Data Protection in Oasis: GDPR Compliance and Ethical Practices

Dive into how Oasis ensures GDPR compliance and upholds ethical practices in handling personal data. From their commitment to healthy relationships to lawful basis for processing data, learn about their obligations and ethos. Discover the key principles for data protection within the organization.

Presentation Transcript


  1. Introduction
     How our personal data is used has a huge impact on all of our lives. Oasis are committed to ensuring that we always handle personal data in a manner aligned to our ethos and in a legally compliant way, that we are transparent and open about how we handle data, and that we only reveal personal information to those who have a legitimate right to access it.

  2. Oasis ethos: a commitment to healthy open relationships
     To create and maintain such healthy open relationships, our behaviours towards others will be characterised by being honest and truthful. We will show respect to others, viewing and treating them as people of infinite value and not objects to be used. We will appreciate others and spend time investing in our relationships with them. In light of all of this, it is therefore important that we handle the information that we have about the people that we are in relationship with in the very best possible way. This is what GDPR reminds us to do; it is also a legal requirement.

  3. Our obligations as an organisation
     OCP's Data Protection Lead (DPL) is Kat Simmonds, CEO of OCP. This is a National office appointee who is responsible for, and must be able to demonstrate, compliance with the principles of the GDPR. OCP is not required to have a Data Protection Officer (DPO). Each local Hub has a local Data Protection Lead (DPL). This is a Hub appointee who is responsible for, and must be able to demonstrate, compliance with the principles of GDPR in the Hub, and who will communicate with the National DPL around data protection issues. Some Hubs may also have a Deputy Data Protection Lead.

  4. We must have a lawful basis for processing personal data
     There are six legal reasons for processing personal data:
     1. Consent: this has to be obtained from the individual
     2. Public interest: education has that legal right
     3. Contract: with a member of staff for employment, or with an individual
     4. Legal obligation: to comply with common or statutory law
     5. Vital interests: to protect an individual or another person
     6. Legitimate interests: which are pursued by the data controller or a third party

  5. Only 4 of the lawful bases apply to OCP and local Community Hubs
     1. Consent: this has to be obtained from the individual
     2. Public interest: education has that legal right (we are not a public body)
     3. Contract: with a member of staff for employment, or with an individual
     4. Legal obligation: to comply with common or statutory law
     5. Vital interests: to protect an individual or another person (only applies in a handful of scenarios, which largely do not apply to us)
     6. Legitimate interests: which are pursued by the data controller or a third party

  6. What is Personal Data?
     Personal Data is any information relating to an identified or identifiable natural living person; they are known as a data subject. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as:
     • a name
     • an identification number
     • location data
     • an online identifier
     • one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
     Further information can be found here: What is personal data? | ICO

  7. What is 'Special Category Data'?
     The UK GDPR singles out some types of personal data as likely to be more sensitive, and gives them extra protection. These are:
     • personal data revealing racial or ethnic origin
     • personal data revealing political opinions
     • personal data revealing religious or philosophical beliefs
     • personal data revealing trade union membership
     • genetic data
     • biometric data (where used for identification purposes)
     • data concerning health
     • data concerning a person's sex life
     • data concerning a person's sexual orientation
     Further information can be found here: What is special category data? | ICO

  8. How and why do we process personal data for users of our services
     Due to the varied nature of Oasis Hubs, there could be several reasons. The key areas are listed below.
     How do we obtain personal data?
     • Sign-ups to be part of a marketing mailing list
     • Application forms (volunteering, activity based etc.)
     • Registration forms
     • Permission slips
     • Safeguarding reporting forms
     Why do we need personal data?
     • For health and safety/safeguarding purposes
     • To ensure we have appropriate records for service users and staff/volunteers
     • To track progress in a programme or activity
     • To communicate with Hub users

  9. How and why do we process staff and volunteers' personal data
     The reasons for processing staff and volunteers' personal data vary, but could include:
     How do we obtain personal data?
     • Application form
     • P45
     • DBS Enhancement
     • Qualifications
     • Passport/birth certificate
     • References
     Why do we need personal data?
     • Create a profile on iTrent
     • Produce a timetable
     • Record attendance, sickness
     • Right to work
     • Confirm suitability for job role
     • Enter details onto the Single Central Register
     • Emergency contact details
     • Identification for security
     • Qualifications to undertake our jobs
     • Salary remuneration

  10. How we comply with GDPR
     We must document all the personal data we hold by recording:
     • where it comes from
     • what we use it for
     • who we share the data with
     • where we store it
     • who is responsible for it
     This covers both paper records and electronic records, and we must:
     • Maintain records of our processing activities
     • Maintain records of who we share our data with
     • Correct any inaccurate personal data, including that which we have shared with another organisation
     • Inform any other organisations about any inaccuracies so they can correct their data

  11. What obligations do we have when processing personal data?
     • We must have a legal reason for collecting personal data
     • Know what items of personal data need to be collected
     • Know the purpose(s) the data is to be used for
     • Know which individuals to collect data about
     • Know whether to disclose the data and, if so, to whom
     • Know whether subject access and other individuals' rights apply
     • Know how long to retain the data

  12. There are six principles we must consider when processing personal data
     It must be:
     1. Processed fairly, lawfully and in a transparent manner
     2. Used for specified, explicit and legitimate purposes
     3. Used in a way that is adequate, relevant and limited
     4. Accurate and kept up to date
     5. Kept no longer than is necessary
     6. Processed in a manner that ensures appropriate security of the data

