximum of five years in secure lockable storage (or, in the case of computer information, on a secure saver key); after five years your information will be destroyed or returned to you, whichever you request (if you would like information returned to yourself, please keep us up to date with any changes of address within the five year time scale).
Would like to have returned
Happy for One Voice 4 Traveller to destroy after five years
If you, the service user, wish to receive a copy of the information held about you, we will supply it within one calendar month and you will not be required to pay for any additional work or resources used.
One Voice 4 Travellers Limited
Confidentiality Policy
Confidentiality means that details about other people must only be disclosed on a need-to-know basis. Any details of a personal nature will only be disclosed with the consent of the person involved.
This means that as a volunteer or paid staff member:
You must not discuss personal information given to you by clients, volunteers, Warwick Volunteers members, or staff with anyone unless it is vital that the information is passed on for safety reasons.
Any information that you give to our Project, or staff members, will not be discussed with others without your consent and knowledge. The only exception to this is if there is an immediate safety issue for clients, volunteers, staff, or the public.
Consult your Project Leader or a member of the Board of Directors immediately if you consider there may be good reason to break this rule.
Definition of Confidentiality
One voice understands confidentiality to mean that no information regarding a service user shall be given directly or indirectly to a third party, which is external to one voice workers and management, without the service user’s prior expressed consent to disclose such information.
One Voice recognises that all users must be able to access its services in confidence and that no other person will ever know that they have used One Voice services. All staff must ensure that no discussions relating to an individual user can lead to the identification of that person; a case may be discussed and issues explored without identifying the person(s) concerned. The Management Committee will not receive details of individual users.
One Voice recognises that users need to feel secure in using its services in a confidential manner. One Voice will ensure that all users are afforded confidential interview space (if required) and will ensure that mechanisms are used to ensure no breach of confidentiality can occur inadvertently.
Confidentiality may be breached in cases of child and vulnerable adult protection; please see One Voice’s policy regarding this, and regarding other situations where someone is perceived to be at risk or has broken the law, which may have an impact on the whole organisation. Also see the information sharing document.
If a service user wishes to receive a copy of the information held about them, we will supply it within one calendar month and they will not be required to pay for any additional work or resources used.
Legitimate interests: By collecting and processing the personal data outlined in section 2 above we are enabling third parties, i.e. funders, the general non-GTR public and services, to develop a greater understanding of the issues which affect GTR on a daily basis. It also enables us to inform the funder of our coverage of the work being undertaken, and acts as a quality measure.
Breach of information: we will report a personal data breach to the relevant supervisory authority within 72 hours of becoming aware of the breach. We will also inform the individuals concerned within the same period of time. Our newly designed computer site has a robust breach detection system, and our policies and procedures give limited access to case notes.
Anyone who has a suspicion of a breach of information should inform either a manager or one of the Board, at which point an internal investigation will commence within 24 hrs and an internal report will be produced within five working days. If during this time it is deemed that the information is of a sensitive nature or holds potential negative implications for the person concerned, professional help will be sought outside of the charity, i.e. computer programmer/Police etc.
A record of any personal data breach reports will be kept for up to one year, regardless of whether notification to outside persons was needed.
Signed on behalf of the Board of Trustees of One Voice 4 Travellers Limited as agreed at update meeting on …19 January 2018………………….
Signed electronically Lisa Smith , Date…19 January 2018……….
(Each time updated/revised at least one member of the Trustees must sign and date the document)
Updated Jan 2018, review Jan 2019
Data Protection impact assessment (DPIAs)
Data protection impact assessments (DPIAs) help organisations to identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.
DPIAs can be an integral part of taking a privacy by design approach.
The GDPR sets out the circumstances in which a DPIA must be carried out
When do I need to conduct a DPIA?
We must carry out a DPIA when:
using new technologies, and the processing is likely to result in a high risk to the rights and freedoms of individuals.
Processing that is likely to result in a high risk includes (but is not limited to):
systematic and extensive processing activities, including profiling, where decisions have legal effects, or similarly significant effects, on individuals.
large scale processing of special categories of data or personal data relating to criminal convictions or offences.
This includes processing a considerable amount of personal data at regional, national or supranational level; that affects a large number of individuals; and involves a high risk to rights and freedoms e.g. based on the sensitivity of the processing activity.
large scale, systematic monitoring of public areas (CCTV).
What information must the DPIA contain?
A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the controller.
An assessment of the necessity and proportionality of the processing in relation to the purpose.
An assessment of the risks to individuals.
The measures in place to address risk, including security and to demonstrate that we comply.
A DPIA can address more than one project.
Consent form for photographs and interviews for projects from One Voice 4 Travellers
The words and photos of the Gypsies and Travellers we work with are very important to us. We use them to tell people about the work we do. Would you help us, by letting us talk to you and take your photograph?
We’d like to tell your story in a way you are happy with. You don’t have to tell us anything you don’t want to, and if necessary we can change your name. We are also always careful not to publish too much information about you; for instance, if we use your real name, we won’t say where you live.
We might use your words and your photo in leaflets, posters, videos, press, magazines and other publications to show people what we do, or share them with other organisations we work with. We would also like to use your photo and words on the Internet to show people what has been happening in the project. Once your photo and information are on the Internet, people from all over the world will be able to see them. It is important to understand that laws in different countries are not the same as the ones in the UK, so some countries do not have laws that will protect the information you provide.
Where One Voice 4 Travellers has received money to fund a project you took part in, your photo and words may be used by the funder to show your support for the project, but the way in which this is done will be agreed first by One Voice 4 Travellers.
If we do take any pictures of you, we’ll keep them in the One Voice 4 Travellers photo library and we’ll use them from time to time.
Original recordings will be destroyed once end product has been produced (be that film, DVD, CD)
If you are happy with this, please fill in the form below.
I am happy for my first name (only) and age indicator (child, woman etc.) to be used next to photographs of me and my words. I understand these will only be used by One Voice 4 Travellers and other organisations that support its work.
We prefer to use real names, but if you do NOT want us to, please tick here.
If you do not want your words or photo used in large direct mailings sent out in the post, please tick here.
Name of young person (capitals)……………………………………………… Age……….
Ethnic group i.e Traveller, Gypsy, Roma, New Traveller, Irish Traveller, showpeople other……………………….. Tel. No (optional) …………………………….
Address…………………………………………………………………………………………..
Signature or mark of young person…………………………………………… ………………………..
Signature of Parent/carer/guardian …………………………………..…………………………………
Name (caps) ……………………….. Tel. no. (optional)………………………
Date: ___/___/___
All information will be kept securely by One Voice 4 Travellers