GDPR and Privacy Policy
Since 25 May 2018 all agencies, including Havering Women's Aid (HWA) and Men's Domestic Abuse Service (MENDAS), must be able to demonstrate that they are compliant with the General Data Protection Regulation (GDPR) and the accompanying Data Protection Act 2018 (DPA 2018).
Our services are committed to protecting and respecting the confidentiality of sensitive information relating to our clients, our staff and volunteers.
It is our responsibility to ensure that we can demonstrate which lawful basis applies to each purpose for sharing. Our service will only share information with other agencies where it is necessary or desirable to do so. Information about adults, children and young people at risk will only be shared between agencies where it is relevant (has a rational link to the purpose); limited to what is necessary (not simply everything we hold) while remaining adequate and sufficient to properly fulfil the stated purpose; shared only with the people who need all or some of the information; and only when there is a specific need for the information to be shared at that time.
Introduction
Our organisation is required to keep certain information about our employees, clients and other stakeholders to allow us, for example, to monitor support, impact and health and safety.
To comply with the law, information must be collected and used fairly, kept for no longer than is necessary ('storage limitation'), and stored safely, that is, processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
Failure to comply with the principles may leave our organisation open to substantial fines. Article 83(5)(a) states that infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines.
To do this, we must comply with the data protection principles set out in Article 5 of the GDPR and the Data Protection Act 2018. In summary these principles state that personal data shall:
- be obtained and processed fairly and lawfully,
- be obtained for a specified and lawful purpose, shall not be processed in any manner incompatible with that purpose,
- be adequate, relevant and not excessive for that purpose,
- be accurate and kept up to date, not be kept for longer than is necessary for that purpose,
- be processed in accordance with the data subject’s rights,
- be kept safe from unauthorised access, accidental loss or destruction.
All staff who process or use personal information must ensure that they follow these principles at all times. To ensure that this happens, our organisation has developed this Data Protection Policy, which applies to all the services we deliver. This policy does not form part of the contract of employment for staff, but it is a condition of employment that employees abide by the rules and policies made by our organisation from time to time. Any failure to follow the policy can therefore result in disciplinary proceedings.
The Data Controller and the Designated Data Controllers
Our organisation, as a body, is the Data Controller under the Data Protection Act 2018, and the Trustees are therefore ultimately responsible for implementation of the policy. However, the Designated Data Controllers will deal with day-to-day matters. Our service has identified its Designated Data Controllers as:
- The CEO
Any member of staff, client or other individual who considers that the Policy has not been followed in respect of personal data about themselves should raise the matter with the CEO, in the first instance.
Responsibilities of Staff
All staff are responsible for:
- checking that any information that they provide to HWA in connection with their employment is accurate and up to date,
- informing HWA of any changes to information that they have provided, e.g. change of address, either at the time of appointment or subsequently.
Our organisation cannot be held responsible for any errors arising from out-of-date information unless the staff member has informed the CEO of such changes.
Data Security
All staff are responsible for ensuring that:
- any personal data that they hold is kept securely,
- personal information is not disclosed either orally or in writing or via Web pages or by any other means, accidentally or otherwise, to any unauthorised third party.
Staff should note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases. Personal information should be kept in a cupboard, drawer or safe in a secure office. If it is computerised, it should be password protected both on a local hard drive and on a network drive that is regularly backed up; and if a copy is kept on a USB memory key or other removable storage media, that media must itself be password protected.
Lawful Basis
The first principle requires that our organisation process all information lawfully, fairly and in a transparent manner. Sharing information is only lawful if we have a lawful basis under Article 6, and to comply with the accountability principle in Article 5(2), our service must be able to demonstrate that a lawful basis applies. The individual's right to be informed under Articles 13 and 14 requires the service to provide victims of abuse with information about our lawful basis for sharing. Our organisation includes these details in our privacy notice. We must not use personal information in a way that is unfair. This means we must not share information in a way that is "unduly detrimental, unexpected or misleading to the individuals concerned".
