METHODIST HOMES
DATA PROTECTION POLICY

PURPOSE

To provide underlying principles and specific procedures regarding the processing and protection of personal data and sensitive personal data contained within MHA’s paper and computerised records. It is aimed at ensuring compliance with the Data Protection Act 1998 (the “Act”) and our Values.

SCOPE

All members of staff. Also the following ‘data processors’: partner organisations, non-executive Board members, contractors, contracted service providers, agency staff and volunteers.

VALUES

This Policy has been developed in line with our Values and should be understood and implemented in that context.

DEFINITIONS

Data protection relates to information which is held in a filing system in such a way that living individuals may be identified. It should not be confused with:
- requests for access to records relating to someone who has died. Such a case is subject to the Access to Health Records Act 1990 and our procedure is attached at Appendix 1;
- any general information held by MHA;
- the Freedom of Information Act 2000, which applies to public bodies only.

If there is any doubt, a matter should be referred to MHA’s Data Protection Officer and considered by the appropriate Director and the Corporate Management Team if necessary. Terminology is defined at Appendix 2.

DATA PROTECTION PRINCIPLES

MHA will comply with the eight data protection principles, which require that Personal Data should be:
1. Fairly and lawfully processed
2. Processed for specified purposes
3. Adequate, relevant and not excessive for the above purposes
4. Accurate and kept up to date
5. Kept no longer than necessary
6. Processed in accordance with the Data Subject’s rights
7. Kept secure
8. Transferred to countries outside the European Economic Area only with adequate protection

This policy assumes MHA’s data processing remains within the EU geographical area.
The Act stipulates more stringent conditions if this is not the case, and any such instances must be referred to MHA’s Data Protection Officer.

1. Fair and Lawful Processing

1.1 MHA will notify the Data Subject advising that we will abide by the Data Protection Act and process their data accordingly. The notification for each grouping is as follows:
- Residents / Live at Home Members – Agreement
- Staff Members – Contract of Employment
- Volunteers – Induction Pack
- Donors – Website

1.2 MHA will process personal data where consent of the subject has been given and where it is deemed necessary to enter into and perform a contract with the subject. We will be mindful to ensure that the legitimate interests of Data Subjects do not suffer unwarranted prejudice as a result.

1.3 MHA will process sensitive personal data where consent of the subject has been given and/or where it is necessary:
- to perform a legal obligation;
- to protect the vital interest of the Data Subject or another person;
- to establish, exercise or defend legal rights;
- to enable confidential counselling, advice or support which cannot be carried out with the explicit consent of the Data Subject.

1.4 MHA’s Donors Privacy Statement clarifies our policy and procedure for donors. See Appendix 5. MHA will not send unsolicited direct marketing communications to anyone who has indicated that they do not want it, and will not pass / share / sell personal data to third parties for their marketing purposes.

1.5 MHA’s use of Closed Circuit Television (CCTV) is for security and crime detection only. Details are included at Appendix 6.

2. Processed for Specified Purposes

2.1 MHA will process personal data only for specified purposes. These purposes are disclosed to the Information Commissioner and listed in Appendix 3.

2.2 The Data Protection Officer authorises all personal data processing, submits applications for notification and completes an annual notification renewal to the Information Commissioner.
2.3 If an MHA staff member wishes to initiate a new system which would entail processing new personal data, or existing data for a new purpose, this must be referred to the relevant Director and MHA’s Data Protection Officer, who will guide MHA staff members, with legal assistance if needed.

2.4 Breach of this policy by any employee is a disciplinary offence, which may result in dismissal. Breach of this policy by any other data processor will constitute a breach of contract with MHA and may result in the termination of the contract. If MHA breaches the Act, the Data Protection Officer must be advised immediately. Appropriate advice on how to manage the breach will be provided to the member of staff and, if necessary, the Data Protection Officer will advise the Information Commissioner of the matter. MHA will manage breaches in accordance with the Information Commissioner’s published guidance. Failure to act on the advice of the Data Protection Officer within the agreed timescale may result in disciplinary action being taken.

