1. Policy Statement
Glasgow Women’s Aid delivers services to women, children and young people who are experiencing domestic abuse.
Glasgow Women’s Aid is required to keep and use (process) certain personal information (also referred to as data) about women, children and young people, employees (current and former), job applicants, temporary and agency staff, volunteers, interns, apprentices, suppliers, partners and funders for a number of specific lawful purposes, as set out in our privacy notices.
Glasgow Women’s Aid may also process personal information (and data relating to criminal offence(s)) in relation to perpetrators and alleged perpetrators. The organisation is permitted to do this under a number of exemptions contained in the Data Protection Act 2018 and relevant Schedules. This information will be treated in the same way as other personal data and sensitive personal data, for example we will use the appropriate technical and organisational measures to keep this information secure and to protect it against unauthorised or unlawful processing and against accidental loss destruction or damage.
Glasgow Women’s Aid takes the security and privacy of personal information seriously. The organisation gathers and uses data about you in the normal course of their business and the delivery of their services and to manage their relationship with you and others with whom they have dealings and come into contact with.
Glasgow Women’s Aid may also have to share information about individuals and will aim to do this in line with this policy, privacy notices and information sharing protocols.
2. Policy Aims
This policy aims to set out how we comply with our data protection obligations and seek to protect personal information and sensitive personal information relating to our employees, volunteers, women, children and young people accessing our services and others.
Its purpose is also to ensure that our employees and volunteers understand and comply with the rules governing the collection, use and deletion (all of which is known as ‘processing’) of personal information to which they may have access in the course of their work.
We are committed to complying with our data protection obligations and to being concise, clear and transparent about how we obtain, use and share personal information relating to our workforce, volunteers, service users and others and how and when we delete that information once it is no longer required.
We have a number of privacy statements that can be provided by contacting us.
Our retention policy will give you information about how we dispose of (destroy) records and data retention.
This policy applies to the personal information of job applicants, current and former staff including employees, temporary and agency workers, volunteers, casual or contract staff, suppliers, service users, partners, funders and any other third party we have dealings with.
We will review and update this policy in accordance with our data protection obligations. It does not form part of any employee’s contract of employment and we may amend, update or supplement it from time to time. We will circulate any new or modified policy to staff and relevant others before it is adopted.
4.1 Glasgow Women’s Aid is responsible for ensuring:
- that our employees and volunteers are aware of this policy
- that they receive the appropriate level of training to support the implementation of this policy
- the Information Commissioner entry is up-to-date and accurate
- that data is processed in line with Glasgow Women’s Aid policies and procedures
- that this policy is implemented and enforced
- that any suspicious activities are reported
- all subject access requests are managed appropriately
4.2 All employees, directors/trustees and volunteers have responsibilities to comply with the data protection principles outlined in section 5 below. In particular, they should:
- not disclose any personal information outside the organisation’s procedures nor use it for their own purposes. Anyone disclosing information without the authority of the organisation may commit a criminal offence, and may also be subject to disciplinary proceedings
- ensure that they are familiar with, and comply with, the terms of this policy
- ensure that they provide Glasgow Women’s Aid with relevant and accurate personal data about themselves
5. Data Protection Principles
Glasgow Women’s Aid will comply with the following data protection principles when processing personal information and will comply with these in the following ways:
- we will process personal information lawfully, fairly and in a transparent manner
- we will collect personal information for specified, explicit and legitimate purposes only, and will not process it in a way that is incompatible with those legitimate purposes
- we will only process the personal information that is adequate, relevant and necessary for the relevant purposes
- we will keep accurate and up to date personal information, and take reasonable steps to ensure that inaccurate personal information is deleted or corrected without delay
- we will keep personal information, in a form which permits identification of data subjects, for no longer than is necessary for the purposes for which the information is processed
- we will take appropriate technical and organisational measures to ensure that personal information is kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage
6. Individual Rights
You have the following rights in relation to your personal information:
- to be informed about how, why and on what basis that information is processed
- to obtain confirmation that your information is being processed and to obtain access to it and certain other information by making a subject access request
- to have data corrected if it is inaccurate or incomplete
- to have data erased if it is no longer necessary for the purpose for which it was originally collected/processed or if there are no overriding legitimate grounds for the processing (known as the right to be forgotten)
- to restrict the processing of personal information where the accuracy of the information is contested, or the processing is unlawful (but you do not want the data to be erased), or where the organisation no longer needs the personal information but you require the data to establish, exercise or defend a legal claim
- to restrict the processing of personal information temporarily where you do not think it is accurate (and the employee is verifying whether it is accurate) or, where you have objected to the processing (and the organisation is considering whether their legitimate grounds override your interests.)
