Safeguarding Children & Young Adults Policy

Last reviewed: Oct 2023

 

1.  Statement of Policy                    

 

1.1.    Introduction

Drive Forward regards the health, safety and welfare of all beneficiaries’ as one of its highest priorities. The charity recognises and fully accepts its moral and statutory duty to safeguard and promote the welfare of children, young people and vulnerable adults and its duty to protect staff and volunteers from unfounded allegations of abuse.

 

Safeguarding is everyone’s responsibility and all staff and volunteers involved in the organisation’s activities have a role to play. Drive Forward will ensure that staff and volunteers undergo safeguarding training at induction, advanced training (as appropriate) and will take part in the annual CPD programme where safeguarding updates/refreshers will be programmed.

This policy should be read in conjunction with the following Drive Forward policies;

 

  • Staff Code of Conduct Policy
  • Recruitment and Selection Policy
  • Staff Disciplinary Policy and Procedures
  • Allegations against Staff Policy
  • Volunteer Policy
  • Whistleblowing Policy
  • Data Protection Policy
  • Staff Handbook
  • Social media policy

1.2.    Scope and purpose of this policy

 

This policy applies to all staff, including senior managers and trustees, paid staff, consultancy staff, agency staff, volunteers or anyone working on behalf of Drive Forward.

Drive Forward Foundation believes that a child, young person or vulnerable

 

adult should never experience abuse of any kind. We all have a responsibility to promote the welfare of all children and young people and to keep them safe both on our face-to-face programmes and online. We are committed to practice in a way that protects them.

 

The purpose of this policy:

 

  1. to protect participants including children, young people and vulnerable adults who take part in our programmes and events
  2. to provide staff and those to whom this policy applies with the overarching principles that guide our approach to child protection and protect them from unfounded accusations or from behaving in ways which may be well intended but inadvisable
  3. To ensure that where personal data is processed for the purposes of safeguarding that appropriate measures are taken to provide for our lawful obligations including but not limited to the use of the lawful bases. It is likely in such circumstances that special arrangements will be required and therefore this policy includes an appendix for an Appropriate Policy Document (APD).

We will ensure:

1.3.    Principles of Safeguarding at Drive Forward

 

  • A safe and trusted environment for all beneficiaries, staff and other
  • Those suffering or at risk of suffering significant harm or abuse are identified and referred to the necessary agencies as appropriate.
  • All staff and volunteers learn about safeguarding, the organisation’s policies and procedures and how to keep themselves and others safe.

We will do this by:

 

  • Appointing and training a Designated Safeguarding Lead (DSL) and a Deputy to lead on all safeguarding matters.
  • Following safe recruitment procedures which ensure that staff are carefully selected, vetted and have relevant qualifications and

experience.

  • Raising awareness of issues relating to the welfare and safeguarding of children, young people and vulnerable adults
  • Promoting a safe and trusted environment
  • Engaging with our partners to ensure their commitment to
  • Ensuring staff and volunteers recognise the signs of abuse or that an individual may be at risk of significant harm
  • Working with other agencies as appropriate (e.g. Police, Children and Adult Services, Safeguarding Partners) where an individual is being, or at risk of being, significantly harmed
  • Providing a framework for reporting and dealing with concerns and disclosures
  • Establishing clear procedures for the reporting and handling of allegations of abuse against staff or volunteers.
  • Requiring staff and volunteers to undertake safeguarding training as
  • Reviewing the safeguarding policy and procedures on an annual

1.4.    Legislative Frameworks

The legislative frameworks that underpin this policy are:

 

  • Children’s Act (2014), which is fundamental to people working with children and young adults in the UK.
  • The Care Act (2014) sets out a clear legal framework for how local authorities and others should protect vulnerable adults at risk of abuse or neglect.
  • Safeguarding Vulnerable Groups Act (2006) sets out the type of activity in relation to children and adults at risk for which employers and individuals will be subject to disclosure and barring service checks.
  • The Prevent Duty (2015) to have due regard to preventing people being drawn into terrorism.
  • UK General Data Protection Regulation (2020) and Data Protection Act (2018) to protect personal data stored electronically or in an organised paper filing system
  • Modern Slavery Act (2015) designed to combat modern slavery in the UK and consolidates previous legislation relating to trafficking and slavery.
  • Working Together to Safeguard Children (2018) reaffirms safeguarding as everyone’s responsibility and the sharing of information between
  • Sexual Offences Act (2003) makes it is an offence for a person over 18 to have a sexual relationship with a child under 18 where that person is in a position of trust in respect of that child, even if the relationship is
  • Safeguarding for Charities and Trustees (2021) sets out charities’ responsibilities to ensure they don’t cause harm to anyone who has contact with them.

