Terms & Conditions - Data Protection, Privacy and Confidentiality Policy  



[Last updated: January 2012]

On this page:

  1. Summary
  2. Data Protection
       2.1 General
       2.2 Notification to the Information Commissioner’s Office
       2.3 Data Protection Principles
       2.4 Processing personal data
       2.5 Processing sensitive data
       2.6 Requests for access to data held
  3. Privacy
       3.1 Summary
       3.2 What the law says regarding personal information
       3.3 Who we are
       3.4 What we mean when we say ‘your information’
       3.5 When we collect your information
       3.6 How we use your information
       3.7 Who we share your information with
       3.8 The security of your information we store
       3.9 Our website
  4. Confidentiality
       4.1 General policy
       4.2 Exceptions to confidentiality
       4.3 Confidentiality and UNLOCK’s Information & Advice Service
  5. Implementation of this policy



1. Summary


This document sets out how we handle personal information that is provided to us. It is intended to be useful to our members, clients, website visitors and donors in understanding our approach to confidentiality and privacy, but also for UNLOCK staff, volunteers and trustees, in ensuring that this policy is incorporated into normal working practice. Reference to staff in this document also includes UNLOCK volunteers and trustees.

UNLOCK takes the privacy and confidentiality of its members, clients, website visitors and donors very seriously. Given that much of the personal information that we deal with is extremely sensitive, it is important that the information we collect is both collected and used fairly.

By accessing or using our website (www.unlock.org.uk), becoming an UNLOCK member, subscribing to the monthly magazine, requesting information or advice, making a donation, or otherwise giving us your personal information by other means, you consent to the use of your information in accordance with this policy. This policy should be read in conjunction with our Terms & Conditions, which are available to view on our website. The document covers data protection, privacy and confidentiality issues.

  • Data Protection concerns data. A policy relating to data protection refers to how an organisation handles your personal data.
  • Confidentiality also concerns data. A policy relating to confidentiality refers to how your identifiable personal information will be handled, managed and disseminated.
  • Privacy concerns people. A policy relating to privacy refers to a person’s desire to control the access of others to you. For example, you may not want to be seen to be receiving letters from us as it may be seen by others who do not know about your criminal record.



2. Data protection


 

2.1 General

The Data Protection Act 1998 (DPA) protects personal data and places restrictions on the ability to disclose personal data. The DPA uses specific terminology when outlining data protection requirements and these are explained briefly below.

Personal data is regarded as information relating to an individual from which they can be identified, e.g. name, address, national insurance number. We are often entrusted with personal data given to us by individuals and organisations, and are under a duty to protect the confidentiality of personal information and to process it fairly.

The DPA regulates when and how an individual’s ‘personal data’ may be obtained, held, used, disclosed and generally processed. It applies to computerised processing of personal data and certain paper based files and records.

The term ‘personal data’ refers to information about identifiable living individuals. Personal data includes a significant amount of information stored in paper records as well as information held on computers. A ‘data subject’ is the individual who is the subject of the personal data.

Those who decide how and why personal data are processed are termed ‘data controllers’. Data controllers must comply with the rules of good information handling that are set out in eight ‘data protection principles’.

Personal data covers both facts and opinions about an individual. It also includes information regarding the intentions of the data controller towards the individual.

The DPA covers all personal data that are recorded as part of a ‘relevant filing system’. This is a set of information in which the records are structured by either reference to individuals or by reference to criteria relating to individuals, so that ‘specific information relating to a particular individual is readily accessible’. This definition means that a significant proportion of the information held in our paper and electronic files falls within the scope of the DPA.


2.2 Notification to the Information Commissioner’s Office

The DPA requires every data controller who is processing personal data to notify the Information Commissioner’s Office (ICO), unless they are exempt. Failure to notify is a criminal offence. Register entries have to be renewed annually. If you are required to notify but do not renew your registration, you are committing a criminal offence. Notification can be done by email, the internet, telephone or by requesting a notification form. The ICO maintains a public register of data controllers. Each register entry includes the name and address of the data controller and a general description of the reasons why processing of personal data by a data controller is being undertaken. Members of the public can consult the register to find out what processing of personal data is being carried out by a particular data controller.

‘Notification’ is the process by which a data controller’s details are added to the register. Notifications are renewable annually.

UNLOCK is required to notify because the charity handles and stores a significant amount of personal data about individuals, particularly as a result of the Information & Advice Service (IAS), which we may need to share with others where consent has been given. We have notified the ICO of the purposes for which personal data are held, and as a result the organisation’s name is on the public register maintained by the ICO as a data controller. Chris Bath, UNLOCK’s Executive Director, is responsible for UNLOCK’s data protection policy and procedures. All those associated with the organisation’s operations – employees, volunteers and trustees - must comply with the DPA requirements in respect of the storage and handling of personal data at all times.

