Stepping Stones is an organisation which needs to keep records of certain personnel data, including personal data relating to its employees, in order for the organisation to function effectively. This may include information that identifies individuals by reference to their names, jobs titles, responsibilities or other matters related to the operation of the organisation.
To comply with the law, such information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. There are additional safeguards for individuals in respect of processing sensitive personal data. That is the information as to that person’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sexual life or information in relation to the allegation of or commission of a sentence for any offence.
To do this Stepping Stones must comply with the Data Protection principles as set out in the Data Protection Act 1998.
This policy addresses the following areas:
• What are the Data Protection principles ?
• What is personal data ?
• An employee’s rights under the Act
• Responsibilities of the Employees
• Data Security
In addition Stepping Stones complies fully with the Criminal Records Bureau (CRB) Code of Practice regarding the correct handling, use, storage, retention and disposal of disclosure information.
What Are The Data Protection Principles ?
In accordance with the Data Protection Act, personal data held in a computerised format must comply with all the following principles. The principles state that personal data must;
i. Be obtained and processed fairly and lawfully and that a condition has been met for the processing of such data
ii. Not be held on file other than for legitimate purpose (not be used or made use of for any other purpose)
iii. Be adequate, relevant and not excessive in relation to the purpose for which it is kept
iv. Be accurate, and where necessary kept up to date
v. Not be kept for longer than is absolutely necessary
vi. Be processed in accordance with the rights of the employee under this Act, such as the rights of access to personal data
vii. Be protected against unauthorised access or disclosure and against accidental loss, damage or destruction
viii. Not be transferred to any Country (e.g., a sister, subsidiary Company etc) outside the EEA whose data protection laws are less adequate, unless the employee agrees or the transfer is necessary for employment purposes e.g. a secondment.
What Is Personal Data ?
It is data which relates to a named or readily identifiable individual. It includes any expression of opinion about the person and any indication of the organisation’s intentions in relation to that employee. The data can be held in the format of a letter, memo, report, certificate, a paper-based file or on a computer. For the purposes of this document we are referring to personnel information relating to an employee e.g., their personnel file.
Some personal data is considered to be sensitive. This includes information about an employee’s:
• Racial or ethnic origin
• Political opinions
• Religious beliefs
• Trade union membership (or non-membership)
• Physical or mental health or condition
• Sex life or sexual orientation
• Criminal (or alleged criminal) activities
• Criminal proceedings, criminal convictions (or any sentences imposed by the courts)
Stepping Stones cannot hold sensitive data on an employee’s file without their consent. It is essential therefore that when dealing with medical issues, for example, consent for access to medical records, is obtained from the employee.
There are exceptions to this stipulation which include when the organisation must hold sensitive data:
• In accordance with legal obligations e.g., Health and Safety requirements
• To protect the employee’s interests
• For the purposes of defending a compliant of unlawful discrimination on the grounds of sex, race, union membership etc
• For the purpose of maintaining and monitoring Stepping Stones’s Equality Policy
Personal data likely to be found on an employee’s file could be:
• Name, address, telephone number
• Education and training information
• Employment history (including reason for leaving)
• Experience (skills/knowledge etc)
• Whether the applicant has ever been convicted of a criminal offence
• Referee details (references are kept on file)
• Equal Opportunities form
• Original application form/interview notes
• Appraisal forms
• Vehicle information
• Training undertaken and required
• Next of kin details
• Contract and updates to the contract including salary changes(together with notification of this)
• Salary and pension information
• Any complaint or grievance action involving the staff member
• Responses from Disclosure checks
An Employee’s Rights Under The Act
In accordance with the Data Protection Act, an employee has the following rights:
i. Notification of Data held and processed:
Any employee who is concerned about the nature, content, accuracy or relevance of the personal data on their personnel file may:
Ask for a description of the data Stepping Stones holds about them.
Ask for an explanation of the purposes for which the data is being held.
Ask for details of the names of the people within Stepping Stones to whom the data is routinely or occasionally disclosed.
ii. Right to Access the Information:
An employee also has the right to access personal data that is being kept by Stepping Stones about them and to be provided with hard copies of this data.
An employee who wishes to exercise either or both of these rights must make a request in writing to their line manager. Stepping Stones will make a charge of £10 on each occasion that such a request is made. Stepping Stones will aim to respond to a request as quickly as possible but will ensure a response is given within 30 days of receipt of a written request or fee whichever is received later.