2.  Definitions                     

 

2.1.   Definitions of Abuse

The following are recognised as definitions of abuse, although any act which harms a child, young person or vulnerable adult should also be considered:

Physical Abuse – may involve hitting, shaking, throwing, poisoning, burning, scalding, drowning or suffocating. It may be done deliberately or recklessly, or be the result of a deliberate failure to prevent an injury occurring

Neglect – the persistent or severe failure to meet a child’s, young person’s, or vulnerable adult’s physical and/or psychological needs, which may result in serious impairment of their health or development

Sexual Abuse involves a child, young person or vulnerable adult being forced or coerced into participating in or watching sexual activity of any kind. Any apparent consent or awareness is irrelevant

Emotional Abuse – persistent emotional ill treatment or rejection; includes abusive or offensive electronic communications. This causes severe and adverse effects on behaviour and emotional development, resulting in low self-esteem. Some degree of emotional abuse is present in all forms of abuse.

Financial Abuse – in intimate or parental relationships is a way of controlling a person’s ability to acquire, use, and maintain their own money and financial resources

Extremism and Radicalisation – Extremism is defined as ‘vocal or active opposition’ to fundamental British values; democracy, the rule of law, individual liberty and mutual respect for and tolerance of those with different faiths and beliefs and for those without faith. Radicalisation is defined as ‘the way in which a person comes to support terrorism and encourages other people   to   believe   in   views   that   support   terrorism’

 

Criminal Exploitation – is a form of modern slavery that sees victims being forced to work under the control of highly organised criminals in activities such as drug dealing, forced begging, shoplifting and financial exploitation.

Female Genital Mutilation – all procedures involving partial or total removal of the external female genitalia for nonmedical reasons. FGM is illegal in England and Wales under the FGM Act 2003.

Forced Marriage – as distinct from a consensual arranged one, is a marriage conducted without the full consent of both parties and where duress is a factor. Duress cannot be justified on religious or cultural grounds. A child who is being forced into marriage is at risk of significant harm through physical, sexual and emotional abuse.

 

2.2.   Other definitions

 

Safeguarding – protecting children, young people and vulnerable adults from maltreatment, preventing impairment of their health or development and ensuring they are growing up in circumstances consistent with the provision of safe and effective care

Significant Harm – The Children’s Act introduced the concept of significant harm as the threshold that justifies compulsory intervention in family life in the best interest of the children. Some children may be in need of help because they are suffering or likely to suffer significant harm

Child/Young Person – anyone under the age of 18

 

Vulnerable Adult – anyone over the age of 18 who has need for care or support, is experiencing or is at risk of abuse or neglect, is unable to protect themselves from the abuse or neglect or the risk of it.

 

Regulated Activity – Those working in specified activities will be classed as engaging in regulated activity. Put simply, this is anyone who is teaching, training, instructing, coaching, caring for or supervising children or providing personal care, healthcare, social work, assistance with household matters and personal affairs, and transportation to vulnerable adults.

 

3.  Roles & Responsibilities                    

3.1.   Designated Safeguarding Leads and Deputy (DSL and DDSL)

 

Drive Forward’s DSL is Nina Dei, 07393 045743

Drive Forward’s DDSL is Juno Schwarz, 07584 664366

 

The DSL and DDSL will be responsible for;

 

