Data protection policy
We are committed to protecting the fundamental rights and freedoms of individuals with regard to the processing of personal data and their right to have their privacy respected.
Last reviewed: June 2020
- Why do we need this policy?
- Who needs to follow this policy and why?
- What’s our policy and how will we implement it?
- Roles and responsibilities
- Related policies, procedures and information sources
- Data protection, equality and diversity
Why do we need this policy?
The purpose of this policy is to provide a clear understanding of what is expected of our board members, directors, employees, workers and partners, as well as any third parties processing personal data on behalf of the organisation.
It sets out our commitment to ensuring that our actions in respect of personal data, including special category personal data and data on criminal convictions and offences, comply with data protection law.
We will ensure that good data protection practice is embedded within the organisation. We will process the personal data of members of the public, social workers, employees, applicants, consultants and other individuals with whom we interact (collectively referred to as “data subjects”) in the course of our operations.
We are committed to a policy of protecting and promoting the fundamental rights and freedoms of individuals, including the right to privacy. We will comply with other relevant legislation outlined in Section 5, which may impact on how and why we process an individual’s personal data.
Who needs to follow this policy and why?
This policy applies to all those who have access to personal data held by our organisation, whether board members, directors, employees, workers, partners or third parties processing personal data for or on behalf of the organisation. The policy also covers those who work from home or have remote or flexible patterns of work.
The key objective of this policy is to ensure that we fulfil our obligations as a controller and processor of personal data, whether it is held electronically or in paper form.
When we engage a third party under a contract, we will ensure that the contract includes adequate assurances in relation to data protection. This includes, for example, ensuring that the third party will meet its obligations under the General Data Protection Regulation (GDPR) (for example, the requirements of Article 28 where applicable) and the Data Protection Act 2018 (DPA 18).
What’s our policy and how will we implement it?
As an organisation, we seek to comply with the data protection principles which require that personal data is:
- processed lawfully, fairly and in a transparent manner
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- accurate and kept up to date; inaccurate data is deleted or rectified without delay
- kept for no longer than is necessary
- protected against unauthorised or unlawful processing and loss
In order to comply with these principles, we will take a proactive approach to:
- ensure that the legal basis for processing personal data is identified prior to that processing taking place, and ensure that all processing is lawful
- ensure that all processing activities are recorded
- ensure that appropriate privacy notices are in place, advising data subjects about their individual rights, the keeping of records, the processing of their personal data and the disclosure of personal data to third parties
- ensure that any requests made by data subjects in relation to their rights are responded to in accordance with the law and Social Work England procedures
- only collect and process personal data in accordance with the stated purpose
- ensure that the personal data we hold is accurate and that processes are in place to keep it up to date
- in accordance with the data retention schedule, only hold personal data for as long as it is needed
- ensure that appropriate security measures are in place to protect personal data and that it can only be accessed by those who need access to it
- ensure that when sharing personal data with other organisations, there is a lawful basis for doing so and it is transferred securely, to prevent unauthorised access or loss
- ensure that those who handle personal data are aware of their responsibilities and are adequately trained and supervised
- ensure that appropriate governance is in place to identify and address any issues encountered, and to promote continuous improvement
We aim to comply with data protection legislation by:
- complying with the data protection principles set out in Article 5 of the GDPR (lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality (security) and accountability)
- ensuring a data protection officer is appointed, who acts as point of contact with the Information Commissioner’s Office (ICO)
- ensuring that we have the necessary internal data protection and information technology security policies, privacy notices and data sharing agreements and that these are amended as necessary following changes in relevant legislation
- ensuring that communication systems are properly secured to prevent unauthorised access to, or alteration, destruction or loss of, personal data
- providing board members, directors, employees, workers and partners with regular data protection compliance training
- keeping a log of any personal data breaches and informing the ICO and the data subjects where necessary
- maintaining a record of all data processing activities
- responding appropriately to all requests made by data subjects in the exercise of their rights
- implementing Privacy by Design when processing personal data and completing a Data Protection Impact Assessment (DPIA) where data processing is likely to result in a high risk to the rights and freedoms of data subjects
- maintaining appropriate governance and accountability at the highest management level and throughout the organisation
Roles and responsibilities
4.1 The board
