
GDPR Policy

At HAD we are committed to protecting your privacy and handling your information respectfully and legally. We always keep your personal information secure and protected, and will not share your information outside of HAD without your prior consent.

We collect your personal information to help us run and improve our services. You can change your mind about receiving information and personal contact from us at any time.

We are fair, clear and honest about how we use your personal information, and you can find out more detail from our GDPR policy below.

1. Introduction.

Harrow Association of Disabled people (HAD) are committed to processing personal information in accordance with the Data Protection Act 1998. Protecting the confidentiality and integrity of the personal data of everyone who uses, or works in HAD, is a responsibility that HAD takes seriously at all times. We will ensure that our staff and those acting on our behalf obtain, use, disclose and destroy personal information lawfully and correctly.

2. What is data?

2.1 Data is any information, whether written, verbal or pictorial (including photographs) about an individual.

2.2 Personal Data

Personal data is any information through which an individual could be directly or indirectly identified. Both data which could be used on its own to identify someone, or data which could be used in combination with other identifiers which HAD possesses, or can reasonably access, is relevant. Personal data can be factual (for example, a name, email address, location or date of birth) or could be an expressed opinion about that person or their actions.

2.3 Sensitive Personal Data

Sensitive personal data is a special category of information which relates to the personal characteristics of the data subject. This could apply to race or ethnic origin, political opinions, gender, religious (or other) beliefs, trade union membership or otherwise, disabilities, including knowledge of any physical or mental health conditions, sexual life, sexual orientation, and biometric or genetic data. It also includes personal data relating to criminal offences and convictions.

2.4 Data subject

This is a person who is protected by the Data Protection Act. Every living person is protected, and in some circumstances, individuals may be protected after their death.

2.5 Data Processing

Data processing is any activity that involves the use of personal data. This may involve obtaining, recording or storing information, or using data in any way – eg. organising, retrieving, using, disclosing, deleting or destroying it. Processing also includes any transfer of personal data to third parties. HAD will never process individual data in a manner which would unlawfully identify the subject.

2.6 HAD will collect data for analysis and reporting purposes in a way that does not identify individuals, and will also not attribute any specific comments used to any individual without prior consent of the individual.

3. Fair and lawful processing of data

3.1 In particular we will ensure that personal information is:

  • Used lawfully, fairly and in a transparent way;

  • Processed fairly and lawfully.

  • Processed only for specified and valid lawful purposes, relevant to specific purposes and limited only to those purposes

  • Adequate, relevant and not excessive.

  • Accurate and up to date.

  • Not kept longer than is necessary for the purposes intended, or to ensure legal retention compliance

  • Deleted, or if in paper format, shredded prior to disposal.

  • Processed in accordance with the rights of the owners of the information.

  • Kept secure

3.2 Some examples of lawful reasons for processing data would be:

  • HAD using personal information eg. for anonymised reporting, in which case HAD may use such information without further notice to, or consent from the data subjects.

  • When it is needed to perform employees’ contracts of employment, volunteer agreements, agreements for people on placement with HAD or any other contracts

  • In order to provide a service to a client

  • When it is needed to comply with a legal obligation; or

  • When information is needed to ensure the wellbeing, health and safety of any person associated with HAD

3.3 HAD may process special categories of personal information in the following circumstances:

  • In limited circumstances, with explicit written consent, in order to meet legal obligations, or to provide a service involving external parties

  • When it is needed for specific reasons, such as for anonymised equal opportunities or quality monitoring or in relation to HAD’s occupational pension scheme; or

  • When it is needed to assess working capacity on health grounds, subject to appropriate confidentiality safeguards.

  • When it is necessary to protect the interests of an employee, client or other person

  • When it is necessary in the public interest or for official purposes.

  • When it is necessary for HAD’s legitimate interests (or those of a third party) and employees’ interests and fundamental rights do not override those interests.

  • In relation to legal claims

  • Where it is needed to protect the interests of a client, employee, or other person and the person is not capable of giving consent

  • Where the person themselves has already made the information public.

  • Where there is a legal requirement for HAD to disclose information such as in a safeguarding or criminal case.

3.4 The same rules apply to any information HAD holds regarding criminal records.

3.5 In order to monitor the reach of services provided we may collect and collate personal information about the people who use the services which we provide. This may be gathered by means of monitoring forms, registers, questionnaires or surveys.

3.6 On the rare occasion that a funder requires information about individuals, we will ensure that clients are aware of this and have the opportunity to withdraw from receiving a service.