  • Managing the referral of cases of suspected abuse or allegations to the relevant agencies
  • Providing advice and support to staff and volunteers who have made referrals to other agencies
  • Referring cases to the Channel programme via the MASH team where there is a radicalisation concern
  • Maintaining secure and accurate records of any safeguarding concern, referral, complaint or allegation
  • Attending case conferences and review meetings as appropriate
  • Communication of the policy and arrangements to all relevant parties including but not limited to children, young people and vulnerable adults, their parents and families, staff and volunteers
  • Engaging with local authorities and other agencies as appropriate
  • Ensuring that staff and volunteers receive safeguarding training appropriate to their roles and update this annually
  • Maintaining accurate and up to date employment records of all staff and volunteers including DBS checks
  • Maintaining safeguarding training
  • Safety of all clients, including when a young person or vulnerable adult is absent or missing, without explanation
  • Providing periodic reports to the trustees about safeguarding incidents or referrals as well as policy implementation
  • Act as a source of support, advice and expertise for staff and volunteers

3.2.   Safeguarding Trustee Responsibilities

 

Drive Forward’s Safeguarding Trustee is Maggie Collier.

The Safeguarding Trustee is responsible for making sure the charity complies with its safeguarding responsibilities including checking safeguarding policies and procedures, acting as a critical friend to review cases and reporting to the board of trustees.

 

3.3.   Staff Responsibilities

 

If any member of staff or volunteer is concerned about the welfare or safety of a child, young person or vulnerable adult, they must report their concerns to the DSL, the DDSL as soon as practicably possible. Staff and volunteers will receive training on how to deal with disclosures made by a child, young person or vulnerable adult. Written notes of the disclosure will be made by the member of staff or volunteer, and these will be held in a secure location and shared with the relevant agencies as appropriate.

 

3.4.   Partner Employer Organisations

 

Drive Forward Foundation is committed to working in partnership with its employer organisations that offer work placements. As this involves an agreement for another organisation to provide services on its behalf, Drive Forward Foundation will ensure that the partner organisation has appropriate safeguarding and associated policies in place which will include safe recruitment and selection practices and formal complaints procedures for users. The written contract, agreement or protocol detailing the services to be provided should include the procedure to be followed in the event of concerns about abuse or inappropriate behaviour. If a member of staff becomes aware

of allegations relating to a partner organisation, this should be discussed in the first instance with the Designated Safeguarding Lead.

 

4.  Safer Recruitment                  

4.1.   Employment Checks

Drive Forward operates safer recruitment and employment practices. Staff checks and critical process undertaken include:

  • Enhanced Disclosure and Barring Service (DBS) check where the member of staff, volunteer or trustee is involved or likely to be involved in ‘regulated’ activity. Where this is not the case a standard DBS check will be made.
  • Where a conviction is recorded, the DSL will carry out a risk assessment

and decide whether to confirm or reject the individual’s appointment. (Anyone that is barred from working with children will NOT be appointed)

  • 2 employment/education     references     including     the     most recent employment
  • Check on gaps in work history
  • Evidence of identity is obtained, including the right to work in the UK
  • Qualifications are checked and verified with original certificates
  • Areas of concern in the CV or application will be addressed during the interview
  • Applicants sign the application form to declare the information they have provided is true

4.2.   Allegations against Staff or Volunteers

The primary concern in the event of safeguarding concern and allegation being made against a member of staff is to ensure the safety of the child, young person or vulnerable adult. In all cases, action will be taken quickly, confidentially, and professionally, with all parties clear that suspension is not an indicator of guilt, but a required part of a process.

 

Where an allegation is made, the DSL will liaise with the trustee with safeguarding responsibilities to discuss the required action. In order that a full and fair investigation can be carried out, consideration must be given to suspending the member of staff or volunteer. Where it is clear that a criminal offence may have occurred, the matter must be reported to the police. Serious safeguarding matters must be reported to the Charities Commission. Any subsequent dismissal and/or must also be reported to the Disclosure and Barring Service.

In the event that a member of staff or volunteer suspects any other member of staff or volunteer of abusing a child, young person or vulnerable adult, it is their responsibility to report these concerns to the Designated Safeguarding Lead. If the allegation is against the DSL, the matter must be referred to the trustee with safeguarding responsibility.

 

5.  Safeguarding Training                  

 

Drive Forward is committed to ensuring that those linked to the organisation understand their safeguarding responsibilities and keep their knowledge up to date. For this reason, when joining Drive Forward, new staff, volunteers and trustees will be required to carry out safeguarding training via e-learning and attend organised face-to face training where possible. Refresher training will be organised for all staff to ensure that they are up to date with legislation and guidance and best practice in the sector. All training will provide guidance on how to deal with safeguarding concerns and disclosures.