- Ensuring that Social Work England has effective systems for managing processes and potential risks associated with the use of personal data
4.2 The information governance steering group
- Providing assurance to the Social Work England board and executive leadership team that robust and effective policies, procedures and practices for information governance and data protection are in place within the organisation
4.3 The chief executive
- Appointing a suitably qualified data protection officer for Social Work England
4.4 The executive leadership team
- Ensuring robust and effective policies, procedures and practices for information governance and data protection are in place within the organisation
- Maintaining appropriate organisational governance in respect of data protection and ensuring data protection-related policies and procedures are given effect
4.5 The data protection officer
- Acting as the point of contact for the Information Commissioner’s Office (ICO)
- Monitoring compliance with the GDPR, DPA 18 and other laws and policies pertaining to the protection of data
- Raising awareness through the delivery of internal training
- Carrying out or commissioning an internal audit to ensure compliance with the DPA 18 and the GDPR
- Providing advice regarding DPIAs and monitoring the process
- Monitoring risks to personal data
- Advising the board, executive leadership team and senior leadership team on compliance with data protection laws and organisational risks
4.6 Head of data protection and information governance
- Advocating for good standards in internal governance in relation to personal data, and drafting appropriate policies and approaches to risk management
- Leading the data protection and information governance team
- Influencing organisational strategy as regards data protection and information governance
4.7 All employees, other workers, partners and third parties
- Reading, complying with and maintaining up-to-date awareness of this policy, associated procedures and any contracts applicable to their roles
- Attending training to enable them to comply with this policy and any associated procedures
4.8 Policy authors
- Developing the policy and keeping the policy updated
- Ensuring the approved policy is implemented in accordance with the agreed implementation plan
- Ensuring the necessary equality assessment has been carried out prior to the document entering the approval process (see Appendix 1)
- Ensuring that appropriate communication has taken place with the relevant individuals and groups
- Ensuring that training needs and resources required for implementation are clearly identified
Related policies, procedures and information sources
Data protection, equality and diversity
A data protection impact assessment (DPIA) and equality impact assessment (EIA) have been completed for this policy.
If you have a query about this policy, please contact Greg Lawton, head of data protection and information governance.
8.1 Controller
A natural person (individual) or legal body (such as Social Work England or another legal entity) that decides the purposes and means of the processing of personal data.
8.2 Processor
Anyone or any organisation who processes personal data for or on behalf of the controller, for example a sub-contractor. In relation to Social Work England, sub-contractors may be employed to undertake processing work, for example organisations who undertake payroll and pension administration.
8.3 Data subject
An individual to whom the personal data relates, and who can be identified from that data alone, or in conjunction with other data available, for example where publicly available or held by or on behalf of the Controller.
8.4 Personal data
Information relating to a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location, online identifier or to one or more factors specific to the physical, physiological, mental, biometric, genetic, economic, cultural or social identity of that person.
8.5 Special categories of personal data
Personal data revealing sensitive personal information. The special categories defined in the GDPR are: ethnic origin, political opinion, religious or philosophical belief, trade-union membership, data concerning health or data concerning a natural person's sex life or sexual orientation. This does not include information relating to allegations of criminal activity, or criminal convictions and sentences, but there are separate safeguards in law for this kind of personal data.
8.6 Data protection impact assessment (DPIA)
This is a process that helps to identify and minimise the data protection risks of projects and changes. It requires us to describe how personal data will be processed, assess its necessity and proportionality and manage the risks to the rights and freedoms of the data subjects. DPIAs must be performed where the processing is likely to result in a high risk to individuals.
8.7 Procedure
States in detail how the process will operate. Describes what happens, in what order, who does what and how.
8.8 Board members
Members appointed by the Secretary of State to the Social Work England Board.
8.9 Employees
All people directly employed by Social Work England.
8.10 Workers
Individuals who undertake to do or perform personally any work or service for Social Work England, whether engaged under a contract of employment or any other contract.
8.11 Partners
People working under a contract of service to Social Work England. Includes fitness to practise adjudicators, fitness to practise legal assessors, registration advisers and education inspectors.
8.12 Processing
In relation to personal data, this means any operation or set of operations performed on personal data or on sets of personal data (whether or not by automated means), such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction.
Policy owner: Philip Hallam, executive director – registration, quality assurance, and legal
Policy reference: POL_DATAP_01