Privacy & Data Protection Statement
At the Harrow MS Therapy Centre (HMSTC) we are committed to protecting your privacy and handling your information respectfully and legally. We always keep your personal information secure and protected, and will not share your information outside of HMSTC without your prior consent. We collect your personal information to help us run and improve our services. You can change your mind about receiving information and personal contact from us at any time. We are fair, clear and honest about how we use your personal information, and you can find out more detail from our GDPR policy.
The Harrow MS Therapy Centre (HMSTC) is committed to processing personal information in accordance with the Data Protection Act 1998. Protecting the confidentiality and integrity of the personal data of everyone who uses, or works in, HMSTC is a responsibility that HMSTC takes seriously at all times. We will ensure that our staff and those acting on our behalf obtain, use, disclose and destroy personal information lawfully and correctly.
2. What is data?
2.1 Data is any information, whether written, verbal or pictorial (including photographs) about an individual.
2.2 Personal Data
Personal data is any information through which an individual could be directly or indirectly identified. Both data which could be used on its own to identify someone, or data which could be used in combination with other identifiers which HMSTC possesses, or can reasonably access, is relevant. Personal data can be factual (for example, a name, email address, location or date of birth) or could be an expressed opinion about that person or their actions.
2.3 Sensitive Personal Data
Sensitive personal data is a special category of information which relates to the personal characteristics of the data subject. This could apply to race or ethnic origin, political opinions, gender, religious (or other) beliefs, trade union membership or otherwise, impairments, including knowledge of any physical or mental health conditions, sexual life, sexual orientation, and biometric or genetic data. It also includes personal data relating to criminal offences and convictions.
2.4 Data subject
This is a person who is protected by the Data Protection Act. Every living person is protected, and in some circumstances, individuals may be protected after their death.
2.5 Data Processing
Data processing is any activity that involves the use of personal data. This may involve obtaining, recording or storing information, or using data in any way – eg. organising, retrieving, using, disclosing, deleting or destroying it. Processing also includes any transfer of personal data to third parties. HMSTC will never process individual data in a manner which would unlawfully identify the subject.
2.6 HMSTC will collect data for analysis and reporting purposes in a way that does not identify individuals, and will also not attribute any specific comments used to any individual without prior consent of the individual.
3. Fair and lawful processing of data
3.1 In particular we will ensure that personal information is:
Used lawfully, fairly and in a transparent way;
Processed fairly and lawfully;
Processed only for specified and valid lawful purposes, relevant to specific purposes and limited only to those purposes;
Adequate, relevant and not excessive;
Accurate and up to date;
Not kept longer than is necessary for the purposes intended, or to ensure legal retention compliance;
Deleted, or if in paper format, shredded prior to disposal;
Processed in accordance with the rights of the owners of the information.
3.2 Some examples of lawful reasons for processing data would be:
HMSTC using personal information eg. for anonymised reporting, in which case HMSTC may use such information without further notice to, or consent from, the data subjects.
When it is needed to perform employees’ contracts of employment, volunteer agreements, agreements for people on placement with HAD or any other contracts
In order to provide a service to a client
When it is needed to comply with a legal obligation; or
When information is needed to ensure the wellbeing, health and safety of any person associated with HMSTC
3.3 HMSTC may process special categories of personal information in the
In limited circumstances, with explicit written consent, in order to meet legal obligations, or to provide a service involving external parties
When it is needed for specific reasons, such as for anonymised equal opportunities or quality monitoring or in relation to HMSTC’s occupational pension scheme; or
When it is needed to assess working capacity on health grounds, subject to appropriate confidentiality safeguards.
When it is necessary to protect the interests of an employee, client or other person
When it is necessary in the public interest or for official purposes.
When it is necessary for HMSTC’s legitimate interests (or those of a third party) and employees’ interests and fundamental rights do not override those interests.
In relation to legal claims
Where it is needed to protect the interests of a client, employee, or other person and the person is not capable of giving consent
Where the person themselves has already made the information public.
Where there is a legal requirement for HMSTC to disclose information such as in a safeguarding or criminal case.
3.4 The same rules apply to any information HMSTC holds regarding criminal records.
3.5 In order to monitor the reach of services provided we may collect and collate personal information about the people who use the services which we provide. This may be gathered by means of monitoring forms, registers, questionnaires or surveys.
3.6 On the rare occasion that a funder requires information about individuals, we will ensure that clients are aware of this and have the opportunity to withdraw from receiving a service.
