Data Protection & Information Policy
25 May 2018
The Data Protection Act 1998 (DPA) and the EU General Data Protection Regulation (2018) (GDPR) regulate the way in which certain information about individuals is held and used.
The purpose of this policy is to enable the organisation to:
• ensure users are aware of and comply with the law in respect of the data it holds about individuals;
• ensure information is available to those who need it to fulfil their roles within the organisation;
• be open and honest with individuals whose data is held;
• protect the organisation from the consequences of a breach of its responsibilities;
• maintain confidentiality.
This policy applies to:
• All Officers and Trustees and any persons not directly employed by the organisation who may have legitimate access to data held by the organisation;
• All personal data, sensitive personal data and confidential operational information processed by the organisation pursuant to its general activities.
Use of data and information
• Information held on individuals in relation to grant applications is stored and processed in accordance with our legitimate interest to do so.
• Information held on other individuals (i.e. trustees) is stored and processed in accordance with our legal obligation to do so.
• In any case, information is only to be accessed and used by Officers and Trustees in line with the DPA and GDPR in connection with the execution of their duties.
• The organisation will not hold more personal or sensitive personal data than is needed to fulfil its core objectives and shall obtain consent prior to sharing such data outside of the organisation, other than in the fulfilment of any statutory or regulatory obligations.
• Personal information held (and the categories of personal information) is reviewed on a regular basis to ensure the information held is still relevant to our work and is accurate. If we discover that certain information we are holding is no longer necessary or accurate, we will take reasonable steps to correct or delete this information as may be required. All personal or sensitive personal data covered by this policy will be held for a maximum period of 7 years and thereafter anonymised or securely destroyed.
Security of data
• All Officers and Trustees storing data covered by this policy are responsible for ensuring that all computers and all mobile devices are password protected and/or encrypted.
• Paper records and other non-electronic formats of personal, sensitive or confidential information must be kept securely with appropriate security measures in place and access restricted to appropriate persons only.
• All information covered by this policy should always be encrypted or password protected where possible when in transit.
• All information held by Officers and covered by this policy should be securely backed up on an encrypted device on a regular basis.
Roles and responsibilities
• Under the DPA, the Board of Trustees is responsible for ensuring that the Trust complies with its legal obligations.
• All Officers and Trustees are required to read, understand and accept this policy. All Officers and Trustees shall be responsible for the operational security of the information system they use, whether electronic or paper based.
• The Charity Adviser holds the following responsibilities:
- Briefing the board on Data Protection responsibilities and issues
- Reviewing the Data Protection Policy annually or sooner if required by legislation
- Maintaining the organisation’s notification with the ICO (Ref no Z8218105)
- Ensuring that Data Protection induction and training takes place as appropriate
Access to information
Individuals who have data held about them have the right to see any data that identifies them or is specific to them as an individual. Requests to access data are to be made in writing to the Charity Adviser by the individual concerned or their recognised appointed representative. Prior to providing information, the identity of the individual and their right to be provided with the information will be verified. The required information will be provided in accordance with the requirements of GDPR.
Reporting breaches of the DPA/GDPR
In the event that an Officer or Trustee feels that a breach of the DPA may have occurred, the incident must be reported immediately to the Charity Adviser or the Chairman of Trustees, who will investigate and implement a recovery plan where appropriate and decide on any further action. If a breach is likely to result in a risk to an individual’s information rights and freedoms, we will inform them as soon as possible and may also report it to the ICO.