When notifying the ICO, we provided details of the personal data that we process, the purposes for which the data are to be processed, details of who we intend to disclose data to, and a description of the security measures to be taken to ensure that personal data is protected.

We have notified the ICO that we process data for a number of purposes. Details of our entry on the register are available at www.ico.gov.uk (direct link as of April 2011 is http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/keeping_the_register.aspx).


2.3 Data Protection Principles

The Data Protection Principles, which are set out in the DPA and which must be complied with, are listed below. They state that personal data must be:

  1. Processed fairly and lawfully and shall not be processed unless certain conditions are met
  2. Obtained for specified and lawful purposes and not further processed in a manner which is incompatible with that purpose
  3. Adequate, relevant and not excessive
  4. Accurate and, where necessary, kept up to date
  5. Kept for no longer than is necessary
  6. Processed in accordance with the data subject’s rights
  7. Protected by appropriate security
  8. Not transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
  9. Subject to some exceptions for organisations that only do very simple processing, all entities that process personal information must register with the Information Commissioner’s Office.


2.4 Processing personal data

The action of ‘processing’ is broadly defined in the DPA and takes place when any operation or set of operations is carried out on or using personal data. The DPA requires that personal data is ‘processed fairly and lawfully’. Personal information is not to be treated as processed fairly unless we ensure, so far as is practicable, that individuals have, are provided with, or have made readily available:

  1. the identity of the organisation in control of the processing;
  2. the purpose, or purposes, for which the information will be processed;
  3. any further information necessary, in the specific circumstances, to enable the processing in respect of the individual to be fair.

This policy intends to satisfy these requirements.


2.5 Processing sensitive data

The DPA makes specific provision for sensitive personal data. Sensitive data includes racial or ethnic origin; political opinions; religious or other beliefs; trade union membership; personal health; sex life; criminal proceedings or convictions. Much of our work includes the processing of sensitive data, in particular information relating to criminal convictions. This data can only be processed under strict conditions, including:

  1. having the explicit consent of the individual data subject;
  2. being required by law to process the data for employment purposes;
  3. the need to process information in order to protect the vital interests of the data subject or another;
  4. dealing with the administration of justice or legal proceedings and the exercise of functions under an enactment.


2.6 Requests for access to data held

If you wish to see a copy of all personal information about you held by us, this can be provided on request. Requests need to be sent in writing, either by post, fax or email. Requests will be responded to within 40 calendar days.

In a request for access to data held, the following information is required.

  1. Full name
  2. Address (including postcode)
  3. Telephone number
  4. Email address
  5. UNLOCK membership number (if applicable)
  6. A description of the data that you are requesting, and any additional information which will enable us to locate it
  7. Evidence of your identity (e.g. a copy of your passport, driving licence – please do not send originals)
  8. A fee of £10 (cheques should be made payable to ‘UNLOCK’)
  9. How you would like to receive the information (either by email or by post).

If a third party is acting on your behalf, proof of the third party’s identity and your authority to disclose your information to them must also be provided in writing.

In addition to the right to receive a copy of all the personal data held about you, you are also entitled to be told that we, or somebody on our behalf, are processing data about you, to be given a description of the personal data, the purposes for which the data is being processed and a description of those to whom the data may be disclosed. This will be met by providing a copy of this policy alongside a copy of any information that we hold.

Under the right of subject access, you are entitled only to your own personal data, and not to information relating to other people (unless they are acting on your behalf). Neither are you entitled to information simply because you may be interested in it. Subject access provides a right to see the information contained in personal data, rather than a right to see the documents that include that information.

The Act requires that the information provided is in “intelligible form”. At its most basic, this means that the information provided should be capable of being understood by the average person. However, the Act does not require that the information is provided in a form that is intelligible to the particular individual making the request.

You can ask us to stop processing information relating to you at any given time, but this may prevent us from providing a particular service to you. Our contact details can be found at the end of this document.


3. Privacy



3.1 Summary


Under the DPA, UNLOCK have a legal duty to protect any personal information we collect from you. This section is designed to explain how we manage and use personal information that we are in possession of.

Given that much of the information that UNLOCK deal with is regarded as ‘sensitive personal data’, we feel it is important for us to be clear about the following factors.