3. Efficient, Effective and Secure Processing

3.1 MHA will seek to ensure all personal data processed is adequate for the specified purpose and limited to only those items relevant.

3.2 MHA will seek to ensure all personal data processed is accurate initially and updated as necessary.

3.3 MHA will seek to ensure all personal data processed is stored / filed consistently and logically, and that data is retained only for relevant periods.

3.4 Details are attached in Appendix 4 regarding the responsible person for the efficient and effective processing of the different categories of data.
3.5 MHA will seek to ensure that the level of security is appropriate to the degree of damage or distress that would be caused to the Data Subject as a result of the loss, theft or damage of Personal Data. As the Act obliges, MHA will take ‘appropriate technical and organisational measures’ to prevent the unauthorised or unlawful processing or disclosure of Personal Data. The measures we will take to protect against the loss of personal information will include:

Technical, eg
o need-to-know access only to paper and electronic files
o password protection
o encryption
o back-ups
o mobile device security

Organisational measures, eg
o premises are secure
o personal data is not left on desks but locked away
o verify telephone caller identity before disclosing personal data
o computers are turned off when not in use
o procedures for mobile and home workers aimed at preventing Third Party access to information they are processing
o staff leaver procedures
o confidential data destruction
o training
o staff vetting, supervision and management systems.

Responsible directors/managers should consider the implications of this requirement, ensure security measures are appropriate for the types of data they are processing, and ensure records are disposed of securely and according to the timings stipulated in Appendix 4. Confidential paper records must be shredded or disposed of using a specialist confidential waste contractor using sealed bags.

4. Rights of Data Subjects

4.1 MHA will cooperate with the Data Subject as fully as possible.

4.2 On receipt of a request we will seek to clarify the exact purpose of the request so that we can target the most relevant data sources efficiently. If we are not able to do this verbally, we will expect the data subject to complete the Subject Access Request Form (Appendix 7). MHA will not charge a fee for a visual inspection, but may charge up to £10 for electronic or paper output and up to £50 for medical or educational information.
A Data Subject is entitled to:
- Make a request to be granted access to, and be provided with a copy of, any Personal Data that MHA holds about him or her. This includes a right to be provided with information about the purposes for which MHA processes those Personal Data, the source of the data, and the logic behind any automated decision making processes. However, Data Subjects are only entitled to access their own Personal Data. MHA must withhold Personal Data of Third Parties and not disclose it in response to a subject access request. MHA may ask Data Subjects to confirm their requests clearly, and in writing if necessary, particularly if staff members may need guidance from a senior manager/Director.
- Prevent processing which is likely to cause the data subject damage or distress.

4.3 Before MHA releases any data it must be established whether the identity of a third party might be revealed. If so, please refer to the flow chart below:

1. Does the data contain information relating to another individual (3rd party)?
   No  – DISCLOSE.
   Yes – go to 2.
2. Would the release of all the information reveal the third party’s identity?
   No  – DISCLOSE.
   Yes – go to 3.
3. Can the data be edited to exclude the identity of the 3rd party?
   Yes – DISCLOSE EDITED VERSION.
   No  – go to 4.
4. Has the 3rd party consented to disclosure?
   Yes – DISCLOSE.
   No  – WITHHOLD DATA.

If MHA and the Data Subject fail to agree, the Data Subject may claim compensation, apply to the Court and/or make a Request to the Information Commissioner. Any such occurrence should be reported to the Data Protection Officer, who will record this in MHA’s Register of Disputed Information Requests.

5. Disclosures to someone other than the Data Subject

5.1 Before MHA can disclose Personal Data to someone other than the Data Subject we must have informed consent from the Data Subject, or other permission or exemption from the non-disclosure provisions. If we are not able to do this verbally, we will expect the data subject to complete the Subject Access Request Form (Appendix 7).
MHA may charge a fee for dealing with a request, dependent upon the circumstances:
- No charge for visual inspection if the request relates to data less than 40 days old.
- £10 for electronic or printed output.
- Up to £50 for medical or educational output.

