Camberwell After School Program

For the purposes of this policy, wherever the term “employee” is used, this shall include volunteers and trainees on temporary placement to CASP in addition to paid staff. The term “members of CASP” shall mean all paid staff, volunteers, trainees and members of the Executive Committee.

CASP processes information about members of CASP, applicants, children and other individuals for purposes of the administration and promotion of the organisation, the effective provision of child protection and welfare services and to operate the payroll. This policy aims to ensure that in doing so CASP complies with the Data Protection Act 1998 (“the Act”) and that personal information is collected and used fairly, stored safely and not disclosed to any unauthorised person.

SCOPE OF THE DATA PROTECTION POLICY
This policy applies to all members of CASP where they are acting in the course of their duties and to the children, parents, carers and families using CASP’s services. It applies to all personal data processed in the course of the activities described above, regardless of format (paper, digital or audio-visual) and location (processed on CASP premises or elsewhere). Personal data are any data relating to an identified individual or to an individual who may be identifiable from those data if put together with other data.

RESPONSIBILITIES
1. Data Protection Officer: CASP’s Data Protection Officer is the Centre Manager, telephone: 020 7708 2711 or email: Carmen.lindsay@caspuk.org with “FAO THE DATA PROTECTION OFFICER” in the subject line.

2. Data Protection Principles: CASP complies with the Data Protection principles which are set out in the Act. In summary these state that personal data shall:
• Be processed fairly and lawfully.
• Be obtained for specified and lawful purposes and shall not be processed in any manner incompatible with those purposes.
• Be adequate, relevant and not excessive for those purposes.
• Be accurate and kept up-to-date.
• Not be kept for longer than is necessary for those purposes.
• Be processed in accordance with the data subject’s rights.
• Be the subject of appropriate technical and organisational measures against unauthorised or unlawful processing, accidental loss or destruction.
• Not be transferred to a country outside the European Economic Area, without equivalent levels of protection for personal data.

3. Processing: In relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
• organisation, adaptation or alteration of the information or data,
• retrieval, consultation or use of the information or data,
• disclosure of the information or data by transmission, dissemination or otherwise making available, or
• alignment, combination, blocking, erasure or destruction of the information or data.

4. Employee checklist for Processing Data: Before processing any personal data, all employees should consider the checklist set out below:
(i) Do you really need to collect the information?
(ii) Do you really need to collect all of it?
(iii) Is the information ’ordinary’ or is it ‘sensitive’?
(iv) Do we have the data subject’s consent? Is it unambiguous and freely given?
(v) Are you authorised to collect/store/process the data?
(vi) Unless the data have been obtained from a reliable source, have you checked with the data subject that the data is accurate?
(vii) Are you sure that the data is secure?
(viii) If you do not have the data subject’s consent to process, are you satisfied that you do not need it?
(xi) For how long should the data be retained? When should it be updated or destroyed? What steps should be taken to ensure that this happens?
(x) Who are you sending the data to? Is this authorised?

5. Obtaining Information on a Data Subject: All queries about CASP policy and all requests for access to personal data should be addressed to the Data Protection Officer (see “Rights to Access Personal Data” below)

6. Data Processors: All members of CASP who process personal data in any form must ensure they comply with the requirements of the Act and with CASP’s data protection policy (including any additional data protection procedures and guidelines that may be issued by CASP from time to time). In particular, no member of CASP may, without the prior written authorisation of the Data Protection Officer:
A) Develop a new computer system for processing personal data;
B) Use an existing computer system to process personal data for a new purpose;
C) Create a new paper filing system containing personal data;
D) Use an existing paper filing system containing personal data for a new purpose.
The above does not apply to databases which are maintained by individual CASP employees for their private domestic uses, for example, private address books. However, individuals should consider whether their private domestic use falls within the scope of the Act. A breach of the Act and/or CASP’s Data Protection policy may result in disciplinary proceedings.

7. Employee Checklist for Data Creation: The Act means that any recorded opinion about or intentions regarding a person are personal data to which a data subject may gain access. This should be borne in mind when written or other records are made (and this includes hand written notes, e-mails and audio recordings, in addition to computer and manual files) and when information is to be destroyed. The following is a useful test to apply to 'doubtful' comments:
(i) Is this comment fair, accurate and justifiable?
(ii) If I were to show this to the data subject, would I still be confident that the comment is fair, accurate and justifiable?

8. Data Security and Disclosure: All members of CASP are responsible for ensuring that:
• Any personal data they hold is classified and managed in accordance with this policy
• Personal data is not disclosed to any unauthorised third party and that every reasonable effort will be made to see that data is not disclosed accidentally. Unauthorised disclosure is a disciplinary matter and may be considered gross misconduct.

