At HAD we are committed to protecting your privacy and handling your information respectfully and legally. We always keep your personal information secure and protected, and will not share your information outside of HAD without your prior consent.
We collect your personal information to help us run and improve our services. You can change your mind about receiving information and personal contact from us at any time.
We are fair, clear and honest about how we use your personal information, and you can find out more detail from our GDPR policy below.
Harrow Association of Disabled people (HAD) are committed to a processing
personal information in accordance with the Data Protection Act 1998. Protecting the confidentiality and integrity of the personal data of everyone who uses, or works in HAD, is a responsibility that HAD takes seriously at all times. We will ensure that our staff and those acting on our behalf obtain, use, disclose and destroy personal information lawfully and correctly.
2. What is data?
2.1 Data is any information, whether written, verbal or pictorial (including
photographs) about an individual.
2.2 Personal Data
Personal data is any information through which an individual could be directly or indirectly identified. Both data which could be used on its own to identify someone, or data which could be used in combination with other identifiers which HAD possesses, or can reasonably access, is relevant. Personal data can be factual (for example, a name, email address, location or date of birth) or could be an expressed opinion about that person or their actions.
2.3 Sensitive Personal Data
Sensitive personal data is a special category of information which relates to a personal characteristics of the data subject. This could apply to race or ethnic origin, political opinions, gender, religious (or other) beliefs, trade union membership or otherwise, disabilities, including knowledge of any physical or mental health conditions, sexual life, sexual orientation, and biometric or genetic data. It also includes personal data relating to criminal offences and convictions.
2.4 Data subject
This is a person who is protected by the Data Protection Act. Every living
person is protected, and in some circumstances, individuals may be protected after their death.
2.5 Data Processing
Data processing is any activity that involves the use of personal data. This may involve obtaining, recording or storing information, or using data in any way – eg. organising, retrieving, using, disclosing, deleting or destroying it. Processing also includes any transfer of personal data to third parties. HAD will never process individual data in a manner which would unlawfully identify the subject.
2.6 HAD will collect data for analysis and reporting purposes in a way that
does not identify individuals, and will also not attribute any specific
comments used to any individual without prior consent of the individual.
3. Fair and lawful processing of data
3.1 In particular we will ensure that personal information is:
Used lawfully, fairly and in a transparent way;
Processed fairly and lawfully.
Processed only for specified and valid lawful purposes, relevant to specific purposes and limited only to those purposes
Adequate, relevant and not excessive.
Accurate and up to date.
Not kept longer than is necessary for the purposes intended, or to ensure legal retention compliance
Deleted, or if in paper format, shredded prior to disposal.
Processed in accordance with the rights of the owners of the information.
3.2 Some examples of lawful reasons for processing data would be:
HAD using personal information eg. for anonymised reporting, in which case HAD may use such information without further notice to, or consent from the data subjects.
When it is needed to perform employees’ contracts of employment, volunteer agreements, agreements for people on placement with HAD or any other contracts
In order to provide a service to a client
When it is needed to comply with a legal obligation; or
When information is needed to ensure the wellbeing, health and safety of any person associated with HAD
3.3 HAD may process special categories of personal information in the
In limited circumstances, with explicit written consent, in order to meet legal obligations, or to provide a service involving external parties
When it is needed for specific reasons, such as for anonymised equal opportunities or quality monitoring or in relation to HAD’s occupational pension scheme; or
When it is needed to assess working capacity on health grounds, subject to appropriate confidentiality safeguards.
When it is necessary to protect the interests of an employee, client or other person
When it is necessary in the public interest or for official purposes.
When it is necessary for HAD’s legitimate interests (or those of a third party) and employees’ interests and fundamental rights do not override those interests.
In relation to legal claims
Where it is needed to protect the interests of a client, employee, or other person and the person is not capable of giving consent
Where the person themselves has already made the information public.
Where there is a legal requirement for HAD to disclose information such as in a safeguarding or criminal case.
3.4 The same rules apply to any information HAD holds regarding criminal
3.5 In order to monitor the reach of services provided we may collect and collate personal information about the people who use the services which we provide. This may be gathered by means of monitoring forms, registers, questionnaires or surveys.
3.6 On the rare occasion that a funder requires information about individuals, we will ensure that clients are aware of this and have the opportunity to withdraw from receiving a service.
4. Data storage
4.1 Any personally identifiable information will be securely stored at all times.
All information which is held on any staff member or client must be password protected at all times.
4.2 Where the use of paper information cannot be avoided, it must be locked
in a secure cabinet at all times.
