Colleague Handbook
The UK GDPR and the UK’s Data Protection Act focus on the protection of personal data. As Barnardo’s volunteers and colleagues, we must all be aware of these laws and how they affect our working practices. All colleagues have a duty to comply with the law, and Barnardo’s Data Protection Policy, and are required to complete mandatory annual Data Protection and Security training.
Through guidance and regular training, you will be provided with the relevant level of data protection knowledge so you can play your part in ensuring that Barnardo’s is compliant with the law - protecting and processing hundreds of thousands of personal data records on behalf of our service users, customers and supporters, as well as our own personal data.
The UK GDPR and the 2018 Data Protection Act aim to ensure that people know where their data is held, what it is used for and with whom it’s shared. They also make sure that personal information is treated correctly and that we have systems in place to manage that information.
There are six data protection principles that should be followed in the handling of personal data. These principles require that personal data must:
■ be used fairly, lawfully and transparently;
■ be used for specified, explicit purposes;
■ be used in a way that is adequate, relevant and limited to only what is necessary;
■ be accurate and, where necessary, kept up to date;
■ be kept for no longer than is necessary;
■ be handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.
Under the UK GDPR and the Data Protection Act 2018, you have the right to:
■ be informed about how your data is being used;
■ access your personal data (as a Subject Access Request);
■ have incorrect data updated;
■ have data erased;
■ stop or restrict the processing of your data;
■ data portability (allowing you to get and reuse your data for different services);
■ object to how your data is processed in certain circumstances, including automated decision-making and profiling;
■ lodge a complaint with a supervisory authority, i.e. the Information Commissioner’s Office.
In the course of performing your role, you may be required to handle, collect, or share information of a sensitive nature. It is vital that our policies and processes are followed when you handle personal information. This will ensure that our colleagues and service users’ rights, dignity and wellbeing are promoted at all times.
It is important that you understand that if we discover that our policies and procedures have been breached, this may result in disciplinary action including dismissal.
During or after your employment with us, you must not disclose any trade secrets or any information of a confidential or sensitive nature about:
1. Barnardo’s; or
2. any of our service users; or
3. supporters; or
4. any of our colleagues.
There is an exception if you need to share this information as part of your role or if you are required to do so by law (e.g. as part of an investigation, or in order to claim gift aid).
It is the responsibility of all colleagues to ensure data security. You will be responsible for the confidentiality, integrity and availability of all data which you have access to in the course of your work:
■ Confidentiality: ensuring that personal and confidential information is not disclosed – either purposefully or accidentally – to people who do not have the right to see it. Normally when people talk about data breaches, they mean confidentiality breaches.
■ Integrity: ensuring that data is accurate and unchanged. A good example is a care plan – we need to know who has inputted the information (so they are accountable for it) and that the record is accurate. For example, if there is missing or incorrect data in a case management system (paper based or electronic), this could potentially cause significant harm to an individual.
■ Availability: ensuring that data is available to those who are authorised to see it. A breach can be caused when – either maliciously or accidentally – data cannot be accessed by those who need it. For example, ransomware attacks on computers – a hacker locks you out of your device until you pay the ransom to have your data unlocked.
If any of these three areas are compromised, then a data security incident has occurred. To ensure that Barnardo’s responds effectively to incidents and data breaches and learns lessons over time, please see the guidance on Inside Barnardo’s.
If you have a complaint about the way your personal data has been handled, you can raise it via Barnardo’s internal procedures. You may also have the right to make a complaint to the Information Commissioner’s Office.
From time to time, CCTV systems monitoring premises may be put in place, and monitoring will be carried out in accordance with Barnardo’s CCTV and Monitoring Devices Policy. Where CCTV systems capture data, Barnardo’s will comply with its obligations under the UK GDPR and Data Protection Act 2018 to ensure that data is stored and deleted securely. Colleagues should be aware that recorded CCTV footage will be monitored and used for the purposes of correcting alleged infringements of policies or procedures, or as part of a Conduct process under Barnardo’s Resolution Policy and Procedure.
Barnardo’s holds and processes personal data relating to your employment. This data is confined to that which is considered necessary to ensure that we have adequate records for employment and related purposes, to meet our legal obligations, business requirements and to be able to respond to emergencies. Categories of data collected for this purpose can be found in Barnardo’s Privacy Notice under 2d (Volunteering and Job Applicants) and 2e (current and former colleagues).
From time to time, Barnardo’s may need to share your personal information. For further information about how we do this, please see Barnardo’s privacy notice at https://www.barnardos.org.uk/privacy-notice.
If you wish to access your personnel record, you should apply to the People Relations team, specifying whether you wish to view the data or receive a copy of the information held. The request will be dealt with within 30 days. Please see the guidance on Inside Barnardo’s.
Where the request is for copies of information, every effort will be made to ensure the information is as legible as possible. Multiple requests may incur an administrative fee and requests deemed to be manifestly unfounded or excessive may be refused.
Colleagues have the right to request that incorrect information be corrected, or inaccurate and/or irrelevant information be removed. Any such request must be made in writing to the Strategic People Business Partner. Further guidance is contained within our Data Protection Policy.