Stepping Stones is not always obliged to disclose personal data on the request of the employee. For example, Stepping Stones may refuse to disclose personal data if:
• It cannot comply with the request without disclosing information relating to another individual who can be identified from that information
• It is processed for the purpose of management forecasting or planning to assist the organisation in the conduct of its business and where the disclosure of such personal data is likely to prejudice the conduct of the organisation
• It consists of a reference given to, or to be given in confidence by Stepping Stones for the purposes of education, training or employment of an employee
Responsibilities of Employees
As part of their Terms and Conditions of employment, all employees must:
• Provide Stepping Stones with their personal details i.e., address, telephone numbers, bank details, next of kin and emergency contact details etc
• Check that any personal data that they have provided to Stepping Stones is accurate and up to date
• Inform Stepping Stones of any changes to information which they have provided e.g., change of address
Data Security And Storage
The need to ensure that data is kept securely means that precaution must be taken against physical loss or damage and that both access and disclosure must be restricted. All employees are responsible for ensuring that:
• Any personal data which they hold is kept securely e.g., locked storage facilities, use of passwords etc
• Personnel information is not disclosed either orally, in writing or otherwise to any unauthorised third party or inappropriate work colleague
Stepping Stones is committed to ensuring the correct handling, use, storage, retention and disposal of Disclosures and Disclosure information as laid down by the Criminal Records Bureau for all staff using the Criminal Records Bureau to help assess the suitability of applicants for positions of trust, both as paid employees and volunteers.
Disclosure information is only passed to those who are authorised to receive it in the course of their duties and it is only used for the specific purpose for which it was requested and for which the applicant/employee’s full consent has been given.
Once someone has been recruited or a further CRB check has been undertaken during the course of employment Stepping Stones will not keep the Disclosure information for any longer than is necessary. This is generally for a period of up to six months. Once the retention period has lapsed Stepping Stones will ensure that the Disclosure information is destroyed by secure means.
NB. The Data Protection Act is an extremely complex piece of legislation which contains sections which even the experts find difficult to interpret and which have not been tested. Stepping Stones reserves the right to amend this policy at any time to take into account of developments in this area of the law.
Co-operation With Other Agencies Policy
i. Although it is our policy to limit contact with other agencies, Stepping Stones recognises that there are circumstances in which the client’s best interests are served by co-operation/communication between the counsellor and other helping professionals.
ii. Any contact will only be made with the consent of, or at the request of, the client and any sharing of personal information will be kept to a minimum.
iii. While Stepping Stones would wish to support clients in their claim for justice and compensation, it is not our policy to write reports for other agencies which attempt to quantify or describe the degree or nature of the damage caused by their experience of abuse. The role of the counsellor or group worker involves them accepting the client, their past experiences and the subsequent effects of these experiences in the present. We therefore view it as unacceptable to make assessments or write reports on our clients as this is not part of the counselling ethos.
iv. In exceptional circumstances Stepping Stones will write to:police or solicitors, to whom we will give the full notes on receipt of a signed consent form, or a subpoena from the courts, housing authorities, upon receipt of a signed consent form; in this case we will only state that the client is receiving or had received counselling, the referrer, e.g. to state how far down the waiting list the client is, and also provision of a copy of the initial letter to the client.
Records And Data Protection
Given the sensitive nature of the counselling work that Stepping Stones is involved in, it is imperative that we protect the privacy and confidentiality of the clients. It is therefore our policy to keep records and notes to a minimum.
Note And Record Taking And Storage Policy
i. All documents relating to clients should be kept secure in the Stepping Stones office. Overnight they will be kept in a secure filing cabinet. Part B records are stored in a different filing cabinet from Part A and other records.
ii. Access to all client records is restricted to the Service Manager and the Administrator on a “need to know” basis. Access to a particular client’s record may be made by the counsellor of that client and the clinical supervisor.
iii. A client record may be provided to the Police, solicitor or a third party having received informed consent from the client, such consent will contain an advisory note to the client absolving Stepping Stones of responsibility for what use is made of the record. It is recognised that records may be subpoenaed by the courts. No document or information should be provided without the agreement of the Service Manager.
iv. Paper notes shall be destroyed by shredding three years after the termination of the counselling. Likewise electronic records shall be destroyed by deletion and waste basket emptying. Information on back-up disks shall be destroyed by deletion.
For practical purposes, paper and electronic records may be destroyed from a time between three years and five years after termination of counselling, batching the operation at the convenience of the Administrator.
v. Referrers may be provided with the a copy of the following letters: a) first contact letter, b) first appointment letter and c) the first DNA letter (but not any further letters re DNAs or re any other matter). A referrer may enquire where a client is on the waiting list. No other information may be provided to the referrer without a) the agreement of the Service Manager and b) informed consent from the client.
Access To Records Policy
A client record may be shown to that client upon request, with the prior knowledge of the Service Manager.