4.3 Any computer and other equipment which may contain confidential
information must be disposed of using an IT Data Destruction company
which is compliant with government directives.
5. Data Sharing
5.1 Personal information is not ´owned´ by the person within HAD with whom
it is shared, although only those who need access to information will be allowed access. Examples may include staff or volunteers in their work with clients, and their managers.
5.2 Once shared, personal information requires third parties to respect the
security of employee data and to treat it in accordance with the law. Legal situations where HAD may share personal information with third parties are eg. with companies which provide secure IT facilities to HAD, or in the
context of the event of any possible restructure. HAD may also need to
share personal information with a regulator or to otherwise comply with the
law. HAD will never contract with a third party which does not have legally
compliant data protection policies.
5.3 HAD may also share employee data with third-party service providers
where it is necessary to administer the working relationship with
employees or where HAD has a legitimate interest in doing so. Such
activities would include:
Payroll and pension administration
The provision of HR advice and guidance and
6. Data subject rights
6.1 To ensure the accuracy of data, HAD will conduct regular reviews of the
information held by it to ensure the relevance of the information it holds,
and to ensure that retention schedules are adhered to. Employees are
under a duty to inform HAD of any changes to their current circumstances,
and clients are advised to, as a service may not be able to be provided
without this. Where a client or worker has concerns regarding the
accuracy of personal data held by HAD, they should contact their line
manager, if an employee, and a HAD manager if a client, to request an
amendment to the data.
6.2 Under certain circumstances, those for whom HAD holds information have
the right to:
Request access to personal information (commonly known as a “data subject access request”).
Request erasure of personal information, or have an explanatory note added to a file
Object to processing of personal information where HAD is relying on a legitimate interest (or those of a third party) to lawfully process it.
Request the restriction of processing of personal information.
Request the transfer of personal information to another party.
6.3 If anyone would like to make a request on any of the above grounds, they
should contact a senior manager or board member in writing. Please note
that, depending on the nature of the request, HAD may have good
grounds for refusing to comply, or to compromise – eg. a client may want
a record erased which HAD is obliged to retain by law. If that is the case,
the requester will be given an explanation by HAD.
6.4 Clients, employees, students on placement, volunteers and contractors
have the right to request to see information which HAD holds about them,
referred to as Data Subject Access Requests.
6.5 For a first request, there will not normally be charge. However, HAD may
charge a reasonable fee if the request for access is clearly unfounded or
excessive. Alternatively, HAD may refuse to comply with the request in
such circumstances. Where we agree to the request, and the requester
would like copies of information viewed, a charge will be made to cover
printing and staff time.
6.6 HAD may need to request specific information from the requester to
confirm their identity and ensure the right to access the information (or to
exercise any of the other rights).
7. Automated Decision Making
7.1 HAD does not envisage that any decisions will be taken about employees
or clients, or any other person, using automated means, however
employees, clients and any affected person will be notified if this position
8. Collection and Retention of Data
8.1 HAD will collect personal information about workers and clients through
referral including self-referral, application and recruitment process, either
directly from applicants or sometimes from an external referrer such as an
employment agency or other organisation.
8.2 To comply with other lawful and good practices, HAD may sometimes be
required to collect additional information from third parties including former
employers or other background check agencies such as criminal record
9. Retention of Data
9.1 HAD will only retain personal information for as long as necessary to fulfil
the purposes it was collected it for, including for the purposes of satisfying
any legal, retention, accounting, or reporting requirements. Details of
retention periods for different aspects of personal information are set out
in a table which can be made available on request.
9.2 When determining the appropriate retention period for personal data, HAD
will consider the amount, nature, and sensitivity of the personal data, the
potential risk of harm from unauthorised use or disclosure of personal
data, the purposes for which the personal data is processed, whether HAD
can achieve those purposes through other means, and the applicable
9.3 After the data retention period has expired, HAD will securely destroy all
10. Data Security and Sharing
10.1 HAD has put in place appropriate security measures to prevent personal
information from being accidentally lost, used or accessed in an
unauthorised way, altered or disclosed. Details of these measures are
available upon request. Access to personal information is limited to those
employees, agents, contractors and other third parties who have a
business need to know. They are contractually bound to only process
personal information on HAD’s instructions and are subject to a duty of
11. Compliance with this Policy
11.1 The Board is tasked with overseeing compliance with this policy, and a
named person, the Data Protection Officer, will be responsible for
reporting breaches*. If workers have any questions about this policy or
how HAD handles personal information, they should contact a member of
the senior management team. Workers have the right to make a complaint
at any time to the Information Commissioner’s Office (ICO), the UK
supervisory authority for data protection issues.
