Data Protection Instructions for Support Workers
During your work for Clear Links Support you will be processing the personal data of students you support. These instructions are provided to assist you with compliance with data protection legislation.
As per the terms of the Data Processing Agreement you must only act on these written instructions (unless required by law to act without such instructions).
Data Protection Legislation: the General Data Protection Regulation (GDPR) and any national implementing laws, regulations and secondary legislation in the UK and then any successor legislation to the GDPR or the Data Protection Act 1998.
GDPR – New EU regulation on data protection and privacy for all individuals within the European Union introduced on the 25th May 2018.
ICO – Information Commissioner’s Office. The UK’s independent body set up to uphold information rights.
Personal data – any information relating to a person that could be used to identify that person (possibly in combination with other data). The personal data that you are likely to process includes names, contact details, and information about a student’s course.
Special category data – sensitive personal data which needs more protection. The special category data that you are likely to process is information about health, medical conditions and disability associated with each student.
Processing – any activity involving data. Saving, copying, storing and deleting are all examples of processing.
Data controller – a person/organisation who determines the purposes for which and the manner in which any personal data is processed. Clear Links is the data controller.
Data processor – any person (other than an employee of the data controller) who processes the data on behalf of the data controller. You are a data processor.
Data Protection Officer (DPO) – an appointed person who monitors internal compliance, informs and advises on data protection obligations and acts as a contact point for data subjects and the supervisory authority. Clear Links has appointed its own DPO and that post is held by Dexter Johnstone, 0114 2786866, firstname.lastname@example.org.
Data subject – the individual who is the subject of the data held. In your case the student assigned to each applicable assignment.
Data breach – “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just losing personal data.”
Why does it matter?
Clear Links staff and support workers process a large amount of personal data and special category data. We are all required to adhere to the GDPR.
It is vital to our reputation that we adhere to the GDPR.
Failure to follow GDPR rules can result in large fines of up to €20 million for both controller and processor.
Secure processing of data
What personal data can I record/process?
Only as much as you need in order to arrange and provide non-medical help support to the student you have been matched with. You must not process their personal data for any other purpose. You must not request or record information which is not necessary for the support role.
For example, in a study skills support session you can record which strategies were discussed but you must not record details about the student’s wellbeing or health.
You must maintain a record of your processing activities. We will provide you with this record which will be stored in Crystal.
How should I securely store data?
You must take appropriate measures to ensure the security of processing.
Personal data you hold must be stored securely. If you store student’s personal data, for example contact details, on an electronic device (phone, tablet, computer etc) then this device must have a secure password or passcode which is not shared with anyone else.
You must ensure that any electronic device which is used to store personal data has the latest system updates/patches installed.
You must ensure that any computer which is used to store personal data has an up-to-date antivirus programme installed and running.
Personal data must not be stored on publicly accessible computers. Personal data must only be accessible to you.
If you create records of the support and these records contain personal data which can be used to identify the student, then these records will need to be kept securely. If they are electronic records, then the device they are stored on must have a password or passcode. If hard copy records (e.g. hand-written notes, printed electronic data) are created, then these must be kept in a safe and secure place.
If you do create records of the support you deliver you must consider ways of anonymising the records and record as little personal data as possible within the record.
Support workers must ensure that personal data in any format is not left in any public place.
For example, if you create written notes about the support you are delivering use the student’s initials rather than their name and refer to them as ‘the student’ in these records rather than naming them. You can then destroy the paper copies when you have submitted your records online.
Data in emails
Emails are not a secure way of transferring data, however, it is not practical to encrypt them and they are an essential tool for our business. It is therefore essential that you take steps to reduce the risk of inappropriate sharing, disclosure or loss of data via email.
You must not use a shared email account for correspondence about your support work.
You must be the only person who has access to the email account.
You must include only the minimum personal data required within the email.
You must not email a message to more than one student at a time or copy in other people to emails about students. You must not forward emails that contain any personal data about students to 3rd parties. This ensures that the student’s email address or any personal data contained within the email are not shared with others.
You must only include information about one student in an email.
For example, if you are emailing us about a student do not copy in members of staff at the student’s Higher Education Provider (HEP).
You must ensure that when making and receiving calls no one can overhear personal information.
When leaving messages for a student on a landline or mobile number you must only use the students first name, say who you are and ask to be called back, or state when you will call back again. You must not mention the student’s personal data or circumstances in phone messages. You must be aware that messages left on landline numbers may be accessed by other people.
For example, when on the phone to your Clear Links Support Supervisor do not discuss the support of one student in the presence of another student.
Keeping records up to date and removing inaccurate data
Personal data must be kept up to date. If you become aware that the personal data you are processing is out of date then it must be updated or deleted.
If you become aware that a student’s contact details have changed you must inform your Support Supervisor. If we become aware that a student’s contact details have changed we will inform you.
For example, if a student tells you they have a new phone number you must inform us.
Under no circumstances should you share student’s personal data with any other party, other than Clear Links. Please refer any such requests to Clear Links Date Protection Officer.
For example, do not discuss the student or the support you are delivering for that student with members of staff of an HEP.
Securely deleting or destroying data
Once an assignment with a student ends any personal data you have about that student must be permanently deleted or destroyed as there is no longer a purpose for retaining the data. You must not retain any personal data about a student once the assignment has ended.
Data which must be destroyed could include assignment confirmations, Assessment of Needs extracts or reports, timesheets, session records, plans and reviews, emails, text messages, phone numbers, voicemails, and any other stored data related to the student.
Destruction must be carried out in a secure manner. Hard copy documents must be shredded. Data stored electronically must be deleted and data emptied from your ‘recycle bin’ or ‘deleted items’ folder.
The personal data must be deleted within 7 working days from the end date of the assignment.
For example, you create records of what has been covered during support sessions in a notebook. Once the assignment has ended you should tear out and shred the pages containing information about that assignment.
Data breach reporting
You must assist us in meeting our GDPR obligations in relation to the notification of personal data breaches.
Clear Links is required to record and possibly report data breaches to the ICO within 72 hours of becoming aware of the breach.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms we must also inform those individuals without undue delay.
You must report a data breach to Clear Links Data Protection Officer (DPO) as soon as you become aware of it. If you are unsure but think a data breach may have occurred you must also report it to Clear Links DPO.
For example, your mobile phone is lost or stolen. You have the contact details of students stored on it. You must inform us as soon as possible.
Subject access requests
You must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR.
Data subjects have the right to request to see the data that is held about them both by us, the data controller, and by you, the data processor. This data must be provided to them within 30 days.
You must inform Clear Links Data Protection Officer within 3 working days if a student makes a data subject access request to you.
When recording information about a student you must be aware that they have the right to see this data.
For example, a student makes a data access request to us. You will need to provide to us all the personal data (including text and email messages) you have about that student as soon as possible.
Cooperating with the data controller and supervisory bodies
You must submit to any audits and inspections which may be required. You must provide us with whatever information we need to ensure that we are both meeting our GDPR obligations. You must inform Clear Links Data Protection Officer immediately if you are asked to do something which breaches the GDPR.
You must co-operate with supervisory authorities (such as the ICO).