Data Protection & good governance in the community sector

A picture of Brenda Morris smiling In the Community & Voluntary sector, we often have to be masters of all trades. And it’s not easy.

We rely on our small teams and boards to have knowledge of many diverse topics that are often far removed from our specific areas of expertise.

I have been involved in rolling out a framework of Quality Standards within which any service providing mental and emotional wellbeing support and suicide prevention across Northern Ireland should operate. This work focuses on supporting the Community & Voluntary sector to self-evaluate their compliance with good practice.

With that in mind, I thought that it would be useful to share some of my recent experience in updating data protection policies - another important area for good governance. Hopefully, this will support you to do the same in your organisations.

Consulting an expert

As a first step I engaged with a GDPR Consultant Solicitor. I know that this may be beyond some of the budgets of some groups but, if possible, I highly recommend taking advice as this can often help to pinpoint gaps or specific areas to target when updating policies. It also ensures that you have advice specific to your organisation.

Otherwise, hopefully some of the information that I share below will help to set you on the right track or you. I am providing links to a number of our policies which you may want to use as initial templates which can then be tailored to your own organisations.

NICVA also has a great Data Protection Toolkit. This guide focuses on what you need to know and focus on now, with signposting to more practical advice and resources.

Access NICVA Toolkit

Why now?

Data protection legislation changed significantly almost two years ago and although, at Developing Healthy Communities, we made initial changes when the EU General Data Protection Regulation (GDPR) came into effect, it was time for a ‘root & branch’ review of our policies, procedures and templates. Importantly it was also timely to review how our employees were trained on data protection and, as I’ve learned, that is something that needs to be built into an annual training programme.

Here are some of the main changes the new legislation brought in:

Individual rights - There has been a strengthening of individual rights such as the right to be informed. It’s really important to consider who is on mailing lists, what information is gathered from our websites and how to make sure that we are taking into account contact preferences expressed by users.
Privacy by design and default – This means you should be taking privacy into account from the very start if you are introducing a new service. So, consideration for any costs should be built into funding applications and any news team members should be data protection trained.
Breach notification - The new breach notification means you have a duty to report certain personal data within 72 hours of becoming aware of the breach.
Fines for breaches – These are higher and are linked to your turnover.
Liability extension - New rules around liability extension means these principles are the responsibility of every employee of the organisation:
Third party information governance – you need to be aware of how other organisations handle the information you share. Get agreement in writing to the measures they will take to secure their systems.

What did it mean for our policies and procedures?

The review of our policies and procedures showed that it was important to review them in line with what was happening across the organisation. For example, we were in the process of redeveloping our website and developing a new regular newsletter so it was important to consider how that particular project could impact on how we comply with data protection legislation.

As a result, there were a number of policies which we revised:

Privacy Policy – The main document for external clients and you will see this published on our website
Data Protection Policy – An internal document for staff and volunteers.
Record Retention Policy – Shows the minimum retention period for a variety of records.
DHC Website Policies – Includes Website Policies, Copyright Policy, Disclaimer, Exclusion of liability, Website links policy and Cookies policy.

I’m including links to these documents – some of which are already available on our website – as these may be useful starter documents for your own review policy. Please remember though that these are specific to our organisation and you should carefully consider specific ways that your organisation uses data and build that into your policy refresh.

Additional governance

We also identified the need for two new policies. We felt that these were important because of the type of information and personal data that we manage. These were:

Security Policy – Covers physical, technical and procedural security controls.
Confidentiality and Non-disclosure Policy – Outlines our responsibilities on confidentiality, integrity and availability of personal, sensitive and confidential information.

Registers and logs

Policies are reviewed annually but there are a number of other data protection documents which we put in place which keep the focus on how those policies are being implemented on a daily, weekly or monthly basis. These registers and logs are saved centrally for easy access and help with record keeping:

Data Register (Controller)
IT Equipment Disposal Register
Keys and Access Codes Log
Subject Access Request Log
Visitors Log
Template Information Asset Register

Please feel free to get in touch if you want copies of our registers and logs.

Other sources of support

The review of policies and procedures can seem daunting but remember it is an important part of your organisation’s governance requirements.

Short, regular reviews can often be quicker and easier than leaving it for many months between looking at your policies. It also keeps issues like data protection at the front of your mind and ensure that you are building it into new plans or projects.