 

6.  Data Protection Law                    

 

Where personal data is required to be processed in conjunction with safeguarding action according to this policy, the processing activity must be undertaken in accordance with our data protection policy. In particular, there must be a suitable lawful basis agreed prior to the safeguarding action. This may include but is not limited to;

  1. Where an individual’s life may be at risk we may process the data according to the UK GDPR Article 6(d) where such processing is vital to the individual’s life
  2. Where an individuals or child is at risk – UK GDPR Article 6(f), Article 9(b), DPA 2018 Schedule 1, Part 2 paragraph 18 “Safeguarding of children and of individuals at risk”.
  3. The prevention or detection of crime – DPA 2018 Schedule 1, Part 2 paragraph 10 “Preventing or detecting unlawful acts”. Where the processing is substantially in the public interest and there is an Appropriate Policy Document (APD) in place.

Records of such processing must be kept to account for the action taken. The principles of the UK GDPR must be observed at all times.

 

Where the lawful basis is either b or c above, some of the data subject rights may not apply. These include but are not limited to, the right to be informed, the right of erasure and the right of access.

As indicated in section 7 of this document, consent is unlikely to be required and may prejudice the outcome of some safeguarding actions. The Appropriate Policy Document is appended to this document.

 

6.1.   Lawful basis when processing service user information under Legitimate Interest

When processing service user information using Legitimate Interest when they are not vulnerable or receiving counselling and the information is shared with a third party.

Article 6 (f) Legitimate Interest – it is necessary for the purposes of the Legitimate Interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular, where the subject is a child.

Where special category data is being processed under its Legitimate Interest, you will require an additional lawful basis in order to process such data. This can be found under; Article 9 (h) – Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care treatment or social care systems and services on the

 

basis of domestic law or pursuant to contract with health professional and subject to the conditions and safeguards.

When processing service user information using Legitimate Interest when they are not vulnerable or receiving counselling and the information is not shared with a third party.

Article 9 (d) – Processing is carried out in its Legitimate Interest activities with appropriate safeguards by a not-for-profit body.

The additional lawful basis is then supported by a law found in the Data Protection Act

2018 (DPA)

Under Schedule One Part One “Health or Social Care Purposes” – This condition is met if the processing is necessary for health or social care purposes. Health or social care purposes means the purposes of the assessment of the working capacity of an employee (b) medical diagnosis (c) The provision of health care of treatment (d) the provision of social care (e) the management of health care systems or services or social care systems or services.

 

When processing service user information using Legitimate Interest when they are vulnerable or receiving counselling.

Article 6 (f) Legitimate Interest – it is necessary for the purposes of the Legitimate Interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular, where the subject is a child.

Where special category data is being processed under its Legitimate Interest, you will require an additional lawful basis in order to process such data. This can be found under; Article 9 (h) – Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care treatment or social care systems and services on the basis of domestic law or pursuant to contract with health professional and subject to the conditions and safeguards.

When processing service user information using Legitimate Interest when they are vulnerable or receiving counselling and the information is not shared with a third party.

Article 9 (d) – Processing is carried out in its Legitimate Interest activities with appropriate safeguards by a not-for-profit body.

The additional lawful basis is then supported by a law found in the Data Protection Act 2018 (DPA)

Schedule One Part Two Paragraph (17) “Counselling”- This condition is met if the processing is necessary for the provision of confidential counselling, advice or support or of another similar service provided confidentially (a) is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2) (b), and is necessary for substantial public interest (c). Sub-paragraph (2) the reasons mentioned in sub-paragraph (1)(b) are; in the circumstances, consent to the processing cannot be given by the data subject (a), the controller cannot reasonably by expected to obtain the consent of the data subject to the processing (b), and the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the service mentioned in sub-paragraph (1)(a).

When processing service user information using Legitimate Interest when they are vulnerable

 

or receiving counselling and the information is shared with a third party.

Where you may feel a service user is at risk and is need of help or support or immediate attention, you will be processing information under the exemption listed below.

