Citizens Advice Rotherham & District: Data protection policy
1. Statement of policy
Citizens Advice Rotherham & District (CARD) is fully committed to compliance with the requirements of the General Data Protection Regulation (GDPR), Data Protection Act 1998 and any successor legislation (together, the ‘data protection legislation’). Citizens Advice is committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data and special category personal data.
CARD will, therefore, follow procedures which aim to ensure that all employees and volunteers, and others who have access to any personal data held by or on behalf of the local office, are fully aware of and responsible for the handling of personal data in line with the data protection legislation.
In order to operate efficiently, CARD has to collect and use information about people with whom it works. These may include current, past and prospective clients; current, past and prospective employees; current, past and prospective volunteers; and our suppliers.
Data protection legislation and in particular Article 5 (1) of the GDPR requires that personal data shall be used in accordance with the following principles:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Article 5 (2) of the GDPR requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Lawful basis for processing personal data under the data protection legislation
CARD primarily uses legitimate interest to process client personal data.
CARD also process personal data under the following lawful bases:
Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Lawful basis for processing special category personal data
Citizens Advice Rotherham & District process special category personal data under the follwing lawful bases:
Explicit consent: the data subject has given explicit consent to the processing of those personal data for one or more specified purposes.
2. Handling of personal data and special category personal data
CARD will, through appropriate management and the use of appropriate controls adhere to the following in regards to our use of personal data and special category personal data;
Provide up to data privacy notices to data subjects.
Collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with legal requirements.
Ensure the quality and accuracy of information when collected or received and during its use.
Apply checks to determine the length of time information is retained.
Take appropriate technical and organisational security measures based on risks to data subjects.
Not transfer outside the EEA without suitable safeguards.
Ensure that any information incidents are reported to national Citizens Advice and where appropriate the data subject and the Information Commissioner’s Office.
Mitigate risks to the data subjects in the event of an information incident using an appropriate data breach policy.
Ensure that the rights of our data subjects can be properly exercised.
These rights include:
The right to be informed
The right of access
The right to rectification
The right to erase
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling.
In addition, we will ensure that:
There is someone with specific responsibility for data protection in the organisation. The post responsible for data protection is Chris Griffin Organisational information and in particular, privacy risks are risk assessed, documented and controlled.
Everyone managing and handling personal data and special category personal data understands that they are responsible for following good Information Governance / Assurance practice and for complying with the data protection legislation.
Everyone managing and handling personal data and special category personal data is appropriately trained and supervised to do so.
Queries about processing personal data and special category personal data are promptly and courteously dealt with within the requirements of the data protection legislation.
Data sharing and processing is carried out under an appropriate written agreement, setting out the scope and limits of the sharing. Any disclosure of personal data will be in compliance with approved procedures.
All employees and volunteers are to be made fully aware of this policy and their duties and responsibilities under it. All employees and volunteers will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure.
3. Client management systems
As part of our membership of Citizens Advice, CARD will use the relevant case management system provided by Citizens Advice, (currently Casebook) and by doing so agrees to adhere to the data sharing agreement between the respective parties.
Citizens Advice and each individual local Citizens Advice are joint data controllers for the personal data and special category personal data within the Casebook application and therefore each have a joint responsibility to ensure compliance with data protection legislation.
Casebook is used to process information, personal data and special category personal data provided by clients in the course of seeking advice and guidance from the Citizens Advice service.
All information, personal data and special category personal data is to be regarded as being confidential between the individual and the Citizens Advice service unless expressly indicated otherwise.
Data sharing is required so that both the client and Citizens Advice have flexibility in where, how and when clients receive the service and the need to only enter this client data once. The data protection legislation provides the legal framework under which personal data and special category personal data can be processed.
Data is shared to provide the service to clients, to refer clients to other organisations, for following up with the client for feedback, to enable Citizens Advice to act on behalf of the client when authorised, to understand trends and carry out research to enable policy work. The data shared will always be the minimum necessary required to carry out the business purpose.
In all cases the relevant consent must be obtained, or alternative lawful basis determind, for any processing or sharing of client personal data and special category personal data.
4. Relationship with existing policies and supporting documentation
This policy has been formulated within the context of a range of policies such as those relating to IT security, confidentiality and information assurance.
Citizens Advice Rotherham & District (CARD) has tried to ensure that the information on this website is accurate. However, CARD will not accept liability for any loss, damage or inconvenience arising as a consequence of any use of or the inability to use any information on this website. CARD endeavours to provide a service of the highest quality. However, we cannot guarantee that our service will be uninterrupted or error-free. We are not responsible for claims brought by third parties arising from your use of this website
CARD assumes no responsibility for the contents of linked websites. The inclusion of any link should not be taken as endorsement of any kind by CARD of the linked website or any association with its operators. Further, we have no control over the availability of the linked pages.
