Derry Well Women

Data Protection Policy

Scope of Policy

This policy relates to all Derry Well Women activities both within Derry Well Women premises and external locations.

Policy Operational Date

This Policy will take effect from 25th April 2018 and will be reviewed annually.

Policy Statement

Derry Well Women regards the lawful and correct treatment of personal information as very important and therefore ensures that personal information is treated lawfully and correctly. To this end Derry Well Women fully endorses and adheres to the Principles of Data Protection, as detailed in the Data Protection Act 1998.

Derry Well Women is committed to:

  • Comply with both the law and good practice
  • Respect individuals’ rights
  • Be open and honest with individuals whose data is held
  • Provide training and support for staff who handle personal data, so that they can act confidently and consistently

Derry Well Women needs to collect and use certain types of information about staff, service users, volunteers and possibly other individuals who are involved with the centre. This personal information must be dealt with properly however it is collected, recorded and used, whether on paper, in a computer, or recorded on other material, and there are safeguards to ensure this in the Data Protection Act 1998 to which there are two elements:

  1. It provides individuals with the right to have access to data held on them
  2. It provides the individual with the right to privacy


The purposes for which Derry Well Women collects data/personal information are as follows:

  • To create a profile of user groups
  • To make returns to funding bodies
  • To provide participant profiles to North West Regional College in relation to courses run in partnership with it
  • To maintain profile databases for VSS and CLEAR
  • To maintain contact databases
  • To conduct research (this is always anonymised)
  • To maintain personnel records
  • To maintain attendance records including Creche Register
  • To conduct staff screening through Access NI
  • To record the attendance and engagement of counselling clients including issues presented and outcomes.
  • Counselling Assessment forms
  • To record accidents and incidents.
  • To record referrals to Social Services, e.g. UNOCINI

Data Protection Principles

The Data Protection Act 1998 only applies to data which is personal, i.e. data which consists of information relating to an identifiable living individual. Obvious examples of where personal data can be found include application forms, enquiry forms, enrolment forms, assessment forms, counsellor’s notes, UNOCINIs, appraisal forms, permission request forms, claim forms, contracts, attendance records, Access NI forms, personnel records, interview records, accident / incident book etc. Less obvious examples include information held about a contract with a sole trader, e.g. facilitator, as information about the business will amount to information about the individual. In most cases personal data will be obvious. However, Derry Well Women Management should be consulted in instances where there is any doubt.

Those who process personal data must comply with the eight enforceable principles of good practice contained in Schedule 1 of the Data Protection Act of 1998.

The Eight Principles dictate that personal information shall be:

  1. Fairly and lawfully processed
  2. Processed for limited purposes
  3. Adequate, relevant and not excessive
  4. Accurate
  5. Not kept longer than necessary and in line with statutory and funder’s requirements when applicable.
  6. Processed in accordance with the data subject’s rights
  7. Secure in a locked fire proof filing cabinet.
  8. Not transferred to countries outside the European Economic Area without adequate protection.

What do these principles mean?

  1. Personal data shall be processed fairly and lawfully

Derry Well Women should only process information where it has the consent of the women. Legitimate purposes include collecting and retaining information about any individual who wishes to participate on a Derry Well Women programme or access a service administered by Derry Well Women.

  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

The individual woman who provides information should know in advance what the information is going to be used for.  It also means that data collected for a specific purpose cannot then be used for some unrelated purpose.  In order to comply with this principle (and the first principle, outlined above) all information-gathering forms should include a Confidentiality Statement, advising the woman why the information is needed and what Derry Well Women intends to do with it.

If there is reason to believe that a woman may not understand this statement, time will be taken to explain the basic principles and give assurance that her personal data will be processed in accordance with the Data Protection Act 1998.

  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Derry Well Women must gather sufficient data in order to do its duties, but this should be restricted to data that is relevant. Data should not be collected just because it may be useful in the future. Rather, the question should be asked: "What is the minimum information that will allow me to fulfil my duties and allow efficient management?"

  4. Personal data shall be accurate and where necessary kept up to date.

Reasonable steps should be taken to ensure compliance with this principle. The holding of records on individuals places Derry Well Women under an obligation to update data as and when it is received. For example, every time a woman provides additional or new information this should be added to this record. Any previous information that is no longer relevant as a result of this new data should be deleted. In addition, if a woman informs us that the data held on her is incorrect, the inaccuracy should be corrected immediately.

  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

To comply with this principle, personal data should be reviewed regularly and information which is no longer required should be deleted.  If personal data has been recorded because of a relationship between Derry Well Women and the woman, the need to keep information should be reconsidered when the relationship ceases to exist.  For example, once a woman has ceased counselling, it becomes necessary to review how long their information should be retained.  The end of the relationship will not necessarily cause Derry Well Women to delete all personal data e.g. it may be necessary in some cases to retain certain information to enable Derry Well Women to defend potential future legal claims.  Unless there is some other reason for keeping it, however, the personal data should be deleted when the possibility of a claim arising no longer exists, i.e. when the relevant statutory time limit has expired.  It is the responsibility of Derry Well Women to determine the appropriate retention periods for documents containing personal information generated by different areas of business within the organisation.