  13. How will we ensure that we process personal data correctly?
     • There must be a documented instruction on how each piece of data is being processed
     • Staff and volunteers must ensure confidentiality when processing personal data
     • Staff and volunteers must take appropriate security measures to protect the data
     • Staff and volunteers must support the Data Processing Lead by using appropriate technical and organisational measures
     • Staff and volunteers must support the Data Processing Lead to ensure compliance
     • Staff and volunteers must store or delete all data at the end of the retention period
     • Staff and volunteers must provide the Data Processing Lead with all information necessary to demonstrate compliance

  14. What is a Privacy Notice?
     OCP and Community Hubs must issue written statements, known as a Privacy Notice, to individuals when we collect their personal data. This should be displayed on our Hub websites. Privacy Notices must be clear, transparent and written in straightforward language which anyone can understand. OCP has a Privacy Notice that covers all Oasis Hubs. In addition, the local DPL in each Hub will complete a supplementary information form that gives specific information about that setting. A copy of the Privacy Notice is available from your local DPL.

  15. What rights will individuals have?
     Individuals will now have increased rights over the control of their personal data. These are:
     • The right to be informed that we are processing their personal data
     • The right of access to the information we are processing
     • The right to rectification of their personal data
     • The right to erasure of any incorrect data
     • The right to restrict processing of their personal data
     • The right to data portability in a compatible format
     • The right to object to our processing of their personal data
     • The right not to be subject to automated decision-making, including profiling

  16. Subject Access Requests (SAR)
     Individuals have the right to request details of all the personal information we hold on them; these are known as Subject Access Requests (SAR).
     • All requests must be made in writing. This can include a message via social media; they don't have to be titled "Subject Access Request" to count. Any written communication that asks for their personal data is enough.
     • They can also come to anyone, not just the DPL.
     • Most requests will be free of charge.
     • We must comply within 30 days, holidays and weekends included.
     • We can refuse or charge if the request is manifestly unfounded or excessive. However, if we refuse we must tell the individual why, and of their right to complain to the Information Commissioner's Office (ICO).
     If you are sent a SAR, or aren't sure if something you've received could be a SAR, you must inform your local DPL immediately.

  17. Data Protection, Consent and Marketing
     When someone is a user of one of our Hub services, it is likely that our lawful basis for processing their data is contractual. However, in some cases we will be processing data on the basis of consent, in particular when marketing or promoting the Hub.
     • Consent must be freely given
     • Must be specific for the reason requested
     • Must be informed and unambiguous
     • There must be a positive opt-in; consent cannot be inferred from silence, pre-ticked boxes or inactivity
     • Consent must be clear and separate from other terms and conditions
     • Consent must be easy to withdraw

  18. Data Protection, Consent and Marketing
     Remember: marketing refers to a wide range of activity. We can only market to people if we have their explicit and informed consent. Therefore, you must be 100% confident that you have explicit consent before undertaking any marketing activity. Speak to your local DPL if you have any specific questions. You can only market to people around the specific item they have given their consent for, i.e. if they consented only to hear from the youth club, you cannot then send general fundraising emails to this person. Activities could include:
     - Sending a Hub newsletter
     - Writing an email requesting funding
     - Adding a banner to your email signature that is about an event or fundraising
     - Emailing people to invite them to an event

  19. What happens when there is a loss of data?
     Should there be a loss of personal data or a data breach, then it must be reported immediately to your local DPL. The local DPL will report this to the national DPL. A loss of data could include accidentally sending data to the wrong person or losing a device that contains data. The loss must be investigated to ensure that steps are taken to reduce the risk of it happening again in the future. All data losses which have the potential to have a significant detrimental effect on the individual(s) through:
     • Discrimination
     • Damage to reputation
     • Financial loss
     • Loss of confidentiality
     • Or any other economic or social disadvantage
     must be reported to the National Data Protection Lead, who must report it to the ICO within 72 hours of discovery (weekends are included). Therefore there is a time pressure to communicate quickly. If the breach is potentially a high risk to the individual(s) then we must notify those concerned directly; this would be managed by the national DPL.

  20. How do individual staff and volunteers reduce the risk of a data breach?
     • Emails: use the Out of Office when not working due to holiday, sickness, training etc.
     • Clear desk: implement a clear desk policy and ensure your desk is cleared at the end of each day and no documents or photographs are left lying about.
     • Laptops, PCs and iPads: screen lock your laptops, PCs and iPads when you are not at your desk. Securely lock away your laptop at the end of each day.
     • Data/memory sticks: do not use data/memory sticks to transfer data. Use OneDrive to share or access personal data.
     • Filing cabinets and cupboards: ensure filing cabinets and cupboards are securely locked with a key; the key is to be either locked in a safe/key cabinet or retained by the member of staff.
     • Personal and sensitive documents: no paper documents with personally identifiable or sensitive data may be taken off site unless you have authority from the Data Processing Lead. Documents taken off site must be securely stored and kept out of sight of others (for example, not on the back seat of your car).
     • Disposal of unwanted documents: all documents containing personally identifiable or sensitive data must be either shredded immediately or disposed of in a confidential sack. These should not be left lying around or disposed of in the recycling bins; this includes photographs.

  21. Find out more
     More information about UK GDPR can be found on the Information Commissioner's Office (ICO) website, here: UK GDPR guidance and resources | ICO