4. Data storage

4.1 Any personally identifiable information will be securely stored at all times.

All information which is held on any staff member or client must be password protected at all times.

4.2 Where the use of paper information cannot be avoided, it must be locked in a secure cabinet at all times.

4.3 Any computer and other equipment which may contain confidential information must be disposed of using an IT Data Destruction company which is compliant with government directives.

5. Data Sharing

5.1 Personal information is not 'owned' by the person within HAD with whom it is shared, although only those who need access to information will be allowed access. Examples may include staff or volunteers in their work with clients, and their managers.

5.2 Once shared, personal information requires third parties to respect the security of employee data and to treat it in accordance with the law. Legal situations where HAD may share personal information with third parties include, eg., with companies which provide secure IT facilities to HAD, or in the event of any possible restructure. HAD may also need to share personal information with a regulator or to otherwise comply with the law. HAD will never contract with a third party which does not have legally compliant data protection policies.

5.3 HAD may also share employee data with third-party service providers where it is necessary to administer the working relationship with employees or where HAD has a legitimate interest in doing so. Such activities would include:

  • Payroll and pension administration

  • The provision of HR advice and guidance and

  • IT services.

6. Data subject rights

6.1 To ensure the accuracy of data, HAD will conduct regular reviews of the information held by it to ensure the relevance of the information it holds, and to ensure that retention schedules are adhered to. Employees are under a duty to inform HAD of any changes to their current circumstances, and clients are advised to, as a service may not be able to be provided without this. Where a client or worker has concerns regarding the accuracy of personal data held by HAD, they should contact their line manager, if an employee, and a HAD manager if a client, to request an amendment to the data.

6.2 Under certain circumstances, those for whom HAD holds information have the right to:

  • Request access to personal information (commonly known as a “data subject access request”).

  • Request erasure of personal information, or have an explanatory note added to a file

  • Object to processing of personal information where HAD is relying on a legitimate interest (or those of a third party) to lawfully process it.

  • Request the restriction of processing of personal information.

  • Request the transfer of personal information to another party.

6.3 If anyone would like to make a request on any of the above grounds, they should contact a senior manager or board member in writing. Please note that, depending on the nature of the request, HAD may have good grounds for refusing to comply, or to compromise – eg. a client may want a record erased which HAD is obliged to retain by law. If that is the case, the requester will be given an explanation by HAD.

6.4 Clients, employees, students on placement, volunteers and contractors have the right to request to see information which HAD holds about them, referred to as Data Subject Access Requests.

6.5 For a first request, there will not normally be a charge. However, HAD may charge a reasonable fee if the request for access is clearly unfounded or excessive. Alternatively, HAD may refuse to comply with the request in such circumstances. Where we agree to the request, and the requester would like copies of information viewed, a charge will be made to cover printing and staff time.

6.6 HAD may need to request specific information from the requester to confirm their identity and ensure the right to access the information (or to exercise any of the other rights).

7. Automated Decision Making

7.1 HAD does not envisage that any decisions will be taken about employees or clients, or any other person, using automated means. However, employees, clients and any affected person will be notified if this position changes.

8. Collection and Retention of Data

8.1 HAD will collect personal information about workers and clients through referral including self-referral, application and recruitment process, either directly from applicants or sometimes from an external referrer such as an employment agency or other organisation.

8.2 To comply with other lawful and good practices, HAD may sometimes be required to collect additional information from third parties including former employers or other background check agencies such as criminal record checks.

 

9. Retention of Data

9.1 HAD will only retain personal information for as long as necessary to fulfil the purposes it was collected for, including for the purposes of satisfying any legal, retention, accounting, or reporting requirements. Details of retention periods for different aspects of personal information are set out in a table which can be made available on request.

9.2 When determining the appropriate retention period for personal data, HAD will consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for which the personal data is processed, whether HAD can achieve those purposes through other means, and the applicable legal requirements.

9.3 After the data retention period has expired, HAD will securely destroy all personal information.

10. Data Security and Sharing

10.1 HAD has put in place appropriate security measures to prevent personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Details of these measures are available upon request. Access to personal information is limited to those employees, agents, contractors and other third parties who have a business need to know. They are contractually bound to only process personal information on HAD’s instructions and are subject to a duty of confidentiality.

11. Compliance with this Policy

11.1 The Board is tasked with overseeing compliance with this policy, and a named person, the Data Protection Officer, will be responsible for reporting breaches*. If workers have any questions about this policy or how HAD handles personal information, they should contact a member of the senior management team. Workers have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.