Material on this website, including text and images, is protected by copyright. It may not be copied, reproduced, republished, downloaded, posted, broadcast or transmitted in any way except for your own personal, non-commercial use. Prior written consent of the copyright holder must be obtained for any other use of material. Copyright in all materials and/or works comprising or contained within this website remains with CARD and other copyright owner(s) as specified. No part of this site may be distributed or copied for any commercial purpose.
The cookies we use include ‘analytical’ cookies. They allow us to recognise and count the number of visitors to our website and see how those visitors move around the website. This helps us to improve the way our website works, for example by making sure users can find what they want more easily.
In your web browser, you can set your preferences to either accept all cookies, notify you when a cookie is issued, or not receive cookies at all. Note that opting not to receive cookies means you may not be able to take full advantage of all the features of a website. As each web browser works differently, you will need to look in the ‘Help’ menu of the browser you use to find out how to change your cookie preferences.
Can I refuse or opt out of cookies?
More information about cookies generally can be found at http://www.allaboutcookies.org/.
You can find out how to opt out of being tracked by Google Analytics by visiting https://tools.google.com/dlpage/gaoptout.
At Citizens Advice we collect and use your personal information to help solve your problems, improve our services and tackle wider issues in society that affect people’s lives.
We only ask for the information we need. We always let you decide what you’re comfortable telling us, explain why we need it and treat it as confidential.
When we record and use your personal information we:
- only access it when we have a good reason
- only share what is necessary and relevant
- don’t sell it to anyone
At times we might use or share your information without your permission. If we do, we’ll always make sure there’s a legal basis for it. This could include situations where we have to use or share your information:
- to comply with the law – for example, if a court orders us to share information. This is called ‘legal obligation’
- to protect someone’s life – for example, sharing information with a paramedic if a client was unwell at our office. This is called ‘vital interests’
- to carry out our legitimate aims and goals as a charity – for example, to create statistics for our national research. This is called ‘legitimate interests’
- for us to carry out a task where we’re meeting the aims of a public body in the public interest – for example, delivering a government or local authority service. This is called ‘public task’
- to carry out a contract we have with you – for example, if you’re an employee we might need to store your bank details so we can pay you. This is called ‘contract’
- to defend our legal rights – for example, sharing information with our legal advisors if there was a complaint that we gave the wrong advice
We handle and store your personal information in line with the law – including the General Data Protection Regulation and the Data Protection Act 2018.
You can check our main Citizens Advice policy for how we handle most of your personal information.
This page covers how we, as your local charity, handle your information locally in our offices.
How Citizens Advice Rotherham & District collect your data
The information you provide is to help solve your problems that face you. We only share this information with third parties if you clearly tell us that’s ok. We may also use your data internally to:
- Improve our training and quality
- To get feedback about our services
- To investigate complaints
Before we store any data, we ask clients to complete a consent form. This is where you can tell us what we can and cannot store. You can also approve or deny us permission to contact you for feedback.
What Citizens Advice Rotherham & District ask for
How Citizens Advice Rotherham & District use your information
Working on your behalf
When you give us authority to act on your behalf, for example to help you with a Universal Credit claim, we’ll need to share information with that third party.
Sharing depends on the kind of case you come in about, but could include:
- Department for Work and Pensions
- Rotherham Metropolitan Borough Council
- The Insolvency Service
- Her Majesty’s Revenue and Customs
How Citizens Advice Rotherham & District store your information
We might store your details on our internal systems. For instance, if we email you the email will be stored, or if we draft a letter a copy of this will be kept. The main two places this data may be stored is on our local server, and also in our GSuite environment.
How Citizens Advice Rotherham & District share your information
We will only share you data with your consent. Some services rely on us being able to provide your data, for instance our partnerships with Yorkshire Water, HMRC, DWP and the Money Advice Service. If this is the case, you will always be told this is the case before you provide any data, and you will have the opportunity to decline the service.
Contact Citizens Advice Rotherham & District about your information
If you have any questions about how your information is collected or used, you can contact our office.
Telephone: 01709 515680 open Monday to Friday 9am-5pm
You can contact us to:
- find out what personal information we hold about you
- correct your information if it’s wrong, out of date or incomplete
- request we delete your information
- ask us to limit what we do with your data – for example, ask us not to share it if you haven’t asked us already
- ask us to give you a copy of the data we hold in a format you can use to transfer it to another service
- ask us stop using your information
Who’s responsible for looking after your personal information
The national Citizens Advice charity and your local Citizens Advice operate a system called Casebook to keep your personal information safe. This means they’re a ‘joint data controller’ for your personal information that’s stored in our Casebook system.
Each local Citizens Advice is an independent charity, and a member of the national Citizens Advice charity. The Citizens Advice membership agreement also requires that the use of your information complies with data protection law.