FAQ


Answer:
A Data Protection Officer (DPO) is a named individual who is responsible for supporting an organisation to comply with data protection regulations. It is unlikely a small VCS organisation will be statutorily required to appoint a DPO but it may be good practice, especially for organisations who process special category data.
Answer:

The first step is to carry out an information audit to find out what personal data your organisation holds and where it is. You should then know:

  • What kind of data do you process? For example do you process special category data that requires a high level of security?
  • Who processes that data? Who within your organisation processes and has access to data? Are they aware of their responsibilities? Do they need training?
  • How do you keep data safe? What systems do you use? If you keep information internally, is the information kept somewhere secure? If you use electronic systems, what are their security arrangements?
  • How do you process consent? Are people aware of what information you collect about them, and do they give their consent for you to do this?
  • Why are you collecting that data? What is the purpose for collection? If this is understood then it will be possible to identify the lawful basis for collecting data. This may require the consideration of a legitimate interests assessment.
Answer:
This is a process which helps organisations assess if their data processing meets the legitimate interests of their organisation whilst also balancing the rights of individuals. More information about legitimate interests assessments can be found here.
Answer:

A personal data breach refers to a breach of security that has led to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Example: A list of client details is accidentally attached to an email.

An organisation needs to have processes in place that tell individuals what to do in the case of a personal data breach. This will depend on the severity of the breach and the kind of personal data that has been involved.

In the event of a data breach an organisation is required to assess the severity of the breach. The main concern is to assess the potential for any negative consequences that could happen for an individual as a result of the breach. This assessment should also take into consideration whether any special category data was involved in the breach. If a decision is made not to report the breach then this decision must be justifiable and documented.

If the organisation determines that the breach could cause potential negative consequences, then there are two actions it must take:

  • Report the breach to the ICO within 72 hours of its occurrence.
  • Inform individuals involved that their data has been compromised.

Failure to report a breach can result in a fine of up to £8.7 million or 2 per cent of the organisation’s global turnover.

Answer:

There are certain documents that every organisation which is processing personal data will need. These documents support good practice in data protection, enable organisations to meet their legal requirements, and enable organisations to demonstrate how they are complying with the law. A checklist is provided at the bottom of this resource.

Privacy notice: A privacy notice is a legal requirement. It is a publicly facing document which outlines the ways in which an organisation collects, uses, and protects personal data. It gives individuals the information they need in order to be confident that their data is secure and to be able to access and exercise control over their personal data.

Data protection policy: This is an internally facing document which outlines the processes the organisation employs to ensure data is safe and that they comply with the law. It will document the lawful basis for data processing.

Consent: An organisation needs to document how it obtains consent from individuals and keep a record of that consent.

Roles and responsibilities: An organisation needs to document that it knows who is processing data and the levels of responsibility involved, such as whether it has appointed a DPO.

Processing activities: Organisations processing special category data or large volumes will need to have a record of processing activities including categories of data processed, purposes of processing, legal bases for processing, data sharing arrangements, data retention periods and security measures.

Answer:

Equality, equity, diversity and inclusion (often shortened to EEDI) is the term used for policies and practices to ensure fair treatment and opportunity. The terms around EEDI are used in slightly different ways depending on context, but when putting together a policy these definitions are helpful to consider:

Equality means ensuring that people have equal opportunities. Organisations should ensure that people are treated fairly and are not treated less favourably because of their protected characteristics.

Equity means ensuring people are not unfairly prevented from accessing resources or opportunities, and also that others do not benefit from unfair advantages. For example, an equitable approach to project planning would consider what changes might be needed to help people get equal outcomes from a project, service or process, which might mean providing different opening hours, facilities or support for key groups of clients.

Diversity is about recognising and respecting differences. This can mean working with and including people with different protected characteristics, but can cover other factors like class background, nationality and working style. A diverse environment is one with a wide range of backgrounds, life experiences and mindsets.

Inclusion means creating an environment where everyone feels welcome and valued. An inclusive environment can only be created once issues of bias, prejudice and inequality are identified and actively challenged.