 

Schedule One Part Two Paragraph 18 “Safeguarding of children and of individuals at risk”. This condition is met if the processing is necessary for the purposes of protecting an individual from neglect or physical, mental or emotional harm, or protecting the physical mental or emotional well-being of an individual. The individual is aged under 18 or aged 18 or over and at risk. The processing is carried out without the consent of the data subject for one of the reasons listed below.

 

The processing is carried out in the circumstances where consent cannot be given by the data subject; where the controller cannot reasonably be expected to obtain the consent of that data subject to the processing; the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection of the data subject.

 

An individual aged 18 or over is at “risk” if the controller has reasonable cause to suspect that the individual has needs for care and support; is experiencing, or at risk of, neglect or physical, mental or emotional harm; and as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.

 

7.  Information sharing                    

Data protection is not a barrier to sharing concerns about a young person. Always be open and honest about what you will do with the information. You should try to gain consent from a young person to share their information but do not let “no consent” prevent you from sharing when it comes to safeguarding. In the instances of not gaining consent, the decision to share should be noted in the safeguarding report. If you have any concerns about information sharing, contact the NSPCC helpline for advice.

For guidance on information sharing, see: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/721581/Infor mation_sharing_advice_practitioners_safeguarding_services.pdf.

 

*The DFF Advisory Committee consists of the Senior Leadership Team, who review safeguarding incidents, and external consultants

Persons Responsible will:

 

  • Develop DFF’s approach to Safeguarding, reviewing the policy and procedures on a regular basis.
  • Implement a training strategy for staff and volunteer mentors to ensure that the policy and procedures are implemented throughout the organisation and with our partner employing organisations.
  • Provide advice and support to worried employers, volunteer mentors or any other stakeholder of DFF.
  • As required, manage referrals/cases reported and work with senior management to address any issues arising, reporting concerns to the authorities as appropriate.
  • Audit the operation of the policy and procedures

Appendix B – Procedure to follow in the event of a safeguarding concern              

Abuse and neglect are forms of maltreatment – a person may abuse or neglect a child by inflicting harm, or by failing to act to prevent harm. Children and young people may be abused

in a family or in an institutional or community setting; by those known to them or, more rarely, by a stranger.

 

Staff, volunteers and members of partner employing organisations are not expected to be Child Protection experts. However, there are a number of circumstances under which staff might have concerns that a child, young person or vulnerable adult has been or is being abused:

 

  • They may talk about abuse they have experienced
  • A third party – a relative, carer, another young person, other professionals sharing concerns
  • A bruise or injury which is unusual for example on a part of the body which is not

normally prone to such injuries for example on the cheeks

  • Injuries which require but have not received medical attention
  • Unexplained changes in behaviour either over time or suddenly for example becoming aggressive, quiet or withdrawn
  • Nonattendance at activities
  • The young person being discouraged or unable to make friends or from socialising with others
  • The young person becoming unusually dirty or unkempt

Discussing the observation of some of the above symptoms or others might also help Drive Forward Foundation with its work in general to support a young person, whether or not one suspects that the cause is due to any sort of abuse. An element of the client group DFF works with is, by nature, vulnerable and it is the charity’s mission to support young people to overcome and conquer that vulnerability.

 

It is not the responsibility of DFF or its employees to decide whether or not abuse has taken place. It is the responsibility for staff, volunteers and responsible stakeholders to act if they have a concern in order that appropriate agencies can be notified, investigate and take action if necessary. The legal framework differs depending on the age of the child, young person or vulnerable adult. Where staff concerns relate to someone below their 18th birthday, any suspicion, allegation or incident of abuse must be reported to the DSL or Deputy DSL the same working day. The member of staff, volunteer or stakeholder should record the allegation/incident/suspicion.

 

It is important that all concerns are properly recorded. It is important not to write speculative comments but to stick to the facts. Staff’s opinion may be crucial but it should be recorded as an opinion and any evidence stated to support these opinions. Records pertaining to issues of child protection may be accessible to third parties such as Children’s Services, Police, the Courts and Solicitors.

 

The DSL/DDSL will make a decision on whether to refer the matter onto the relevant Children’s Services Department and/or the Police. Referrals should preferably be made within the same working day and certainly within 24 hours. If you have concerns about someone over 18 then you should discuss these with the MD in the first instance.

