Kester Disability Rights Ltd (KDR) - Data Protection Policy
Introduction
Kester Disability Rights Ltd (KDR) will protect your personal data and sensitive personal data, using them only for the purposes for which you supplied them.
Please see the glossary at the foot of this policy for definitions of all relevant terms.
Policy Statement
This Data Protection Policy explains how KDR discharges its legal obligations concerning confidentiality and data security standards. The requirements within the policy are based upon the Data Protection Act 2018 and the EU General Data Protection Regulations (EU GDPR).
Registration with the Information Commissioner
The Digital Economy Act 2017 requires every data controller (i.e. organisation) in the UK to pay a fee to the Information Commissioner’s Office (ICO) and outline the categories of data they hold about people, and what they do with it.
KDR has an Entry in the ICO Register of data controllers that states our purpose for processing personal data is as follows, “We process personal information to enable us to advise you about your rights and progress any claims you may have and to maintain our accounts and records and to support and manage our staff”.
A copy of our full certificate is here: https://ico.org.uk/ESDWebPages/Entry/ZA536891
Data Protection Principles
These are laid out in the EU GDPR. The principles require that personal data is:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and kept up to date;
- kept in a form which permits identification of the data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Records can be in computerised and/or in a physical format. They include:
- Manually stored paper files – many social security and other legal processes are still dominated by paperwork and KDR operates from secure locked premises so that manual records are safe. Any hand-written notes are either promptly destroyed or stored in the same secure way as official documents.
- Electronic records – KDR operates using electronic as well as paper storage of documents. All personal data is password protected. The computer containing personal data does not leave the office, which is always locked when unoccupied.
- Photographs – occasionally photographic evidence may be supplied by KDR clients to KDR. When this occurs they are stored in the same way as other physical and electronic records.
- Videos and tape recordings – occasionally these are also supplied by KDR clients to KDR and are stored in the same way as other physical and electronic records.
Rights of Access by Individuals
The EU GDPR gives everyone (or their authorised representative) the right to apply for access to the personal data which organisations hold about them. This is called a Subject Access Request. KDR will comply with subject access requests within the legislative time limits.
We must act on the subject access request without undue delay and at the latest within one month of receipt.
We must calculate the time limit from the day after we receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.
If the corresponding date falls on a weekend or a public holiday, we have until the next working day to respond.
Practicalities
KDR only gathers and uses personal and sensitive personal data to progress cases according to the instructions of the individuals concerned. We do not pass on any data whatsoever for marketing or any other purposes at all. The only time data is shared with third parties is to progress a case. Authority is obtained from data subjects using a plain English form of authority which authorises the sharing of such data only to progress a case. Permission to share data on this basis can be withdrawn by the data subject at any time.
Roles and Responsibilities
Maintaining confidentiality and adhering to data protection legislation applies to everyone at KDR, which is currently Kester Dean and his personal assistant Jade Sullivan, with limited input from IT contractors. When KDR grows to a level where further staff are recruited, KDR will take all necessary steps to ensure that everyone managing and processing personal data understands that they are responsible for following good data protection practice. Employees will receive training and induction accordingly.
Kester Dean is the person responsible for personal data and sensitive personal data at Kester Disability Rights. His responsibilities include ensuring compliance with all relevant legislation and ensuring notification of processing of personal data and sensitive personal data to the ICO is up to date.
The Information Commissioner’s Office (ICO) – The Information Commissioner’s Office is responsible for overseeing compliance e.g. investigating complaints, issuing codes of practice and guidance, maintaining a register of Data Protection Officers. Any failure to comply with data protection requirements may lead to investigation by the ICO which could result in serious financial or other consequences for KDR.
Glossary of Terms
Data Subject
An individual who is the subject of personal data or sensitive personal data. This includes employees, members, volunteers, clients, residents and tenants.
Data Controller
A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data and sensitive personal data are, or are to be, processed.
The data controller is Kester Disability Rights Ltd.
Third Party
In relation to personal data or sensitive personal data, this refers to any person other than the data subject and the data controller. For example, the DWP or HMRC.
Processing
Recording or holding data or carrying out any operations on that data including organising, altering or adapting it; disclosing the data or aligning, combining, blocking or erasing it.
Subject Access Request
A written, signed request (which includes email and other written formats) from an individual to see data which KDR holds about them. The Data Controller must provide all such information in a readable form within 1 month of receipt of the request.