5.2 The greatest complexity for MHA relates to residents’ (sensitive) personal data regarding their health and care. Wherever possible MHA will seek to clarify with the resident, or their relative / advocate / Deputy / Attorney, before s/he moves in, which individuals should be able to access their personal data. From 2013, we record in the Residential Care Agreement (Care Homes) and the Home Care Agreement (Retirement Living) the wishes of the resident and will rely on this in deciding whether or not to disclose personal data to any particular person.

5.3 If the resident is unable to give informed consent, we will seek to clarify their wishes (as in 5.2) with their formally-appointed representative or the relative/advocate acting as guarantor in the Care Agreement. If the resident has a formally appointed representative, MHA will verify the representative’s appointment. Appropriate representatives include someone with written authority to receive or supply Personal Data, a Court of Protection Deputy, an attorney or a trustee with appropriately wide powers.

5.4 If a request for (sensitive) personal data is made by a family member, and the requester is not clearly authorised in the Care Agreement, then access should be declined. We should direct the requester to the resident, formally-appointed representative or relative / advocate acting as guarantor. However, if the resident is unable to give informed consent, and there is no person to act on their behalf, then we should disclose (sensitive) personal data to a family member, subject to our being satisfied that they are seeking to act in the best interests of the resident.
Staff members should seek guidance from their senior manager, and the matter should be referred to the Data Protection Officer if complicated.

5.5 Regulators / commissioners should be given access to information, subject to their acknowledging that we and they have responsibilities under the Data Protection Act, and subject to our being satisfied that it is in relation to their discharging their statutory duties. We should retain our information and provide copies on request (at nil charge).

5.6 The Police should be given access to personal data on request, subject to our being satisfied that it is in relation to a crime or legal proceedings. We should retain information and provide copies on request (at nil charge): we must retain copies if the originals are taken.

5.7 A health professional responsible for the clinical care of a resident, ie GP, District Nurse or similar, can be granted access to the resident’s (sensitive) personal data subject to our being satisfied that it relates to the mental or physical health of the resident, in order to ensure necessary medical care is provided.

5.8 Disclosures to other organisations

For disclosures to Data Controllers, once we have consent, permission or exemption and before disclosing the Personal Data, MHA will normally seek assurance that use of the Personal Data will be restricted to the scope of the permission held by MHA.

Appendix 1
Access to Health Records relating to someone who has died

After death, the right to access records is governed by the Access to Health Records Act, which provides that an individual is entitled to access the records if they are the administrator of the estate or have a claim arising from the death. Otherwise the documents are subject to confidentiality. The power conveyed by a Power of Attorney ceases on the death of the donor.
Any such requests should be referred to the Director of Service Improvement, who will seek to ascertain whether the individual is entitled to access the records as indicated above.

Appendix 2
TERMINOLOGY DEFINED

The following terms are used throughout this Policy and its application. These definitions align with those used within the Act. Each term is defined as follows:

1. Data Controller

A “Data Controller” is the person who determines the purpose, and the manner, in which personal data are processed. For Personal Data which is under MHA’s control this is MHA, together with those within MHA who take the decisions about how and why personal information is to be processed. In some cases MHA receives Personal Data from another person, and we process it for their purposes and under their instruction. In such cases the other person is the Data Controller.

2. Data Processor

A ‘Data Processor’ is a person who processes Personal Data on behalf of the Data Controller and as instructed by the Data Controller, but who is not an employee of the Data Controller. So any person, public authority or other body processing Personal Data on behalf of the Data Controller is a Data Processor. This includes electronic publishing and those who collect information on behalf of others.

Examples of data processors:
- External researchers providing a service for MHA
- Independent tenant participation advisors who may have access to some information about other tenants
- Maintenance contractors who receive tenant contact and appointment details
- Builders and major works contractors who receive tenant contact and appointment details
- Managing agents acting for MHA
- External auditors (professional service providers) who may review customer records in the course of providing their services for MHA
- Regulators who may review customer records, such as in the course of performing inspections
- Recruitment Agencies acting for MHA
- External payroll agencies who provide services to MHA

3. Data Protection Officer

The ‘Data Protection Officer’ is the person nominated by the Chief Executive to take responsibility for corporate compliance: A Godfrey – [email protected]

4. Data Subject

A “Data Subject” is any living individual who is the subject of Personal Data. There are no age restrictions on who qualifies as a Data Subject, but the definition does not extend to individuals who are deceased. MHA’s Data Subjects include residents, Live at Home members, donors, volunteers and members of staff.

