KNOWLEDGE THROUGH GROWTH (KTG) CONFIDENTIALITY, DATA PROTECTION AND SECURITY POLICY AND PROCEDURE
The nature of KTG’s work means that confidential personal data is handled by our staff, in a variety of different formats, on a day-to-day basis.
The purpose of this policy is to enable KTG to:
• Respect every individual’s and organisation’s right to confidentiality
• Outline the specific circumstances when staff might need to break confidentiality
• Comply with the law in respect of the data KTG holds about individuals
• Follow good practice in all aspects of data protection, security and confidentiality
• Protect KTG’s clients, staff, volunteers and other individuals
• Protect the organisation from the consequences of a breach of its responsibilities
This policy and procedure sets out the principles we work to in order to keep our data protected and secure, in keeping with the principles of the Data Protection Act and the standards contained within ISO/IEC 27001.
1. What is data protection and data security?
The Data Protection Act is a framework of rights and duties which are designed to safeguard personal data and balance the needs of the organisation collecting the data and the individual to whom the data belongs.
Firstly, it states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:
a) Fairly and lawfully processed
b) Processed for limited purposes
c) Adequate, relevant and not excessive
d) Accurate and up to date
e) Not kept for longer than is necessary
f) Processed in line with the rights of Data Subjects (the individual to whom the data belongs)
g) Kept secure
h) Not transferred to other countries without adequate protection
The second area covered by the Act provides individuals with important rights, including the right to find out what personal information about them is held by organisations.
Data security is defined as the measures that KTG has in place to ensure we keep our data safe and protect it from internal and external breaches of security.
E-safety concerns all fixed and mobile devices that allow access to content and communications that could pose risks to personal safety and wellbeing. Examples are PCs, laptops, mobile phones and gaming consoles such as Xbox, PlayStation and Wii.
The misuse of these types of technology poses potential dangers and it is important that we raise awareness of the dangers, minimise the risks and offer information to safeguard staff and candidates.
The risks can include:
• Cyber bullying (bullying or being bullied using any of the above technologies – this includes stalking and harassment)
• Inappropriate content (being sent or being invited to view unwelcome sexual/pornographic/violent/hateful/racist content)
• Scams/fraud (being targeted with the intent to obtain money illegally)
• Grooming (unwanted approaches of a sexual nature or with sexual intent)
You should use KTG electronic equipment for work purposes only.
2. When would confidentiality be breached?
KTG respects every individual’s and organisation’s right to confidentiality and will maintain confidentiality of information unless:
• We are legally required to make information available to third parties;
• The individual is perceived to be a danger to themselves, someone in their care or the general public.
In each of these cases the individual (or organisation) about whom information is to be shared will be informed of the disclosure and their consent gained – unless this would increase the potential risk to the individual.
Any decisions to break confidentiality should be discussed with a line manager before any action is taken. Concerns regarding a child or vulnerable adult must be discussed with the KTG Safeguarding Lead before any action is taken.
3. Data Security and Protection Plan
Prior to employment by KTG, all staff will have pre-employment checks in line with HMG Baseline Security Clearance standards. Records of these checks will be retained in their personnel file.
Where staff are working with young people and/or vulnerable people, they will undergo an enhanced DBS check. The DBS form will be completed within the first week of employment and no unsupervised work involving access to children or vulnerable adults will be undertaken until the check has been returned to KTG and agreed as satisfactory by the Managing Director.
Individuals failing to meet pre-employment checks and/or DBS checks will not be offered or confirmed in employment.
Staff training and awareness
All staff handling or accessing data will receive training in confidentiality and the handling of data in order to comply with the Data Protection Act. This includes the use of electronic media and hard copies.
Staff working directly with clients will be trained to meet Matrix standards relating to information, advice and guidance confidentiality.
Where funding organisations have additional requirements regarding data controls, additional training will be undertaken by the relevant staff.
Breaching confidentiality is explicitly listed as an example of gross misconduct in the KTG Disciplinary and Grievance Policy and could lead to dismissal.
Where funding organisations have contractual requirements relating to confidentiality, staff will be required to confirm their adherence to these requirements (this may include individual confidentiality agreements between staff and funding organisations).
Secure information handling and transfers
KTG operates a clear desk policy for all staff. This means that no documents containing personal information should be left on desks overnight or for long periods of time unattended.
All confidential information is stored within locked storage filing cabinets or within locked rooms in compliance with the Data Protection Act.
All redundant confidential material will be destroyed in line with the audit timeframe requirements of funding organisations: hard copies will be shredded; hard disks and CDs will be physically destroyed.
All KTG computers will be password protected to limit access to appropriate users.
Any personal data (e.g. CVs, application forms or client notes) saved on a computer or portable media should be saved in a password-protected folder.
Where confidential information is transferred electronically, a secure internet connection will be used. KTG staff will be trained in any particular requirements of funding organisations relating to electronic transfer of data.
All data processing will be undertaken within the United Kingdom.
Where confidential data is sent to an alternative address it will always be sent using a fully tracked system (this may include recorded signed for postal services, delivery by a member of KTG staff or a professional courier service). KTG staff will ensure that the correct postal address and addressee is used and that packages are properly sealed.
KTG will maintain up-to-date anti-virus software on all PCs and portable media used by staff.
All documents are stored on the KTG intranet, which is backed up daily using Spanning Backup. Automated backup and recovery reduces the risk of data loss. KTG has also restricted permissions so that only certain members of staff have access to the backups, and Spanning Backup supports good practice in automating user access, data security and data protection.
