Data protection and confidentiality policy

Reviewed and updated February 2018

To be reviewed annually. Next review scheduled: Feb 2019.

Policy Statement

ESC is committed to ensuring that any personal and confidential data stored and utilised by our staff in the course of their work is handled appropriately and securely and is not shared without consent or where the organisation has a legal obligation to disclose personal data held by us. We will ensure that where we engage a third party to process data on our behalf that they operate within the requirements of the General Data Protection Regulations (as amended) .

We recognise that whilst the liabilities under the GDPR rests with our Directors all staff and volunteers have responsibilities to ensure that our systems and processes are robust. To this end we will ensure that training briefings and awareness will form part of our induction processes and that the issue is regularly reviewed and discussed. This will ensure that we have a good organisational knowledge of what data protection is and why it’s important.


Data protection is a statutory requirement. This means that all staff must make sure they read and understand this policy. It is very important that data is kept securely, used appropriately and only ever shared with consent.

The data protection checklist must be completed at the start of every project to ensure that data is collected, held and processed in a confidential and secure way.

Here are some examples which illustrate the type of personal and confidential data that is used and held by ESC:

  • Householder data held for home insulation scheme works.
  • Householder data held for case work and energy advice, including health and finance.
  • Personal data held for community-based projects.
  • Personal and confidential data held for analysis in research projects.
  • HR and finance information.

GDPR Principles

ESC has adopted the GDPR Principles to ensure that we are following best practice in how we use our client’s data. The principles are:

  1. The right to be informed
  2. the right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. The right not to be subject to automated decision making including profiling

Monitoring and Reporting

ESC keeps a database of anonymous statistical information for funding and reporting purposes, which will be kept secure, using the appropriate passwords/permissions, and will only be shared between staff as appropriate under the guiding principle of this policy.

Data protection procedure

  • A checklist is used for each new project during the setup stage to ensure that any data collected, stored or used during the course of the work is managed in line with these principles (see annex).
  • We use standard clauses in our contracts to ensure that appropriate data protection responsibilities and practices are clearly established requirements for members of staff and our sub-contractors.
  • Personal data on staff held internally for employment management purposes is password protected with limited to HR staff.

Data storage

  • Data should be kept for no longer than required. Unless there is a special reason, data should be securely deleted once it is no longer needed.
  • Data should be held securely. The ‘Checklist for New Projects’ should be completed at the start of each project to decide on the level of security needed e.g. how is data held electronically kept safe?

Consent to hold and share data

  • Consent must be freely given, specific, informed and unambiguous. Participants must give ‘opt in’ consent for their data to be stored or shared with a third party.
  • There must be a simple way for people to withdraw their consent.

Subject Access Requests

Clients have the right to request to see the information we hold about them and to request that their data is deleted. It lies with the Data Protection Officer to process their request. The Data Protection Officer has a month to respond to the request. If a request is refused then the individual must be told within a month why and that they have the right to complain to a supervisory authority for judicial remedy. Any information provided as part of a Subject Access Request will be made available in a single readable form.

Portability requests

We recognise that Data subjects may request that their data is provided to another named organisation. We will respond in a timely manner to any requests we receive or advise the Data subject about any issues which may cause a delay.


Annex: Definitions

Personal data

Personal data that is not needed should not be collected. Personal data that is collected should have explicit consent from the individual to be used for the purposes for which is it collected.

Sensitive personal data 

Sensitive personal data means personal data consisting of information as to –

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c ) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.