5. Personal Data (and Sensitive Personal Data)

‘Personal Data’ are data which:
o form part of a Relevant Filing System, whether stored electronically or on paper;
o relate to a living individual who can be identified from those data (including accessible public records such as certain health or educational records), or from those data and other information which is in the possession of, or is likely to come into the possession of, MHA.

It includes any expression of opinion or view about an individual or his or her circumstances. It also includes any information on the intention of MHA towards the individual.

Examples of personal data:
- Age
- Marital status
- Housing history of an individual
- Economic status of an individual
- An individual’s allowance, benefits and grants
- Support services received by an individual
- Medical data
- Attitudinal data
- Mailing lists

Sensitive Personal Data

The Act recognises that some items of data are more sensitive than others, and therefore require additional legal protection to ensure appropriate handling. Sensitive personal data includes information on:
- race or ethnic origin;
- political opinions;
- religious beliefs or other beliefs of a similar nature;
- membership of a trade union;
- physical or mental health condition;
- sexual life;
- the commission, or alleged commission, of any offence;
- the proceedings for any offence, or alleged offence.

6. Processing Of Personal Data

The definition of ‘Processing’ sets the boundaries for the management of personal data.
Processing includes any action that MHA, or a person acting on MHA’s instructions, takes that involves Personal Data and/or sensitive Personal Data. Processing can be manual or automated.

7. Recipient

A “Recipient” is any person to whom personal data are disclosed, whether or not the disclosure is intentional or lawful.

8. Relevant Filing System

‘A Relevant Filing System’ means a set of information, stored electronically or on computer, which is structured, either by reference to individuals or criteria relating to individuals, in such a way that specific information about a particular individual is readily accessible. A useful rule of thumb in working out whether a file is likely to be covered is whether a temporary worker, who is not familiar with the filing system, if instructed to find a particular piece of information, would be able to do so easily and in particular without leafing through the whole file.

9. Third Party

“Third party” relates to any person other than the individual (the Data Subject) or MHA.

Appendix 3
Data Protection Register – Entries

Key: GFD – Group Finance Director; GDPCA – Group Director People and Corporate Affairs; GDCH – Group Director Care Homes; GDRL – Group Director Retirement Living.

MHA

 No  Purpose                                                                Dept / Function                          Responsibility
 1   Accounts and Records                                                   Residents’ Income                        GFD
 2   Advertising, Marketing & Public Relations                              Supporter database / Sales initiatives   GDPCA
 3   Staff Administration                                                   HR & Payroll                             GDPCA
 4   Administration of Membership Records                                   N/A                                      N/A
 5   Trading / Sharing in Personal Information                              N/A                                      N/A
 6   Fundraising                                                            Supporter database                       GDPCA
 7   Legal Services – Income / Legacies / Power of Attorney                 Legal                                    GFD
 8   Realising the Objectives of a Charitable Organisation or Voluntary Body Legal                                   GFD
 9   Crime Prevention and Prosecution of Offenders                          CCTV / Estates                           GDCH
 10  Health Administration and Services                                     Care                                     GDPCA

HA

 No  Purpose                                                                Dept / Function                          Responsibility
 1   Accounts and Records                                                   Residents’ Income                        GFD
 2   Advertising, Marketing & Public Relations                              Supporter database / Sales initiatives   GDPCA
 3   Staff Administration                                                   HR & Payroll                             GDPCA
 4   Administration of Membership Records                                   N/A                                      N/A
 5   Trading / Sharing in Personal Information                              N/A                                      N/A
 6   Fundraising                                                            Supporter database                       GDPCA
 7   Legal Services – Income / Legacies / Power of Attorney                 Legal                                    GDRL
 8   Realising the Objectives of a Charitable Organisation or Voluntary Body Legal                                   GDRL
 9   Crime Prevention and Prosecution of Offenders                          CCTV / Estates                           GDCH
 10  Health Administration and Services                                     Care                                     GDPCA
 11  Property Management                                                    Tenancies/Leasehold                      GFD

