Consultants, contractors and volunteers (including trustees) of the charity will be required to comply with the content of this policy.
We are committed to the values of integrity, accountability and openness. We are also committed to ensure the safety of personal data and to enforcing the message that misuse of personal data within the organisation is not acceptable and will not be tolerated.
We will act in compliance with current guidelines and best practice to provide high quality, timely, accurate and secure information.
This policy will outline our methods of managing and ensuring the security of personal data and health information.
Purpose of the policy
Information governance is a framework for handling and managing information to ensure appropriate and reliable collection, storage, processing, access, security and confidentiality.
This policy aims to ensure that all KCSN consultants, contractors, volunteers and trustees are aware of their individual responsibilities in relation to the management and governance of information.
The guidelines within this policy cover all types of information retained by KCSN. This includes but is not limited to information held in:
- Electronic equipment such as computers, tablets, smart phones, dictation equipment, MP3 players and cameras
- Paper-based records.
The information/data covered by this policy includes, but is not limited to the following:
Personal data constitutes all information that:
- Can be used to identify an individual
- Can be combined with other information to identify an individual
Sensitive personal data relates to any identifiable information regarding the subject’s:
- Racial or ethnic origin
- Political opinions
- Religious belief or similar
- Trade union affiliation
- Information relating to an individual’s sexual orientation
- Commission or allegation of any offence
KCSN data relates to any sensitive organisational information, including:
- Meeting schedules, agendas and minutes of trustees’ meetings
- Financial accounts
- Policies and procedures
Failure to follow this policy could result in contractual/agreement action.
This policy will establish a consistent approach by which we address all aspects of the management of information; including generation, collection, processing, access, use, storage and ultimately disposal. It will do this by:
- Requiring that information is kept confidential in line with the requirements of the EU General Data Protection Regulation 2018
- Establishing mechanisms for members of the KCSN community to have access to their own information and can easily update this information, with clear procedures and arrangements for handling queries from members
- Ensuring that members have given appropriate consent for the collection and processing of their personal data/information
- Establishing a procedure for the deletion of personal data/information that is no longer of use to KCSN, or at the request of members of the KCSN community when consent is withdrawn
- Ensuring that processing of personal data/information is stopped at the request of members of the KCSN community
- Ensuring KCSN has clear procedures and arrangements for handling information requests from the press and broadcasting media
- Establishing mechanisms to allow the purpose and quality of KCSN information to be monitored and maintained, and to ensure that it is appropriate for the purposes intended
- Making every effort to follow the recommendations and principals set out by the National Data Guardian.
This policy applies to all consultants, contractors and volunteers working with KCSN, including trustees.
It is the policy of KCSN to ensure that:
- Information is protected against unauthorised or unlawful access
- Confidentiality of information is assured
- Technical integrity of information is maintained
- Regulatory requirements and guidelines are met
- Information technology systems are used in a manner that prevents the release of information (by accident or deliberate/criminal act), ensures their safe use, and avoids damage to the specific system or any other system to which it is connected
- Information that can be used to identify a person, including confidential information about that person, business information, and confidential corporate information, is restricted to authorised users only
- All consultants, contractors, volunteers and trustees working with KCSN are to be made aware of the Information Governance Policy so that an assurance can be provided that they understand the policy.
All breaches of information security, actual or suspected, will be reported to and reviewed by the Board of Trustees.
Roles and responsibilities
A member of the Board of Trustees will be appointed to have overall responsibility for the information governance within KCSN, and advise the board on the effectiveness of information risk management across the organisation. This person will also act as the Data Protection Officer and be responsible for ensuring consultants, contractors and volunteers working for KCSN comply with the requirements of the EU General Data Protection Regulation 2018 and other mandatory national standards and processes.
All consultants, contractors, volunteers and trustees operating on behalf of KCSN are required to comply with the guidelines of the EU General Data Protection Regulation 2018 when dealing with sensitive personal data, and the requirements of the KCSN Information Governance Policy. They are responsible for protecting the integrity, security and confidentiality of personal data/information (both manual and electronic), and to ensure that any personal information gathered in the course of their work is only used for the stated purpose of gathering the information and kept secure.
