Data Protection - Your Legal Rights

For a summary - please refer to our Privacy Notice.

All data/information obtained, stored and processed by the organisation is covered by these policies and procedures. 

 

Citizens Advice Edinburgh recognises that the handling of identifiable, personal and sensitive information may be necessary for the effective functioning of the organisation and the services we provide.  This may include information obtained from a 3rd party.  Information may be held about individuals using and providing the organisation's services and about individuals in organisations we work in partnership with. 

 

We all have a responsibility to protect the data we hold about people, whether they are citizens, volunteers, employees or partners, including how we process that data.  Our reputation as an organisation people can trust also depends on our ability to uphold and maintain data protection standards, in accordance with the law and best practice. 

 

The main aims of this policy are to: 

 

  • Ensure that the organisation complies with the Data Protection Act 2018 and the associated Codes of Practice and Regulations (including the General Data Protection Regulation (GDPR)). 

  • Ensure that information given in trust by users of the organisation's services, our employees and volunteers, or information that is held by the organisation for any other reason, is treated in compliance with the law and associated regulations. 

  • Ensure that information is protected in terms of how it is stored, processed and shared in compliance with the law and associated regulations. 

  • Ensure that the boundaries of confidentiality and individuals' rights in relation to data protection are clear and understood by users of our service, our employees and our volunteers, so that we are confident that they are able to provide informed consent.  

  • Ensure users are aware of the organisation's responsibilities to protect, control, process and store their information, including requests for access.  

  • Make explicit the responsibilities of employees and volunteers concerning data protection, confidentiality and management of a Data Breach. 

  • Ensure that we remain compliant with Data Protection, including maintaining an up-to-date Data Asset Register, carrying out regular Data Protection Audits, providing continuing professional development for employees and volunteers and applying a Data Protection Impact Assessment to any new services or processes we undertake.  

 

Responsibility for the control of personal data: 

 

The organisation’s Data Protection Officers are Thorntons Law.  The Senior Information Risk Owner is the Chief Executive, who is responsible for ensuring all data is controlled in compliance with the Data Protection Act 2018 and associated Codes of Practice and Regulations.  In accordance with our Data Protection Authorisation, the Scottish Association of Citizens Advice Bureau (Citizens Advice Scotland) is a Joint Data Controller.  More information about their Data Protection Policies and Procedures can be found at www.cas.org.uk.  

 

Information and Training: 

 

All employees and volunteers will be provided with this policy document and new employees and volunteers will receive a copy of this policy on taking up appointment. 

All employees and volunteers must complete CASLearn online training on Data Protection.  It is the responsibility of their line manager to ensure this has been completed.  Completion of CASLearn provides the organisation with an audit trail that this standard of knowledge and understanding has been achieved for all employees and volunteers. 

The organisation will provide continuing professional development on issues relating to confidentiality and the contents of this policy in order to ensure that our practices remain up to date and compliant. 

Compliance with this policy is a condition of employment and/or continued volunteering and any deliberate breach of this policy will result in disciplinary action, which may include dismissal and possible legal action. 

All staff and volunteers must sign their agreement to the Confidentiality and Data Protection Mandate. 

Principles: 

 

Everyone responsible for using data in the organisation must understand and comply with Data Protection Legislation and associated regulations. They must make sure the information is: 

 

  • used fairly and lawfully 

  • used for limited, specifically stated purposes 

  • used in a way that is appropriate, relevant and not excessive 

  • accurate 

  • kept for no longer than is absolutely necessary 

  • handled according to people’s data protection rights 

  • kept safe and secure 

  • not transferred outside the European Economic Area without adequate protection 

 

There is stronger legal protection for more sensitive information, such as: 

  • Age 

  • Gender 

  • Ethnic background 

  • Race 

  • Political opinions 

  • Religious beliefs 

  • Health 

  • Sexuality 

  • Commission or alleged commission of an offence 

 

The principle of confidentiality runs through all of the organisation’s interactions with employees, volunteers and people who use or access our service.  Information should only be shared when there is a clear and legal justification for doing so and where possible, with the informed consent of the individual involved. 