MHA Auchlochan

 No  Purpose                                                                Dept / Function                          Responsibility
 1   Staff Administration                                                   HR & Payroll                             GDPCA
 2   Accounts and Records                                                   Residents’ Income                        GFD
 3   Health Administration and Services                                     Care                                     GDPCA
 4   Crime Prevention and Prosecution of Offenders                          CCTV / Estates                           GDCH

Appendix 4
MHA’s Personal Data Types and Responsible Director

The responsible Director (as indicated below) should liaise with the Data Protection Officer in all matters referred to the Information Commissioner. Legal advice should be sought by the responsible Director from their usual lawyers. A member of CMT should be involved if there is any doubt or complication. These retention periods apply to paper, electronic (document or database) and email records.

A  Residents / Live at Home Members – Responsibility: Director of Service Improvement

 Record                                                   Retention Time
 Residents’ records – England and Wales                   3 Years
 Residents’ records – Scotland                            7 Years
 Live at Home members’ records – Britain                  3 Years
 Details of Injuries or Accident Reports / Records        5 years from time of accident occurring

   Responsibility: Director of Finance

 Record                                                   Retention Time
 Residents’ finance records – Britain                     7 Years

B  Staff Members – Responsibility: Director of HR

 Staff Members’ Record                                                              Retention Time
 Application Forms, CVs and other unsuccessful applicants’ details, selection      7 months after applicant notified of outcome, unless a longer period is
 records                                                                            requested by grant funder eg Big Lottery Fund
 Employment records / details of terms and conditions                              10 years after employee has left employment
 Appraisal records / objectives / performance reviews or targets agreed            7 months after employee has left employment
 Disciplinary and formal Capability records                                        7 years after the employee has left employment; but deemed inactive after
                                                                                   6/12 months from date of disciplinary or formal capability hearing (as per
                                                                                   Discipline and Capability Policies)
 Pay & benefits information (Inland Revenue requirements)                          7 years after employee has left employment
 Development / training needs and records of completed activities                  7 months after employee has left employment

 Category of Worker                          Retained By
 All staff employed in Homes                 Home Manager in the Home’s administrative office
 All staff employed in Retirement Living     Scheme Manager in the Scheme’s administrative office
 Home Managers                               Group Director – Care Homes, Head Office
 Retirement Living Managers                  Group Director – Retirement Living, Head Office
 Regional and Head Office staff              Group Director or HR Director – Head Office
 Group Directors                             Chief Executive – Head Office

C  Volunteers – Responsibility: Director of HR

All records pertaining to volunteers should be kept for the same length of time as indicated for staff members in A above. The records should be retained by the local home or scheme manager in the administrative office.

D  Donors / Potential Donors – Responsibility: Director of Communications

All records held indefinitely, including donors who have indicated they wish no further contact with MHA. Individual record to be removed immediately on request by the donor (accepting that it is possible that they may then inadvertently receive further mailings thereafter).
E  CCTV Recordings – Responsibility: Director of Estates

 Record              Retention Time
 CCTV recordings     1 month, unless being retained for evidential purposes.

Appendix 5
Donors Privacy Statement

MHA is a member of the Fundraising Standards Board (FRSB) and adheres to the data protection guidelines of the Institute of Fundraising.

We have created this statement to demonstrate our commitment to your privacy. We do not collect personally identifying information about you, unless you choose to provide such information to us. Providing such information is strictly voluntary. This is your guide to how we will handle information we learn about you.

1. Your personal information

We take your privacy seriously. The information provided will be held securely by MHA. We need to hold this data to process your gift and record your wishes.

2. Third parties

MHA will not pass any of your information to any third party.

