CONFIDENTIALITY, DIVERSITY & PRIVACY
At Rahab we operate a strict confidentiality policy to protect people’s right to privacy and relationship of trust with the organisation.
Confidential, person identifiable or sensitive information is not shared without informed consent or legal requirement.
As a registered data controller, we also have a legal duty to protect any person identifiable and sensitive information from unauthorised disclosure.
CONFIDENTIALITY FOR WOMEN (INFORMATION SHARING)
Within the team
Information is shared on a ‘need to know’ basis and in ways that best protect women’s autonomy and trust in Rahab.
Not all information is shared, but only information that is required to deliver support, ensure a woman’s wellbeing, protection and safety.
Members of the team are required to maintain confidentiality during the course of their duties, in their private capacity and when no longer working or volunteering with Rahab.
As part of our working practice
Discussions, conversations and telephone calls concerning the women are not to be carried out where they might be overheard by anyone not bound by the same requirements of confidentiality.
Information and records relating to and/or identifying a woman are kept securely to prevent intentional or accidental viewing e.g.
- Confidential, person identifiable or sensitive material – either on paper or a computer – is not left unattended and/or where it can be seen by unauthorised persons.
- Computers with access to women’s information are switched off or put into password protected mode when not being used.
- Written records are stored in a securely locked cabinet when not attended to.
- Confidential, person identifiable or sensitive information may not be removed from Rahab’s premises without prior knowledge or permission from the organisation.
With a third party
Information about the women may not be shared with a third party / with persons not authorised to receive such information / not bound by the same requirements of confidentiality. This includes information about whether a woman uses our services.
Confidentiality within counselling
Confidentiality within counselling is an essential aspect of the client-counsellor relationship, and Rahab counsellors are bound by professional conduct not to share information with anyone who does not hold confidentiality of the information shared in the counselling sessions.
Within the public domain
Any material identifying the women may not be posted on digital platforms such as social media or used for publicity without informed consent.
Data protection and third-party information
Women have the right, under the Data Protection Act 1998, to access their records at any time. This does not apply however to records passed to Rahab by a third party. These are confidential and permission should be gained from the third party before disclosure.
There are circumstances where we have a legal obligation, or other justifiable reason, to breach confidentiality. Examples include:
- Where ordered to do so by a judge (i.e. a court order).
- Acts which contravene Child Protection legislation.
- Serious risk of harm to self, from others, to others.
- When it is for the benefit of the individual and believed that consent would be given e.g. a medical emergency.
- Where absolutely necessary to maintain the reputation of Rahab.
As an organisation we are ethically accountable for any breach of confidentiality and will always endeavor to act in ways which balance the right to confidentiality against the need to communicate with others.
Decisions about whether to breach confidentiality will never be made by one person in isolation, but discussed with management and, if necessary, further information and advice sought from the Board (and/or externally if needed).
Whenever possible, individuals concerned will be informed in advance of the need to breach confidentiality, or as soon as possible afterwards if prior notification is not possible.
Where information is disclosed without consent, full details of the information disclosed and reasons for disclosure will be recorded.
We are committed to inclusiveness and equality of opportunity, and to maintaining an environment where people from all backgrounds who seek support from us, are employed or volunteer with us*, feel represented and respected, and treated fairly, with dignity and respect.
Any and all forms of discrimination, intimidation, harassment or victimisation against any person due to their protected characteristics under the Equality Act 2010 are not tolerated under any circumstances.
Specifically, no person will be discriminated against or treated less favourably on the grounds of age, disability, gender / gender reassignment, marital status / marriage and civil partnership, pregnancy and maternity, race (including skin colour, nationality, ethnic origin or country or region of origin), religion or beliefs.
* Rahab reserves the right to select women only for roles working directly with the women (exemption under section 7.2e of the Sex Discrimination Act 1975).
Rahab is a registered data controller under the UK Data Protection Act 1998 and committed to ensuring the privacy and security of your personal data. All personal information is held securely and not made available to a third party without consent. This policy explains what personal information we collect about you when you come into contact with our organisation and through your interactions with us. It includes information on why and how we collect your personal data, how it is processed and kept safe, as well as your rights as the ‘data subject’ under applicable data protection law. We hope this policy will provide you with the confidence and assurance that we treat your information with care, and are duty bound by law to protect the confidentiality and security of your personal data at all times.
- Lawful / justified under data protection laws
- Fair and transparent
- Limited for its purpose
- Adequate and necessary
- Accurate and proportional
- Not kept longer than needed
- Integrity and confidentiality
In this policy when we refer to “personal data”, we mean information which could directly identify you (for example, your name or ID number) and information which could indirectly identify you, meaning that it could identify you when combined with other information which we hold about you (for example, your gender or date of birth).