PARENTS, CARERS AND EMPLOYEES OBLIGATIONS
All parents, carers and employees must ensure that any personal data provided to CASP is accurate and up to date. They must ensure that any changes of address or other personal details are notified to a Play Leader or a senior member of staff.

RIGHTS TO ACCESS PERSONAL DATA
Individuals have the right under the Act to access any personal information that is being held about them by CASP and to request the correction of such information if it is incorrect. An individual who wishes to exercise his/her right of access is asked to complete and return CASP “Access to Personal Data” form to the Data Protection Officer. Any inaccuracies in data disclosed in this way should be communicated immediately to the Data Protection Officer who shall take appropriate steps to make the necessary amendments. CASP will make a charge of £10 (or such other charge as is permitted from time to time by the Act) on each occasion that access is requested and this fee should accompany the Access to Personal Data form. In accordance with the Act, CASP reserves the right to refuse repeated requests where a reasonable period has not elapsed between requests. CASP will normally respond to the request for access to personal data within 40 days (including bank holidays and weekends) of the request or payment of the fee, whichever is the later.

DISCLOSURES OUTSIDE OF THE EUROPEAN ECONOMIC AREA
CASP may, from time to time, wish to transfer personal data to countries or territories outside of the European Economic Area (EEA) in accordance with purposes made known to individual data subjects. For example, the names and contact details at CASP of members on a website may constitute a transfer of personal data worldwide. CASP will always seek the express consent of data subjects before posting such personal information on the worldwide section of CASP website. Other personal data, even if it would otherwise constitute fair processing, must not, unless certain exemptions apply or protective measures are taken, be disclosed or transferred outside the EEA to a country or territory which does not ensure an adequate level of protection for the rights and freedoms of data subjects.

SUBJECT CONSENT
In many cases, CASP can only process personal data with the consent of the individual. In some cases, if the data is sensitive, express consent must be obtained. Agreement to CASP processing some specified classes of personal data is a condition of acceptance of a child into any of CASP’s services, and a condition of employment for staff and volunteers. This includes information about previous criminal convictions in accordance with the Rehabilitation of Offenders Act 1974. CASP has a duty of care to all employees, parents, carers and children and must therefore make sure that employees and those who use CASP’s facilities do not pose a threat or danger to others. Therefore, all prospective employees and placements will be asked to consent to their data being processed when an offer of employment or a placement is made. A refusal to sign such a form may result in the offer being withdrawn.

PROCESSING SENSITIVE INFORMATION
Sometimes it is necessary to process information about a person's criminal convictions, race, gender, health and family details. This may be to ensure CASP is a safe place for everyone, or to operate other CASP policies, such as the equal opportunities policy. CASP may also ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes or disabilities. CASP will only use the information in the protection of the health and safety of the individual, but will need consent to process for example, in the event of a medical emergency. Because this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to individuals, employees, parents and carers will be asked to give express consent for CASP to do this.

CCTV
CASP operates a number of CCTV cameras in order to ensure the security of employees and service users of CASP and its property. If you have any queries regarding the operation of the CCTV system, please speak to the Centre Manager. If you wish to access any personal data about you on the CCTV system, you are asked to complete and return an Access to Personal Data form (with the requisite £10 fee) with as much information as possible to enable the data to be located (including, if possible, details of the relevant camera, date and time).

EMAIL
It is permissible and appropriate for CASP to keep records of internal communications which are relevant to an individual’s ongoing relationship with CASP either as an employee or as a service user, including information concerning performance and conduct issues, provided such records comply with the Data Protection principles. It is recognised that email is used for such communications and that such emails form part of CASP’s records. All members of CASP need to be aware that:
• The Act applies to emails which contain personal data about individuals which are sent or received by employees of CASP (other than for their own private purposes as opposed to CASP purposes);
• Subject to certain exceptions, individual data subjects will be entitled to make a data subject access request and have access to emails which contain personal data concerning them, provided that the individual data subject can provide sufficient information for CASP to locate the personal data in the emails; and
• The legislation applies to all emails from and to members of CASP which are sent and received for CASP purposes, whether or not the emails are sent through CASP’s email system or on an individual’s own email account.

11 ARCHIVES
After an employee leaves CASP, his or her file(s) will be transferred to semi-current storage, and from there to CASP’s archives once they are no longer required for administrative purposes. The personal information contained in these files form part of the archives of CASP, and will be retained indefinitely for consultation by third parties for statistical, historical or biographical purposes. Access to the archives by CASP will be managed in accordance with the Act.