Data Protection Policy for NYFM and Mediators

1 Overview

1.1 NYFM and the Mediators take the security and privacy of personal data seriously. We need to gather and use information or ‘data’ as part of business of the provision of mediation services. And to manage the relationship with the parties. We intend to comply with our legal obligations under the Data Protection Act 2018 (the ‘2018 Act’) and the EU General Data Protection Regulation (GDPR) about data privacy and security. We have a duty to notify the parties of the Privacy Policy.
1.2 This policy applies to all mediations. Each party invited to a MIAM and in mediation is a ‘data subject’ for the purposes of this policy. Each party should read the Privacy Policy, the Information about Mediation leaflet and agreement to mediate.
1.3 NYFM and each Mediator is a ‘data controller’ for the purposes of personal data. This means that we determine the purpose and means of the processing of personal data.
1.4 This policy explains how NYFM and the Mediators will hold and process data and information; our obligations when obtaining, handling, processing or storing personal data in the course of working for, or on behalf of NYFM and the Mediators.
1.5 This policy does not form part of the contract for mediation services and can be amended by NYFM and the Mediators at any time. It is intended that this policy is fully compliant with the 2018 Act and the GDPR. If any conflict arises between those laws and this policy, NYFM and the Mediators intend to comply with the 2018 Act and the GDPR.

2 Data Protection Principles

2.1 Personal data must be processed in accordance with six ‘Data Protection Principles.’ It must:
be processed fairly, lawfully and transparently;
• be collected and processed only for specified, explicit and legitimate purposes;
• be adequate, relevant and limited to what is necessary for the purposes for which it is processed;
• be accurate and kept up to date. Any inaccurate data must be deleted or rectified without delay;
• not be kept for longer than is necessary for the purposes for which it is processed; and
• be processed securely.
We are accountable for these principles and must be able to show that we are compliant.

3 How we define personal data

3.1 ‘Personal data’ means information which relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information which is likely to come into our possession. It includes any expression of opinion about the person and an indication of the intentions of us or others, in respect of that person. It does not include anonymised data.
3.2 This policy applies to all personal data whether it is stored electronically, on paper or on other materials.
3.3 This personal data might be provided to us by any party party, or someone else (such as a partner/former partner or solicitor), or it could be created by us. It could be provided or created during the referral process or during or after the end of the provision of mediation services.
3.4 We will collect and use the following types of personal data about a party

Contact details and date of birth
Gender;
Bank details
Any other category of personal data required for the provision of mediation services.

4 How we define special categories of personal data

‘Special categories of personal data’ are types of personal data consisting of information about racial or ethnic origin; political opinions; religious or philosophical beliefs; genetic or biometric data; health; sex life and sexual orientation; and any criminal convictions and offences.

We may hold and use any of these special categories of personal data required to provide mediation services in accordance with the law.

5 How we define processing

‘Processing’ means any operation which is performed on personal data such as collection, recording, organisation, structuring or storage; adaption or alteration; retrieval, consultation or use; disclosure by transmission, dissemination or otherwise making available; alignment or combination; and restriction, destruction or erasure. This includes processing personal data which forms part of a filing system and any automated processing.

6 How will we process personal data?

6.1 NYFM and the Mediators will process personal data (including special categories of personal data) in accordance with all obligations under the 2018 Act.

6.2 We will use personal data for:

performing the assessment and contract for mediation services;
complying with any legal obligation; or
if it is necessary for our legitimate interests (or for the legitimate interests of someone else). However, we can only do this if the parties interests and rights do not override ours (or theirs). The parties have the right to challenge our legitimate interests and request that we stop this processing. See details of the party’s rights below.

We can process personal data for these purposes without the knowledge or consent of the party. We will not use personal data for an unrelated purpose without telling the party about it and the legal basis that we intend to rely on for processing it.

If any party chooses not to provide certain personal data then we may not be able to carry out mediation services. It might also stop us from complying with certain legal obligations and duties which we have or to make reasonable adjustments in relation to any disability a party may suffer from.

7 Examples of when we might process personal data

7.1 We must process personal data in various situations during the assessment for and course of the mediation process
to carry out the mediation service and agreement to mediate including where relevant, its termination;
to carry out a disciplinary or grievance investigation or procedure.
to monitor diversity and equal opportunities;
to monitor and protect the security (including network security) of NYFM, any Mediator, a party, other people in the building and others;
to monitor and protect the health and safety of a party, anyone else including other people who work in the building, customers and third parties;
monitoring compliance by a party, us and others with our policies and our contractual obligations;
to comply with employment law, immigration law, health and safety law, tax law and other laws which affect us;
to answer questions from insurers in respect of any relevant insurance policies;
running the mediation service business and planning for the future;
the prevention and detection of fraud or other criminal offences;
to defend NYFM and the Mediators in respect of any investigation or litigation and to comply with any court or tribunal orders for disclosure;
for any other reason which we may notify the parties about from time to time.
7.2 We will only process special categories of personal data (see above) in certain situations in accordance with the law. For example, we can do so if we have explicit consent. If we ask for consent to process a special category of personal data then we must explain the reasons for the request. We must keep in mind such consent can be refused or later withdrawn.
7.3 We do not need consent to process special categories of personal data when we are processing it for the purposes:
where it is necessary to protect a party’s vital interests or those of another person where they are physically or legally incapable of giving consent;
where the party has made the data public;
where processing is necessary for the establishment, exercise or defence of legal claims.
We will not take automated decisions about using personal data or use profiling in relation to the parties.