 

If a child, young person or vulnerable adult confides to someone that they are being, have been or believe that they may be abused, they have placed that person in a position of trust.

Staff / Volunteers / Stakeholders should:

 

  • Make it clear to the individual that they cannot keep secrets and that they have to pass on information if they think the young person has been, is being or may be harmed in some way
  • React Panic may frighten or silence the person
  • Tell the person they were right to tell
  • Make it clear the person themselves is not to blame
  • Take what is said seriously recognising that there may be difficulties in interpreting what is said
  • Keep questions to an absolute minimum to ensure a clear and accurate understanding of what is being said. Only ask questions if they need to clarify what they are being told. They should not ask about explicit details; it is up to Children’s Services/the Police to investigate fully
  • Make a full record of what is being said, heard and seen as soon as possible

 Appendix C – Flow Diagram

Appendix D – Useful Numbers                         

SAMARITANS (116 123)

MIND (Mental Health Support) Information & Support | Mind, the mental health charity – help for mental health problems

 

NSPCC (National Society for the Prevention of Cruelty to Children) Child Trafficking Advice and Information Line (CTAIL) Tel 0800 107-7057

CHILDLINE (0800 1111)                       Childline | Childline

 

RUNAWAY HELPLINE (116 000) Sexual Exploitation – Runaway Helpline

 

REFUGE (Supporting women and children against domestic violence) Home | Refuge National Domestic Abuse Helpline (nationaldahelpline.org.uk)

 

ECPAT (End Child Prostitution and Trafficking) Tel 020 7233-9887 Visit www.ecpat.org.uk Barnardo’s Young Women’s Project & Trafficking Service PO Box 34727, London N7 8YQ Tel 020 7700 2253

UKHTC (United Kingdom Human Trafficking Centre) Tel 0114 252-3891 Visit www.ukhtc.org

 

CEOP (Child Exploitation and Online Protection) Centre Tel 0870 000-3344 Visit www.ceop.gov.uk UK Border Agency Tel 020 7147 5554

FGM helpline if you’re worried a child is at risk of, or has had, FGM 0800 028 3550

 

FORCED MARRIAGE UNIT Tel 020 7008 0151

 

N.B Each Local Authority Area will have their own support services. Visit the Adult Safeguarding Board or Children’s Safeguarding Board website for details of local support, advice and guidance

 

 Appendix E – Appropriate Policy Document                        

 

The Data Protection Act 2018 (DPA 2018) includes the requirement for an Appropriate Policy Document (APD) to be in place when processing special category (SC) and criminal offence (CO) data under certain specified conditions.

1.     Introduction

  • Almost all of the substantial public interest conditions in Schedule 1 Part 2 of the DPA 2018, plus the condition for processing employment, social security and social protection data, require an APD in place to support and substantiate the lawfulness of the decision. (Schedule 1 paragraphs 1(1)(b) and 5);
  • This document is intended to demonstrate that the processing of SC and CO data based on these specific Schedule 1 conditions is compliant with the requirements of the General Data Protection Regulation (GDPR) Article 5 In particular, it outlines the specific retention policy with respect to the data that will be processed. (See Schedule 1 Part 4)
  • Where SC or CO data is processed for a number of different purposes, this document identifies each of the conditions for processing Processing may alternate between conditions where the data subject’s circumstances have changed. Where applicable this policy makes reference to policies and procedures which are relevant to all of the identified processing. Additional explanation is also offered concerning compliance with the principles in general terms, including how the data subject was sufficiently informed about the processing of their SC or CO data if this is possible, and how long their data may be retained;
  • Reliance on one of these conditions, requires a documented general record of processing activities under GDPR Article 30 and must include:
    • The condition which is relied upon;
    • How the processing satisfies Article 6 of the GDPR (lawfulness of processing); and
    • Whether the personal data is retained and erased in accordance with the retention policies outlined in this APD, and if not,

the reasons why these policies have not been followed;

 

  • The APD therefore complements the general record of processing under Article 30 of the GDPR and provides SC and CO data with further protection and accountability. This is in accordance with Schedule 1 Part 4 paragraph 41;
  • For the avoidance of doubt, this APD policy will only be used in the circumstances detailed in this These circumstances are considered to be relatively unusual. General processing, including SC data where necessary will be completed using the standard data protection policy framework;
  • The APD will be kept under review and will need to be retained for six months after the date at which the relevant processing ends. If the Commissioner asks to see this policy, we will be provided free of charge in accordance with Schedule 1 Part 4 paragraph 40.
  1. Description of Processing Activity.