 

Although personal/sensitive data is protected by the organisation, there are exceptional circumstances when confidential information would have to be disclosed in accordance with the Adult Support and Protection (Scotland) Act 2007, the Children (Scotland) Act 1995 and/or the Children and Young People (Scotland) Act 2014 and CAE’s related policy.  In these circumstances, the CEO will make the final decision on whether personal/sensitive information should be disclosed. If the CEO is absent and not contactable, the Advice Services Manager or Project Manager will be authorised to share information where they believe that information needs to be disclosed in accordance with the legislation above and in accordance with CAE’s related policy and procedures.    

 

Confidentiality Policy  

 

Confidentiality is one of the fundamental principles of the CAB service.  Citizens Advice Edinburgh assures confidentiality to all clients, and nothing learned by bureaux from clients, including the fact of their contact(s), will be passed on to anyone outside the service without their consent. The service’s Data Protection Policy and Procedure contains details of the limits of how clients’ data is recorded, stored and processed. 

 

Confidential information will only be disclosed with the client’s knowledge and informed consent, or in accordance with a lawful basis under this Policy and Procedure, our Data Protection Policy and Procedure and/or, if necessary, our Protecting Vulnerable Groups Policy and Procedure.  

 

All employees and volunteers with access to client information must sign a Declaration of Confidentiality and Data Protection (appendix 1). Any person who has not signed the Declaration of Confidentiality and Data Protection should not have access to client identifiable information. 

  

Where members of the management committee/Board require access to client information, e.g. to investigate a complaint, a Declaration of Confidentiality must be signed, which will have a “limited life” of 3 months. This limitation exists to restrict access to client records to that which is essential. 

 

Confidentiality Procedure 

 

  1. All Citizens Advice Edinburgh staff, volunteers and Directors must sign the Confidentiality and Data Protection Declaration. Any person who has not signed the Declaration of Confidentiality must NOT have access to information which will enable a client to be identified without the informed consent of the client. 

  2. Whilst basic information may be asked for the purposes of triage at reception, the client will always be given the option to discuss information in private if they wish to do so. Clients must not be forced to state the nature of their enquiry in the presence of others.  

  3. Clients will be given the option of having their interview in aural privacy, but some contact may be better served in a more public contact area.  The client will always be given the choice of how they wish to access their service. 

  4. No referrals will be made without the knowledge and informed consent of the client. 

  5. No information about a client will be given to a third party without the knowledge and informed consent of the client, unless, as stated above, this is required in order to carry out our duties in accordance with our Supporting Vulnerable Groups Policy and Procedure and its related legal requirements. 

  6. Advisers should check with clients whether they agree to the service making contact with them by phone or in print, and record their preference on the case record, including clearly stating if no contact has been agreed. 

  7. Case records and case notes should only be removed from a designated service area in exceptional circumstances, only on the authorisation of the relevant manager and in accordance with our Data Protection Policy and Procedures. 

 

 

Procedure for any circumstance where Citizens Advice Edinburgh believe they may need to breach a client’s confidentiality:  

 

  1. The decision to breach a client’s confidentiality can only be taken by a Manager. If a staff member or volunteer feels a breach of confidentiality may be necessary, they must consult their line manager before taking any further action. If the manager is not available, the consultation should be with the person nominated to be responsible in the manager's absence. 

  2. If the manager considers that a breach of confidentiality may be justified, they must agree this with the Chief Executive, unless this has been delegated to them in the Chief Executive’s absence.  In any case, the manager will also discuss and agree this course of action with the Data Protection Officers and the Network Services Manager at Citizens Advice Scotland, unless there is an urgent need to protect the safety and wellbeing of the client, in which case the Network Services Manager will be informed of the course of action and reasons thereafter.   

  3. Where a breach of confidentiality is agreed, the reasons for the breach and specific details of the actions taken will be recorded on the client's file and, unless there is a lawful basis not to do so, the client must be fully informed. 