  6. Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998.

The rights provided by the Act include:

  • A right of access to personal data about the individual
  • The right to prevent processing which is likely to cause damage or distress
  • The right to compensation
  • The right to rectify, erase or destroy inaccurate data and expressions of opinion based on inaccurate data
  • The right to request assessment from the Information Commissioner

  7. Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This principle determines that Derry Well Women should ensure the security of data held, both in terms of the staff it employs and the processing of data.  Security covers a number of issues.  Privacy is of paramount importance.  Derry Well Women must adopt a risk-based approach to determining what measures are appropriate in terms of security.  For example, in Derry Well Women, staff must be fully aware of the importance of ensuring that other service users cannot see personal details of other service users on staff’s computer screens and computers are password protected for specific workers, and that manual record forms must be stored securely and never left unattended on desks etc. Staff must be fully aware that client notes are the property of Derry Well Women and must never be taken from the building for any purpose including supervision nor destroyed.

  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of a woman in relation to the processing of personal data.

It is appreciated that this principle will not apply in Derry Well Women, as there are no transfers of information to countries outside the European Economic Area, i.e. the member states of the European Union plus Iceland, Liechtenstein and Norway. Should a situation arise where it is thought information is being transferred outside the European Economic Area, then the Information Commissioner may need to be notified.

Policy Implementation

While the Management Committee of Derry Well Women has overall responsibility for the effective implementation of this policy they delegate implementation to the Manager so that Derry Well Women will, through appropriate management, ensure strict application of criteria and controls:

  • observe fully conditions regarding the fair collection and use of information,
  • meet its legal obligations to specify the purposes for which information is used,
  • collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements,
  • ensure the quality of information used,
  • apply strict checks to determine the length of time information is held,
  • ensure that the rights of people about whom information is held can be fully exercised under the Act. (These include: the right to be informed that processing is being undertaken, the right of access to one’s personal information, the right to prevent processing in certain circumstances and the right to correct, rectify, block or erase information which is regarded as wrong),
  • take appropriate technical and organisational security measures to safeguard personal information,
  • ensure that personal information is not transferred abroad without suitable safeguards,
  • treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information,
  • set out clear procedures for responding to requests for information.

(Appendix 1)

Security and storage


  • Information contained in financial documents will not be released without the necessary approval
  • Financial documents will be held in the office for a period of up to 10 years and destroyed in accordance with the data protection policy.  Derry Well Women shall make sure that all records, financial and otherwise, relating to specific funders are maintained within the funders’ guidelines.  If Derry Well Women ceases to exist all documentation held will be handed over to the relevant funder.
  • All manual files will be kept in locked cabinets within a locked office.
  • All electronic files will be kept on pass-worded computers.


  • Information disclosed during counselling sessions is considered confidential
  • Notes taken on the session (written or recorded), are anonymised and will not directly identify the client by name or in any other way.

Staff must be fully aware that client notes are the property of Derry Well Women and must never be taken from the building for any purpose including supervision nor destroyed.

Protection and Disposal

  • All electronic files will be kept on pass-worded computers.

Access to computer database is password protected

  • Manual data will be disposed of by shredding and computer hard drives will be over written prior to disposal.

Confidentiality: Exemptions

The Rights of Children and Vulnerable Adults

Derry Well Women is bound by the UN Convention on the Rights of the Child and the Children (N.I.) Order 1995, which necessitate that considerations of confidentiality should not be allowed to impinge on the rights of children to be protected from harm.

SEE ALSO:-  Confidentiality Policy, Child Protection Policy and Procedure and Protection from Abuse (Vulnerable Adults) Policy and Procedure.

Any breach of this policy by a staff member will be handled initially under Derry Well Women’s Disciplinary Procedure and if deemed to be deliberate may under the Data Protection Act (1998) create a number of criminal offences.

In addition, Derry Well Women will ensure that:

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 1998.

Appendix (i)

Data Protection Procedure

  • A request for access to data stored by Derry Well Women may initially be verbal but must be in writing before this procedure is acted upon. A standard request form is available on request from a staff member (Appendix 2)
  • The request must be specific to the person.
  • The request must be brought to the attention of the Manager immediately.
  • A written acknowledgement and request for identification will be made available for viewing by the Manager, as soon as possible (Appendix 3)
  • Record actual identification viewed and verification (if applicable) (Appendix 4)

  • Arrange access and relevant support and communicate this in writing to the person.
  • Manager to receive report on the access and any possible implications for the organisation.
  • In carrying out this process it is understood that support will be provided to all parties involved.