8 Sharing personal data

8.1 We might share personal data with our regulatory bodies, the Family Mediation Council, Legal Aid Agency, supervisors or our contractors and agents to carry out our obligations under our contract to provide mediation services or for our legitimate interests.
8.2 We require those who share personal data to keep it confidential and secure and to protect it in accordance with the law and our policies. They must be permitted to process data only for the lawful purpose for which it has been shared and in accordance with our instructions.
8.3 We do not send personal data outside the European Economic Area. Should this change we will notify the parties and the protections which will be put in place for the security of data will be explained.

9 How should personal data be processed for NYFM and the Mediators?

9.1 Everyone who works for or on behalf of NYFM has some responsibility for ensuring data is collected, stored and handled appropriately, in line with this policy.
9.2 The Data Protection Manager is Teresa Bennion who is responsible for reviewing this policy and updating the Mediators of NYFM about data protection responsibilities and any risks in relation to the processing of data. The parties must be informed that they should direct any questions in relation to this policy or data protection to this person.
9.3 NYFM and the Mediators should access personal data covered by this policy only if needed for the work done for or on behalf of parties to mediation. The data should be used for the specified lawful purpose for which it was obtained.
9.4 Personal data should not be shared or used informally.
9.5 Personal data must be kept securely and not shared with unauthorised people.
9.6 We should regularly review and update personal data which we must deal with for the provision of mediation services.
9.7 We should not make unnecessary copies of personal data and should keep and dispose of any copies securely
9.8 We shall use strong passwords
9.9 We shall consider anonymising data or using separate keys/codes so that the data subject cannot be identified.
9.10 Personal data should never be transferred outside the European Economic Area except in compliance with the law and authorisation of the Data Protection Manger.
9.11 We shall not leave paper with personal data lying about.
9.12 Any deliberate or negligent breach of this policy by a Mediator may result in disciplinary action being taken. It is a criminal offence to conceal or destroy personal data which is part of a subject access request (see below).

10 How to deal with data breaches

10.1 We have robust measures in place to minimise and prevent data breaches from taking place. Should a breach of personal data occur then we must take notes and keep evidence of that breach. If the breach is likely to result in a risk to the rights and freedoms of individuals, then we must also notify the Information Commissioner’s Office within 72 hours.
10.2 If a party indicates any awareness of a data breach that party must be told to contact the Data Protection Manager immediately and keep any evidence about the breach. Any Mediator who is aware of such an indication form any party must contact the Data Protection Manager immediately.

11 Subject access requests

11.1 Data subjects can make a ‘subject access request’ (SAR) to find out the information we hold about them. This request must be made in writing. If such a request is made we will forward it immediately to the Data Protection Manager who will coordinate a response.
11.2 Any party who wishes to make a SAR about personal data should be informed to make this in writing to the Data Protection Manager. We must respond within one month unless the request is complex or numerous in which case the period in which we must respond can be extended by a further two months.
11.3 There is no fee for making a SAR. However, if such request is manifestly unfounded or excessive we may charge a reasonable administrative fee or refuse to respond to the request.

12 Data subject rights

12.1 To information about what personal data we process, how and on what basis as set out in this policy.
12.2 To access his/her own personal data by way of a subject access request (see above).
12.3 To correct any inaccuracies in personal data. To do this the party must be informed s/he should contact the Mediator assigned or the Data Protection Manager
12.4 To request that we erase personal data if we were not entitled under the law to process it or it is no longer necessary to process it for the purpose it was collected. Any party who makes a request to do so should be informed that s/he should contact, and the mediator must contact the Data Protection Manage
12.5 If a party requests that personal data is corrected or erased or contests the lawfulness of our processing, s/he can apply for its use to be restricted while the application is made. To do so the party should be informed s/he should, and the Mediator must contact the Data Protection Manager.
12.6 To object to data processing when we are relying on a legitimate interest to do so and the party thinks that his/her rights and interests outweigh our own and wishes us to stop.
12.7 To object if we process personal data for the purposes of direct marketing.
12.8 To receive a copy of his/her personal data and to transfer personal data to another data controller. We will not charge for this and will aim to do this within one month.
12.9 With some exceptions, the right not to be subjected to automated decision-making.
12.10 To be notified of a data security breach concerning personal data.
12.11 In most situations we will not rely on consent as a lawful ground to process data. If we do request consent to process personal data for a specific purpose, the parties have the right not to consent or to withdraw consent later. To withdraw consent, the party must be informed s/he should, and the Mediator must contact the Data Protection Manager.
12.12 To complain to the Information Commissioner. You can do this by contacting the Information Commissioner’s Office directly. Full contact details including a helpline number can be found on the Information Commissioner’s Office website (www.ico.org.uk). This website has further information on your rights and our obligations.