4. Data storage
4.1 Any personally identifiable information will be securely stored at all times. All information which is held on any staff member or client must be password protected at all times.
4.2 Where the use of paper information cannot be avoided, it must be locked in a secure cabinet at all times.
4.3 Any computer and other equipment which may contain confidential information must be disposed of using an IT Data Destruction company which is compliant with government directives.
5. Data Sharing
5.1 Personal information is not 'owned' by the person within HMSTC with whom it is shared, although only those who need access to information will be allowed access. Examples may include staff or volunteers in their work with clients, and their managers.
5.2 Once shared, personal information requires third parties to respect the security of employee data and to treat it in accordance with the law. Situations where HMSTC may lawfully share personal information with third parties include, eg., sharing with companies which provide secure IT facilities to HMSTC, or in the event of any possible restructure. HMSTC may also need to share personal information with a regulator or to otherwise comply with the law. HMSTC will never contract with a third party which does not have legally compliant data protection policies.
5.3 HMSTC may also share employee data with third-party service providers where it is necessary to administer the working relationship with employees or where HMSTC has a legitimate interest in doing so. Such activities would include:
Payroll and pension administration
The provision of HR advice and guidance and
6. Data subject rights
6.1 To ensure the accuracy of data, HMSTC will conduct regular reviews of the information held by it to ensure the relevance of the information it holds, and to ensure that retention schedules are adhered to. Employees are under a duty to inform HMSTC of any changes to their current circumstances, and clients are advised to do the same, as a service may not be able to be provided without this. Where a client or worker has concerns regarding the accuracy of personal data held by HMSTC, they should contact their line manager, if an employee, or an HMSTC manager, if a client, to request an amendment to the data.
6.2 Under certain circumstances, those for whom HMSTC holds information have the right to:
Request access to personal information (commonly known as a “data subject access request”).
Request erasure of personal information, or have an explanatory note added to a file
Object to processing of personal information where HMSTC is relying on a legitimate interest (or those of a third party) to lawfully process it.
Request the restriction of processing of personal information.
Request the transfer of personal information to another party.
6.3 If anyone would like to make a request on any of the above grounds, they should contact a senior manager or board member in writing. Please note that, depending on the nature of the request, HMSTC may have good grounds for refusing to comply, or to compromise – eg. a client may want a record erased which HMSTC is obliged to retain by law. If that is the case, the requester will be given an explanation by HMSTC.
6.4 Clients, employees, students on placement, volunteers and contractors have the right to request to see information which HMSTC holds about them, referred to as Data Subject Access Requests.
6.5 For a first request, there will not normally be a charge. However, HMSTC may charge a reasonable fee if the request for access is clearly unfounded or excessive. Alternatively, HMSTC may refuse to comply with the request in such circumstances. Where we agree to the request, and the requester would like copies of information viewed, a charge will be made to cover printing and staff time.
6.6 HMSTC may need to request specific information from the requester to confirm their identity and ensure the right to access the information (or to exercise any of the other rights).
7. Automated Decision Making
7.1 HMSTC does not envisage that any decisions will be taken about employees or clients, or any other person, using automated means; however, employees, clients and any affected person will be notified if this position changes.
8. Collection and Retention of Data
8.1 HMSTC will collect personal information about workers and clients through referral (including self-referral) and the application and recruitment process, either directly from applicants or sometimes from an external referrer such as an employment agency or other organisation.
8.2 To comply with other lawful and good practices, HMSTC may sometimes be required to collect additional information from third parties including former employers or other background check agencies such as criminal record checks.
9. Retention of Data
9.1 HMSTC will only retain personal information for as long as necessary to fulfil the purposes it was collected for, including for the purposes of satisfying any legal, retention, accounting, or reporting requirements. Details of retention periods for different aspects of personal information are set out in a table which can be made available on request.
9.2 When determining the appropriate retention period for personal data, HMSTC will consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for which the personal data is processed, whether HMSTC can achieve those purposes through other means, and the applicable legal requirements.
9.3 After the data retention period has expired, HMSTC will securely destroy all personal information.
10. Data Security and Sharing
10.1 HMSTC has put in place appropriate security measures to prevent personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Details of these measures are available upon request. Access to personal information is limited to those employees, agents, contractors and other third parties who have a business need to know. They are contractually bound to only process personal information on HMSTC’s instructions and are subject to a duty of confidentiality.
