DATA PROTECTION
POLICY
Introduction
This policy was introduced at Anjuman to meet the requirements and recommendations of the Employment Practice Data Protection Code, which considers the practical steps employers need to take to ensure compliance with the Data Protection Act (1998).
Data Storage
Service User Data
We have a legal requirement under the Data Protection Act (DPA) 1998 that personal data is retained for “no longer than is necessary”. We subscribe to the Department for Health timescales for data retention.
All access to patient identifiable information is controlled on a need to know basis, in accordance with Records Management Procedures. We maintain compliance with any legal and statutory duties including provisions under the Data Protection Act, Caldicott Guidance and the Human Rights Act.
When not in use, all data is held in a secure central location, paper based records are held in locked storage, with all electronic records securely stored on a central network location. All staff members requiring network access must request approval from the appropriate director or system owner. Regular audits of appropriate access levels and data use undertaken.
Any data that is transferred (change in format, change of storage location), or access of archived records, must be approved by an appropriate Director and a record of the transfer created.
Most data stored contains confidential/sensitive information, and destruction of this information must be undertaken in secure auditable manner. The decision to destroy records is made by the responsible Director, after the minimum retention period has been exceeded, and they are satisfied that no useful purpose can be gained by retention.
Paper records to be destroyed are shredded in-house, prior to collection by an external contractor. A certificate of destruction is also provided for destroyed paper records.
Employee Data
All employees are informed of what information is being kept and how it is being used and of their right to access this information. All employees are invited to review and update their personal details during their annual appraisal meeting. Anjuman takes reasonable steps to check the accuracy of the data and when an employee informs us that the data is inaccurate an entry will be placed in their file.
A standard retention time for disciplinary matter is as per Anjuman Disciplinary Policy. As for other records kept they are kept as per retaining information guidelines in the table below.
Sickness and Accident Records
Sickness and accident records are kept separately from absence records, and information about an employee illness or injury is only disclosed for legal reasons, or where an employee has given explicit consent. Our designated Health and Safety Lead facilitates these requirements.
Marketing
Employees have the right not to have their personal data used to deliver advertising messages to them. Where marketing material are distributed to employees, they should be given a clear opportunity to opt out. Employees’ personal data should only be disclosed to other organisations for marketing where the individual employees have positively indicated their agreement.
Disclosure Requests
Anjuman adheres to all legislation, including the Public Interest Disclosure Act (1998), on the subject of whistleblowing, ensuring that fairness and transparency is upheld throughout our organisation.
Disciplinary Procedures and Grievances
As per Anjuman’s disciplinary and grievance procedure.
Retaining information
Retention times must ensure that employee records are not kept for longer than is necessary. Below is a guide for the minimum time that the following records should be retained for.
Policy Updated May 2017