Process or processing
“Process” or “processing” means any conceivable use of personal data, including recording, storing, viewing or disclosing personal data.
The Rahab Project Ltd (company number 6820663) is the data controller of your personal data. Data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Data subject refers to the identifiable natural person whose personal data is processed by the data controller.
We may revise this policy from time to time to reflect changes in our organisation or applicable laws. The revised policy will be effective as of the published date.
If you have any questions about your personal data which are not answered by this policy, please contact our Data Protection Officer by emailing email@example.com.
Why we collect your personal data
We collect your personal data to give you the best possible experience when you interact with our organisation, when it is necessary to provide our services and associated functions, and when it is justified by our legitimate interest or our legal obligations. This covers all channels of communication with us, including over the telephone, email, website, by post and in person.
Legislation that protects you
Your personal data is protected under data protection laws, which require us to maintain at all times all appropriate security measures in relation to how we may collect, record, use, retain, process, store, destroy, share and transfer your personal data, and not knowingly do anything or permit anything to be done which might lead to a breach.
What type of personal data we collect
The data we collect will vary depending on the nature of your engagement with us, for example as a client, employee, volunteer, partner or supporter. It may include the following:
- Name and contact data. We may collect your first and last name, email address, postal address, home address and address history, home and mobile telephone numbers and other similar contact data.
- Demographic data. We may collect data about you such as your age, gender, ethnicity, nationality, country and preferred language.
- Content. We may collect additional personal data about you, your situation and circumstances, personal history, interests, contacts and relationships.
- Data from third party sources. We may obtain information from third party sources such as other agencies, organisations, statutory bodies where permitted by law.
- Other information we may collect relating to your use of our services. We may collect additional information from you when we are in contact with you, and you with us, and keep a record of our interaction and communication.
In most cases, the information described above will be provided to us by you because you want to take up services we offer or engage with us. In these instances, giving information to us is therefore your choice and you consent to our lawful processing of personal data as outlined in this policy.
When you are asked to provide personal data you may decline, however this may limit the services we are able to offer to you. You may also withdraw your consent at any time.
Where information is collected on our behalf by a third party, or when you request us to disclose your personal data to other people or organisations, or otherwise agree to disclosures, you will be asked to consent to this. If you choose not to give your consent, or you later remove your consent, this may limit the services we are able to offer to you.
How we use your personal data – the legal basis and purpose
Data protection laws require that, where we process your personal data, we must satisfy at least one prescribed condition for processing. These are set out in data protection law and we rely on a number of different conditions for the activities we carry out.
To provide the services you request / we offer / fulfill our contractual obligations
We process personal data about you as necessary to provide you with the services you request / we offer / fulfill our contractual obligations. Wherever possible we will tailor services to ensure our engagement with you is relevant, useful and timely, and that you receive a seamless, consistent and personalized experience. This may involve combining data that we collect to help us make informed decisions on the necessary steps to take to be able to provide the best response based on the information we have.
We may use your personal data where the benefit of doing this is not outweighed by your interests or fundamental rights or freedoms as the data subject. The law calls this the ‘legitimate interests’ condition for processing.
Where we rely on the ‘legitimate interests’ condition, or those of other persons and organisations, the reasons for us to do so would include compliance with legal and regulatory requirements, including for activities and associated disclosures relating to the detection, investigation and prevention of crime, good governance, managing and auditing the charity.
To comply with our legal obligations and for the establishment, exercise or defense of legal claims.
Like any organisation, we are required to comply with many laws and regulations. We will, where necessary, use your personal data to the extent required to enable us to comply with these requirements and our legal and regulatory obligations. For example, to meet our data protection obligations to verify your identity and ensure your contact details are correct, to resolve any disputes, for the detection, investigation and prevention of crime, to offer priority service for at risk and vulnerable clients such as those where there is a safeguarding concern.
We may use your personal data to stay in contact with you, for example by telephone, email, website, post and in person. Communication may include providing you with information related to our organisation and services, your use of our services, as part of a joint agreement. On occasion we may send you information or recommendations about other services that could be of interest to you.
You will not be inundated with information. All communication will be carefully screened and selected to match your specific interest and area of engagement with us. Wherever possible we will also personalize our communications with you and contact you by means and at intervals and times agreed with you.
You can manage how we communicate with you or opt out of receiving communications from us at any time by simply contacting us and letting us know.
Evaluation and learning
We may invite you to be involved in / ask for your feedback to help us improve our services. If you accept this invitation we will use the feedback you give us to provide better services and improve our knowledge.
To maintain our records and other administrative functions
Like any organisation, we need to ensure that we maintain comprehensive and up-to-date records of our services and activities. We will therefore process the information you provide for record keeping, updates and general administrative purposes.