When delivering services to our clients across various projects we process normal data and Special Category (SC) data as defined in the GDPR Article 9. In order to deliver services in support of clients it may be necessary to process a broad range of categories of data including health, religious belief, sexuality and sex life. Our clients are considered at risk due to their circumstances and behavioural tendencies. Our processing activities may also include personal information identifying members of their family including children and intimate partners.

 

  1. DPA 2018 Schedule One Condition for

When delivering services to members, their families and partners this policy allows for the use one of the two conditions listed below to lawfully process their personal data. Where possible we seek to process data with Explicit Consent in accordance with the GDPR Article 7. However, when this is not possible, we apply a condition from the DPA 2018 Schedule One Part 2 Section 17, for exemptions to for example, the provision of counselling services.

  • DPA 2018 Schedule One, Part 2; Section 17 – This condition is met if the processing is necessary for the provision of confidential counselling, advice or support or of another similar service provided confidentiality outlined under (1)(a). This condition is met when the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2)(a)(b)(c) in the circumstances, consent to the processing cannot be given by the data subject; in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing; the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the service mentioned in sub-paragraph (1)(a). and the processing is necessary for reasons of substantial public interest.
  1. Procedures necessary to comply with the Principles of the GDPR

In order to ensure the Accountability obligations for lawful processing are upheld, the procedures that ensure compliance with the six principles of the GDPR are detailed below.

  • It is fully acknowledged that there is a responsibility to demonstrate that there is adequate policy and procedural protocol in place to ensure compliance with the wider requirements of the GDPR and in particular the Principles. The sensitivity of SC and CO data means the technical and organisational measures that are in place to protect such data are crucially important. A full and comprehensive explanation of the policy and procedure used in such circumstances is detailed in the Data Protection Policy, The Accountability Policy, The Data Retention Policy and Schedule and The Data Protection Activity In addition to this and wherever it may be required, a Data Protection Impact Assessment (DPIA) has been executed and the outcome of such an undertaking carefully considered prior to the processing of personal data.
  1. Accountability Statement

We regularly review our data protection policies, procedures and staff guidance. This helps us to ensure we continue to comply with the law and that our intended processing is both clearly explained, necessary and absolutely transparent. Where we rely on Consent, we ensure it is gathered in accordance with the law. When we rely on other conditions, we consider the rights of others before we proceed.

We assess the risks we may, from time to time create, when processing data to ensure we uphold the rights and freedoms of every individual. This is especially true when we process data in a new way.

We only share data where we have a defined purpose to do so and a data sharing agreement is in place. International transfers are safeguarded with Standard Contractual Clauses where necessary.

We keep extensive records of our processing. For example, Activity and Incident logs measure our compliance and help us to identify any weaknesses in our procedures. We

actively consider the opinion and advice of others both here, in the EU and beyond. We monitor case law and the guidance of the ICO and the EDPB. We have appointed a Data Protection Officer who is an expert in data protection law and is experienced in the third sector. We positively welcome enquires from the public concerning their personal information.

To ensure we protect personal information we constantly review our security measures, both technical and physical and have instigated appropriate safeguards. These include regularly training our staff.

 

We have appointed an identifiable ’Accountable person’ to oversee our processing.’ We are registered with the ICO as a data controller and have a clear breach reporting policy. Further detail concerning this can be found below, or in the Data Protection Policies.

 

  1. Principle (a)

Transparency, fairness, and lawfulness.

