Data Protection, Confidentiality, and Record Keeping Policy – Pride Space CIC
Version: 1.0
Effective Date: 21/2/25
Review Date: 20/2/26
1. Policy Statement
Pride Space CIC is committed to ensuring the privacy and confidentiality of all personal data held and processed in line with data protection laws, including the UK’s Data Protection Act 2018 and the General Data Protection Regulation (GDPR). We recognise that maintaining the confidentiality of sensitive information is essential to building trust with our clients and service users. This policy outlines how we collect, store, process, and dispose of personal data, and the measures in place to ensure data protection and confidentiality.
2. Scope
This policy applies to all employees, volunteers, contractors, and third parties who handle personal data or have access to confidential information related to the organisation’s activities.
It includes:
Personal data related to clients, employees, volunteers, contractors, and stakeholders.
Client records, case notes, and therapy-related documents.
Confidential information exchanged within the organisation or with external parties.
3. Principles of Data Protection
In handling personal data, Pride Space CIC is committed to the following principles:
Lawfulness, fairness, and transparency: We will process personal data lawfully, fairly, and in a transparent manner.
Purpose limitation: Personal data will be collected only for specified, legitimate purposes and not further processed in a way incompatible with those purposes.
Data minimisation: We will ensure that personal data is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
Accuracy: Personal data will be accurate and kept up to date, with every reasonable step taken to ensure that inaccurate data is rectified.
Storage limitation: We will keep personal data in a form that allows identification of data subjects for no longer than necessary for the purposes for which the data is processed.
Integrity and confidentiality: Personal data will be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.
Accountability: Pride Space CIC will take responsibility for ensuring compliance with data protection principles.
4. Confidentiality
General Principles: All staff, volunteers, and contractors will treat any personal information and sensitive data they encounter as confidential, whether the information relates to employees, clients, or any other individuals. Confidentiality should be maintained both during and after the term of employment or engagement with Pride Space CIC.
Disclosure: Personal information will not be disclosed to unauthorised persons without the express consent of the individual concerned, unless required by law or necessary for the delivery of services.
Exceptions to Confidentiality: Confidential information may be disclosed without consent in certain circumstances, such as:
Where there is a legal obligation to do so (e.g., safeguarding concerns, law enforcement requests).
Where failure to disclose the information may result in harm or danger to the individual or others (e.g., in cases of serious medical conditions, self-harm, or risk of violence).
5. Data Collection and Processing
Data Collection: We will collect only the necessary information required for the purpose of delivering services. This may include:
Personal details: Name, date of birth, contact details.
Health and well-being information: Medical history, therapy records, treatment plans.
Sensitive data: Data relating to race, ethnicity, sexual orientation, and other personal characteristics relevant to service delivery.
Processing: Personal data will be processed for the specific purposes for which it was collected, including service delivery, record-keeping, monitoring, and reporting.
Consent: Whenever required, explicit consent will be obtained from the individual whose data is being processed, particularly when handling sensitive data. Consent will be obtained in a clear and informed manner.
6. Data Security and Access Control
Data Storage: Personal data will be stored securely, whether in physical or electronic form. This includes using locked cabinets for physical records and password-protected systems for digital data.
Access Control: Access to personal data will be restricted to authorised personnel only, and on a need-to-know basis. All staff will be provided with access controls and guidance regarding data security.
Digital Data: Electronic records will be stored on secure systems, protected by appropriate encryption, firewalls, and anti-virus software.
Physical Data: Paper records will be stored in locked, secure cabinets or rooms. Any confidential information that is no longer required will be shredded or securely disposed of.
Third-Party Access: If third parties (e.g., contractors, service providers) need access to personal data, appropriate data protection agreements will be in place to ensure compliance with this policy and applicable data protection laws.
7. Record Keeping and Retention
Record Retention Period: Personal data will not be kept longer than necessary for the purposes for which it was collected. Different types of data may have different retention periods, and records will be reviewed regularly to ensure they are not kept unnecessarily.
Record Disposal: When records are no longer needed, they will be securely destroyed. Paper records will be shredded, and digital records will be permanently deleted in a secure manner.
Client Records: Client records, including case notes and therapy records, will be kept for a minimum of 6 years after the last service interaction, in line with industry standards and legal requirements. After this period, they will be securely destroyed.
8. Staff Responsibilities and Training
Confidentiality Training: All staff, volunteers, and contractors will receive training on data protection, confidentiality, and this policy as part of their induction and regularly thereafter.
Staff Responsibilities: All staff are responsible for ensuring that personal data is handled in accordance with this policy. This includes:
Ensuring data is stored securely.
Reporting any data breaches or potential breaches to management immediately.
Adhering to the principles of confidentiality in all interactions with clients and colleagues.
9. Data Subject Rights
Under data protection laws, individuals have certain rights regarding their personal data, including:
Right to Access: Individuals can request a copy of the data held about them.
Right to Rectification: Individuals can request that inaccurate or incomplete data be corrected.
Right to Erasure: Individuals can request that their personal data be deleted in certain circumstances.
Right to Restrict Processing: Individuals can request that the processing of their data be limited.
Right to Data Portability: Individuals can request a copy of their data in a commonly used electronic format.
Right to Object: Individuals can object to the processing of their data in certain situations.
Requests to exercise these rights should be submitted in writing to datamanager@pridespace.org.
10. Breach of Policy and Data Breaches
In the event of a data breach or a breach of this policy, Pride Space CIC will take the following steps:
Investigation: The breach will be investigated, and appropriate action will be taken.
Notification: If the breach is likely to result in a risk to the rights and freedoms of individuals, affected individuals will be notified without undue delay. If necessary, the Information Commissioner’s Office (ICO) will be notified within 72 hours.
Corrective Actions: Any weaknesses or failures identified during the investigation will be addressed, and corrective measures will be implemented to prevent recurrence.
11. Review of Policy
This policy will be reviewed annually or whenever there are significant changes to data protection laws, business processes, or the services we offer. Updates to this policy will be communicated to all staff.
12. Contact Information
For any questions regarding this policy or data protection, please contact the service manager.