The EU General Data Protection Regulations (GDPR) and Data Protection Bill are the biggest change in Data Protection law in twenty years. The deadline for compliance was set at 25 May 2018. This note seeks to advise our almshouse membership on the changes and accompanies the Almshouse Association data protection policy.
Background
The GDPR is an extension of existing data protection laws. Under the Data Protection Act, you must:
- only collect information that you need for a specific purpose;
- keep it secure;
- ensure it is relevant and up to date;
- only hold as much as you need, and only for as long as you need it; and
- allow the subject of the information to see it on request.
As this is an extension to existing data protection laws, almshouses should refer to the ICO's top five tips on data protection for small and medium-sized charities, if they have not already done so. These are:
- Tell people what you are doing with their data
- Make sure your staff are adequately trained
- Use strong passwords
- Encrypt all portable devices
- Only keep people’s information as long as necessary
https://ico.org.uk/for-organisations/charity/
If an Almshouse charity already has these principles embedded in the organisation, compliance will be much easier.
EU General Data Protection Regulations
All these regulations will affect almshouse charities to a varying degree, depending on size, number of employees or how advanced their data protection is. The ICO has produced a package of tools aimed at small and micro organisations, including charities.
What can my Almshouse Charity do to get ready now?
When reviewing data protection within your Almshouse Charity it is important that you reflect the principles of GDPR.
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/
These can be simply defined as:
- Transparency – Make it clear to individuals that you intend to hold their data, why you hold their data, how they can access the data (Subject Access Request) and how they can edit or delete their data.
- Relevancy – The data collected is for a legitimate and relevant reason. For example, it would be legitimate to ask for a resident’s next of kin but not for information on additional relatives.
- Timely – You should hold data for no longer than is necessary and identify why you store it for that length of time. For example, you may decide it is appropriate to store a resident’s file for a specified length of time (for example two years) after they have moved into a care home. However, you must be able to justify the two years, for instance because in your experience the care home usually requests additional information for up to two years.
- Security – Make sure that personal data is processed, stored and disposed of securely. For example, if residents’ records are kept in a filing cabinet, make sure that it is locked. Or, if a trustee legitimately stores information about residents on a home computer which is accessed by other members of their family, make sure that the file is password protected.
- Accountability – It is important to demonstrate that trustees and staff are aware of their responsibilities to protect individuals’ data. For example, a trustee may be tasked with data protection responsibility, and data protection is regularly reviewed at board level.
Conclusion
While data protection may seem intimidating, it is important to view it as a positive concept that can be used to improve processes that are already in place at your almshouse.
Only implement or revise measures that are appropriate to your individual almshouse and be able to justify why you took these decisions.
The ICO is extremely helpful and, in conjunction with the Charity Commission, has various materials available to assist almshouse charities.
https://ico.org.uk/for-organisations/charity/
The ICO has a phone service aimed at people running small businesses or charities. To access the new service, dial the ICO helpline on 0303 123 1113 and select option 4 to be diverted to staff who can offer support.
If you are particularly concerned about compliance you should take professional advice.
Subject: EU General Data Protection Regulations
Date: March 2018, updated July 2018