When processing special category data, we intend to gather Explicit Consent as our lawful condition and have the necessary methods in place to ensure this is collected in accordance with Article 7 of the GDPR. However, on occasion we will not be able to rely on Explicit Consent for a variety of reasons such as;

  • To do so might prejudice the provision of the service we provide;
  • Where we cannot reasonably be expected to obtain Consent;
  • In a circumstance where, Consent to processing cannot be given by the data subject;
  • We therefore use a number of the exceptions to process data as a ‘condition’ and as detailed in part 3 of this policy Where is possible to do so we deliver privacy notices on a ‘just in time’ basis. Where this is not possible, we publish full details of our intended use of data on our website and in printed form where required. There is no purpose or advantage for us to process data excessively or without clear benefit to the client, their family or partners. In order to assess fairness, we always take into account the outcome of any Impact Assessments (DPIAs) we undertake. In this way, and as far as is possible, we measure the risks we may create when processing the data of any individual and provide them with suitable safeguards.
  1. Principle (b)

We provide support to individuals at risk. This is the sole purpose of the organisation and constitutes our aims and objectives. We do not process the data of clients for any other purpose. We may process data in other circumstances and again for very specific reasons. These may include;

  • Personal data identifying members of staff where we have a contractual or legal obligation;
  • Where individuals volunteer their services to assist us with their time and resources and where we have gathered Consent;
  • Individuals and organisations that provides products and services to us and where we have a contractual or legal obligation;
  • Individuals that financially support us and where we have Consent, or it is in our Legitimate Interest;
  • Organisations that refer clients to us where there is a contractual or legal obligation, or it is in our Legitimate Interest;
  • Consultants that we may instruct where we have a contractual obligation;
  • Our Trustees where we have a Legitimate Interest or a Contractual
  1. Principle (c)

We have incorporated Data Protection by Design and by Default into our processing activities. This assists us in ensuring that we only process the data required to deliver our services and successfully operate our organisation. For example, when we request information that may identify an individual and in order to deliver our services, not all of the information we ask for is mandatory. This ensures that the data subjects rights and freedoms are upheld. We regularly review such methods of collecting data to ensure this principle is adhered to wherever possible.

 

  1. Principle (d)

We ensure we keep data up to date and accurate. We do this by periodically checking with clients, supporters, volunteers, suppliers and others that the details on record are correct. We update any changes as and when we are notified. We check as often as is appropriate but at least once in every 12 calendar months.

 

  1. Principle (e)

It is of paramount importance that any type of data processed by the Controller is only retained for as long as is necessary. This is particularly true of SC and CO data. To demonstrate this, we separate data into ‘Normal Data’ and ‘SC and CO’ data and treat these types of data with separate methodologies. SC and CO data processing methodology is regularly reviewed. We have guidelines for retention but where possible the data is deleted on a case by case basis. No SC or CO data is retained in a form that might identify an individual for any longer than is absolutely required. In these circumstances, we may delete SC and CO data but retain other ‘Normal data’ categories for different periods of time. Our Data Retention Policy includes a full schedule of retention period for different types of data. We may share data where we are legally or contractually obliged to do so or with the Consent of the data subject. We may anonymise certain data for statistical or reporting purposes.

 

  1. Principle (f)

We constantly review physical and technical security arrangements to assess the appropriateness of such measures. This includes considering new ways to prevent cyber-

 

attacks and regular staff training to ensure staff are aware of such techniques that may be used by criminals. The Data Protection Policy fully details such processes and offers further detail concerning the internal processes and procedures we have implemented. Data is accessed by staff and other authorised individuals and certain organisations on a ‘Least Privileged’ basis (POLP). This means in practise, that in order to deliver the desired service or action, only the minimum of information may be accessed and processed. For the avoidance of doubt this means that there must be a good ‘Business’ reason to process any data for which we are the Controller. All staff are aware of such requirements and have read and understood the Access and Obligations Policy.

 

  1. Data Retention and Erasure Policy

We have a full and detailed Record of Processing Activities (RoPAs) and schedule for data that we may control. The schedule details retention periods for all types of data documented in section 7 of this policy. Our policy regarding SC and CO data is to delete it as soon as possible and on a case by case basis. Data scheduled for authorised destruction is dealt with in accordance with our policy on the matter. Data is retained on secure servers and on occasion in cloud provision. The necessary data processor agreements are in place to safeguard such storage.

 

  1. APD Review Procedure

It is the policy of the organisation to review this APD regularly and to record any such changes. The review takes into account changes to legislation, opinion and any guidance issued by the ICO. Any such changes to this document are documented and version control managed. This policy will be made available to the supervisory authority upon demand and no charge will be made.

Scroll to Top

Subcribe & Stay Connected