Our organisation will have sight of our Local Information Sharing Policy and the MARAC (Multi-Agency Risk Assessment Conference) Operating Policy, which detail the purpose for sharing information and the lawful basis. Our privacy notice includes the lawful basis for processing as well as the purposes of the processing.
Consent
The GDPR sets a high standard for consent. Our service does not always need consent from clients. Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance our professional relationship. If we have assessed a victim of abuse to be at high risk of serious harm or homicide (i.e. meeting the MARAC threshold) then our service will have grounds in law for sharing information. In that situation the individual does not have a choice and is not in control of the information sharing: our service would process the personal information without consent, and asking for consent would be misleading and inherently unfair.
Consent is one lawful basis for sharing information, and explicit consent can also legitimise use of special category data. Moreover, consent is important when sharing information where the risk to the victim of abuse has NOT been assessed to be high (so grounds in law do not exist). See the ICO's full guidance on consent. Many of the lawful bases for sharing information depend on the processing being "necessary". This does not mean that sharing information always has to be essential. However, it must be a targeted and proportionate way of achieving the purpose. The lawful basis will not apply if we can reasonably achieve the purpose by some other less intrusive means.
Purpose
At the heart of a MARAC is the working assumption that no single agency or individual can see the complete picture of the life of a victim, but all may have insights that are crucial to their safety. A victim of abuse identified to be at high risk of serious harm or homicide needs a coordinated, multi-agency response, with all agencies, including our service, sharing relevant information to develop an action plan that is comprehensive, robust and addresses the risk to all parties. The purpose of sharing information in the MARAC process is to safeguard victims and any children affected by the domestic abuse.
To safeguard these victims of domestic abuse the MARAC process must:
- Address the behaviour of the perpetrator;
- Make links with other public protection arrangements in relation to children, perpetrators and vulnerable adults;
- Safeguard agency staff.
Rights to Access Information
All staff, clients and other users are entitled to:
- know what information our organisation holds and processes about them and why,
- know how to gain access to it,
- know how to keep it up to date,
- know what our organisation is doing to comply with its obligations under the Data Protection Act 2018.
Our services will, upon request, provide all staff, clients and other relevant users with a statement regarding the personal data held about them. This will state all the types of data our organisation holds and processes about them, and the reasons for which they are processed. All staff, clients and other users have a right under the Data Protection Act 2018 to access personal data being kept about them, whether on computer or in files. Any person who wishes to exercise this right should make a request in writing and submit it to the CEO, who will respond within one month, sending any requested documents by recorded delivery.
Special Category and criminal conviction information
If we are sharing special category data, our organisation needs to identify both a lawful basis for general processing under Article 6 and an additional condition for sharing this type of information under Article 9. There are ten conditions for processing special category data in the GDPR itself, but the Data Protection Act 2018 introduces additional conditions and safeguards. The conditions are listed in Article 9(2) of the GDPR and on the ICO website. If we are processing criminal conviction information or information about offences, we need to identify both a lawful basis for general processing under Article 6 and either official authority for the processing or a condition in Schedule 1 of the DPA 2018 (Article 10).
An individual is only entitled to their own personal data, and not to information relating to other people. The GDPR does not prevent an individual making a subject access request via a third party such as a solicitor. In these cases, our staff need to be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party's responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney. Responding to a subject access request may involve providing information that relates both to the individual making the request and to another individual (perhaps the perpetrator). The DPA 2018 says that our organisation does not have to comply with the request if it would mean disclosing information about another individual who can be identified from that information, except if the other individual has consented to the disclosure, or it is reasonable to comply with the request without that individual's consent. In determining whether it is reasonable to disclose the information, our organisation must consider all the relevant circumstances, including:
- the type of information that we would disclose;
- any duty of confidentiality we owe to the other individual;
- any steps we have taken to seek consent from the other individual;
- whether the other individual is capable of giving consent;
- any express refusal of consent by the other individual;
- the safeguarding of the individual.
