"Charity" means The Magdalene Project, a registered charity.
"GDPR" means the General Data Protection Regulation.
"Responsible Person" means the Administrator.
"Register of Systems" means a register of all systems or contexts in which personal data is processed by the Charity.
1. Data protection principles
The Charity is committed to processing data in accordance with its responsibilities under the GDPR.
Article 5 of the GDPR requires that personal data shall be:
processed lawfully, fairly and in a transparent manner in relation to individuals;
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
2. General provisions
This policy applies to all personal data processed by the Charity.
The Responsible Person shall take responsibility for the Charity’s ongoing compliance with this policy.
This policy shall be reviewed at least annually.
The Charity shall register with the Information Commissioner’s Office as an organisation that processes personal data.
3. Lawful, fair and transparent processing
To ensure its processing of data is lawful, fair and transparent, the Charity shall maintain a Register of Systems.
The Register of Systems shall be reviewed at least annually.
Individuals have the right to access their personal data and any such requests made to the Charity shall be dealt with in a timely manner.
4. Lawful purposes
All data processed by the Charity must be processed on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information).
The Charity shall note the appropriate lawful basis in the Register of Systems.
Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the Charity’s systems.
5. Data minimisation
The Charity shall ensure that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
The Charity shall take reasonable steps to ensure personal data is accurate.
Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
7. Archiving / removal
To ensure that personal data is kept for no longer than necessary, the Charity shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
The archiving policy shall consider what data should/must be retained, for how long, and why.
The Charity shall ensure that personal data is stored securely using modern software that is kept up to date.
Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
When personal data is deleted this should be done safely such that the data is irrecoverable.
Appropriate back-up and disaster recovery solutions shall be in place.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Charity shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO (more information on the ICO website).
Confidentiality of Information Statement to be given to the client.
The Magdalene Project holds information relating to clients both in written form and computerised. This information is protected and guarded to the best of our ability to ensure that your details are not accessible to anyone unauthorised to see them. The persons authorised to see your details are your counsellor, the Project Director, the Assistant Project Director(s), the Administrator and the Assistant Administrator.
Below is a list of the information held.
Information on the computer
The unique reference number we allocate to you.
Your date of birth, gender and ethnicity.
Your post code (the first two letters and number).
The date you were referred to us, the date you were assessed and who assessed you.
How you were referred to us: name, agency, self, friend etc.
The name of your Doctor and the surgery/health centre he/she works with, your NHS reference number and any medication you may be on.
What your presenting issues are including the PHQ9 and GAD7 scores: whether there was domestic violence or sexual trauma/abuse involved and whether there is any connection to the armed services.
The name of your assigned counsellor, what date your counselling started and finished, and how many sessions you have attended or not attended.
Whether, on completing your therapy, you are in a better place than when you started, determined by: your opinion, your counsellor’s opinion and the difference in PHQ9 and GAD7 scores from when you first started to that at the end of therapy.
Information in written form
We also hold on file: notes on your assessment, PHQ9 and GAD7 score sheets, review forms, evaluation forms, counselling contracts, financial contribution agreement and a counselling closure form.
Where information is obtained
We obtain this information from several sources. A form is completed when you are referred and another form is completed at your assessment including a written contract for your counselling and you are given this Confidentiality of Information Statement. At your counselling sessions you will be required to complete the PHQ9 and GAD7 forms and periodic review forms. At the end of your treatment evaluation statements are taken and recorded.
Why we keep the information
The information we hold is to enable us to provide the most suitable therapy for you and for us to monitor our own effectiveness and to ensure that our service is continually improved. We hold your information in a secure and highly confidential manner to GDPR (General Data Protection Regulation) standards.
The GDPR gives ‘rights’ to individuals:-
the right to be informed
the right of access
the right to highlight errors and have them corrected
the right to have your information removed
the right to restrict processing
the right to data portability
the right to object
the right not to be subject to automated decision making including profiling
the right to withdraw your consent
How long is information stored
The information is stored for seven years. In electronic form it is deleted and in paper form it is shredded. The cull is carried out twice a year after the end of the seven years in February and August.
Staff with full access to clients’ information
Pauline Ellison - Project Director
Debbie Winstanley - Assistant Project Director
Dena Lord - Assistant Project Director
Robin Jones - Administrator
Sally Barnes - Assistant Administrator
Staff with access to their own client ONLY
Irene Alderson (plus clients assessed by her)
Anthony Myers (plus clients assessed by him)
Arlene Creed (plus clients assessed by her)
Access to Computer Based Information Systems
Access to the computer is restricted to the following people:
The Project Director
The Assistant Project Director(s)
The computer is accessed initially by using a password.
The files with sensitive information are also password accessed.
Allocating and removing access rights to the system has been assigned to the administrator.
Compliance is monitored quarterly, as is whether access privileges remain appropriate; where access is no longer required it is disabled or revoked.
Access will be allocated on a ‘need to know’ basis.
The wireless router is not available for private use; it has been ‘hidden’ and access codes have not been issued.
In the event of loss of IT systems
The Magdalene Project data on the computer goes direct to the Cloud and a standalone hard drive. The Cloud is backed up as work is processed; the hard drive is backed up to a daily schedule.
All Project passwords (not just relating to the computer) are held by the Project Director and the Chair of the Trustees.
The Project is registered under the Data Protection Acts.