Portable media includes laptops, memory sticks, handheld devices such as mobile phones, USB drives, CDs and hard-copy documents.
Information stored on portable media must be kept to a minimum and reviewed regularly.
All portable equipment/software containing confidential data that is taken outside of the KTG offices must be recorded at the KTG reception desk. Records must be updated when equipment/software is returned to the KTG offices.
All KTG laptops and portable storage devices containing confidential data must use encryption if taken outside of the KTG offices. All portable devices used by KTG staff are password protected.
All portable media must be sited in a secure area where they cannot be viewed by unauthorised persons.
When clients bring portable media into the office (e.g. CVs or applications saved onto data keys), KTG staff must scan the media using anti-virus software before opening documents, to minimise the risk of viruses being introduced to the KTG network.
KTG holds both manual (hard copy files) and electronic records on staff (e.g. via the XERO payroll system).
To prevent accidental loss, destruction or disclosure of personal or sensitive data held in employee records, records will be secured as follows:
1. Line managers may only have access to personnel files for employees they either directly manage or the subordinates of staff they manage. The Managing Director and Finance Director will have access to all files on a need-to-know basis. The Finance Director will maintain the files, and:
– All personnel files will be kept in one place, locked away securely.
– All electronically stored personnel data will be password protected with restricted password use.
2. Highly sensitive personal information (e.g. DBS information) will be kept in personnel files but in a sealed envelope. This will only be accessible to the Managing Director or Finance Director. Line managers in exceptional circumstances (defined by the Managing Director) will have access to this information if required.
3. Specific information will be held on employee files only for the designated timescale and then destroyed securely (e.g. a formal disciplinary letter will be destroyed in line with the timescale set by the disciplinary procedure). The Finance Director will be responsible for reviewing HR files on a regular basis.
KTG shall not provide lists of partners to a commercial concern or other organisation which appears to intend to use the information in connection with any profit-making activity.
KTG offices are accessed by non-staff only through Waterfront Studio Reception. Reception will either admit them or ask a KTG staff member to come and collect them.
All staff and visitors to KTG premises will sign in on arrival and out when leaving the premises.
Visitors to KTG premises do not have access to staff offices or storage areas unless accompanied at all times by a member of KTG staff.
An intruder alarm system is fitted to the building in which the KTG offices are based. CCTV is also in use throughout the building.
Only staff with KTG ID badges can access the KTG offices. Electronic records for the building can detect who has entered or exited the office. Once staff leave employment with KTG they must surrender their ID badge to be disabled by the Waterfront Studios Administrator.
All staff are obliged to comply with this policy.
Specific responsibility for championing a robust approach to data protection and security lies with the Managing Director who may delegate responsibilities as she sees fit.
Managers are also required to consider data protection and security issues as part of their project planning and risk assessment process.
It is often the case that KTG’s funders or partners require that information on service users, their background and their achievements whilst using a KTG service is shared.
Service users must give their informed consent before information is shared. This is covered by a data protection disclaimer on our KTG Registration Form and is also explained verbally during contracting at the beginning of an advice session or when discussing ground rules on the first day of a training course.
The responsibility for gaining this consent lies with the staff member who delivers the service to the individual.
Many people are reluctant to share confidential data about their backgrounds and it is essential that all staff are able to explain how KTG uses that data to ensure we offer an accessible service to all. If you aren’t sure about how KTG does this, it is your responsibility to talk to your line manager.
Managers are responsible for ensuring that their staff are confident in explaining confidentiality and data use to service users and also that they themselves understand what information is passed to funders and how that information is used.
KTG will use plain English and be very explicit when informing individuals/organisations about the circumstances when their information will be shared.
5. Security incidents
All breaches of security and attempted breaches of security are to be reported in the first instance to the Managing Director or her delegated deputy. Staff must not discuss their concerns with other members of staff.
The Managing Director will take immediate action as appropriate and institute longer term measures as necessary. Details of incidents and actions taken as a result of these incidents will be maintained by the Managing Director and shared with funding organisations as appropriate.
KTG agrees to meet the security incident reporting procedures of funding organisations. This may include the use of reporting forms as required.
6. Procedure on discovering breach of security
Should a breach of security be identified, KTG will undertake the following:
• Immediately notify the relevant funding organisation(s)
• Take all reasonable steps to remedy any breach
• Take all reasonable steps to prevent an equivalent breach in future
7. Amendment and revision
The security plan will be reviewed and updated on an annual basis or where there is a need due to changes in services, standards, new threats, and/or following requests from funding organisations.
Revised plans will be sent to funding organisations within ten working days of their completion.
8. Audit of security plan and processes
The KTG security plan and associated processes will be audited prior to the annual review to ensure that processes are robust.
The date, timing and content of these audits will be sent to funding organisations in order that they may send representation if desired. Where funding organisations require the completion of specific audit paperwork, this will be undertaken and a copy sent to the funding organisation within ten working days of its completion.
Where funding organisations wish to undertake audits of KTG’s security processes, KTG agrees to facilitate these. Should areas of non-compliance/failure be discovered, KTG undertakes to resolve these within 15 working days of official notification by the funding organisation.
9. Resources / Further information
The following resources were used to inform the creation of this policy:
• ‘The Guide to Data Protection’ which can be accessed via the Information Commissioner’s website
This policy should be read in conjunction with the following KTG policies:
• Anti-Fraud
• Disciplinary and Grievance
• Financial Controls
• Safeguarding
Approval
This policy was approved by the KTG Managing Director.
Signed by: Donaly Green
Date for review of policy: May 2019