  1. What the law says regarding personal information
  2. Who we are
  3. What we mean when we say “your information”
  4. When we collect your information
  5. How we use your information
  6. Who we share your information with. As it is sensitive, we need explicit consent (positive agreement) unless sharing is necessary (i.e. you cannot expect to receive the service without sharing), in which case agreement is not needed
  7. The security of your information
  8. Our website
  9. Who to contact for more information


3.2 What the law says regarding personal information

The law says that personal information shall be processed fairly; processing includes obtaining, using or disclosing information. It goes on to say that personal information is not to be treated as processed fairly unless the organisation in control of the processing ensures, so far as is practicable, that the individual has, is provided with, or has made readily available:

  1. the identity of the organisation in control of the processing;
  2. the purpose, or purposes, for which the information will be processed;
  3. any further information necessary, in the specific circumstances, to enable the processing in respect of the individual to be fair.

This policy intends to satisfy these legal requirements.


3.3 Who we are

UNLOCK, the National Association of Reformed Offenders, is an independent charity and membership organisation, led by reformed offenders. We aim towards equality for reformed offenders, defined as a society in which reformed offenders are able to fulfil their positive potential through equal opportunities, rights and responsibilities.

UNLOCK is a Registered Charity (Charity Number 1079046) and a Company Limited by Guarantee (Company Number 3791535).

UNLOCK is registered as a data controller. Contact details for us can be found at the end of this document.


3.4 What we mean when we say “your information”

"Your information" means any information about you which is personally identifiable, including, without limitation, your name, address, date of birth, telephone number, email address, other contact details, criminal conviction information, and other information which, when looked at completely, may allow you to be personally identified.


3.5 When we collect your information

We may collect your information from you when you:

  1. contact us by telephone, letter, fax, email;
  2. use our website or Member’s Forum;
  3. make a donation to us;
  4. otherwise disclose your information to us at any other point.

We will only request your information where it is necessary to carry out a particular function. You are under no obligation to provide us with your information, but this may limit our ability to help where certain information is needed to undertake a particular activity.


3.6 How we use your information

We may use your information to:

  1. process and deal with any enquiry or application made by you, including any request for information, advice, guidance, advocacy or other service;
  2. process any donation you make, including the administration of payments that you may make to us;
  3. monitor, develop and improve the services that we provide, including our website;
  4. monitor and investigate any suspected breach of the website terms & conditions, members’ forum rules or any suspected unlawful activity;
  5. send you information about us.

Unless it falls within the above, we will always seek your explicit consent before using your information in a way that personally identifies you.

We may use your information in a way that does not personally identify you so as to support the aims, objectives or activities of the organisation. We will not seek your consent to using your information in a way that doesn’t personally identify you, and therefore falls outside of the remit of data protection. For example, we may use your case (but removing any personal information) when compiling a case study to evidence the discrimination that people with criminal records face in a particular area. However, where there is a serious question mark as to whether it would lead to you being personally identified, we will seek your explicit consent beforehand.


3.7 Who we share your information with

We may pass your information outside of UNLOCK in the following circumstances:

  1. where you (or the person to whom the information relates) consent;
  2. where the information is already available to the public from other sources;
  3. where the information is in the form of a summary or collection of information so framed that it is not possible to ascertain from it information relating to any particular person;
  4. when there appears to be a serious risk of harm to you, e.g. a threatened suicide;
  5. to protect others (e.g. information about possible child abuse will be disclosed to the appropriate agency);
  6. to prevent a serious criminal act where others may be endangered (e.g. an act of terrorism).


Other than as set out above, we will not:

  1. provide your information to any third party without your explicit prior consent;
  2. pass your information to third parties for marketing purposes without your consent;
  3. share your information with any government department or agency without your consent.


3.8 The security of your information we store

We endeavour to take all reasonable steps to protect your information.

All the information collected by our website is stored on a secure server. We will not knowingly transfer your information outside of the EEA for any purpose other than in connection with the potential storage of information and systems on servers that may be located elsewhere.

Documents containing personal data (e.g. membership forms, letters) are stored in a room which is locked when unoccupied. UNLOCK operate a ‘clean desk’ policy to ensure that these records are not left unattended in our offices or in areas accessible to members of the public, and only staff who need to use this data have access to it. We do this to protect your personal information.

All other forms of information will be held securely and in confidence at all times. We will take all reasonable steps to protect it from unauthorised disclosure to, or access by, a third party.


3.9 Our website

This section only applies to your use of our website, and should be read alongside the website Terms & Conditions.

If you join as a member through our website, you will be given the option of how you wish to be contacted. If you have consented to being contacted via email, we may in future communicate with you to inform you about our activities and services. You can unsubscribe by emailing christopher.stacey@unlock.org.uk at any time, or by following instructions from within any emails we may send you.