Answer:

In the UK, the primary legal obligations around equality, diversity, and inclusion are set out in the Equality Act 2010. This Act brings together elements of equalities law that were previously addressed by separate legislation. It prohibits discrimination based on nine protected characteristics:

  • Age.
  • Disability.
  • Gender reassignment.
  • Marriage and civil partnership.
  • Pregnancy and maternity.
  • Race.
  • Religion or belief.
  • Sex.
  • Sexual orientation.

The Act requires organisations, in their role as both employers and service providers, to treat everyone equally and take steps to prevent discrimination against any of these characteristics. The Equality and Human Rights Commission (EHRC) is responsible for upholding the Equality Act and investigating complaints of discrimination.

Answer:

People will have overlapping identities and may be at risk of experiencing discrimination under more than one of the nine characteristics and across different contexts. Taking an intersectional approach means considering situations where multiple forms of discrimination may compound inequalities and create unique barriers that might be overlooked if we assess each characteristic in isolation.

Exceptions for charities

Charities are not exempt from the Equality Act, but are allowed to restrict their services to people with a particular protected characteristic if it is included in their governing document, and either

  • it is objectively justified, or
  • it is done to prevent or compensate for disadvantage linked to the protected characteristic.

The Equality Act includes additional exemptions for all organisations, including occupational requirements that may allow you to limit roles to people with specific protected characteristics. It also allows certain forms of positive action to address underrepresentation and disadvantage.

Answer:

Organisations must follow equalities law, both as employers and as providers of services. Whilst there is no legal requirement to have an EEDI policy, laying out your organisational commitments, priorities and processes in a specific document is definitely good practice.

Discussing and agreeing your approach to EEDI helps show that you understand and are committed to following equalities law. Current and potential staff, volunteers, trustees and organisational members will want to know that you are compliant with the law, as will service users, partners and funders.

Having an EEDI policy shows that you have considered the ways in which issues around equality, equity, diversity and inclusion may apply to your particular client group and team, and lets people know what to do if they have experienced, witnessed, or are concerned about discrimination or unfair treatment in your organisation.

If properly implemented and regularly reviewed, your EEDI policy can be one of the elements that helps to make your organisation a safe, accessible, positive space for everyone.

Key terms to understand from the Equality Act 2010

Direct discrimination: Treating someone less favourably than another due to a protected characteristic.

Indirect discrimination: Applying a policy or practice that appears neutral but disadvantages people with a protected characteristic. 

Positive action: Taking steps to encourage applications or participation from underrepresented groups, as long as it doesn’t involve discriminating against others. 

Duty to make reasonable adjustments: Employers and service providers must make reasonable changes to accommodate disabled employees, clients and members of the public.

Reasonable adjustments can be for physical or mental health conditions. The duty to make adjustments is owed to all disabled employees and all disabled people who want to access your services. It applies regardless of whether the organisation is aware that someone is disabled.

The legal duty is ‘anticipatory’, which means you must think in advance (and on an ongoing basis) about what disabled people with a range of impairments might reasonably need, such as people who have a visual impairment, a hearing impairment, a mobility impairment, or a learning disability.

Victimisation: Taking action against someone because they have raised a complaint about discrimination. 

Answer:

Your board is ultimately responsible for setting the direction and overarching strategic commitments to equalities, diversity and inclusion in your organisation. Creating a safe and inclusive environment for service users, volunteers, staff and other visitors will require involvement and commitment from everyone. Every organisation is different and will have different concerns, biases or priorities that need discussion and action as part of your EEDI policy. Creating and/or updating your policy should be a collaborative process. Take time to talk to the people you work with, do research, and understand any equalities data you may have collected. Think about who you want to reach with your work, as well as what sort of environment you want to create for staff and volunteers.

Equalities, diversity and inclusion will affect many areas of your work, so you should make sure that your EEDI policy links to other policies and procedures. Examples of these are Recruitment, Data Protection, Bullying and Harassment and/or Code of Conduct.

As well as these policy commitments, consider how your organisation and its leadership will:

  • Model inclusive behaviours.
  • Actively challenge discrimination and injustice.
  • Ensure there are resources and commitments in place to support effective action.
  • Establish and use effective processes for addressing discrimination.
  • Make an action plan including what steps will be taken to make sure the policy is put into everyday practice.
  • Communicate your organisation’s approach to EEDI and the steps you are taking to make sure your workplace and service are accessible and welcoming to all.
  • Commit to building an equitable organisational culture.