Enhance Support & Care – Data Protection & Confidentiality Policy.

Enhance Support & Care LLP is required by law to ensure that it complies fully with the conditions set out in The Data Protection Act 1998 and the new General Data Protection Act that comes into legislative force on 25th May 2018. The purpose of both is to protect the privacy of the individual against misuse of personal data by organisations. This policy details our responsibilities for ensuring Data Protection & confidentiality.

Principles of the Data Protection Act 1998

As an organisation, we require to hold personal information relating to both our service users and employees. In keeping this personal information, we must comply with the following principles of the Data Protection Act.

• Fairly & lawfully processed in a transparent manner
• Processed for limited purposes
• Adequate, relevant, and not excessive
• Accurate
• Not kept longer than necessary
• Processed in accordance with the data subjects’ rights
• Your data will be kept secure

Data Security
All staff are responsible for ensuring that:

• Any personal data relating to staff or service users which they hold and process, whether in electronic or paper format, is kept securely. Paper records and records kept on removable storage devices should be kept in a locked drawer or a locked filing cabinet. Electronic records should be password protected. Passwords should be kept secure, changed regularly, and not shared with unauthorised persons.
• Personal information is not disclosed either orally or in writing to any unauthorised third party unless there are justified exceptional circumstances, such as assisting the police with a criminal investigation.
• Manual records containing personal information are not left unattended where unauthorised persons can view them.
• Manual records and printouts that are no longer required are shredded and disposed of securely.
• Particular care is to be taken if data is being removed from the Enhance office to other premises. All work must be kept confidential.


Email Security

• Always consider whether the content of emails should be encrypted or password protected. Files can be encrypted with the WinZip programme.
• Always check that the email address of the intended recipient is correct prior to sending.
• To send an email to a recipient without revealing their email address to other recipients, staff should make sure to use blind carbon copy (bcc), not carbon copy (cc). When you use cc every recipient of the email message will be able to see the addresses it has been sent to.
• Staff should be careful when sending group emails. Ensure before sending that you have checked only those that should receive the mail are in the group.

Royal Mail/Postal Security

Enhance is responsible for how we process all personal data that we hold, which includes data we send via postal service.

• Always consider whether the data needs to be posted at all. Could it be sent via email? Does the email need to be secured first – password protected/encrypted?
• If required to post personal data, such as employee identification or service user information, then this should always be done using the Royal Mail ‘tracked’/‘signed for’ service.
• Always check the recipient’s address is correct and retain the postal receipt as proof of posting.

Use of Data for Research Purposes
Enhance will never use any personal data held for research purposes or share any personal information with researchers.

Rights of Access and Exemptions
All staff, service users and other data subjects are entitled to know:

• what information Enhance holds and processes about them and for what purposes;
• the source of the information and to whom the information is disclosed
• how to gain access to the information held on them
• how Enhance complies with the Data Protection Act and GDPR legislation.

Any person wishing to exercise their right to this information must request this in writing. Enhance will produce the information as per written request within 40 days. Confirmation of an individual’s identification will be required.

Sensitive Data
All staff must be aware that additional conditions may apply when handling sensitive data, as defined by the Act. Sensitive data is information about a person which falls into one or more of the following categories:

• personal details – name, address, and contact details
• educational and training details re staff
• employment details
• financial details
• racial or ethnic origin
• religious views
• membership of trade union
• physical or mental health
• any alleged criminal offence
• any legal proceedings connected to an individual

Sensitive data can only be processed under strict conditions, which means that in addition to this information being fairly and lawfully processed, it must meet the following conditions:

• having explicit consent of the individual;
• being required by law to process the information for employment purposes
• dealing with the administration of justice or legal proceedings;
• needing to process the information in order to protect the vital interests of the data subject, and consent cannot be given, by or on behalf of the data subject, or the vital interests of another person where consent by or on behalf of the data subject has been unreasonably withheld;
• the process is necessary for medical purposes including the provision of care and treatment and the management of healthcare services, and is undertaken by a healthcare professional;
• the processing is in the substantial public interest, is necessary for the discharge of any function which is designed for the provision of confidential counselling, advice, support or any other service, and is carried out without the explicit consent of the data subject because the processing is necessary in a case where consent cannot be given by the data subject.

Provided an individual is able to give consent, explicit consent must be obtained if the data falling into one of these categories is to be processed. Explicit consent means that it must be clear that the individual has agreed to his or her data being processed. Consent must be in writing. If the individual is unable to give consent, then consent must be sought from their welfare guardian.


Disclosure of Information & Information Sharing
Disclosure of personal information to other people and organisations can only be made in limited circumstances. Staff must ensure they have the individual’s consent prior to disclosing personal information. Staff must ensure they have confirmed the identity of the person seeking the personal information.

Only relevant information and the minimum necessary to achieve the objective may be shared.

Staff must provide information about individuals in an anonymised format, if this is acceptable to the requester.

Enhance will only share personal data on staff as required to outside agencies to meet our responsibilities. This currently includes sharing employee details with our private Payroll company, and Pensions company Smart Pensions.

Checking & Retention of Data
Personal data should be reviewed regularly to ensure that it is still accurate and still required for the purpose it was obtained. Data that no longer needs to be kept should be safely destroyed. Statutory provision requires certain categories of data to be kept for certain lengths of time.

Enhance staff will review data at least every 2 years.

Approved by Management May 2018. L.Juett
Next review due May 2019

Disposal of Confidential Information

Enhance will ensure that all personal information once no longer required will be disposed of securely by using a paper shredding machine.

Website Privacy Policy

Information Collection And Use

We collect only two types of information which we use to provide and improve our services to you.

Personal Data

While using our services, we may ask you to provide us with certain Personally Identifiable Information that can be used to contact or identify you ("Personal Data"). Personal Data may include, but is not limited to:

- Email Address.
- First and Last Name.
- Address, City, County/State/Province, Postal Code/ZIP.
- Cookies and Data Usage.

Data Usage

We may also collect information on how our services are accessed and used ("Data Usage"). This Data Usage may include information such as your computer's Internet Protocol address (IP address), browser type, browser version, the pages of our website that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

We use the collected data for the following purposes:

- To provide and maintain our services.
- To notify you about changes to our services.
- To allow you to participate in interactive features of our services when you choose to do so.
- To provide and improve our customer care and support.
- To provide analysis or valuable information so that we can improve our services.
- To monitor the usage of our services.
- To detect, prevent and address technical issues.

Transfer of Data

Your information, including Personal Data, may be transferred to — and maintained on — computers located outside your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.

Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.

Enhance Support & Care will take all reasonable steps necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and that no transfer of your Personal Data will take place to any organisation or country unless there are adequate controls in place that include the security of your data and other personal information.

Disclosure of Data

Legal Requirements

Enhance Support & Care may disclose your Personal Data in the good faith belief that such action is necessary to:

- Comply with a legal obligation.
- Protect and defend the rights of Peebles Design.
- Prevent or investigate possible wrongdoing in connection with our services.
- Protect the personal safety of users of our services or the public.
- Protect against legal liability.

Disclosing data for other reasons

There are other circumstances where personal data may be disclosed without consent of the data subject. This includes situations where the data must be disclosed by reason of local legislation or international agreement.

Under these circumstances, Enhance Support & Care will only disclose the requested data after taking legal advice to ensure the request is legitimate.
