Dementia Jersey is the only local charity for people with dementia and those who care for them. We were registered with the Jersey Charity Commission under registration number 42 on 14th May 2010.

‘The Charity’ within the context of this policy, refers to Dementia Jersey.

We take your privacy very seriously and are committed to protecting your personal data. This data protection policy describes how this data is collected, handled and stored to meet the Charity’s data protection standards – and to comply with the Law.

Our Data Protection Officer is our CEO Claudine Snape. If you have any questions regarding our policy, please write to:

The Data Protection Officer,
Dementia Jersey,
Osprey House,
Old Street,
St Helier,
JE2 3RG

Email: Claudine@dementia.je

If you wish to discuss your preferences for how we communicate and process your information please contact Nadine@dementia.je or call on 01534 723519 between 9am and 4pm Monday to Friday.

This policy includes:

  • Scope
  • The data protection officer and principles of data protection
  • Purposes of data processing
  • Recipients of personal data
  • Transfer of personal data to a third country
  • Retention of personal data
  • Retention of personal data
  • Client personal data
  • Data subject rights
  • Consent
  • Reporting a personal data breach
  • General

SCOPE

This Data Protection Policy applies to all Personal Data the Charity may Process regardless of the media on which that data is stored (whether on paper or electronically on a computer or other device) or whether it relates to past or present employees, workers, volunteers, trustees, clients, client’s families or supplier contacts, website users or any other Data Subject.  The Charity recognises that the correct and lawful treatment of Personal Data will maintain confidence in the organisation and will provide for successful business operations.  Protecting the confidentiality and integrity of Personal Data is a critical responsibility that all Charity Personnel must take seriously at all times.

This policy has been approved by the Board of Trustees of the Charity and all Charity Personnel are responsible for ensuring compliance with this Data Protection Policy and need to implement appropriate practices, processes, controls and training to ensure such compliance.

THE DATA PROTECTION OFFICER AND PRINCIPLES OF DATA PROTECTION

The Charity does not believe it has a requirement for a data protection officer (as defined in the Law) and therefore the Charity appoints the Chief Executive Officer as responsible for ensuring that the Processing of Personal Data complies with the data protection principles and should be the first point of contact for any queries or concerns regarding data protection.

The data protection principles require that Personal Data is:

  • processed lawfully, fairly and in a transparent manner in relation to the data (“lawfulness, fairness and transparency”);
  • collected for specified, explicit and legitimate purposes and, once collected, not further processed in a manner incompatible with those purposes (“purpose limitation”);
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
  • accurate and, where necessary, kept up to date. Reasonable steps are taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
  • kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed (“storage limitation”); and
  • processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures “integrity and confidentiality”).

PURPOSES OF DATA PROCESSING

The Charity will normally only Process Personal Data for the following four lawful grounds:

  • the performance of a contract to which the Data Subject is a party or the taking of steps at the request of the Data Subject with a view to entering into a contract;
  • to pursue its legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the Personal Data which overrides those legitimate interests;
  • to meet its legal requirements; or
  • consent including the Data Subject giving (where required) explicit consent to the Processing of Special Category Data.

The Law requires Data Controllers to provide detailed, specific information to Data Subjects depending on whether the information was collected directly from Data Subjects or from elsewhere.  Such information will be provided through appropriate Privacy Notices which will be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand them.

The Charity will or has provided its Charity Personnel with Privacy Notices when the Data Subject first provides the Personal Data.

Charity Personnel should be aware that the Charity also holds Personal Data concerning its Clients and its Clients’ families. Care should be taken by Charity Personnel to ensure that they Process all Personal Data in accordance with the Law and do not disclose any Personal Data concerning Clients or Clients’ families to third parties without appropriate authorisation

Purpose Limitation

Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes.  This means that Charity Personnel must not use Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained unless Charity Personnel have informed the Data Subject of the new purposes and Consent has been obtained, where necessary.  The Chief Executive Officer must also be informed so that accurate records are kept.

Data Minimisation

Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.  Charity Personnel may only Process Personal Data when performing their required job duties.  Charity Personnel cannot Process Personal Data for any reason unrelated to their job duties. Charity Personnel may only collect Personal Data that they require for their job duties and not collect excessive data.  They must also ensure any Personal Data collected is adequate and relevant for the intended purposes.

Charity Personnel must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the Charity’s data retention guidelines.

