The Health And Wellbeing Trust

Data Protection Policy

Version: September 2023
Notes: To be read in conjunction with Privacy Policy and Data Breach Policy – Updated September 2023
Policy Owner: Project Lead
Review Date: August 2025

Version: September 2025
Notes: As above – updated September 2025
Policy Owner: HWT Chairperson
Review Date: August 2028

Data Protection Officer (DPO): HWT Chairperson

  1. Introduction

The Health and Wellbeing Trust (HWT) is required to hold, maintain and process personal data about:

 

  • Individuals who sign up for HWT’s mailing list/s
  • Individuals and organisations who donate to HWT
  • Individuals who receive education or clinical bursaries from HWT
  • Partner Organisations
  • Organisations that receive commissions or grant funding from HWT
  • Suppliers

for the purposes of satisfying its operational and legal obligations.

HWT has a legal responsibility to safeguard the information utilised by and entrusted to it, and to process it fairly, lawfully and transparently.

This policy describes how HWT mandates the management of information and ensures compliance with the General Data Protection Regulation 2016 and Data Protection Act 2018.

The purpose of this Policy is to ensure HWT's adherence to statutory and legal frameworks relating to personal data including: 

The policy provides a framework to ensure a consistent approach to both compliance and best practice across the organisation. It applies to all HWT staff and contractors.

All staff and contractors must comply with this policy. A breach involving unwarranted disclosure of information may result in disciplinary action or contract termination.

  2. Scope

The scope of the information covered by this policy includes all personal data held by HWT.

  3. Definitions

Personal Data 

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

Data Controller 

Data Controller means the person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. HWT is a data controller, and this policy sets out how it will comply with its responsibilities as such. 

 

Data Processor 

Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of a data controller. Employees and others acting under the direct authority of HWT are not regarded as data processors. 

 

Information Asset

An information asset is a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively, or the hardware, software, system or environment in which that information is stored.

 

Other Terms 

Terms used in this policy which are defined in GDPR or DPA have the same meaning as so defined. 

  4. Duties, Roles and Responsibilities 

HWT Board of Directors /Trustees

  • The HWT Board of Directors/Trustees is the data controller for the purposes of the GDPR and DPA
  • The Board of Directors/Trustees is responsible for ensuring that information within HWT is processed according to statutory requirements. 

HWT Project Team

  • Providing evidence to the Board of Directors that information is processed according to prevailing legislation and regulation
  • Responsibility for overseeing the status of all risk to HWT, including information risks, which are captured in HWT’s Risk Register and reviewed by the Board of Directors at Board meetings
  • Making sure that HWT, or any organisation that is provided with clinical bursary or community project grant funding, follows the 7th Caldicott Principle:

 

‘The duty to share information can be as important as the duty to protect client confidentiality… for the purposes of direct care, relevant personal confidential data should be shared among the registered and regulated health and social care professionals who have a legitimate relationship with the individual…’

Data Protection Officer (DPO)

  • Ensuring all policies linked to data protection are up to date and accessible.
  • Responding to requests about data and data handling, such as Freedom of Information and Subject Access requests.
  • Responding to complaints about information handling and liaising with the Information Commissioner’s Office (ICO).

All Staff (including volunteers) and Contractors

  • All staff (including volunteers) and contractors must understand and carry out their responsibilities and duties towards the lawful use of information and compliance with this policy. 
  • All staff (including volunteers) and contractors have personal responsibility for undertaking training on data protection suitable to the requirements of their individual roles. 

  5. Policy Statement and Provisions 

  • Subject Consent

The need to process data for normal purposes must be communicated to all data subjects. In some cases, if the data is sensitive, for example information about health, race or gender, express consent to process the data must be obtained.

Where processing is required to take place without consent, data subjects will be given clear explanations including confirmation of the legal basis unless GDPR or DPA provides an exemption and there is good and lawful reason to apply that exemption. Where processing is by consent, HWT will ensure that such consent is freely given, specific, informed and unambiguous and obtained via a statement or by a clear affirmative action and in the case of special category data such consent is explicit.

  • GDPR

HWT and its staff (including volunteers) and contractors will at all times comply with the data protection principles set out in Article 5 of the GDPR.

These principles specify (in summary) that personal data must be: 

  • processed lawfully, fairly and in a transparent manner in relation to the data subject;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

  • Data Protection Act and the Caldicott Principles

A fundamental principle of the Data Protection Act 1998 is to use the minimum personal data necessary to satisfy a principle. This is also set out in the Caldicott Principles (familiar to NHS and Social Care organisations) and the GDPR principles.

 

This is supported by both common law confidentiality obligations and the Human Rights Act 1998 which provides a privacy right for individuals.