Personal data regarding employees and volunteers: 

 

Personal data relating to employees or volunteers may be collected primarily for the purposes of: 

 

  • recruitment, promotion, training, redeployment, and/or career development; 

  • administration and payment of wages and sick pay; 

  • calculation of certain benefits including pensions; 

  • disciplinary or performance management purposes; 

  • performance review; 

  • recording of communication with employees, volunteers and their representatives; 

  • compliance with legislation, including data protection and related IT Security; 

  • provision of references to financial institutions, to facilitate entry onto educational courses and/or to assist future potential employers; and 

  • staffing and volunteer levels and service planning. 

 

The organisation considers that the following personal data falls within the categories set out above: 

 

  • Personal details including name, address, phone number, any health information required for reasonable adjustments or an individual’s safe care and protection, age, status and qualifications. Where specific monitoring systems are in place, ethnic origin and nationality will also be deemed as relevant; 

  • References and CVs; 

  • Emergency contact details; 

  • Notes on discussions between management and the employee or volunteer; 

  • Appraisals, Supervision and Development Records and documents relating to grievance, discipline, promotion, demotion, or termination of employment or volunteering; 

  • Training records; 

  • Salary, benefits and bank/building society details; and  

  • Absence and sickness information. 

Employees, volunteers or potential employees and volunteers will be advised of the personal data which has been obtained or retained, its source, and the purposes for which the personal data may be used or to whom it will be disclosed.  

 

For volunteer HR we also use Volunteero; details of their privacy statement can be found in the Volunteero Security Policy (Protecting Your Data & Privacy). 

 

 

Data Protection Procedure: 

 

Data Asset Register: 

 

The Organisation will maintain a Data Asset Register which records a summary of all of the data the organisation holds, its purpose and location.  This will be reviewed on a quarterly basis to monitor compliance with the law and associated regulations. 

 

The Chief Executive will undertake an annual audit of the organisation’s compliance with this policy and procedure and report findings and any areas for improvement to the Board.  

  

Informing clients of their Data Protection Rights and signposting to our Privacy Notice: 

 

All new service users will either be given a paper copy of the Data Protection Mandate (copy below), detailing their rights to Data Protection and explaining how and where we will store any information they share with us, or they will be signposted to the Privacy Notice and Data Protection information on our website if contact is first being made by phone or online.  When a paper record has been obtained, this information will be scanned and uploaded to their Case Record on CASTLE, and the CASTLE Casenote will also confirm they have been signposted to our Privacy Notice. Thereafter, all information relating to that contact with the service user will be managed in accordance with that agreement. 

 

Where an existing or previous service user asks for advice in relation to another matter that requires them to share new personal or sensitive information, it is imperative that the adviser re-confirms the client’s understanding of and agreement to the Data Protection Mandate and signposts them to the Privacy Notice for the management of that new information.   

 

If a client has been referred to Citizens Advice Edinburgh from one of our National Helplines, the above process must be completed again by the Citizens Advice Edinburgh Adviser, to ensure consistency and compliance with our own data protection requirements.  

 

Posters will be displayed in our Bureau and any other location where we are providing a service (unless we are unable to do so) which remind users of our service about their rights to Data Protection (copy below).  This information will also be available and promoted through our website, with regular reminders posted through our social media.  


Circumstances in which we might use someone’s information without their permission: 

 

In very specific circumstances, we might need to use or share your information without your permission. If we do, we will always make sure there's a lawful basis for it. Examples of these circumstances include: 

 

  • to comply with the law, called 'legal obligation' - for example, if a court orders us to share information 

  • to protect someone's life, called 'vital interests' - for example, sharing information with a paramedic if a client was unwell at the bureau or one of our outreaches 

  • to carry out a contract we have with you, called 'contract' - for example, if you're an employee we might need to store your bank details so we can pay you 

  • to defend our legal rights - for example, to resolve a complaint that we gave the wrong advice 

  

Requests for access to or amendment of data (Subject Access Request): 

 

If an existing service user asks for access to any personal or sensitive information, or for that information to be amended or removed from our records, in accordance with their legal rights, they should be given the “Data Protection (Subject Access) Request” (copy below) to complete, and this must be passed on to the bureau manager and to the CEO for action.  An employee or volunteer can make a request at any time directly to their line manager to see their HR Record.  In both circumstances, information should be provided within 30 calendar days of the request being made.  

