Guest blog by Laura Chalkley, Senior Employment Law adviser and Partnerships team leader at Ellis Whittam
Recent high profile fines on charities have highlighted the need for organisations to ensure they are complying with their obligations under the Data Protection Act (DPA).
At the end of January 2017, the Information Commissioner’s Office (ICO) notified 11 charities of their intention to fine them for committing breaches to the DPA. Last year, the British Heart Foundation and the RSPCA were also on the receiving end of fines.
Obligations under the DPA
Charities will often have to process data about employees, service users, donors, campaigners or suppliers, so you should take your data protection obligations seriously.
You will need to follow the 8 key principles as set out in the DPA:
- Data should be processed fairly and lawfully.
- Data should only be obtained for specified and lawful purposes.
- Data should be adequate, relevant and not excessive to the purpose.
- Data should be accurate and kept up to date.
- Data should not be kept for longer than necessary.
- Data should be processed in line with the rights of data subjects.
- Steps should be taken to prevent unauthorised or unlawful processing of data and against accidental loss or destruction of, or damage to, personal data.
- Data should not be transferred to a country outside the European Economic Area unless there is an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Before applicants even become your employees, you have certain obligations. You should explain to job applicants how you will use the information they have provided as part of the recruitment and selection process. You should not seek information which is beyond what is necessary for that purpose.
Remember that all information should be kept securely and it should not be disclosed to external parties unless the applicant has consented to this.
Employees should also be aware of what data you have about them in your records, how it is used and whether you will disclose data to other parties.
If you have workplace monitoring in place (CCTV, reviews of phone logs, internet use or email), you should tell employees about it and the reasons for it. The ICO warns that covert monitoring is rarely justified.
It is also important to keep information secure through passwords and encryption, including on any portable devices such as memory sticks or laptops.
You need to monitor what records you are keeping, ensuring the information is accurate, does not exceed what is required for the purpose for which it was collected and has not been kept longer than necessary. If you no longer need the data, you must dispose of it securely.
Workers have the right to access the personal data you are holding about them, the reasons why it is being processed and whether it has been given to other parties. You have 40 days to respond to the request.
Training and policies
It is in your charity's best interest to have a data protection policy in place and to ensure that all your employees understand their obligations under the DPA. Training should be provided not only to new starters, but also to current staff to remind them of what they must do to comply with the law.
Introduction of the General Data Protection Regulation
The EU General Data Protection Regulation (GDPR) was passed in May 2016. The UK government has been clear that, despite Brexit, it will implement the Regulation. Although EU Member States have until 25th May 2018 to implement the new rules in their national laws, you need to start planning now for how the changes will affect your charity.
Some of the measures are as follows:
- In cases of data breaches, for example an accidental loss of data, organisations must notify the relevant data protection authority without undue delay and where possible no later than 72 hours. Data subjects must also be informed without undue delay about breaches that could pose a high risk to their rights and freedoms.
- A data subject may request that their data be deleted if there are no legitimate grounds for retaining it. This is known as the right to be forgotten or the right to erasure.
- When a subject’s consent is required, they must be asked to give it by means of a clear affirmative action, such as a written statement. Silence or inactivity is not a sign of consent.
- Organisations must appoint a ‘data protection officer’ if they process sensitive personal data on a large scale, or regularly and systematically monitor data subjects on a large scale.
- The Regulation imposes higher maximum penalties for failure to comply, including fines of up to €20 million or 4% of annual global turnover (whichever is higher).
The clock is now ticking, so make sure you are getting prepared for the changes highlighted above. This will involve updating your internal rules and systems to reflect these changes and training those handling and processing personal data to understand the new requirements.
To discuss this matter further, please give us a free initial advice call. Members, please contact 0845 226 8393, ask for the Partnerships Legal Team and quote your ACEVO membership number.