All processing of personal data must be lawful and comply with any confidentiality principles:

  • HWT will identify the legal bases for processing the personal data it holds.
  • All processing of personal data is kept to the minimum necessary for compliance with HWT’s work and purposes and access to any personal data is restricted to those who need it for their work.
  • Personal data is not informally shared with or disclosed to any third party. Any such sharing or disclosure will be controlled and appropriately authorised, will only be done where it is lawful to do so and notified to data subjects (if consent has not been obtained) unless GDPR or DPA provide an exemption and there is good and lawful reason to apply that exemption. When sharing personal data HWT will comply with the Information Commissioner’s Office (ICO) Data Sharing Code of Practice.
  • Personal data will be kept no longer than is necessary for the purposes for which it is held and the secure destruction of personal data which has passed its retention date is ensured.
  • Where possible without interfering with HWT’s necessary work, or that of any third party with whom data is shared or to whom data is disclosed, any personal data is anonymised or pseudonymised before being used, shared or disclosed.
  • Personal data is kept secure from unauthorised use, access, disclosure or accidental deletion at all times in accordance with HWT guidance on IT Security or physical security guidelines. Personal data stored on paper or other physical media will be kept in a secure place, when not in use, where unauthorised people cannot see it and shredded or otherwise disposed of securely when no longer required.
  • Appropriate ‘safe-haven’ procedures will be maintained for the transmission of personal data (cloud-based client record systems).
  • All staff (including volunteers) and contractors handling personal data understand that they are legally and contractually responsible for following good data protection practice and have appropriate training. This will be included in induction training.
  • Unauthorised copies of personal data are not held or processed.
  • Personal data held is regularly reviewed for adequacy and relevance and to ensure that it is up to date. Where no longer required personal data will be destroyed securely in accordance with retention schedules.
  • Data subjects are given straightforward procedures to enable them to exercise their rights. Subject access requests can be made in writing by emailing: info@healthelearning.online. HWT will have 1 month to respond to your request. If further time is needed, for example if the request is complex, then it may take up to a further 2 months to process the request. HWT will inform you within 1 month if further time is needed, usually via email. A fee may be charged for processing the subject access request. HWT will comply with the Information Commissioner’s Office (ICO) Subject Access Code of Practice.
  • Breaches or suspected breaches of data protection, confidentiality and/ or information security will be reported in accordance with HWT’s Data Breach Policy.
  • Registers of data sharing and data processing agreements with third parties are maintained.
  • Appropriate guidance is available to staff on the steps they must take to comply with this policy.
  • HWT appoints a data protection officer (HWT Project Lead).

Appropriate procedures and guidance for both staff (including volunteers) and contractors and those interacting with HWT are maintained including: 

  • The right to information about the processing of their personal data under Articles 13 and 14 of GDPR in the form of privacy notices on the HWT website and in contracts, and explanations in correspondence where appropriate; 
  • The right of access to their personal data under Article 15 of GDPR; 
  • The rights of rectification, erasure and to restrict processing under Articles 16-18 of GDPR; and
  • The right to object to processing under Article 21 GDPR and to limit automated individual decision making under Article 22. 

 

  • Transfer of Personal Data 

HWT may, from time to time, need to transfer personal data to countries or territories outside of the European Union (EU) in accordance with purposes made known to individual data subjects. For example, publishing the names and contact details of members of staff on a website may constitute a transfer of personal data worldwide.

HWT will ensure that any transfer of personal data outside of the UK is compliant with Articles 44-49 of GDPR. Such transfers will not be made without consultation with HWT’s data protection officer and in the case of confidential data without the approval of the Chair or Project Lead of the organisation.

 

Staff (including volunteers) and contractors must take special care in connection with requests for the transfer of personal data outside the UK. In particular, they should not:

  • disclose personal data requested by non-UK governments, agencies and organisations for the purposes of assessing the names, numbers and whereabouts of foreign nationals studying overseas without the specific and informed consent of the data subjects concerned;
  • disclose personal data requested by non-UK governments for the purpose of determining liability to attend National Service without the specific and informed consent of the data subjects concerned.

 

  • Data Processing Checklist

Before processing any personal data, all HWT staff (including volunteers) and contractors should consider the checklist set out below:

  • Do you really need to record the information?
  • Is the information ‘ordinary’ or is it ‘sensitive’?
  • Does HWT have the data subject’s consent?
  • Are you authorised to collect/store/process the data?
  • Unless the data have been obtained from a reliable source, have you checked with the data subject that the data is accurate?
  • Are you sure that the data are secure?
  • If you do not have the data subject’s consent to process, are you satisfied that it is in the best interests of the learner or the staff member to collect and retain the data?