Do have a look at NICVA’s Data Protection Toolkit. Or get in touch if you’d like any further information about our experience.

Comments (1)

Please verify your action

Comment (maximum 3500 characters) (required)

Add a picture

Notify me when someone makes a comment

First name (required)

Last name (required)

Email (required)

Which country do you live in?

Postcode (required)

Address line 1

Address line 2

Town or city

Keeping In Touch

We'd love to keep you posted with our news, activities and how you can help in other ways. We'll never sell or swap your details with anybody else. You are free to change your mind at anytime. Please indicate how you would like to hear from us by using the tick boxes below

Via email

Via telephone

Via SMS

Via post

Which country do you live in?

Postcode (required)

Address line 1

Address line 2

Town or city

Your Privacy

We will always store your personal details securely. We'll use them to provide the service that you have requested, and communicate with you in the way(s) that you have agreed to. Your data may also be used for analysis purposes, to help us provide the best service possible. For full details see our Privacy Policy

By submitting this form you are agreeing to our terms and conditions

The Developing Healthy Communities Project (DHC) reserves the right to make changes to these terms and conditions at any time. Please refer back to this section regularly because any amendments will be posted here and will apply to your continued use of the website.

Copyright policy (last update 25th September 2017)
Disclaimer (last update 25th September 2017)
Exclusion of liability (last update 25th September 2017)
Privacy policy (last update 25th September 2017)
Our website links policy (last update 25th September 2017)
Definitions used in these terms and conditions
The terms "this site" and “this website” means all Internet pages in the dhcni.com.
"DHC" includes any person or organisation involved in any part of the design, development, moderation, response-handling, marketing, promotion or other similar aspects of this site.
"User(s)", “visitor(s)”, “you”, “your” and “yours” means the person(s) accessing or interacting with the website.
"Content" means any information, data, text, graphics, photographs, publications, documents, links, programming code or other material published, contained or available on the website.
“indemnify” means to exempt.
Contact us
If you have questions about anything in these terms and conditions, please email [email protected] or write to us at DHC, Lilac Villa, Gransha Park, Derry / Londonderry, BT47 6TG.

Feedback
We welcome your feedback. Please send us your comments via our feedback form.

Copyright policy
DHC holds the copyright for the content of this website. Unless otherwise stated, the following copyright statement applies to all content found on this site.

Permitted use
Visitors to the DHC website are granted permission to access this copyright material (written or images) and to download the copyright material onto electronic, optical or similar storage media provided that such activities are for personal, non-commercial use.

Restricted use
Visitors to the DHC website must not reproduce, modify, display, distribute or publish any of the copyright material on this website without prior written permission from DHC. Commercial use or publication of all or any part of the content of this website is strictly prohibited without prior written authorisation from DHC.

Disclaimer
All text, illustrations, photographs, videos and any other media presentation provided on the DHC website is provided for information purposes only. Information on this website is subject to change without prior notice and it is the responsibility of the website visitor to check for relevant updates on a regular basis. Whilst every reasonable effort is made to ensure that the information on the website is complete, accurate and up-to-date, this cannot be guaranteed.

DHC shall not be liable whatsoever for any error, omission or damages incurred as a result of the use of information posted on this website.

The mention of specific organisations, projects or of certain manufacturers' products does not imply that they are endorsed or recommended by DHC in preference to others of a similar nature that are not mentioned.

DHC is not responsible for, and cannot guarantee the accuracy of, information on sites that it does not manage, nor should the inclusion of a hyperlink be taken to mean endorsement by DHC of the site to which it points.

We refer to our website links policy [see below] when considering requests for us to include a link to another website. While DHC makes all reasonable attempts to exclude viruses from the website it cannot guarantee such exclusion and no liability is accepted for damage caused through the downloading of viruses or other malicious programmes. Therefore, we strongly recommended that you take appropriate safeguards to protect your computer before downloading information from this, or any other, website.

Exclusion of liability
DHC hereby excludes all and any losses, liabilities, claims, damages, expenses or costs (whether as a consequence of its negligence or otherwise) arising in connection with:

your use or inability to use this site
any unauthorised access to or alterations of information provided on this site
your use of any third party websites (including without limitation those that may be connected by hyperlink to this site)
any arrangements entered into with any third party in connection with any information provided by or in connection with this site
the inaccuracy, incompleteness or tardiness of any information supplied or available through this site
loss or damage due to viruses that may infect your computer equipment, software, data or other property on account of your access to or use of the DHC website or other websites linked to this site
any costs associated with servicing, repair or correction of your equipment, software or data that may arise from your use of the website.
Website links policy
Here we summarise our policy on website links from and to DHCNI and other associated sites.

