
Access to Information Policy & Procedure

1.

Introduction and background

1.1

Devon Mind aims to operate in an open, accountable way and recognises the importance of making information available about its activities and services. As an organisation, Devon Mind receives requests from individuals and organisations to access certain information. At times, Devon Mind receives specific requests to access personal data held about individuals.

1.2

The opportunity to see, comment on, and correct personal data held by Devon Mind helps to ensure that the information is complete, accurate, clear, and unbiased.

1.3

Personal data is any information about an identifiable living individual. In some circumstances, we also process special category personal data (for example, health information). For the purposes of this policy, references to personal data shall include special category personal data unless stated otherwise. Information held in a manner purely for statistical purposes, which is anonymous or does not otherwise identify individuals, is not considered to be personal data.

1.4

Some of the personal data we process include:

  • the reason that someone is using Devon Mind services,

  • medical conditions, and

  • lived experiences.

1.5

Devon Mind has a dedicated Data Privacy Officer (DPO). The DPO can be reached:

  • via post to DPO, Devon Mind, Guild House, 156 Mannamead Road, Plymouth PL3 5QL,

  • via email to admin@devonmind.com, or

  • via telephone on 01752 512 280.

1.6

Devon Mind is registered with the Information Commissioner’s Office, ICO number ZA508665.

2.

Purpose and aims of this policy

2.1

The aim of this Policy is to ensure that information held by Devon Mind is:

  • processed fairly, lawfully, and in a transparent manner by providing individuals with the opportunity to access their personal data,

  • to support best practice with regards to compliance with the Data Protection Legislation (including the General Data Protection Regulation) and other relevant legislation, guidance, and requirements, and

  • to ensure that Devon Mind has the legal justification to disclose personal data to third parties that request information that contains such personal data.

3.

Scope of this policy

3.1

This policy applies to all staff, volunteers, board members, contracted third parties, and members of consultative fora. If there is any doubt about the applicability of this policy, guidance should be sought from a manager or the Quality & Compliance Committee.

4.

Policy statement — Access to personal data (SARs)

4.1

Under the Data Protection Legislation (Data Protection Act 2018), individuals have a right to understand how an organisation is processing their personal data and have access to their information. This is called a subject access request (SAR). In exercising this right, an individual can contact us at any point to request copies of the personal data we hold about them, why we are processing it, whether it will be shared with any third parties and request details of the source of the data.

4.2

A SAR can be made in different forms, but in most instances must be in writing. A request sent by email is as valid as one sent in hard copy, and requests made by means of social media are also valid (this includes requests made through any Devon Mind Facebook page, Twitter, or other social media account). Verbal requests to access personal data should generally be followed up with a request in writing. However, in some instances (for example, where a disabled person finds it difficult to make a SAR in writing), a verbal SAR can be treated as though it was a valid SAR, to ensure we comply with the Equality Act 2010.

4.3

A SAR must be in relation to personal data relating to the individual requesting the SAR. Occasionally we may receive a SAR from a third party acting on behalf of an individual (an agent). These agents may include parents, guardians, legal representatives, and those acting under a power of attorney or other legal authority. The agent must provide sufficient evidence that he or she is authorised to act on behalf of the individual.

4.4

If you receive a request, you must forward it immediately to the DPO who will determine how to respond to it.  It is important that you do this because we must deal with these requests within certain mandatory time limits. Do not respond or reply to the SAR without the CEO’s authority.

4.5

Further information in relation to SARs and the procedure for dealing with SARs is included as Appendix 1; guidance on dealing with individuals who have made SARs is at Appendix 2; and a form to be completed when Devon Mind has received a SAR is included as Appendix 3.

4.6

When considering the provision of personal data about an individual to the individual concerned or their agent, Devon Mind will always act in accordance with the requirements of the Data Protection Legislation and advice and guidance about the right of subject access issued by the Information Commissioner’s Office (ICO).

4.7

Any individual who feels that this policy has been unfairly applied, or who has suffered loss or damage as a result of actions by Devon Mind may appeal by using the complaints/grievance procedure.

5.

Policy statement — Personal data requested by third parties

5.1

Devon Mind shares personal data with certain third-party organisations where there is an information sharing agreement and protocols in place.  Please see the Data Sharing Policy for further information.

5.2

Devon Mind may receive ad-hoc requests for information which contains personal data. Whilst we have a duty to co-operate with the police, regulators and other third parties, we also have duties under the Data Protection Legislation to safeguard personal data we hold, and we may only disclose it if permitted by law. 