11. Compliance with this Policy
11.1 The Board is tasked with overseeing compliance with this policy, and a named person, the Data Protection Officer, will be responsible for reporting breaches*. If workers have any questions about this policy or how HMSTC handles personal information, they should contact a member of the senior management team. Workers have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
11.2 HMSTC has procedures to deal with any data security breach and will notify affected persons and any applicable regulator of any suspected breach where legally required to do so. In certain circumstances, HMSTC must notify regulators of a data security breach within 72 hours of that breach. Therefore, if a worker becomes aware of a data security breach they must report it to the Data Protection Officer* immediately.
12. Privacy by Design
12.1 HMSTC will have regard to all data protection principles and relevant legislation when designing or implementing new systems or processes where personal data is used or stored.
13. Responsibilities of employees, volunteers and students on placement/interns (collectively referred to here as "workers")
13.1 All workers are responsible for ensuring that processing meets the standards set out in this policy.
13.2 Workers should not disclose personal data about HMSTC, colleagues, clients or other parties unless that disclosure is fair and lawful, and in line with this policy. Ever. This is a lifetime commitment which extends beyond the contractual or agreed terms and conditions of the relationship.
13.3 Workers must take confidentiality and security seriously at all times. Any personal data collected or recorded manually (eg. a note on paper or made on a phone) must be added to HMSTC’s electronic system straight away, and with absolute accuracy, and the original note destroyed. Workers must not make any oral or written reference to personal data held by HMSTC about any individual except to other workers of HMSTC who need the information for their work, or to an authorised recipient.
13.4 The identity of any person asking for personal information, and their right to receive that specific information, must be established before any information is provided.
13.5 If a worker is asked by an unauthorised individual to provide details of personal information held by HMSTC, they should ask the individual to put their request in writing and send it to the CEO/Development Leader, Data Protection Officer or relevant board member.
13.6 Workers must not use personal information for any purpose other than their work for HMSTC.
13.7 If an employee is in doubt about any matter to do with data protection, they must discuss the situation with their line manager immediately.
13.8 All files and documents containing confidential information must be kept within a passworded electronic system, or locked in secure filing cabinets at all times, other than when being used.
13.9 Confidential filing cabinets must be kept locked at all times when the cabinets are not in use. Keys must never be left in the lock of the filing cabinet, and key safes must never be left unlocked.
13.10 Passwords should not be disclosed and should be changed regularly.
13.11 Employee or third party personal data should not be left unsecured or unattended, e.g. on public transport, or visible in a car, if a worker is carrying the address of a client to make a visit.
13.11 Unauthorised use of HMSTC’s IT equipment or electronic systems is not permitted.
13.12 Workers may use personal equipment to carry out work but must ensure that devices are password protected, locked when not in use, and must not be able to be accessed by anyone else.
13.13 Workers must delete, and must not store, any personal data on their device when it is not in use.
13.14 As far as possible, employee, client or third party personal data contained in emails and attachments should be anonymised before it is sent.
13.15 Documents containing sensitive information should be password protected and, if the document requires to be transmitted, the document and password should be transmitted separately.
13.16 Workers should use secure printing when there is no choice but to print information.
13.17 Any documentation which is no longer required should be shredded, or deleted.
13.18 Workers must adhere to data retention guidelines for the storage and destruction of all information.
13.19 Any contractor who uses their own device for HMSTC’s work must commit to using a secure passworded device to which no other person has access, for their work, and is subject to adherence with this policy.
13.20 Any breach of the above rules will be taken seriously and, depending on the severity of the matter, may constitute gross misconduct for employees which could lead to summary termination of their employment.
13.21 Any breach may also lead to summary termination of any contract or agreement held with HMSTC eg. by a volunteer or a contractor. All staff will be notified of lead person
14. Consent to employee Data Processing
14.1 HMSTC does not require consent from employees to process most types of employee data when personal information is required to fulfil legal obligations or exercise specific rights in the field of employment law. If an employee fails to provide certain information when requested, HMSTC may not be able to perform the contract (such as paying the employee or providing a benefit). HMSTC may also be prevented from complying with legal obligations.
14.2 In limited circumstances, for example, if a medical report is sought for the purposes of managing sickness absence, employees may be asked for written consent to process sensitive data. In those circumstances, employees will be provided with full details of the information that is sought and the reason it is needed, so that employees can carefully consider whether to consent. It is not a condition of employees’ contracts that employees agree to any request for consent.
14.3 Where employees have provided consent to the collection, processing and transfer of personal information for a specific purpose, they have the right to withdraw consent for that specific processing at any time. Once HMSTC has received notification of withdrawal of consent it will no longer process information for the purpose or purposes originally agreed to, unless it has another legitimate basis for doing so in law.