 

  • Data Security

The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted. All staff (including volunteers) and contractors are responsible for the following:


  • Preventing unauthorised access to personal or sensitive data, whether in paper or electronic form;
  • Ensuring its method of storing personal or sensitive data in any form is secure including the keeping of sensitive data in a secure room or secure lockable storage device and controlling access by personnel to such locations where data is stored;
  • Ensuring the hardware and software used in processing the data is reliable and protected against viruses and other malicious software;
  • Using password protection on computers and central server systems on which data is stored and ensuring that only authorised personnel are given details of the relevant password(s);
  • Preventing computer screens from being overlooked by unauthorised persons;
  • Ensuring that all individuals who have access to the data are reliable and fully understand the Data Protection Policy;
  • Putting in place methods for detecting and dealing with breaches of security including the ability to identify which individuals have worked with specific data and having a proper procedure in place for investigating and remedying breaches of data protection procedures;
  • Having a secure procedure for backing up and storing back-ups separately from originals; and
  • Having a secure method of disposal for back-ups, disks and printouts.

 

No member of HWT staff may, without the formal authorisation of the Data Protection Officer (DPO):

 

  • Develop a new computer system for processing personal data;
  • Process any personal data without first considering the Data Processing Checklist set out above;
  • Use an existing computer system to process personal data for a new purpose;
  • Create a new manual filing system containing personal data;
  • Use an existing manual filing system containing personal data for a new purpose.

 

Note: The DPO is the HWT Project Lead

 

Staff (including volunteers) and contractors should make reasonable efforts to ensure that all personal information is kept securely but should pay particular attention to the security of sensitive data. All personal data should be accessible only by those who need to use it and sensitive data must be:

 

  • Kept in a lockable room with controlled access, or
  • Kept in a locked filing cabinet, or
  • Kept in a locked drawer, or
  • If computerised, password protected

 

  • Data Retention

HWT will retain some items of information for longer periods than others in order to comply with statutory time limits, e.g.,

 

  • Individuals who sign up for the HWT’s mailing list (unlimited – unless they unsubscribe)
  • Individuals and organisations who donate to HWT (7 years)
  • Individuals who receive education or clinical bursaries from HWT (7 years)
  • Partner Organisations
  • Organisations that receive commissions or grant funding from HWT (7 years)
  • Staff and Volunteers (see note below)
  • Suppliers / Contractors (7 years)

Notes:

  i) Staff and volunteers – HWT will keep more detailed information such as address, relevant financial and professional details relating to its staff members or contractors for a maximum of 3 years from the end of their employment. Those individuals who were unsuccessful when applying for employment with HWT will have their information kept for 6 months, subject to any changes in existing legislation. Other information relating to Income Tax, Maternity Pay etc. will be retained for the statutory time limits.
  ii) Financial records will be held for 7 years.

  • Learner Obligations

Learners have access to the Privacy Policy on our website, which outlines the information that HWT will collect, use and retain about them, and those to whom such information will be disclosed.

 

They must ensure that all personal data provided to HWT is accurate and up to date. They must ensure that any changes, of address for example, are notified to HWT. HWT cannot be held accountable for errors arising from changes about which it has not been informed.

 

  • Bursary Applicants’ Obligations

Bursary applicants have access to the Privacy Policy on our website, which outlines the information that HWT will collect, use and retain about them, and those to whom such information will be disclosed.

 

They must ensure that all personal data provided to HWT is accurate and up to date. They must ensure that any changes, of address for example, are notified to HWT. HWT cannot be held accountable for errors arising from changes about which it has not been informed.

 

  • Personal Data – Subject Entitlement

All individuals who are the subject of personal data held by HWT are entitled to:

 

  • Ask what information HWT holds about them and why;
  • Ask how to gain access to it;
  • Be informed how to keep it up to date; and
  • Be informed what HWT is doing to comply with its obligations under the Data Protection Act 2018

 

This applies to data held electronically and to manual records that are held in a relevant filing system. Any individual who wishes to exercise this right should make the request in writing to: info@healthelearning.online, who will pass it on to the Data Protection Officer. The requested information will be provided within one month of receipt of the completed form, unless there is sufficient reason for delay. The right of access applies to all individuals: HWT staff, Board members, and any other individual for whom HWT holds personal data.

 

Certain information (for example confidential references given by a third party) will not be disclosed to staff without obtaining the referee’s consent to disclose the information.

 

  • Publication of Organisational Information

Any individual member of staff who has good reason for wishing any personal details to remain confidential should contact the Data Protection Officer.

 

  • Emails

It is recognised that email is used for communications and that, as such, emails should form part of HWT’s records.

 

All staff / contractors need to be aware that:  

 

  • The Data Protection Act 1998 applies to emails which contain personal data about individuals and which are sent or received by members of HWT; and
  • Subject to certain exceptions, individual data subjects will be entitled to make a data subject access request and have access to emails which contain personal data concerning them, provided that the individual data subject can provide sufficient information for the organisation to locate the personal data in the emails.