Data Protection and Security of Information Policy
Updated Feb 2024
Contents
- Purpose of the Data Protection Policy.
- Overview of the Data Protection Act 2018.
- Confidentiality and Security.
- Ownership of Data.
- Obtaining, Recording, Using and Disclosing.
- Data Subjects’ Rights.
- Use of Children’s Data.
- Training.
- Security.
- Policy Review.
- How to complain
- Contact us
1. Purpose of the Data Protection Policy
Gilgal Birmingham (Gilgal) recognises its responsibilities under the Data Protection Act 2018 and will make every effort to ensure all employees/casual workers/students/volunteers (employees) are aware of their responsibilities under the Act.
Gilgal will ensure that all employees understand that personal data is information about ‘living’ individuals which enables them to be identified e.g. name, address, email.
Gilgal requires that all employees processing personal data will be responsible for their processing activities and comply with the eight Data Protection Principles of ‘Good Information Handling’, as follows:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained only for one or more specified and lawful purposes.
- Personal data shall be adequate, relevant and not excessive.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data shall not be kept for longer than is necessary.
- Personal data shall be processed in accordance with the rights of data subjects (individuals to whom the data/information relates).
- Security Principle – protection against unauthorised/unlawful processing.
- Transfers outside of the EEA – requires adequate levels of protection.
Gilgal understands that Data Protection law and policy aims to ensure that individuals’ rights and freedoms are protected. Gilgal also understands that using personal data to abuse, discriminate or deny access to services is unlawful. In addition, Gilgal is committed to ensuring that personal data it holds is used fairly and lawfully and in a non-discriminatory manner.
This policy applies to all personal data held by Gilgal. It includes manual/paper records and personal data electronically processed. This also includes information gathered on CCTV systems.
We may change this policy periodically, so please check this page from time to time to ensure that you are happy with any changes.
2. Overview of the Data Protection Act 2018
The Data Protection Act 2018 is not optional. It is mandatory and there can be harsh penalties imposed for non-compliance with the Act. In a Crown Court fines can be unlimited and all organisations processing personal data can be affected.
3. Confidentiality and Security
Personal data can be of a confidential nature and this confidentiality must be preserved in compliance with the Data Protection Principles as defined in the Data Protection Act 2018. Confidential information can be the most valuable asset of our business and employees will automatically have duties to Gilgal as their employers to ensure that confidential information is not knowingly or recklessly misused, whether in relation to employees or service users.
All employees at Gilgal recognise the need to maintain confidentiality and security around the receipt of emailed and faxed information. Gilgal confirms that all email accounts are password protected and accessible only by permitted individuals. Confidentiality and security of faxed information is maintained at all times and accessible only to pre-determined employees.
Manual Files
Access to manual files (paper records) must be restricted solely to relevant Staff, and the files stored in secure locations (e.g. lockable cabinets) to prevent unauthorised access. Files will be destroyed in a confidential manner after 7 years of closure/inactivity.
Shredding
Shredding of all confidential material to be destroyed will be carried out by predetermined employees within the office environment. Shredded material will be disposed of to maintain confidentiality of information.
Computer Systems
Computer systems will be configured and computer files created with adequate security levels to preserve confidentiality. Those who use our computer equipment will have access only to the data that is both necessary for the work they are doing and held for the purpose of carrying out that work. All systems are password protected to ensure access only by the specified individuals.
After closure of a case, electronic files will be stored offline for up to 7 years before following a process of deletion.
Personal Data
Personal data will be disclosed only to the person who is the subject of the data/information and other organisations and persons who are pre-defined as notified recipients within Gilgal. It may be necessary for personal data to be disclosed under one of the exemptions within the Data Protection Act 2018. In such cases an audit trail will need to be kept to provide accurate records of any disclosures of personal data.
Preventing Abuse and Discrimination
Gilgal shall take appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of or damage to personal information. Gilgal will ensure that we maintain our responsibilities under the Equality Act 2010 to prevent instances of abuse or discrimination occurring in relation to the protected characteristics and appropriate action will be taken.
Protected Characteristics
- People of all ages
- Race (this includes ethnic or national origins, colour and nationality)
- Disability
- Religion or belief
- Gender reassignment
- Sex
- Sexual orientation
- Marriage and civil partnerships
- Pregnancy and maternity
Sensitive personal data consists of the following information:
- The racial or ethnic origin of an individual.
- Their political opinions.
- Their religious beliefs or other beliefs of a similar nature.
- Trade union membership.
- Physical or mental health or condition.
- Sexual life.
- Commission or alleged commission of any offence.
- Any proceedings for any offence committed or alleged to have been committed.
4. Ownership of Data
Gilgal is responsible for the personal data that it holds. This responsibility also extends to personal data that is processed by a third party on behalf of Gilgal.
The Data Protection Officer on behalf of Gilgal Birmingham is Sanja Kalik, who can be contacted at sanja.kalik@gilgalbham.org.uk.
The Data Protection (Charges and Information) Regulations 2018 require every organisation that processes personal information to pay a data protection fee to the Information Commissioner’s Office (ICO), unless they are exempt. Gilgal Birmingham is registered with the ICO for this purpose and our registration number is Z2448511. Current registrations can also be checked on the ICO’s website at any time.
5. Obtaining, Recording, Using and Disclosing Personal Data
Processing
Processing in relation to information or data, means obtaining, recording or holding the information or data (which includes personal data).