3. Use of Links

Throughout our Web pages, we provide links to other servers which may contain information of interest to our readers. We take no responsibility for, and exercise no control over, the organizations, views, or accuracy of the information contained on other servers. Creating a text link from your Web site to our site does not require permission. If you have a link you'd like us to consider adding to our Web site, please send an email to [email protected] with the subject "Link request."

4. Use of Text and Images

If you would like to publish information that you find on our Web site, please send your request to [email protected]. Where text or images are posted on our site with the permission of the original copyright holder, a copyright statement appears at the bottom of the page.

5. Accessibility

This Web site is designed to be accessible to visitors with disabilities, and to comply with guidelines concerning accessibility. We welcome your comments. If you have suggestions on how to make the site more accessible, please contact us at [email protected].

6. Reading or Downloading

We collect and store only the following information about you: the name of the domain from which you access the Internet, the date and time you access our site, and the Internet address of the Web site from which you linked to our site. We use the information we collect to measure the number of visitors to the different sections of our site, and to help us make our site more useful to visitors.

7. Online Profile Updates and Donations

If you complete the Profile update form, this information will be used only to provide you with more targeted content. We may use your contact information to send further information about our organization or to contact you when necessary. You may always opt out of receiving future mailings; see the "Opt Out" section below.

8. Sending us an Email

You also may decide to send us personally identifying information, for example, in an electronic mail message containing a question or comment, or by filling out a Web form that provides us this information. We use personally identifying information from email primarily to respond to your requests. We may forward your email to other employees who are better able to answer your questions. We may also use your email to contact you in the future about our programs that may be of interest.

We want to be very clear: we will not obtain personally identifying information about you when you visit our site, unless you choose to provide such information to us. Providing such information is strictly voluntary. Except as might be required by law, we do not share any information we receive with any outside parties. If you sign up for one of our email lists, we will only send you the kinds of information you have requested. We won't share your name or email address with any outside parties.

9. Children and Privacy

For children who visit our site, special rules apply. We do not request personal information about children, such as first and last name or street address and city.
When children send email to us, their online contact information (email address) is not used to re-contact them and is not maintained in retrievable form.

10. Opt-Out or Change Your Contact Information

MHA provides supporters with the opportunity to opt out of receiving communications from us. You may choose to receive only specific communications or none at all. You may also update your contact information previously provided to us. You cannot remove yourself from our database, but you can prevent unwanted communication. To opt out of receiving communications from MHA please contact us using the contact details below.

11. Questions

If you have any questions about your dealings with MHA, you can contact us at: Email: [email protected]

Appendix 6
USE OF CCTV

CCTV recordings are primarily used for security & crime detection, but can incidentally be used if they reveal activity that no employer can reasonably be expected to ignore.

- Recordings must record the date and time accurately, and the accuracy of the system must be checked every 6 months.
- Cameras must only cover areas deemed necessary.
- CCTV signage should be placed so that the public are aware that they are entering a CCTV area, and it should state: “Images are being recorded for the purpose of crime prevention and detection. The scheme is controlled by Methodist Homes Tel: 01332 296 200”.
- Access to images should be restricted to a manager or designated member of staff, who will decide whether to allow requests for access by third parties in accordance with this policy.
- Live video feed screens should be placed so they are not viewable from public areas.
- Any media containing recordings must be stored in a secure, lockable location.
- Access to recordings must be based on a date and time range.
- Access Requests should be referred to the Estates Manager and should be processed within 40 days.
- Subject Access Requests must specify the date and time range to be searched and must be for security or crime detection purposes.
- In order to protect other people, the images or video may need editing before release to the Subject. Any third party doing the editing must provide a guarantee of privacy.

Appendix 7
METHODIST HOMES
SUBJECT ACCESS REQUEST FORM

To:

From:
  Name:
  Address:

Date:

I am writing to request that you provide a copy of the following personal data which you may be holding in a filing system such that I may be identified:

I understand that the information will be provided within 40 days of the above date.

Date:                    Signed:

For official use only
  Received    Name:                Date:
  Action:     Name:                Date:
  Supplied