Should you wish to exercise any of these rights, or for more information please contact Angela Devine, Chief Executive on 01415534088.
7. Individual Obligations
Individuals are responsible for helping the organisation keep their personal information up to date. You should let your line manager know if the information you have provided to the organisation changes, for example if you move house or change details of the bank or building society account to which you are paid.
Where you have access to the personal information of other members of our workforce, volunteers, service users, suppliers, funders or partners in the course of your employment or arrangements with the organisation, the organisation expects you to help meet its data protection obligations to those individuals. For example, you should be aware that they may also enjoy the rights set out in paragraph 6 above.
If you have access to others’ personal information, you must:
- only access the personal information that you have authority to access and only for authorised purposes
- only allow other staff from the organisation to access personal information if they have appropriate authorisation
- only allow individuals who are not staff from the organisation to access personal information if you have specific authority to do so from the Chief Executive.
- keep personal information secure (e.g. by complying with rules on access to premises, computer access, password protection and secure file storage and destruction)
- not remove personal information, or devices, containing personal information (or which can be used to access it) from the organisations’ premises unless appropriate security measures are in place (such as encryption or password protection) to secure the information on the device
- not store personal information on local drives or on personal devices that are used for work purposes and you must comply with the organisation’s Electronic Communications Policy.
You should contact Angela Devine, Chief Executive if you are concerned or suspect that one of the following has taken pace (or is likely to take place);
- processing of personal data without a lawful basis for its processing or, in the case of sensitive personal information, without one of the additional conditions for processing being met
- any data breach including those set out in paragraph 12 below
- access to personal information without the proper authorisation
- personal information not kept or deleted securely
- removal of personal information, or devices containing personal information (or which can be used to access it) from the organisation’s premises without appropriate security measures being in place
- any other breach of this Policy or of any of the data protection principles set out in paragraph 5.
8. Data Security
The organisation will use appropriate technical and organisational measures to keep personal information secure and in particular to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.
8.1 Glasgow Women’s Aid will ensure that personal data they hold will be secure and safe from unauthorised or inadvertent alteration or erasure and that access and disclosure will be properly controlled. Glasgow Women’s Aid will ensure that appropriate security measures are implemented.
8.2 All personal information in the form of physical records will be kept in a locked filing cabinet, drawer or other secure area with access limited to those who have the right or a need to access it.
8.3 All personal information in the form of computerised records will be password protected, kept on a secure IT system, and kept only on a storage device that is secure. This includes tablets, laptops, desktops and mobile phones.
8.4 Personal and sensitive personal information that is no longer required will be deleted permanently from the organisations information systems and any hard copies will be destroyed securely.
Glasgow Women’s Aid confidentiality policy sets out the limits of confidentiality in relation to data held about service users by Glasgow Women’s Aid.
Glasgow Women’s Aid also has a duty of confidentiality in terms of records kept about our employees, volunteers, and others and will inform them about data kept and how this will be used and shared through privacy notices.
10. Management of Records
Glasgow Women’s Aid will:
- ensure that adequate records are maintained to account fully and transparently for all actions and decisions to ensure that legal and other rights of those affected are protected
- identify what records they are required to hold and how these will be used.
- develop appropriate systems for collecting, maintaining and using, and storing (i.e. processing) this information
- ensure as far as possible that all records are complete and accurate and the information they contain is reliable and its authenticity can be assured
- ensure that records and the information within them can be efficiently retrieved by those with a legitimate right of access, for as long as the records are held by the organisation
The provision of an employment reference will generally involve the disclosure of personal data.
Any reference must be fair and accurate and its contents must be approved by the appropriate manager/worker with management responsibility before being sent. References should avoid giving objective opinions or comments that are not supported by facts.
A personal reference may be given by a member of staff in an individual capacity only. Such a reference must make clear that it is not given on behalf of Glasgow Women’s Aid and must not be provided on Glasgow Women’s Aid headed paper.