11.2 HAD has procedures to deal with any data security breach and will notify
affected persons and any applicable regulator of any suspected breach
where legally required to do so. In certain circumstances, HAD must
notify regulators of a data security breach within 72 hours of that breach.
Therefore, if a worker becomes aware of a data security breach they must
report to the Data Protection Officer* immediately.
12. Privacy by Design
12.1 HAD will have regard to all data protection principles relevant legislation
when designing or implementing new systems or processes where
personal data is used or stored
13. Responsibilities of employees, volunteers and students on
placement/ interns (collectively referred to here as ´´workers´´)
13.1 All workers are responsible for ensuring that processing meets the
standards set out in this policy.
13.2 Workers should not disclose personal data about HAD, colleagues, clients
or other parties unless that disclosure is fair and lawful, and in line with
this policy. Ever. This is a lifetime commitment which extends beyond the
contractual or agreed terms and conditions of the relationship.
13.3 Workers must take confidentiality and security seriously at all times
Any personal data collected or recorded manually (eg. a note on a paper
or made on a phone) must be added to HAD´s electronic system straight
away, and with absolute accuracy, and the original note destroyed.
Workers must not make any oral or written reference to personal data held
by HAD about any individual except to other workers of HAD who need
the information for their work, or for an authorised recipient.
13.4 The identity of any person asking for personal information, and their right
to receive that specific information, must be established, before any
information is provided
13.5 If a worker is asked by an unauthorised individual to provide details of
personal information held by HAD, they should ask the individual to put
their request in writing and send it to the CEO/ Development Leader, data
protection officer or relevant board member.
13.6 Workers must not use personal information for any purpose other than
their work for HAD.
13.7 If an employee is in doubt about any matter to do with data protection,
they must discuss the situation with their line manager immediately.
13.8 All files and documents containing confidential information must be kept
within a passworded electronic system, or locked in secure filing cabinets
at all times, other than when being used.
13.9 Confidential filing cabinets must be kept locked at all times when the
cabinets are not in use. Keys must never be left in the lock of the filing
cabinet, and keysafes must never be left unlocked.
13.10 Passwords should not be disclosed and should be changed regularly
13.11 Employee or third party personal data should not be left unsecured or
unattended, e.g. on public transport, or visible in a car, if a worker is
carrying the address of a client to make a visit.
13.11 Unauthorised use of HAD´s IT equipment, or electronic systems is not
13.12 Workers may use personal equipment to carry out work but must ensure
that devices are password protected, locked when not in use, and must
not be able to be accessed by anyone else.
13.13 Workers must delete and not store any personal data from their device
when not in use
13.14 As far as possible, employee, client or third party personal data contained
in emails and attachments should be anonymised before it is sent
13.15 Documents containing sensitive information should be password protected
and, if the document requires to be transmitted, the document and
password should be transmitted separately.
13.16 Workers should use secure printing when there is no choice but to print
13.17 Any documentation which is no longer required should be shredded, or
13.18 Workers must adhere to data retention guidelines for the storage and
destruction of all information
13.19 Any contractor who uses their own device for HAD work must commit to
using a secure passworded device to which no other person has access,
for their work, and is subject to adherence with this policy.
13.20 Any breach of the above rules will be taken seriously and, depending on
the severity of the matter, may constitute gross misconduct for employees
which could lead to summary termination of their employment.
13.21 Any breach may also lead to summary termination of any contract or
agreement held with HAD eg. by a volunteer or a contractor
*All staff will be notified of lead person
14. Consent to employee Data Processing
14.1 HAD does not require consent from employees to process most types of
employee data when personal information is required to fulfil legal
obligations the or exercise specific rights in the field of employment law. If
an employee fails to provide certain information when requested, HAD
may not be able to perform the contract (such as paying the employee or
providing a benefit). HAD may also be prevented from complying with
14.2 In limited circumstances, for example, if a medical report is sought for the
purposes of managing sickness absence, employees may be asked for
written consent to process sensitive data. In those circumstances,
employees will be provided with full details of the information that sought
and the reason it is needed, so that employees can carefully consider
whether to consent. It is not a condition of employees’ contracts that
employees agree to any request for consent.
14.3 Where employees have provided consent to the collection, processing and
transfer of personal information for a specific purpose, they have the right
to withdraw consent for that specific processing at any time. Once HAD
has received notification of withdrawal of consent it will no longer process
information for the purpose or purposes originally agreed to, unless it has
another legitimate basis for doing so in law