This policy outlines our legal requirements under the General Data Protection Regulations and the processes for how Mindspace meets them. Note: until GDPR come into force on 28 May 2018 the current Data Protection Act 2000 will continue to apply.
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment across borders.
The 1998 Data Protection Act, which came into force on 1 March 2000, will continue to apply until the new General Data Protection Regulations come into force in May 2018.
The Regulations cover both written and computerised information and the individual’s right to see such records.
The Regulations also cover records relating to staff and volunteers.
Mindspace staff, Board and volunteers are required to follow this Data Protection Policy at all times.
The Chief Executive has overall responsibility for data protection within Mindspace but each individual processing data is acting on the controller’s (i.e. Mindspace) behalf and therefore has a legal obligation to adhere to the Regulations.
Processing of information – how information is held and managed.
Information Commissioner - formerly known as the Data Protection Commissioner.
Notification – formerly known as Registration.
Data Subject – used to denote an individual about whom data is held.
Data Controller – used to denote the entity with overall responsibility for data collection and management. Mindspace is the Data Controller for the purposes of the Act.
Data Processor – an individual handling or processing data
Personal data – any information which enables a person to be identified
Special categories of personal data – information under the Regulations which requires the individual’s explicit consent for it to be held by the Charity.
Data Protection Principles
Mindspace is required to comply with the principles of good information handling.
This means that Mindspace must :-
1. Process personal data fairly, lawfully and in a transparent manner.
2. Obtain personal data only for one or more specified and lawful purposes and to ensure that such data is not processed in a manner that is incompatible with the purpose or purposes for which it was obtained.
3. Ensure that personal data is adequate, relevant and not excessive for the purpose or purposes for which it is held.
4. Ensure that personal data is accurate and, where necessary, kept up-to-date.
5. Ensure that personal data is not kept for any longer than is necessary for the purpose for which it was obtained.
6. Ensure that personal data is kept secure.
7. Ensure that personal data is not transferred to a country outside the European Economic Area unless the country to which it is sent ensures an adequate level of protection for the rights (in relation to the information) of the individuals to whom the personal data relates.
Mindspace must record explicit consent from all individuals using Mindspace services to storing certain information (known as ‘personal data’ or ‘special categories of personal data’) on file.
Personal data covers information relating to:
1. The racial or ethnic origin of the Data Subject.
2. An individual’s political opinions.
3. An individual’s religious beliefs.
4. Membership of a trade union.
5. An individual’s physical or mental health or condition.
6. An individual’s sexual orientation and gender identity
7. Actual or alleged offences
8. Online identifiers such as an IP address
9. Name and contact details
10. Genetic and/or biometric data which can be used to identify an individual
Consent for information already held by the organisation should be sought at the earliest appropriate opportunity people using the services of Mindspace.
If personal and/or special categories of personal data need to be recorded for the purpose of service provision and the individual refuses consent, the case should be referred to the Chief Executive for advice.
Consent may be obtained in a number of ways depending on the nature of the contact and consent must be recorded on or maintained with the case records:
A registration form should be used and signed by the individual. This can be transferred to an electronic database and the paper record destroyed.
Verbal consent should be sought and noted on the electronic record.
The initial response should seek consent via email.
Consent obtained for one purpose cannot automatically be applied to all uses e.g. where consent has been obtained from a client/student in relation to information needed for the provision of that service, separate consent would be required if, for example, direct marketing purposes.
Preliminary verbal consent should be sought at point of initial contact as personal and/or special categories of personal data will need to be recorded either in an email or on a computerised record (e.g. Bookeo/ACT). The verbal consent is to be recorded in the appropriate fields on the computer record or stated in the email for future reference.
Specific consent for use of any photographs and/or videos taken should be obtained in writing. Such media could be used for, but not limited to, publicity material, press releases, social media, and website. Consent should also indicate whether agreement has been given to their name being published in any associated publicity. If the subject is less than 18 years of age then parental/guardian consent should be sought.
Individuals have a right to withdraw consent at any time. If this affects the provision of a service(s) by Mindspace then the Service Leader should discuss with the Chief Executive at the earliest opportunity.