5.3

For example, we may disclose personal data which is not special category personal data to third parties:

  • to comply with the law,

  • to comply with a court order or in connection with legal proceedings, or

  • anonymously for bona fide statistical or research purposes, provided it is not possible to identify individuals to whom the information relates.

5.4

We may be able to disclose an individual's special category personal data, such as their health data, in certain circumstances, for example, to the extent it is necessary to protect the vital interests of the individual or another person.

5.5

You must forward requests from the police, regulatory bodies, or any other third parties to the DPO immediately.  Devon Mind will normally seek to cooperate as fully as possible with such requests as outlined in Appendix 3.

5.6

Unless prohibited from doing so under applicable law, Devon Mind will always inform the individual when, and why, disclosure without informed consent has taken place and will keep a central log of all such disclosures.

6.

Roles and responsibilities

6.1

The Board of Trustees is responsible for gaining assurance that confidentiality is managed appropriately within Devon Mind and that adequate resources are made available to implement this policy.

6.2

The CEO is responsible for ensuring that access to information is handled in line with this policy and associated procedures, for providing assurance of such to the Board, and for responding to SARs.

6.3

Line managers will be responsible for ensuring that all Devon Mind staff working in a service delivery role have read the Confidentiality Policy and this policy and are working to the required standards. They will ensure that a high standard of record keeping is maintained by conducting regular audits and will provide training for staff.

6.4

All Devon Mind staff who have access to personal data and charity information have responsibilities to ensure that they comply with this policy and with any guidance subsequently produced.

7.

Monitoring, audit, and review

7.1

The Board of Trustees is responsible for managing this policy and overseeing its implementation. The CEO is responsible for implementing the policy within their areas of work, and for overseeing adherence by staff and volunteers. Every member of staff and volunteer should take personal responsibility for conforming to it.

7.2

It is the responsibility of the CEO to audit compliance with all policies as part of the charity’s normal audit cycle, and to undertake or direct remedial action as required.

8.

Associated policies and procedures

 

Confidentiality Policy & Procedure

Consent Policy & Procedure

Data Retention and Disposal Policy & Procedure

Data Protection Policy & Procedure

Information Breach Policy & Procedure

Information Security Policy & Procedure

Information Sharing Policy & Procedure

Staff Privacy Policy

Appendix 1: Procedure for dealing with subject access requests

The following sets out the procedure Devon Mind will follow when responding to a subject access request (SAR).

  1. Individuals are entitled to ask whether Devon Mind is processing any personal data about them, and if so to be given:

    • confirmation that their personal data is being processed, and

    • access to their personal data and told:

      • why Devon Mind processes it,

      • the categories of personal data processed,

      • who Devon Mind shares it with,

      • how long Devon Mind stores it or Devon Mind's retention criteria,

      • their rights to rectification, erasure, to restrict processing, and to object to processing,

      • their right to lodge a complaint,

      • if Devon Mind did not get the data from them directly, any available information as to the source, and

      • whether Devon Mind carries out automated decision-making which has legal or significant effects for the individual, the logic involved, as well as the significance and consequences of the processing for the individual.

  2. Such requests are called subject access requests (SARs).

  3. SARs should ideally be made in writing using Devon Mind’s Subject Access Request Form; however, requests in writing by other means will still be valid as long as sufficient information is provided for Devon Mind to be able to process the request.

  4. The individual may be asked to provide evidence as to their identity in the form of a current passport/driving licence and the signature on the identity must be cross-checked with that on the Subject Access Request Form.

  5. Note that the individual is entitled to ask for all personal data that Devon Mind holds on them, without specifying that personal data.

  6. The date the identification evidence and the specification of the personal data sought are received must be recorded on the application; Devon Mind then has one month from this date to provide the requested information. Failure to provide the requested information within the month is a breach of the Data Protection Legislation unless Devon Mind has a justifiable reason for an extension. The one-month period may be extended by two further months where necessary, taking into account the complexity and number of requests.

  7. The SAR should be immediately notified to the Data Privacy Officer who will ensure that the request is logged, and the requested data collected and authorised for release within the time frame. If it is not possible to complete the request fully, the Data Privacy Officer will write to the requestor explaining why it is not possible to process the request and record this accordingly. Collection will entail:

    • Searching all relevant databases and filing systems (manual files) held by or on behalf of Devon Mind, including all relevant back-up and archived files, whether computerised or manual, and including all relevant email folders and archives. The Charity maintains an information asset register that should identify where all personal data is stored; and

    • Collecting the data specified by the requestor. The Data Privacy Officer maintains a central record of requests for data and of its receipt, including dates. Note that personal data may not be altered or destroyed in order to avoid disclosing it.