Any request for deletion or amendment of records will also have to be risk assessed for insurance purposes, and if we believe there is a risk to the organisation whereby we may need to defend our legal rights, we may not be able to delete or amend a record.  In such circumstances the client will be fully advised of that outcome.  

In any circumstances, a manager or the CEO can seek advice from our Data Protection Officers. This will be done by using the Data Subjects’ Rights Register on the Thorntons Protect Portal, allowing all requests and subsequent advice to be recorded.  


Storage and Disposal of Information: 

 

All information we obtain about users of our service will only be stored on our electronic database, CASTLE.   

 

Employees of CAS or other Citizens Advice Bureaux in Scotland may access this record, where necessary, in order to provide advice seamlessly across the Scottish network of Citizens Advice Bureaux. 

 

Some of our services are also subject to external audit by the Scottish Legal Aid Board (SLAB) and the Immigration Advice Authority (IAA). They check that we are providing you with the highest quality of service and are allowed to access your information for audit and quality assurance purposes only, under the legal basis of ‘public task’. 

 

In some circumstances, temporary paper records will also need to be kept for Case Managed Contacts and Tribunal Representation, where access to paper records is required for purposes of the service we provide. These paper records will be scanned onto CASTLE once access to the paper record is no longer necessary, and the paper record will be destroyed.  In circumstances where that paper record is extensive and it is not practical or efficient to scan all of the documentation to CASTLE, a paper record may be maintained and will be held securely for the same duration as the CASTLE Record.  In these circumstances, an alert will be added to the CASTLE record, so that any paper record will be directly connected to it. 

 

We may record information on a notepad during an interview, but this information will be transferred onto CASTLE within 28 days and the paper record destroyed.   

 

Where a service user shares personal or sensitive information with us in paper form (which is not a Case Managed Contact or for a Tribunal Representation) and it is necessary for us to keep a record of that information, this will be scanned onto CASTLE and the paper record either returned to the service user or destroyed within 28 days.   

 

If we are required to produce any other record on paper, it will be scanned to CASTLE within 28 days and the paper record destroyed. 

 

Where a paper record is maintained, that record will be held in a secure and lockable storage facility accessible only to designated representatives of CAE. In certain circumstances an Adviser may be required to transport paper records outwith the organisation’s premises; this may be for purposes of attending a tribunal, meeting a client in another service or on a home visit, or transferring files from one location to another.  CAE recognises that this may be necessary for the services we provide and that during such circumstances we cannot provide the same level of security.  Advisers must therefore only transport information when it is absolutely necessary, and only the information that is required for that purpose.   

 

It is the responsibility of the organisation’s employees and volunteers who are handling that data to ensure that personal/sensitive information about service users (individual clients, members, groups and organisations) is treated as confidential and stored securely in accordance with the details above.  

 

The organisation uses the services of an external confidential waste collection agency and has monitored their policy for compliance with Data Protection Legislation and associated Regulations.  

 

If you browse our website: 

 

When you browse our website, we collect 'cookies' to help us understand more about how our site is used by visitors, and to develop and enhance our services to you. 

A 'cookie' is a bit of information kept on your computer. It tells us things like what device you're using and what pages you click on. 

 

We use cookies to: 

  • track aspects of user visits, including the length of a user's visit, their browser, geographic location and the use of the search facility on this website 

Please note: if you use our Chat function, we will be collecting and processing different data about you, and specific privacy policies and data protection rules apply to this service.  For those specific details, please see appendix 1 below.  

 

Telephone Calls and Letters: 

 

Any mail we receive in relation to a client will either be scanned immediately onto CASTLE or stored in a secure and locked cabinet until it is transferred onto CASTLE, and the paper record subsequently destroyed within 28 days. 

Access to a room where phone calls can be made in private will be available to employees and volunteers working in open plan offices. 