An external IT consultancy will provide robust security measures to adequately support the KCSN server holding all personal data/information. The IT consultancy will also be responsible for anonymisation and pseudonymisation of personal data for transfer to external organisations for data management, analysis and reporting. The IT consultancy will provide assurances to the Board of Trustees, including the processes used for anonymisation and pseudonymisation of personal data.
- Establish and maintain policies and procedures to ensure compliance with the EU General Data Protection Regulation 2018, the Common Law Duty of Confidentiality, and any other legislation that is relevant to the processing of personal information
- Establish mechanisms to ensure that consultants, contractors, volunteers and trustees are aware of and understand their responsibilities
- Recognise the need for an appropriate balance between openness and confidentiality in the management and use of information
- Be publicly accountable and needs to ensure that the principles of corporate governance are fully supported
- Regard person identifiable information relating to the members of KCSN and their relatives as confidential, except where there is an overriding legal requirement to share information
- Regard person identifiable information about consultants, contractors, volunteers and trustees as being confidential, except board members that may require otherwise, and where legislation permits
- Recognise that equal importance must be placed on the need to ensure high standards of data protection and confidentiality to safeguard both personal data/information and KCSN data
- Comply with the appropriate legal and regulatory frameworks and guidelines relating to the EU General Data Protection Regulation 2018 and the Common Law Duty of Confidentiality.
Protection of information
This includes the maintenance of standards associated with the EU General Data Protection Regulation 2018 and the Common Law Duty of Confidentiality.
High standards within this area will be ensured by KCSN through:
- Maintenance of policies to effectively incorporate the requirements of key legislation within KCSN’s processes for the effective and secure management of information
- Promotion of effective confidentiality, data protection and security practice to consultants, contractors, volunteers and trustees through policies and procedures.
Data security arrangements
- Manual paper records containing person identifiable information should be stored in locked cabinets
- Access to any computer or tablet must be password protected, and the password must not be shared. Computers and tablets should not be on view or accessible to unauthorised persons, and password-protected screen savers should be in use
- Personal data/information must be held on the KCSN server, not stored on local hard drives. KCSN consultants, contractors, volunteers and trustees must be aware of the high risk of storing information locally and take appropriate security measures
- Personal data/information sent by email must be safely stored and archived. Great care should be taken in sharing personal data/information via email – it should be password protected and procedures undertaken to ensure that the correct person has received it.
Systems and applications
The following rules must apply:
- Consultants, contractors, volunteers and trustees who require access to KCSN’s systems must be appropriately authorised
- Levels of access to KCSN’s systems must be given based upon the role of the consultant, contractor or volunteer
- Access to KCSN’s systems will be given on a need to know basis and such access will be recorded
- Password access is given to individuals; authorised consultants, contractors and volunteers should not under any circumstances allow their access to be used by others.
Anonymisation is a process by which identifiable information is removed from data so that the individuals from whom the information was collected remain anonymous. If personal data is shared, either internally or externally, all identifying factors should be removed.
Pseudonymisation is a process by which a pseudonym is applied to identifiable data for the purposes of sharing the data. If personal data is shared, either internally or externally, all identifying factors should be removed.
Sharing information with external organisations
When sharing personal data with external organisations, KCSN must seek assurance that these organisations have appropriate processes for receiving personal data. KCSN must be assured that these organisations will comply with the requirements of this policy, and meet legislative and related guidance requirements relating to the EU General Data Protection regulation 2018 and the Common Law Duty of Confidentiality.
Consultants, contractors, volunteers and trustees sharing personal data with other organisations should be aware of the agreements between KCSN and the organisation concerned.
- Be responsible for the pseudonymisation of personal data before the data are shared with external organisations
- Support the transition processes of pseudonymised personal data back to identifiable data, if subsequently required
- Only supply identifiable personal data to consultants, contractors, volunteers or trustees authorised to use these data
- Be responsible for most of the inter-organisational communication and transfers of pseudonymised personal data to external organisations.
Monitoring and review
This policy will be monitored by the KCSN management team annually to judge its effectiveness, and will be updated in accordance with changes in the law. We will report to the Board of Trustees on any actions or activities undertaken that are covered by this policy. Any information provided by consultants, contractors, volunteers, trustees or members of the KCSN or their families for monitoring purposes will be used only for these purposes and will be dealt with in accordance with the EU General Data Protection Regulation 2018.
Policy Updated: June 2019
Next Review: June 2021