This means that although our services may sometimes be able to disclose information relating to a third party, we need to decide whether it is appropriate to do so in each case. This decision will involve balancing the data subject's right of access against the other individual's rights. If the other person consents to our disclosing the information about them, then it would be unreasonable not to do so. However, if there is no such consent, our services must decide whether to disclose the information anyway. Under the Data Protection Act 2018 (DPA 2018), it is an offence to alter, destroy or conceal information with the intention of preventing its disclosure in response to a request. For more information about subject access requests please see the ICO website.
Lawful bases under Article 6
At least one of these must apply whenever we share information (see also special category data above):
a) Consent: the individual has given clear consent for us to process their personal data for a specific purpose.
b) Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
c) Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
d) Vital interests: the processing is necessary to protect someone's life.
e) Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
f) Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply to a public authority processing data to perform its official tasks.)
For more detail on each lawful basis, read the relevant page of the ICO guide.
Main grounds in UK legislation which require the sharing of information
Each entry gives the requirement followed by its legal authority:
- Prevention and detection of crime: s.115 Crime and Disorder Act 1998
- To protect the vital interests of the data subject (serious harm or a matter of life or death): Schedule 8, DPA 2018
- For the administration of justice (usually bringing perpetrators to justice): Part 3 and Schedule 8, DPA 2018
- For the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and the prevention of threats to public security: Part 3, s.31 and s.35, DPA 2018
- Child protection, i.e. disclosure to Children's Social Care or the Police for the exercise of their functions: Children Act 1989 and Children Act 2004
- In accordance with a court order (requests to share information must show why it is relevant for the purpose for which it is requested, including a court order)
- Overriding public interest: common law
- Right to life; right to be free from torture or inhuman or degrading treatment: Human Rights Act 1998, Articles 2 and 3
- Prevention of abuse and neglect: Care Act 2014
- Person lacks the mental capacity to make the decision regarding consent: Mental Capacity Act 2005
To assist our organisation's decisions we will use the Information Commissioner's Office data sharing checklist. Decisions should be defensible, not defensive; confidentiality must not be confused with secrecy.
Our service will record each sharing decision on the Oasis system. The record will include whether the sharing is proportionate, that there is a pressing need, and a summary of why.
The Care Act 2014 places a legal responsibility on local authorities to make enquiries, or ensure others do so, if they reasonably suspect that an adult who has care and support needs is, or is at risk of, being abused or neglected and is unable to protect themselves against the abuse or neglect, or the risk of it, because of those needs. An enquiry is the action taken or instigated by the local authority in response to a concern that abuse or neglect may be taking place. If in doubt, we will always seek specialist advice, and staff can consult the CEO.
Remember: information shared must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
Further advice on information sharing
- Confidentiality and Information Sharing for Direct Care (Department of Health)
- Making effective use of data and information to improve safety and quality in adult safeguarding (Association of Directors of Adult Social Services and the Local Government Association, 2013)
- Adult safeguarding: sharing information (Social Care Institute for Excellence)
Retention of Data
Our organisation has a duty to retain some staff and client personal data for a period of time following their departure from our services, mainly for legal reasons, but also for other purposes such as being able to provide references. Different categories of data will be retained for different periods of time.
Monitoring and Evaluation
This is ongoing; where any clarifications or actions are needed the Policy will be amended at its next review.
Privacy Notice (also see details on Lawful basis above)
Under data protection law, individuals have a right to be informed about how our organisation uses any personal data that we hold about them. We comply with this right by providing 'privacy notices' (sometimes called 'fair processing notices') to individuals where we are processing their personal data.
How we collect, store and use personal data about clients.
The personal data we hold
Personal data that we may collect, use, store and share (when appropriate) about clients includes, but is not restricted to:
- contact details, contact preferences, date of birth, family background, identification documents
- characteristics, such as ethnic background
- details of any medical conditions, including physical and mental health
- safeguarding information
- details of any support received, including care packages, plans and support providers
- photographs
- CCTV images captured in any of our offices/properties
Why we use this data
We use this data to:
- support clients' individual needs
- support bringing clients to safety
- provide appropriate pastoral care
- protect welfare
- assess the quality of our services
- administer admissions to our refuges
- carry out research
- comply with the law regarding data sharing
- contact you, or designated emergency contacts, when we need to do so.