Accuracy

Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.  Charity Personnel must take reasonable steps to ensure that the Personal Data the Charity use, and hold is accurate, complete, kept up to date and relevant to the purpose for which it was collected.  Charity Personnel must check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. Charity Personnel must take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data after speaking with the Chief Executive Officer.

Storage Limitation

The Charity will ensure Data Subjects are informed of the period for which data is stored and this can be found in the data retention guidelines in this policy.

Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.  Charity Personnel must not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purpose or purposes for which the Charity originally collected it including for the purpose of satisfying any legal, accounting or reporting requirements.

The Charity will maintain retention policies and procedures to ensure Personal Data is deleted after a reasonable time for the purposes for which it was being held, unless an alternative law requires such data to be kept for a certain specific minimum time.

Charity Personnel will take all reasonable steps to destroy or erase from Charity systems all Personal Data that is no longer required in accordance with the Charity’s applicable retention policies.  This includes requiring third parties to delete such data where applicable.

Integrity and Confidentiality

Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful Processing, and against accidental loss, destruction or damage.

The Charity will develop, implement and maintain safeguards appropriate to its size, scope and business, its available resources, the amount of Personal Data that it may Process on its behalf or on behalf of others and identified risks (including use of encryption and pseudonymisation where applicable). The Charity will regularly evaluate and test the effectiveness of those safeguards to ensure security of its Processing of Personal Data.

When assessing appropriate technical measures, the Charity will consider the following:

  • password protection;
  • automatic locking of idle terminals;
  • virus checking software and firewalls;
  • role-based access rights including those assigned to temporary staff;
  • encryption of devices that leave the Charity’s premises such as laptops;
  • password protection of Charity Personnel’s personal devices;
  • security of network; and
  • privacy enhancing technologies such as pseudonymisation and anonymisation.

When assessing appropriate organisational measures, the Charity will consider the following:

  • the appropriate training levels throughout the Charity;
  • the reliability of Charity Personnel (such as references etc.);
  • the inclusion of data protection in employment contracts;
  • identification of disciplinary action measures for data breaches;
  • monitoring of Charity Personnel for compliance with relevant security standards;
  • physical access controls to electronic and paper-based records;
  • adoption of a clear desk policy;
  • storing of paper-based data in lockable cabinets;
  • restricting the use of portable electronic devices outside of the workplace;
  • restricting the use of employee’s own personal devices being used in the workplace;
  • adopting clear rules about passwords; and
  • making regular backups of Personal Data and storing the media off-site.

These controls have been selected on the basis of identified risks to Personal Data, and the potential for damage or distress to Data Subjects whose Personal Data is being Processed.

Charity Personnel are responsible for protecting the Personal Data the Charity holds. Charity Personnel must implement reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of, or damage to, Personal Data. Charity Personnel must exercise particular care in protecting Special Category Data from loss and unauthorised access, use or disclosure.

Charity Personnel must follow all procedures and technologies the Charity puts in place to maintain the security of all Personal Data from the point of collection to the point of destruction. Charity Personnel may only transfer Personal Data to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested.

Any request for information by a third party about a Client or Client family should be referred to the Chief Executive Officer.

The Charity has ensured that its Clients have been informed that they must obtain permission from their own family for the Charity to Process Personal Data including Special Category Data of Clients’ families and personal circumstances.

RECIPIENTS OF PERSONAL DATA

The Charity may pass Personal Data concerning its Charity Personnel and/or its Client’s Personal Data to other entities on a need to know basis, for the pursuance of the Charity’s legitimate business purposes.  In addition, certain Personal Data of Charity Personnel such as details of names, professional qualifications, work experience, and business addresses, may also be provided to Clients and others for marketing and business development purposes.

Third Party Providers

Personal Data of Charity Personnel may also be accessed by contracted third party providers:

  • in order to fulfil the requirements of payroll processing and HR administration recording the Charity uses an outsourced HR provider and a hosted payroll provider;
  • in order to provide IT solutions, the Charity uses a cloud-based desktop provider, which has a hosting centre in the Netherlands; and
  • in order to fulfil the Charity’s requirements to keep statutory records, the Charity has appointed an accountancy firm to create its financial statements.

Each third-party provider has assured the Charity that any Personal Data is secured by appropriate technical and organisational measures against unauthorised or unlawful Processing, and against accidental loss, destruction or damage.

Any new arrangements with third party providers will be subject to a Data Protection Impact Assessment (DPIA), which will require signoff by the Chief Executive Officer, in advance of any contractual arrangements being entered into.

TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY

The Charity does not envisage that any Personal Data will be transferred to countries outside of the European Economic Area.

RETENTION OF PERSONAL DATA

The Charity’s intention is to ensure that it will carry out an annual audit of its documentation to delete and/or destroy documents which have passed the retention periods listed below.  Therefore, documents will be retained for the periods below and deleted and/or destroyed at the following audit.

The Charity will retain Personal Data for the following statutory periods:

Document Type: Period:
Accident books; accident records/reports 3 years from the date of the last entry
Accounting records Not less than 6 years after the end of the financial year to which they relate
Income Tax and Social Security returns Not less than 3 years after the end of the financial year to which they relate
Medical records involving the control of substances hazardous to health (“COSHH”), Asbestos, Control of Lead, Ionising Radiations 40 years from the date of the last entry or until the person reaches of 75 years of age
Test or examination records for COSHH 5 years from the date the test was carried out.
Retirement benefit schemes 6 years from the end of the scheme year in which the event took place
Payroll and /or working time records and statutory pay requirements, such as maternity pay, minimum wage records 10 years following employment

The Charity will retain Personal Data for the following non-statutory periods:

Document Type: Period:
Application forms and interview notes (for unsuccessful candidates) 6 months to a year
References (Personal and Employment) During employment
Assessments under health & safety regulations and records of consultations with safety reps/committee permanently
Parental leave, including maternity, adoption 5 years from birth/adoption of the child or 18 years if the child receives a disability allowance
Pension scheme investment policies 12 years from the ending of any benefit payable under the policy
Actuarial valuations reports permanently
Pensioners records 12 years after benefit ceases
Personnel files and training records 10 years after employment ceases
Redundancy details 6 years from the date of redundancy
Senior Executives’ records Permanently for historical purposes
Statutory Sick Pay records; calculations, certificates, self-certificates A minimum of 3 months after the end of the period of sick leave
Trade Union Agreements 10 years after ceasing to be effective

CLIENT PERSONAL DATA

Where it has a legal reason to do so the Charity will retain Client Personal Data and Clients’ families Personal Data along with Special Category Data for a minimum period of 10 years from the period the Client ceases to be a Client.

DATA SUBJECT RIGHTS

Data Subjects have rights when it comes to how the Charity handles their Personal Data. These include rights to:

  • make a right of access request regarding the nature of the Personal Data that the Charity holds about them;
  • receive certain information about the Data Controller’s Processing activities;
  • ask the Charity to take action to rectify, block, erase (including the right to be forgotten), or destroy Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed;
  • prevent the Charity use of their Personal Data for direct marketing purposes;
  • withdraw Consent to Processing at any time;
  • restrict Processing in specific circumstances;
  • challenge Processing which has been justified on the basis of the Charity’s legitimate interests or in the public interest;
  • object to decisions based solely on automated processing, including profiling (ADM);
  • prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;
  • be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;
  • make a complaint to the supervisory authority; and
  • in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format.

Right of access requests

Charity Personnel are entitled to apply to the Chief Executive Officer to request information, in writing, regarding their Personal Data that is being Processed by the Charity in relation to the following:

  • the purpose for which the data is being processed;
  • the categories of Personal Data concerned;
  • the recipients or classes of recipients to whom they are or may be disclosed;
  • where possible, the envisaged period for which the Personal Data will be stored for;
  • the existence of the right to request rectification or erasure of Personal Data or restriction of Personal Data concerning the Data Subject;
  • the right to lodge a complaint with the Information Commissioner as outlined within the Law;
  • where the Personal Data was not collected from the Data Subject, any information as to its source; and
  • meaningful information about the logic involved in any automated decision-making process, along with the envisaged consequences of such Processing.

The Chief Executive Officer will action the request within 4 weeks of the receipt of the request (this may be extended by a further 8 weeks where necessary) unless the request is considered to be manifestly vexatious, unfounded or excessive, in which case the Chief Executive Officer may either charge a reasonable fee taking into account the administrative costs of providing the information or refuse to act on the request.  The Charity has created a pro forma for such a request. The information will be provided by electronic means where possible.

Non-Charity Personnel Right of Access Requests

As all Data Subjects have the same rights under the Law, Charity Personnel may receive Data Subject Access Request from Client’s.  Therefore, it is vitally important that Charity Personnel inform the Chief Executive Officer immediately should any such request be received.

