In the Community & Voluntary sector, we often have to be masters of all trades. And it’s not easy.
We rely on our small teams and boards to have knowledge of many diverse topics that are often far removed from our specific areas of expertise.
I have been involved in rolling out a framework of Quality Standards within which any service providing mental and emotional wellbeing support and suicide prevention across Northern Ireland should operate. This work focuses on supporting the Community & Voluntary sector to self-evaluate their compliance with good practice.
With that in mind, I thought that it would be useful to share some of my recent experience in updating data protection policies - another important area for good governance. Hopefully, this will support you to do the same in your organisations.
Consulting an expert
As a first step I engaged with a GDPR Consultant Solicitor. I know that this may be beyond some of the budgets of some groups but, if possible, I highly recommend taking advice as this can often help to pinpoint gaps or specific areas to target when updating policies. It also ensures that you have advice specific to your organisation.
Otherwise, hopefully some of the information that I share below will help to set you on the right track or you. I am providing links to a number of our policies which you may want to use as initial templates which can then be tailored to your own organisations.
NICVA also has a great Data Protection Toolkit. This guide focuses on what you need to know and focus on now, with signposting to more practical advice and resources.
Why now?
Data protection legislation changed significantly almost two years ago and although, at Developing Healthy Communities, we made initial changes when the EU General Data Protection Regulation (GDPR) came into effect, it was time for a ‘root & branch’ review of our policies, procedures and templates. Importantly it was also timely to review how our employees were trained on data protection and, as I’ve learned, that is something that needs to be built into an annual training programme.
Here are some of the main changes the new legislation brought in:
- Individual rights - There has been a strengthening of individual rights such as the right to be informed. It’s really important to consider who is on mailing lists, what information is gathered from our websites and how to make sure that we are taking into account contact preferences expressed by users.
- Privacy by design and default – This means you should be taking privacy into account from the very start if you are introducing a new service. So, consideration for any costs should be built into funding applications and any news team members should be data protection trained.
- Breach notification - The new breach notification means you have a duty to report certain personal data within 72 hours of becoming aware of the breach.
- Fines for breaches – These are higher and are linked to your turnover.
- Liability extension - New rules around liability extension means these principles are the responsibility of every employee of the organisation:
- Third party information governance – you need to be aware of how other organisations handle the information you share. Get agreement in writing to the measures they will take to secure their systems.
What did it mean for our policies and procedures?
The review of our policies and procedures showed that it was important to review them in line with what was happening across the organisation. For example, we were in the process of redeveloping our website and developing a new regular newsletter so it was important to consider how that particular project could impact on how we comply with data protection legislation.
As a result, there were a number of policies which we revised:
- Privacy Policy – The main document for external clients and you will see this published on our website
- Data Protection Policy – An internal document for staff and volunteers.
- Record Retention Policy – Shows the minimum retention period for a variety of records.
- DHC Website Policies – Includes Website Policies, Copyright Policy, Disclaimer, Exclusion of liability, Website links policy and Cookies policy.
I’m including links to these documents – some of which are already available on our website – as these may be useful starter documents for your own review policy. Please remember though that these are specific to our organisation and you should carefully consider specific ways that your organisation uses data and build that into your policy refresh.
Additional governance
We also identified the need for two new policies. We felt that these were important because of the type of information and personal data that we manage. These were:
- Security Policy – Covers physical, technical and procedural security controls.
- Confidentiality and Non-disclosure Policy – Outlines our responsibilities on confidentiality, integrity and availability of personal, sensitive and confidential information.
Registers and logs
Policies are reviewed annually but there are a number of other data protection documents which we put in place which keep the focus on how those policies are being implemented on a daily, weekly or monthly basis. These registers and logs are saved centrally for easy access and help with record keeping:
- Data Register (Controller)
- IT Equipment Disposal Register
- Keys and Access Codes Log
- Subject Access Request Log
- Visitors Log
- Template Information Asset Register
Please feel free to get in touch if you want copies of our registers and logs.
Other sources of support
The review of policies and procedures can seem daunting but remember it is an important part of your organisation’s governance requirements.
Short, regular reviews can often be quicker and easier than leaving it for many months between looking at your policies. It also keeps issues like data protection at the front of your mind and ensure that you are building it into new plans or projects.
Do have a look at NICVA’s Data Protection Toolkit. Or get in touch if you’d like any further information about our experience.