Consent for storage & processing of sensitive personal data

Any organization that collects personal information about people is known as a ‘data controller’ and must follow the Data Protection Act 1998 (to be superseded by the General Data Protection Regulations May 2018) . There are strict rules about sharing information which is stored on a computer or in paper files which could identify a person. Money Advice Plus is signed up to Data Protection Act which means that as a general rule we must not share information unless we have permission.

Some of the information that we need to keep on people’s files includes sensitive personal data, including information about health conditions, and other personal information which is relevant to the advice and support services which we provide, and sometimes required by our funders for anonymized reports. We keep this information securely, so that it cannot be accessed by anyone outside Money Advice Plus.
If you have any questions or concerns about the way we keep or use your information, please ask your Money Advice Plus worker. You have a right to see information about you that we hold.

Information about sharing personal data

More information about your circumstances, for example mental health problems or other difficulties can help us to work with you better. If you tell us about specific needs which you have, we will record the information on your file and will check with you how we can tailor our service to accommodate any needs. You can be confident that we will not share this information without explicit consent from you to do so.

Privacy Notice – More information about Data Protection

Data Controller

Money Advice Plus keeps your personal data in our office, and the data controller is Andrea Finch, who can be contacted on 01273 664000.

Client Data

This information applies to any client of Money Advice Plus. Where we have received data relating to an individual who does not become a client (eg a referral where the person referred declines an appointment) we store the data for as long as is required to track the progress of the referral, and provide feedback to the referrer where appropriate. We do not process this data.

Processing Your Data

Personal Data is processed to provide reports to funders on what we are doing. For example, for some projects we are required to say what percentage of our clients are in different age ranges, and what their genders are. We only process this data once it is separated from information which could identify individuals (eg addresses, names etc). If a funder asks us to provide a report that could identify individual clients, then you will be separately notified and we will not share this information without explicit permission.

We also process information for our own internal reports, eg equalities monitoring to check that we are providing a service that is accessible to all sections of our community. We only process this data once it is separated from information which could identify individuals (eg addresses, names etc).

Categories of Data

Much of the data that we hold is necessary in order that we can provide a full comprehensive advice service relevant to the individual circumstances of each client. We need to retain this after the end of our work with an individual, so that we can check the accuracy & quality of advice given, and in case we are contacted with any questions or complaints after the end of our work. This is in line with recommended advice sector best practice.
There is also a small amount of data which we collect and hold solely because we are required to report about it. This data is collected separately on an equal opportunities monitoring form, and clients are given the option to withhold all or any of this information, without it affecting the service that we provide.
Each year we review what categories of data we collect and hold on our database, and check that it is still required for a good reason.

These are the categories of data that we hold on clients:

Anonymising Data

We are mindful that 2 pieces of data that alone do not identify a client may do so when pieced together: eg if a client’s postcode is shared together with details of their medical condition. The data controller checks report formats to ensure that client confidentiality will not be breached by reporting and that data cannot be pieced together in this way.

Sources of Data

Most data is provided directly by clients. Some data is provided at the point of referral by a third party. We ask referrers to satisfy themselves that they have gained consent to share data with us.

Data Transfers

Personal data is never transferred from Money Advice Plus without explicit consent for information sharing from a client, and as is necessary to do work (eg with your permission we might send information required to make a referral to another agency) or in specific circumstances without consent (eg safeguarding: see our confidentiality policy).

Data is never transferred outside the EU.

On occasion we may contract outside agencies to process data on our behalf. We may also share data with our database support service, for the purpose of identifying systemic faults in the database. We follow our confidentiality policy and before data is shared for either of these purposes we must be satisfied that the outside agency has arrangements to securely store the data and dispose of it properly as soon as the work is completed.

Retention of Data

In accordance with recommended advice industry best practice all data is stored for 7 years after the end of our work with a client, except those kept longer: see below.

The following are stored for 14 years:

  • All cases at closure where there has been a complaint, or a case involving significant corrective action
  • During the 7 year storage period, when a client or representative contacts us with a significant question or complaint
  • When cases are identified by casework supervisors as concerning unusual or novel points of law, at the point of closure, or when checking closed files
  • When a client dies and we have been unable to contact any next of kin, and we are left holding a residual estate.

Clients are advised of the storage period and how to access their closed files during that time in the closing letter.

Your Rights

You have a right to withhold data:

When we collect data normally it is required for the provision of good advice, and we tell you if we are asking for monitoring/reporting purposes only. If you can withhold data without it affecting the advice we can give, we will tell you. If by withholding data you limit the service we are able to provide we will also explain how our service is limited, eg if you do not want to tell us your earnings then we will not be able to do a benefits check.

Some data is required so that we can provide a service eg where we are funded to work with people living in Brighton & Hove then we will be required to satisfy ourselves of a client’s address, and we will not be able to provide a service without this information.

Where a client wishes to remain anonymous and/or to not have their personal data stored we will always seek to accommodate this, but it may not always be possible.

You have a right to be forgotten:

When you have agreed to Money Advice Plus storing and processing your data, you can withdraw this consent. You should do this in writing to the data controller. If you withdraw consent then this may affect our ability to continue working with you (see above). We may have to close your case, if it is not already closed. We will keep records of the work we have done, but any identifying data (eg your name and address etc) will be removed from the record. This would mean that after the closure of your case we would be unable to deal with query or complaint about the service or advice that we provided.

You have a right to see all the data about you that we hold

You should request this in writing to the data controller, specifying an address to which we can post the data, or specifying if you require the information emailed in an electronic format. Information will be provided at the latest within one month of receipt. If requests for data are repetitive or otherwise excessive, then we will follow GDPR guidance.

You have a Right to correct data if we have got it wrong

You should address requests for correction to the data controller.

Your Right to Restrict Processing of Personal Data

If you object to our legitimate processing of data, please speak with the data controller. Most of our funding is conditional on our providing reports to the funders, which necessitates the processing of personal data. It is not normally possible for us to continue providing a service to a client who wishes to opt out of data processing.

Your Right to Complain

You have a right to complain. See our complaints procedure for more information.

Responsive website designed & developed by