If possible, Charity Personnel should verify the identity of an individual requesting data under any of the rights listed above (Charity Personnel must not allow third parties to persuade them into disclosing Personal Data without proper authorisation).

Right to rectification

Charity Personnel who dispute the accuracy or completeness of Personal Data may make a written request to the Chief Executive Officer to rectify or change their Personal Data.  The request must state the inaccuracy or explain why the Personal Data is incomplete. The Charity has created a pro forma for such a request.

Right to erasure

The Chief Executive Officer will erase Personal Data where:

  • the Personal Data is no longer necessary for the purpose for which it was collected; or
  • the Personal Data has to be erased to comply with a legal obligation.

The Data will not be erased where the Processing of the Personal Data is necessary in line with legislation or other lawful purpose as provided in the Law.

Right to data portability

Charity Personnel have the right to receive the Personal Data that they have provided the Data Controller in order to transmit to another data controller, where feasible.

Right to withdraw consent

Charity Personnel have the right to withdraw Consent to the Processing of their Personal Data providing there is no legitimate, legal or contractual reason for the Personal Data to be retained by the Data Controller.

Right of complaint to the Information Commissioner

The Charity will encourage any complaint relating to the manner in which Personal Data has been Processed to be made to the Chief Executive Officer to allow internal review and action.  All individuals also have the right to complain to Jersey’s Information Commissioner (as defined within the Law) if they believe any of their Personal Data is being Processed outside of the requirements of the Law.

CONSENT

The Charity will request consent to Process Personal Data only where it does not have another lawful basis to rely upon such as contractual, legitimate purpose or to meet its legal obligations. For Special Category Data, the Charity will normally be able to rely upon a legal reason to Process this type of Personal Data, however where the Charity wants to gain medical history of Charity Personnel it will continue to seek their explicit consent.

Data Subjects have the right to remove their consent. In these circumstances, unless the Charity has a lawful basis under the Law to retain the Personal Data or Special Category Data, the Charity will take all reasonable steps to destroy or delete the Personal Data.

In all cases, Personal Data and Special Category Data will only be required to the extent that it is necessary for the appropriate lawful reason.

REPORTING A PERSONAL DATA BREACH

The Law requires Data Controllers to notify certain Personal Data Breaches to the Information Commissioner and, in certain instances, to the Data Subject.

The Charity has put in place procedures to deal with any suspected Personal Data Breaches and will notify Data Subjects and/or the Information Commissioner where it is legally required to do so.

A data breach seriousness assessment will be performed to ascertain reporting requirements, and the Errors and Breaches Register will be updated accordingly.

If Charity Personnel know or suspect that a Personal Data Breach has occurred, or been attempted, they must immediately contact the Chief Executive Officer.  There should not be any attempt to investigate the matter without being instructed to do so by the Chief Executive Officer.  They should also make reasonable effort to preserve all evidence relating to the potential or actual Personal Data Breach where appropriate.

GENERAL

Direct Marketing

The Charity is subject to certain rules and privacy laws when marketing to its Clients. A Data Subject’s prior consent will commonly be sought for electronic direct marketing (for example, by email, text or automated calls). The limited exception for Clients known as “soft opt in” allows the Charity to send marketing texts or emails if it has obtained contact details in the course of a sale or providing services to that Data Subject, if it is marketing similar products or services, and if it gives the Data Subject an opportunity to opt out of marketing when first collecting the details and in every subsequent message.

The right to object to direct marketing will be explicitly offered to the Data Subject in an intelligible manner so that it is clearly distinguishable from other information. A Data Subject’s objection to direct marketing will be promptly honoured.  If a Client ‘opts out’ of direct marketing at any time, their details will be suppressed as soon as possible.Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.

Sharing Personal Data

Generally, the Charity will not share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place.

Charity Personnel may only share the Personal Data that is held with another employee, agent or representative of the Charity if the recipient has a job-related need to know basis for the information and the transfer complies with any applicable cross-border transfer restrictions.

Charity Personnel may only share Personal Data the Charity hold with third parties, such as our service providers if:

  • they have a need to know the information for the purposes of providing the contracted services;
  • sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject’s consent has been obtained (where required);
  • the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
  • the transfer complies with any applicable cross border transfer restrictions; and
  • a fully executed written contract that contains third party clauses as required by the Law has been obtained.

Changes to the Policy

The Charity reserve the right to change this Data Protection Policy at any time without notice and this policy is non-contractual.