11.2 HAD has procedures to deal with any data security breach and will notify affected persons and any applicable regulator of any suspected breach where legally required to do so. In certain circumstances, HAD must notify regulators of a data security breach within 72 hours of that breach. Therefore, if a worker becomes aware of a data security breach they must report to the Data Protection Officer* immediately.

12. Privacy by Design

12.1 HAD will have regard to all data protection principles and relevant legislation when designing or implementing new systems or processes where personal data is used or stored.

13. Responsibilities of employees, volunteers and students on placement/ interns (collectively referred to here as "workers")

13.1 All workers are responsible for ensuring that processing meets the standards set out in this policy.

13.2 Workers should not disclose personal data about HAD, colleagues, clients or other parties unless that disclosure is fair and lawful, and in line with this policy. Ever. This is a lifetime commitment which extends beyond the contractual or agreed terms and conditions of the relationship.

13.3 Workers must take confidentiality and security seriously at all times.

Any personal data collected or recorded manually (eg. a note on a paper or made on a phone) must be added to HAD's electronic system straight away, and with absolute accuracy, and the original note destroyed.

Workers must not make any oral or written reference to personal data held by HAD about any individual except to other workers of HAD who need the information for their work, or for an authorised recipient.

13.4 The identity of any person asking for personal information, and their right to receive that specific information, must be established before any information is provided.

13.5 If a worker is asked by an unauthorised individual to provide details of personal information held by HAD, they should ask the individual to put their request in writing and send it to the CEO/ Development Leader, data protection officer or relevant board member.

13.6 Workers must not use personal information for any purpose other than their work for HAD.

13.7 If an employee is in doubt about any matter to do with data protection, they must discuss the situation with their line manager immediately.

13.8 All files and documents containing confidential information must be kept within a passworded electronic system, or locked in secure filing cabinets at all times, other than when being used.

13.9 Confidential filing cabinets must be kept locked at all times when the cabinets are not in use. Keys must never be left in the lock of the filing cabinet, and keysafes must never be left unlocked.

13.10 Passwords should not be disclosed and should be changed regularly

13.11 Employee or third party personal data should not be left unsecured or unattended, e.g. on public transport, or visible in a car, if a worker is carrying the address of a client to make a visit.

13.11 Unauthorised use of HAD's IT equipment, or electronic systems is not permitted.

13.12 Workers may use personal equipment to carry out work but must ensure that devices are password protected, locked when not in use, and must not be able to be accessed by anyone else.

13.13 Workers must delete and not store any personal data from their device when not in use.

13.14 As far as possible, employee, client or third party personal data contained in emails and attachments should be anonymised before it is sent.

13.15 Documents containing sensitive information should be password protected and, if the document requires to be transmitted, the document and password should be transmitted separately.

13.16 Workers should use secure printing when there is no choice but to print information.

13.17 Any documentation which is no longer required should be shredded, or deleted.

13.18 Workers must adhere to data retention guidelines for the storage and destruction of all information.

13.19 Any contractor who uses their own device for HAD work must commit to using a secure passworded device to which no other person has access, for their work, and is subject to adherence with this policy.

13.20 Any breach of the above rules will be taken seriously and, depending on the severity of the matter, may constitute gross misconduct for employees which could lead to summary termination of their employment.

13.21 Any breach may also lead to summary termination of any contract or agreement held with HAD eg. by a volunteer or a contractor.

*All staff will be notified of lead person

14. Consent to employee Data Processing

14.1 HAD does not require consent from employees to process most types of employee data when personal information is required to fulfil legal obligations or exercise specific rights in the field of employment law. If an employee fails to provide certain information when requested, HAD may not be able to perform the contract (such as paying the employee or providing a benefit). HAD may also be prevented from complying with legal obligations.

14.2 In limited circumstances, for example, if a medical report is sought for the purposes of managing sickness absence, employees may be asked for written consent to process sensitive data. In those circumstances, employees will be provided with full details of the information that is sought and the reason it is needed, so that employees can carefully consider whether to consent. It is not a condition of employees’ contracts that employees agree to any request for consent.

14.3 Where employees have provided consent to the collection, processing and transfer of personal information for a specific purpose, they have the right to withdraw consent for that specific processing at any time. Once HAD has received notification of withdrawal of consent it will no longer process information for the purpose or purposes originally agreed to, unless it has another legitimate basis for doing so in law.