Our legal basis for using this data
We only collect and use clients' personal data when the law allows us to. Most commonly, we process it where:
- we need to comply with a legal obligation
- we need it to perform an official task in the public interest
Less commonly, we may also process clients' personal data in situations where:
- we need to protect the individual’s vital interests (or someone else’s interests)
- we have obtained consent to use it in a certain way
- we have legitimate interests in line with reasonable expectations
Where we have obtained consent to use clients' personal data, this consent can be withdrawn at any time. We will make this clear when we ask for consent, and explain how consent can be withdrawn.
Some of the reasons listed above for collecting and using clients' personal data overlap, and there may be several grounds which justify our use of this data.
Collecting this information
While the majority of information we collect about clients is mandatory, there is some information that can be provided voluntarily.
Whenever we seek to collect information from you, we will make it clear whether you must provide this information (and, if so, what the possible consequences are of not complying), or whether you have a choice.
How we store this data
We keep personal information about clients while they are being supported by our services, for as long as is necessary. We may also keep it beyond the end of their support if this is necessary in order to comply with our legal obligations.
Data Sharing
We do not share information about clients with any third party without consent, unless the law and our policies allow us to do so.
Where it is legally required, or necessary (and it complies with data protection law), we may share personal information about clients with:
- our local authority, the London Borough of Havering – to meet our legal obligations to share certain information with it, such as safeguarding concerns
- suppliers and service providers (where necessary) – to enable them to provide the service we have contracted them for, such as housing or counselling
- health and social welfare organisations – to meet our legal obligations to share certain information with them, such as safeguarding concerns
- police forces, courts, tribunals – to meet our legal obligations to share certain information with them, such as safeguarding concerns
Clients' rights regarding personal data
Individuals have a right to make a 'subject access request' to gain access to the personal information that our organisation holds about them.
If you make a subject access request, and if we do hold information about you, we will:
- give you a description of it
- tell you why we are holding and processing it, and how long we will keep it for
- explain where we got it from, if not from you
- tell you who it has been, or will be, shared with
- let you know whether any automated decision-making is being applied to the data, and any consequences of this
- give you a copy of the information in an intelligible form
- give you a copy of the information within one month of receiving your request
Individuals also have the right for their personal information to be transmitted electronically to another organisation in certain circumstances.
If you would like to make a subject access request, please contact the organisation CEO.
Other rights
Under data protection law, individuals have certain rights regarding how their personal data is used and kept safe, including the right to:
- object to the processing of personal data in certain circumstances, including where it would cause, or is causing, damage or distress
- prevent it being used to send direct marketing
- object to decisions being taken by automated means (by a computer or machine, rather than by a person)
- in certain circumstances, have inaccurate personal data corrected, deleted or destroyed, or restrict processing
- claim compensation for damage caused by a breach of data protection law
To exercise any of these rights, please contact the organisation CEO.
Data Breaches
Any data breach that may occur is notified to the organisation's CEO, who will identify an appropriate person to act as the Data Protection Officer (DPO). The DPO will document and record all breaches, and will assess the potential consequences of each breach, based on how serious they are and how likely they are to occur. The DPO will also consider whether the breach must be reported to the Information Commissioner's Office (ICO). Where a data breach is to be notified to the ICO, the DPO must do so via the ICO website within 72 hours of the organisation becoming aware of the breach. The DPO works with our services and the CEO to review all data breaches and how they can be prevented from happening again.
Complaints
We take any complaints about our collection and use of personal information very seriously. If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance by contacting the organisation’s CEO.
Alternatively, you can make a complaint to the Information Commissioner’s Office by:
- reporting a concern online at https://ico.org.uk/concerns/
- telephoning 0303 123 1113
- writing to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Contact us
If you have any questions or concerns, or would like more information about anything mentioned in this Privacy Notice, please contact the CEO.
CEO Vicki Thomas 01708 728759 vickithomas@haveringwomensaid.co.uk
This policy has been reviewed and no individual or group is disadvantaged by the policy or the process described in it.
Policy updated 15/03/2025