 

Other Platforms Used to help you reach and engage with our Services: 

 

If you contact us by phone: 

 

We use a company called Soho 66 as our phone provider.  If you phone us, a record of your phone number will be available on our secure online customer portal, which can only be accessed with a secure username and password and is only accessed by our Management Team.  More details about the Soho 66 data protection and privacy policy can be found here:  

 

Soho 66 Privacy Policy: https://soho66.co.uk    

 

If you make an appointment to see us: 

 

We use an online appointment system called 10to8.  If you make an appointment with us, we will record details of your name, date of birth, phone number and e-mail address, as well as a brief note about the nature of your enquiry if known (for example “help with benefits application”).  This information can only be accessed by users authorised by the Citizens Advice Edinburgh Management team, using a secure username and password. More details about the 10to8 data protection and privacy policy can be found here: 

 

10to8 Privacy Policy: https://10to8.com  

 

If you contact us via one of our Social Media Platforms or choose to share personal information in the comments section: 

 

We do not seek to engage with clients using our Social Media Platforms.  Instead, these are intended for raising awareness of our services and impact.  However, we recognise that people may seek to engage with us using the comments or messaging services.   If personal information is shared on these platforms, we will seek your agreement to transfer it to our CASTLE system and engage with you by phone, e-mail or in a direct meeting and we will delete your comments and personal information from our social media platform.   

 

Every effort will be made to keep track of such information, but we cannot guarantee that we will see every comment.  Therefore, we strongly discourage any personal information being shared on these platforms and advise you to read their Data Protection and Privacy Statements here.  If you are concerned that your data has been stored on our social media, please contact us on 0131 510 5510 so that we can seek to remove that on your behalf.  

 

Twitter GDPR Hub: https://gdpr.twitter.com 

 

Facebook GDPR Hub: https://www.facebook.com 

 

LinkedIn GDPR Hub: https://privacy.linkedin.com  

 

E-mail and other Microsoft products we use to communicate with you and other third parties: 

 

We use Microsoft Office as the platform to host our e-mail, Word and other Microsoft tools.  Your personal data may be recorded in e-mail communication with you and any third party you have agreed for us to contact, and a record of correspondence drafted in Word or details recorded in Excel may be retained within our Microsoft documents portal.   Every effort will be made to delete such documents once they have been scanned and uploaded to CASTLE, but given the volume, some may remain within our Microsoft portal.  Such information can only be accessed by users authorised by the Citizens Advice Edinburgh Management team, using a secure username and password. More details about the Microsoft Office data protection and privacy policy can be found here: 

 

Microsoft GDPR information: https://www.microsoft.com 

 

If we engage with you via Zoom or Microsoft Teams: 

 

You may agree to engage with your adviser by video link using Zoom or Teams.  If you do, those platforms may retain details of your name and e-mail address. More details about their data protection and privacy policies can be found here: 

 

Zoom European Data Protection Policy: https://zoom.us 

 

Microsoft Teams GDPR information: https://www.microsoftteams.com 


Retention of Personnel Records:  

 

Document / Retention period 

  • Application form: Duration of employment or volunteering 

  • References received: Duration of employment or volunteering 

  • Annual appraisal/assessment/supervision/training records: Duration of employment or volunteering 

  • Annual leave records: For the leave period 

  • Unpaid leave/special leave records: 3 years 

  • Sickness records: 3 years 

  • Records relating to accident or injury at work: For at least 3 years from the date the report was made 

  • Disciplinary matters: 6 years 

  • Payroll and wage information: 6 years 

  • References given/information to enable references to be provided (e.g. summary of record of service, name, position held, dates of employment or volunteering): 6 years from reference/end of employment or volunteering 


Data Breach: 

 

All employees and volunteers have a responsibility to take action where they think there may have been a breach of data protection.  This will be any situation where a person’s data has not been managed in accordance with the above policy and procedure.  If you think there may have been a breach, you must report this immediately to your line manager or, in their absence, a member of the Senior Management Team, and the CEO must be informed within 24 hours. We have a legal duty to report any breach of Data Protection to the Information Commissioner’s Office (ICO) within 72 hours; therefore immediate action must be taken by all employees and volunteers if they have any concern that a breach may have occurred.  The CEO (alongside delegated responsibility to an appropriate member of the management team) will take responsibility for management of the data breach and for reporting to CAS, to our Data Protection Officers via the Portal, and to the ICO in accordance with our legal and regulatory requirements.  

 

A breach of data protection must also be recorded on CAE’s Incident Report and these will be recorded and reviewed for learning and development in accordance with our Incident Reporting processes.