  8. The Data Privacy Officer is responsible for reviewing all provided documents, to identify whether any third parties are identified in it and for either obtaining written consent from the third party for their identity to be revealed or redacting identifying third party information from the documentation (where it is not reasonable to disclose the information without the third party's consent).

  9. Personal data does not need to be provided to the extent that one of the exemptions under Data Protection Legislation applies. These include:

    • crime prevention and detection,

    • negotiations with the requester,

    • management forecasts,

    • confidential references given by Devon Mind (but not ones given to Devon Mind),

    • information used for research, historical, or statistical purposes, and

    • information covered by legal professional privilege.

    If the extent to which these exemptions apply is not clear, the Data Privacy Officer should make the final decision.

  10. The release of any personal data should be authorised by the Data Privacy Officer.

  11. The information is provided to the data subject in printed format or, if they made the request electronically, in electronic format. All the items provided are listed on a schedule that shows the data subject’s name, the date on which the information is delivered, and the signature of the data subject to indicate that the information has been received; alternatively, a copy of a record of posting should be attached.

Appendix 2: Data subject access request form

Please download the PDF copy of this policy for the data subject access request form.

Appendix 3: Procedure for requests for information from other organisations/individuals

The following sets out the procedure which the Quality & Compliance Committee will follow in relation to receiving requests from other organisations/individuals.

1. General principles

  • Check that the request details the information (including any personal data) required and why it is required.

  • Check that, where relevant, authorisation to disclose this personal data has been given or that the request falls into one of the exception categories. If not, explain Devon Mind’s policy.

  • Establish, where relevant, that there is a genuine need to know.

  • Verify the identity of the person making the request and/or the authority of the organisation making the request on the individual's behalf.

  • Remember that you must comply with the Data Protection Legislation at all times.

2. General callers

  • No matter how plausible the request is, explain that Devon Mind does not give out any personal data.

  • Offer to forward a letter, or in genuine emergencies pass on a telephone message, if we know the person the caller is trying to contact.

3. Written letters and requests

  • Letters from lending institutions (banks, building societies, loan companies) requesting a reference must be accompanied by a signed and dated letter of authorisation from the person concerned. If not, write to the firm explaining that written authorisation is required before a reference can be given.

  • Forward letters with a covering letter confirming that no information has been disclosed.

4. The police

  • Whenever the police ask for information, try to obtain the request in writing (by letter or email) and establish what information is required and why.

  • Such requests for information must be referred to the Data Privacy Officer and a detailed note of what has been disclosed retained on file.

  • Refer any requests for access to Devon Mind property to a member of the senior management team.

  • Where a personal relationship exists with local community police, care must be taken to avoid divulging information that the police would otherwise require a court order to obtain.

  • When the police have been called in response to an assessed health and safety risk against an individual or a third party, guidance about the amount of information that should be disclosed should be sought from a member of the senior management team.

5. The press

  • Refer all press enquiries directly to the CEO.

6. Procedures for dealing with requests for organisational information (excluding personal data)

Our procedures are designed to make it as easy as possible for interested parties to have access to information about Devon Mind's activities. Our service standard is to provide information within five working days of receiving a request.

Requests for information should be dealt with as follows:

Information that is not readily available:

  • Ask why the information is required

  • Offer any similar information that is readily available

  • Refuse any requests that are unreasonable

  • Refer requests for research purposes to your line manager (Devon Mind may wish to cooperate with the research)

Guidelines on information to be made available:

Information to be published annually:

  • Summary performance information

  • Summary of activity that demonstrates that access has been fair

  • Summary business plan

  • Financial report demonstrating future financial viability and continuity

  • A report on relations with service users and the opportunities that have been given to service users to participate

  • Information about the board members that includes:

    • the name, length of service, age, occupation, and other directorships of all members (members have agreed to their personal data being disclosed for these purposes),

    • the gender and ethnic balance, and

    • general recruitment and selection procedures for new members.

  • A customer care commitment that includes contact details for anyone who wishes to comment or make a complaint

Information to be publicly available:

  • Confidentiality Policy

  • Equal Opportunities Statement & Policy

  • Complaints Policy & Procedure

Information to be available on request:

  • Non-confidential board papers and minutes