Ensuring the Security of Personal Information
Unlawful disclosure of personal information
1. It is an offence to disclose personal information ‘knowingly and recklessly’ to third parties.
2. It is a condition of receiving a service that all individuals for whom we hold personal details give consent (as described above) allowing us to hold such information.
3. Clients/students may also consent for us to share personal or special categories of personal information with other helping agencies on a need to know basis.
4. A client/student’s individual consent to share information should always be checked before disclosing personal information to another agency.
5. Where such consent does not exist information may only be disclosed if it is in connection with criminal proceedings or in order to prevent substantial risk to the individual or others. In either case permission of the Chief Executive or Service Leader should first be sought.
6. Personal information should only be communicated within and between Mindspace staff, counselling and volunteer team on a strict need to know basis. Care should be taken that conversations containing personal or special categories of personal information may not be overheard by people who should not have access to such information.
Use of Files, Books and Paper Records
In order to prevent unauthorised access or accidental loss or damage to personal information, it is important that care is taken to protect personal data. Paper records should be kept in locked cabinets/drawers overnight and care should be taken that personal and special categories of personal information is not left unattended and in clear view during the working the day. If your work involves you having personal / and/or special categories of personal data at home or in your car, the same care needs to be taken.
Disposal of Scrap Paper, Printing or Photocopying Overruns
Be aware that names/addresses/phone numbers and other information written on scrap paper are also considered to be confidential. Please do not keep or use any scrap paper that contains personal information but ensure that it is shredded.
If you are transferring papers from your home, to the office for shredding this should be done as soon as possible and not left in a car for a period of time. When transporting documents they should be carried out of sight in the boot of your car.
Where computers are networked, access to personal and special categories of personal information is restricted by password to authorised personnel only.
Computer monitors in the reception area, or other public areas, should be positioned in such a way so that passers-by cannot see what is being displayed. If this is not possible then privacy screens should be used on the monitor to afford this level of protection. If working in a public area, eg reception, you should lock your computer when leaving it unattended.
Firewalls and virus protection to be employed at all times to reduce the possibility of hackers accessing our system and thereby obtaining access to confidential records.
Documents should only be stored on the server or cloud-based systems and not on individual computers.
Where computers or other mobile devices are taken for use off the premises the device must be password protected.
When commissioning cloud based systems, Mindspace will satisfy themselves as to the compliance of data protection principles and robustness of the cloud based providers.
Mindspace does not currently use cloud based data management systems to hold and manage information about its stakeholders.
IT Works Dunfermline
IT works services and backs-up the data on the Mindspace server. These files are stored using a 256-bit encryption system. Data on these servers cannot be decrypted by anyone other than IT Works technical staff.
Bookeo is owned by Bookeo Pty Ltd and holds data about our students and courses. Access is password protected and restricted to staff within the Recovery College to carry out their job. Bookeo adheres to the laws of Australia when processing data and is currently reviewing its compliance with GDPR
Online Text Service – Greentext
Greentext is owned by Stericycle and is currently going through compliance with GDPR and ISO27001. Messages sent through their system are deleted after 365 days. Data is securely stored with EEA at Rackspace UK.
Currently used to store details about clients of the counselling service is available on two computers within the organisation and all details are stored on the Mindspace server.
Survey Monkey is used by Mindspace to store anonymised collective data regarding courses and feedback about Mindspace services. This information is held on servers currently outwith the EU
Hanlon is used in the data collection and storage of information for people using the Peer Support Hub service which is an ESF funded project. The storage of this information is held on encrypted SQL servers in the EU.
The following statement is to be included on any forms used to obtain personal data:
If you consent to us keeping your details for the purposes outlined above please sign below:-
Name (please print)…………………………………………………………………………………………………………………
In addition and separately from using personal information as described above, we would like to contact you from time to time with details of other courses or events we are running. Are you happy to receive this communication?
If yes, how you would like us to communicate with you:-
Email Text Message Post
We promise never to share or sell your information to other organisations or businesses and you can opt out of our communications at any time by telephoning 01738 639657/631639 or by writing to Mindspace Limited, 18-20 York Place, Perth, PH2 8EH or by emailing firstname.lastname@example.org
Any documentation which gathers personal and/or special categories of personal data should contain the following Privacy Statement information:
• Explain who we are
• What we will do with their data
• Who we will share it with
• How long we will keep it for
• That their data will be treated securely
• How to opt out
• Where they can find a copy of the full notice
A Privacy Statement is also published on our website.