In addition to information given explicitly by you, we also collect information about your visit to our website (for example, the date and time of your visit and the pages that you view). This information is not connected to you personally, and is in aggregate form. This kind of information helps us to understand how our visitors use our site so that future website development can better meet your needs. By using this website, you consent to the processing of statistical (non-personal) information.

Cookies are small pieces of information stored by your browser on your computer's hard drive. We use cookies on our website to allow us to understand who has seen which pages, to determine how frequently particular pages are visited and to determine the most popular areas of our website. Most web browsers automatically accept cookies, though you do not have to. We do not control the use of cookies by third parties. If you wish to disable cookies then you can do so by readjusting your browser settings although please note that by disabling cookies you may not be able to use all features of the website. For more information on cookies and how to disable them, you can consult the information provided by the Interactive Advertising Bureau at www.allaboutcookies.org.


4. Confidentiality


 

4.1 General policy

UNLOCK has a policy of providing confidentiality to those we are in contact with. Members, clients and others regularly entrust us with sensitive personal information in good faith that it will not be shared with others.

To ensure that you can be confident in sharing this information with us, personal information will not be shared externally without your consent.


4.2 Exceptions to confidentiality

Personal information will not normally be passed on to others outside of UNLOCK. However, confidentiality may not be applied in the following circumstances (as was outlined above in ‘Who we share your information with’):

  1. Where you (or the person to whom the information relates) consent
  2. Where the information is already available to the public from other sources
  3. Where the information is in the form of a summary or collection of information so framed that it is not possible to ascertain from it information relating to any particular person
  4. When there appears to be a serious risk of harm to you, e.g. a threatened suicide
  5. To protect others. For example, information about possible child abuse will be disclosed to the appropriate agency.
  6. To prevent a serious criminal act where others may be endangered, e.g. an act of terrorism.


There is no obligation in general for UNLOCK to pass on knowledge of a crime. However, it is a criminal offence to:

  1. deliberately mislead the police;
  2. receive a reward of any kind in return for not notifying the police about a criminal act;
  3. fail to notify the police about an act that could be construed as an act of terrorism;
  4. fail to notify the police about an act that could be construed as drug trafficking;
  5. knowingly take monies from a benefits agency fraudulently.


If a member of UNLOCK staff has to break confidentiality then the person whose personal information it is will be told that this is going to happen verbally if possible, or in writing if suitable. The member of staff will only take this course of action after all attempts to persuade the individual to disclose the information voluntarily have failed. The data controller will be consulted before disclosure. They will be responsible for making the final decision about breaching confidentiality and ensuring that the correct action is taken.


4.3 Confidentiality and UNLOCK’s Information & Advice Service

UNLOCK’s Information & Advice Service (IAS) follows the above policy on confidentiality.

Many of the enquiries that UNLOCK receives relate to an individual’s personal information and circumstances, and in particular their criminal record. As a result, we will always ensure that we obtain your agreement to the sharing of this information before doing so.

All individuals who contact us have the right to decide what information they choose to share with us. However, it may sometimes be necessary for a certain level of information to be disclosed before we are in a position to assist.

You will be sent a copy of any letters, forms, faxes, emails or other communications containing your personal information that have been sent relating to you (removing any third-party details if necessary).

Written permission will be obtained before publishing case studies that personally identify an individual. Alternatively, we may produce anonymous case studies, but in this situation they will be sufficiently disguised so that the individual concerned cannot be identified.


4.4 Confidentiality and UNLOCK’s Advocacy Service

UNLOCK’s Advocacy Service also follows the above policy on confidentiality. 

Advocacy, by its very nature, will usually involve the client sharing a substantial amount of confidential information with the advocate. This is necessary to enable the advocate’s full involvement in supporting the client. 

Any necessary sharing of this information outside UNLOCK’s Advocacy team, however, will be limited in extent and only shared when necessary to either undertake the role of advocate, or to prevent harm to the client or any third party. The nature, extent and circumstances under which information might be shared in these ways will be discussed in detail and agreed with the client at the start of the advocacy relationship.


5. Implementation of this policy



UNLOCK will ensure that all staff, volunteers and trustees are issued with this policy. The policy will also be made available on the UNLOCK website, and provided to individuals on request. A paper copy of these policies can be obtained by sending a self-addressed envelope to the address below. Clients of the Advocacy Service will receive a copy of this policy once their application for advocacy has been approved.

This policy will be reviewed regularly.

If you have any comments or queries in connection with this document, you can contact us using the details below:

By letter:         UNLOCK, National Association of Reformed Offenders, 35a High Street, Snodland, Kent, ME6 5AG
By telephone:  01634 247350
By email:        enquiries@unlock.org.uk








 


© Unlock, 1999 - 2013, Charity No 1079046