Processing also involves any activity/operation performed on personal data, whether held electronically or manually, such as obtaining, recording, holding, disseminating or making available the data, or carrying out any operation on that data, including organising, adapting, amending and processing the data, and retrieval, consultation, disclosure, erasure or destruction of the data.
All processing of personal data will comply with the Data Protection Principles as defined in the Data Protection Act 2018.
In the situation where a third party processes data on behalf of Gilgal, the third party will be required to act in a manner which ensures compliance with the Data Protection Act 2018 and must also have adequate safeguards in place to protect the personal data.
Organisation: Services Provided
Microsoft: IT software provider
Orbit: IT service provider
EvolveNet: IT service provider / website host
CAF: Banking
Sage: Banking software provider
Google Ads: Advertising
Ontruck by Oasis: Software provider
ShredPro: Confidential Waste Disposal
Recording and Using Data
Data will only be processed for the purposes for which it was collected and should not be used for additional purposes without the consent of the individual to whom the data/information relates.
Gilgal will endeavour to inform all individuals of why their personal data is being collected. In line with the first Data Protection Principle, all information will be collected fairly and lawfully and processed in line with the purpose for which it has been given.
Disclosure
Personal data must not be disclosed, except to authorised users, other organisations and people who are pre-defined as a notified recipient or if required under one of the exemptions within the Data Protection Act 2018.
National Research
Gilgal sometimes takes part in national research to improve the kind of support women and children receive around domestic abuse. This research also helps to predict trends in the type of abuse being experienced.
In taking part in such research, any information used will be anonymised and nothing that could identify any woman or child (e.g. names, addresses, birthdays etc.) would ever be shared or made public.
All service users will be given the opportunity to confirm whether they would like to have their anonymised information used for research or, whether they would prefer that we did not use their information in this way. The decision would be confirmed in the completion of our Information (Data) Handling Statement.
6. Data Subject Rights/Rights of Individuals
The Right of Subject Access
A written request received by Gilgal Management Team/Staff from an individual wishing to access their rights under the provisions of the Data Protection Act 2018 is known as a Subject Access Request. The Act gives an individual the right to request access to any ‘personal data’ that they believe may be held about them. This can include requests from children under the age of 16 years (or those acting on their behalf).
If the Management Team/Staff does hold requested information, then it will provide a written copy of the information held and details of any disclosures which have been made. The information requested will be provided promptly and in any event within 30 days of receipt of the subject access request.
If the information cannot be disclosed within the time period specified, the data subject/individual will be kept fully informed.
Prevention of Processing Causing Damage or Distress
If an individual believes that the Management Team/Staff is processing personal data in a way that causes them substantial unwarranted damage or substantial unwarranted distress, they can send a notice to the Management Team/Staff requesting, within a reasonable time, the data controller to stop the processing.
Right to Prevent Processing for Purposes of Direct Marketing
An individual is entitled to request (in writing) the Management Team/Staff to cease, or not to begin, processing their personal data for the purpose of direct marketing. When the Management Team/Staff receives a written notice they must comply as soon as is practically possible.
An individual may apply to a Court for an Order if the Management Team/Staff fails to comply with a written notice.
Rights in Relation to Automated Decision Taking
An individual is entitled, by written notice, to require the Management Team/Staff to ensure that no decision, which significantly affects that individual, is based solely on the data processing, by automatic means, of personal data in respect of that individual.
Dealing with Inaccuracy
The individual may apply to the Court for an order requiring the Management Team/Staff to rectify, block, erase or destroy such data relating to the individual which contain an expression of opinion which the Court finds is based on the inaccurate data.
7. Use of Children’s Data
Gilgal is aware that Data Protection law (at European and domestic level) does not draw any explicit distinction between individuals (who are the subject of the data) who are adults and those who are children. Instead, it works on the basis of whether the individual is able to give consent to the processing of their data, with the full understanding of the implications of providing such consent, especially in light of the data processed.
Therefore, in using children’s data, consideration should be given to ensuring that data protection principles are appropriately applied. These will include obtaining consent for the use, processing and sharing of their information. In the UK only children aged 13 or over are able to provide their own consent. Using the data of children under 13 will require parental consent, which should be reviewed once the child in question turns 13.
8. Training
Gilgal recognises the need to ensure all employees are trained in relation to the Data Protection Act 2018. All employees need to be aware of their obligations relating to any personal data they process as part of their work at Gilgal.
Failure of employees to adhere to the eight Data Protection Principles can lead to disciplinary action.
9. Security
There are three key points we need to understand and have clearly in mind when thinking about information security.
- “information exists in many forms; printed or written on paper, stored electronically, transmitted by post or electronic means, shown on films or spoken in conversation”.
- “Information Security Management is a combination of management and technological processes”.
- “We all have a part to play in making sure that our information assets are safe”.
10. Policy Review
This Policy will be reviewed every 3 years or sooner, as necessary, in line with legislation updates and reviews in service delivery.
11. How to complain
If you are unhappy about the way we handle your personal data, please let us know verbally or in writing by contacting us at the email or PO box address given below.
We will explain how we have processed your personal information and, if we have made a mistake, we will tell you how we will put this right.
If you are still dissatisfied, you may report your concern to the Information Commissioner’s Office (ICO) by contacting:
Wycliffe House, Water Lane, Wilmslow SK9 5AF
Tel. 0303 123 1113
12. Contact us
If you have any questions about this or any of our other policies, our website, or our organisation, please contact our Data Protection Officer, Sanja Kalik, at sanja.kalik@gilgalbham.org.uk.
Or write to us at:
Gilgal Birmingham
PO Box 3918
Birmingham
B9 5AQ