Monitoring, reporting and analytical purposes
Your personal data may be converted into anonymized statistical or aggregated data that can’t be used to identify you, and then used for management information and reporting purposes to help us understand how our services are used and continually improve our services.
Complaints and dispute resolution
Whilst we will try and make sure that you are happy with the services we provide, in instances where this is not the case we will use the information we have about you to help us respond as quickly and efficiently as possible to resolve matters for you.
If we use your personal information for any purposes that are not set out in this policy we promise to let you know what we will use it for before we go ahead and use it, and to obtain your consent where appropriate.
How long we keep your personal data for
We will retain your personal data in an identifiable format for as long as is necessary to fulfill the purposes outlined in this policy. This can vary from one data type and piece of information to another, so the amount of time we keep your personal data for can vary significantly.
The criteria we use to determine retention periods include:
- The least amount of time necessary to operate the services we are providing and/or fulfill our legal and regulatory obligations. This is the general rule that establishes the baseline for most data retention periods.
- We may retain personal data for longer periods than is required by law if it is in our legitimate interest and not prohibited by law.
In all cases, our need to use your personal information will be reassessed on a regular basis, and information which is no longer required for any purposes will be disposed of securely.
Who we share your personal data with
Access to your personal data is restricted to those who need to know the information.
- Within the organisation to help manage and provide you with the services you have requested / we offer / to fulfill our legal and regulatory obligations.
- With third parties involved in providing you with the services you have requested / we offer on our behalf and at your direction.
Your personal data may also be shared with third parties (e.g. accessed, transferred, disclosed, preserved):
- For our purposes, for example to support our audit, compliance and corporate governance functions;
- Where it is in our legitimate interest to do so, for example, to manage, grow and develop our organisation;
- To comply with a valid legal process or lawful request, including requests from law enforcement or other government agencies or third parties pursuant to a subpoena, a court order or other legal process or requirement;
- If we believe, in our sole discretion, and have a good faith belief that disclosure is necessary or appropriate to protect your vital interests and/or to protect the security and integrity of our services and operations. This includes for the prevention, investigation and management of suspected or actual risk and other harmful acts, violations or illegal activity.
Any third parties with whom we share your personal data are limited by law and by contract in their ability to use your personal data for the specific purposes identified by us.
Save as expressly detailed above, we will never share, sell or rent any of your personal data to any third party without notifying you and/or obtaining your consent. Where you have given your consent for us to use your personal data in a particular way, but later change your mind, you should contact us and we will stop doing so.
Your rights under applicable data protection law
As a ‘data subject’ you have a number of rights in respect of your personal data. These include:
- The right to decline to provide your personal data when it is requested.
- The right to be informed about our processing of your personal data.
- The right to restrict processing of your personal data.
- The right to have your personal data erased.
- The right to request access to and rectification of your personal data.
- The right to move, copy or transfer your personal data.
- The right to complain to the Information Commissioner’s Office. It has enforcement powers and can investigate compliance with data protection law: www.ico.org.uk/ Helpline 0303 123 1113.
You can exercise these rights at any time by contacting our Data Protection Officer by emailing firstname.lastname@example.org.
Data subject access request
You have the right to find out what information, if any, is held about you. This is known as a data subject access request.
When exercising your right to access a copy of your personal data, please contact us with a description of the information you would like to see. We will provide our response to you without undue delay and within one month of receipt of your request. Please note, however, that in certain circumstances we are not required to provide the information requested. If an exemption applies, we will tell you this when responding to your request.
- We may request that you provide us with information necessary to confirm your identity before responding to any request you make.
- A data subject access request is not designed to deal with general queries that you may have about what information, if any, is held about you. We will aim to respond to general enquiries you have without you having to make a formal data subject access request.
- Where requests are manifestly unfounded or excessive, in particular because they are repetitive, we may charge a reasonable fee, taking into account the administrative costs of providing the information, or refuse to provide the information. Where we refuse a request, we will explain our reasons for the refusal.
How we protect your personal data
We maintain physical, electronic and procedural safeguards designed to provide reasonable protection against loss, misuse, unauthorized access, disclosure and alteration of your personal data. For example, personal data is stored on computer systems that have limited access and authorization controls and are in controlled facilities. Written records are stored securely in locked cabinets to prevent unauthorized access, intentional or accidental viewing. Person identifiable data and/or confidential material – either on paper or a computer – is not left unattended and/or where it can be seen by unauthorized persons. When personal data is destroyed, this is done securely, i.e. paper records shredded and electronic data deleted from systems.
We protect data obtained from third parties according to the practices described in this statement, plus any additional restrictions imposed by the source of the data.