Links from this site to other websites
This site may contain links to websites operated by parties other than DHC. Such links are provided for your convenience only. Links to third party sites are identifiable because clicking on them will display the third party's website URL.

When you access any other website by means of a link from this website you should understand that DHC does not control such websites and is not responsible for their content. Inclusion of links to such websites does not imply any endorsement of the material on such websites or any association with their operators.

We cannot guarantee that these links will work and we have no control over the availability of the linked pages.

It is DHC’s policy to obtain permission to link to other websites, and contextual links are provided to sites deemed by us to be appropriate to DHC aims and objectives. However, such links are subject to our disclaimer [see above].

Linking to the DHC website
DHC is committed to working with other organisations which share our aims and values and encourages the development of websites which support these aims and objectives.

We are happy for other organisations and individuals to link from their own websites to DHC’s website, however prior agreement must be sought from DHC via email to [email protected]. Should permission be granted, nothing on your site should imply that any part of the DHC site is part of your own site and any page or file that you link to on the DHC site must be called with its URL displayed.

DHC retains the right to withdraw permission to link to our site without explanation or notice if we think that such links are excessive, inappropriate or have other concerns in relation thereto.

Requests for reciprocal links
When considering requests for links from our website to other websites we use the following criteria:

must be directly related to DHC aims and objectives
must not be commercial sites.*
* It is our policy not to link from our site to commercial sites whose primarily purpose is to endorse or sell products or services.

Cookie policy
What are cookies?
Cookies are small text files stored on your computer by the websites you visit.

They track your interactions with a website to make it work more efficiently for future sessions.

Cookies have many different uses. For example, they can store information to help you enter a site without having to log in. They can also help a website remember your preferred settings so it reloads them on your next visit.

Cookies have the ability to store personal information in some circumstances, but do not normally do so.

Managing cookies
In your web browser you can choose to turn cookies on or off. You can also delete specific cookies or clear your browser's cache (history).

If you choose to disable cookies, some parts of this website may not work properly.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Who can see these comments?

From: Brenda Morris

Published: 25 March 2022

Latest

Three key mental health messages from recent Clear Forum event

Catch up on the most important points made at the recent Reach, Remit, Referral event at the Omagh Enterprise Centre
Clear Project Training Outcomes

Here you will information on the Clear Project's training outcomes.
Seeking your expertise: Establishing diabetes wellbeing hubs in the north west

In the Western Trust area there a 17,500 people living with diabetes. A further 10,500 are living with prediabetes. Join community leaders to discuss planning and design of a local community-based Wellbeing Hub with Diabetes UK
Clear Forum event: Reach, Remit and Referral

Reach, Remit Referral - Focussing on mental health emotional wellbeing and suicide prevention within in the Western Area The aim of the event is to highlight support and services available through the Protect Life 2 Strategy

World Suicide Prevention Day 2023

Join the movement this World Suicide Prevention Day with the theme 'Creating Hope Through Action.' From September 11th to October 9th, Northern Ireland unites to prioritize mental health and community well-being
Our mental health strategy response

An integrated role for community groups and clear, measurable outcomes – Developing Healthy Communities’ response to the Department of Health draft Mental Health Strategy.
Independent review of mental health crisis services in Northern Ireland

Seeking views to inform the development of mental health crisis services
Gathering input for the Mental Health Strategy

Brenda Morris highlights why we need to ensure the community & voluntary sector's voice is heard as part of this consultation
Reaching out with mental health training

We know that it is increasingly important to look after our own mental health and that of others. The Clear Project has been working with the PHA to highlight free, easy to access training and to find innovative ways to work with harder to reach groups.
Age Friendly Calendar

Somewhere to keep your dates and to support your emotional wellbeing. This project was made possible with Department of Health funding through the Western Protect Life Implementation Group
Free resources to support better Mental Health during COVID-19

Learn about free resources which can help you look after your mental health during the COVID-19 pandemic.
Protect Life 2

What is it and what work is being delivered to prevent suicide and self-harm in Northern Ireland