Under the Data Protection Act 2018, an employee of Glasgow Women’s Aid has no automatic entitlement to see the contents of a reference provided by a previous employer. Nor is there any obligation on Glasgow Women’s Aid to disclose a reference being provided for an existing employee to a potential future employer.
12. Non-Compliance and Data Breaches
Any non-compliance by staff with this policy will normally be dealt with through Glasgow Women’s Aid Disciplinary Policy.
Any non-compliance by volunteers with this policy will normally be dealt with through GWA’s Volunteer Policy.
A data breach may take many different forms, for example:
- loss or theft of data or equipment on which personal information is stored
- unauthorised access to or use of personal information either by a member of the workforce or third party
- human error such as accidental deletion or alternation of data
- deliberate attacks on IT systems such as hacking, viruses or phishing scams
- unforeseen circumstances such a fire or flood.
Glasgow Women’s Aid will make the required report of a data breach to the Information Commissioner’s Office without undue delay and where possible and appropriate, within 72 hours of becoming aware of it, if it is likely to result in a risk to the right and freedoms of individuals and notify the affected individuals if a data breach is likely to result in a high risk to their rights and freedoms and notification is required by law.
13. Privacy Statements & Consent Forms
In line with the Data Protection legislation, Glasgow Women’s Aid have created a set of privacy statements and consent forms for employees, job applicants, women, children and young people. These can be provided by contacting us.
The information provided in our privacy statements and consent forms is provided in a concise, transparent, intelligible and easily accessible format using clear and plain language.
14. Subject Access
Individuals have the right to access their personal data; this can be requested verbally or in writing. Glasgow Women’s Aid will normally respond to a request no later than one month after receiving it.
We may extend the response time by up to a further two months if the request is complex or if we have received a number of requests from the individual; we will let the individual know within one month of receiving their request and explain why the extension is necessary.
We will not charge a fee to respond to the initial requests in most circumstances. However, if the case is complex or if we have to provide a lot information we may charge for administration costs.
Sometimes we might ask individuals to confirm their identity; we will only do this if it is necessary.
We will refuse any request that is not about your personal data or if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
All requests will be kept securely by Glasgow Women’s Aid, until the matter is resolved.
If a service user has a complaint about data protection, or the processing of personal or sensitive personal information, you can contact Angela Devine, Chief Executive on 01415534088.
If you are unhappy with our response, you can contact the ICO at https://ico.org.uk/make-a-complaint/ or telephone: 0303 123 1113 for further information about your rights and how to make a formal complaint.
If an employee has a complaint about data protection, they should discuss this with HR.
16. Information and Training
Glasgow Women’s Aid will make available to all employees a copy of the Data Protection policy in a centralised and easily accessible location or in a shared file electronically. Training will be delivered and available to ensure that all employees understand the policy and procedure, including the statutory requirements.
17. Monitor and Review
Glasgow Women’s Aid will monitor and review this policy at approximately two yearly intervals and/or when there are relevant changes in legislation or circumstances.
Angela Devine is responsible for implementing and monitoring compliance with this policy.
Personal information - Sometimes known as personal data. Information relating to an individual who can be identified (directly or indirectly) from that information. This can be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.
Data subject - The individual to whom the personal information relates.
Data controller - Gathers and processes (uses) certain information about individuals (Glasgow Women’s Aid is a data controller) Responsible for updating data protection registrations.
Data Processor - Processes data on behalf of the Data Controller (Glasgow Women’s Aid may also be a data processor)
Processing information - Means obtaining, recording, organising, storing, amending, retrieving, disclosing and/or destroying information, or using or doing anything with it
Criminal records information - Personal information relating to criminal convictions and offences, allegations, proceedings, and related security measures
Data breach - Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information.
Sensitive personal information - Sometimes known as ‘special categories of personal data’ or ‘sensitive personal data’. This is personal information about an individual’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), genetics information, biometric information (where used to identify an individual) and information concerning an individual’s health, sex life or sexual orientation.
Pseudonymised - The process by which personal information is processed in such a way that it cannot be used to identify an individual without the use of additional information, which is kept separately and subject to technical and organisational measures to ensure that the personal information cannot be attributed to an identifiable individual.
Information for Women
Glasgow Women's Aid works from a feminist perspective which acknowledges that the root cause of the abuse of women and children is the imbalance of power which exists within our society and allows some people to have more power than others.
The development of our service provision over the last 40 plus years has been guided by the women, children, and young people that we have supported. They are our inspiration.