The Regulations apply equally to volunteer and staff records. Mindspace may at times record special categories of personal data with the volunteer’s consent or as part of a staff member’s contract of employment.
For staff and volunteers who are regularly involved with vulnerable adults, it is necessary for Mindspace to apply to the Disclosure Scotland to request a disclosure of spent and unspent convictions, as well as cautions, reprimands and final warnings held on the police national computer. Any information obtained will be dealt with under the strict terms of data protection. If there is a positive disclosure the Chief Executive will discuss this, anonymously, with the Chair of the Board and our insurers to assess the risk of appointment. Trustees and insurers should not see the report itself.
Further guidance regarding confidentiality issues can be found in our Confidentiality Policy.
When working from home, or from some other off-site location, all data protection and confidentiality principles still apply. All computer data, e.g. documents and programmes related to work for Mindspace should not be stored on any external hard disk or on a personal computer. If documents need to be worked on at a non-networked computer they should be saved onto a USB drive which should be password protected.
Workstations in areas accessible to the public, e.g. reception or trading office, should operate a clear desk practice so that any paperwork, including paper diaries, containing personal and/or special categories of personal data is not left out on the desk where passers-by could see it.
When sending emails to outside organisations, care should be taken to ensure that any identifying data is removed Confidential and/or special categories of personal information should be written in a separate document which should be password protected before sending. Wherever possible, this document should be ‘watermarked’ confidential.
Any paperwork kept away from the office should be treated as confidential and kept securely as if it were held in the office. Documents should not be kept in open view (eg on a desktop) but kept in a file in a drawer or filing cabinet as examples, the optimum being a locked cabinet but safely out of sight is a minimum requirement.
Retention of Records
Please see Records Management Policy
What to Do If There Is a Breach
If you discover, or suspect, a data protection breach you should report this to the Chief Executive. The Board should be informed of the breach, action taken and outcomes to determine whether it needs to be reported to the Information Commissioner. There is a time limit for reporting breaches to ICO so the Chief Executive should be informed without delay.
Any deliberate or reckless breach of this Data Protection Policy by an employee or volunteer may result in disciplinary action which may result in dismissal.
The Rights of an Individual
Under the Regulations an individual has the following rights with regard to those who are processing his/her data:
• Personal and special categories of personal data cannot be held without the individual’s consent (however, the consequences of not holding it can be explained and a service withheld).
• Data cannot be used for the purposes of direct marketing of any goods or services if the Data Subject has declined their consent to do so.
• Individuals have a right to have their data erased and to prevent processing in specific circumstances:
Where data is no longer necessary in relation to the purpose for which it was originally collected
When an individual withdraws consent
When an individual objects to the processing and there is no overriding legitimate interest for continuing the processing
Personal data was unlawfully processed
• An individual has a right to restrict processing – where processing is restricted, Mindspace is permitted to store the personal data but not further process it. Mindspace can retain just enough information about the individual to ensure that the restriction is respected in the future.
• An individual has a ‘right to be forgotten’.
Data Subjects can ask, in writing to the Chief Executive, to see all personal data held on them, including e-mails and computer or paper files. The Data Processor (Mindspace) must comply with such requests within 30 days of receipt of the written request.
Powers of the Information Commissioner
The following are criminal offences, which could give rise to a fine and/or prison sentence
• The unlawful obtaining of personal data.
• The unlawful selling of personal data.
• The unlawful disclosure of personal data to unauthorised persons.
Further information is available at www.informationcommissioner.gov.uk
Details of the Information Commissioner
The Information Commissioner’s office is at:
Cheshire SK9 5AF
Switchboard: 01625 545 700
Data Protection Help Line: 01625 545 745
Notification Line: 01625 545 740
Mindspace Counselling Service and Mindspace Recovery College are part of Mindspace Limited, a Company Limited by Guarantee No 180643 and a Registered Charity SC002072 in Scotland.