Data Protection in line with GDPR regulations
Yorkshire Children’s Trust needs to keep certain information on its employees, volunteers, donors, service users and trustees to carry out its day to day operations, to meet its objectives and to comply with legal obligations.
The organisation is committed to ensuring any personal data will be dealt with in line with the GDPR. To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within the organisation.
This policy covers employees, volunteers, donors, service users and trustees.
- Charity means Yorkshire Children’s Trust, a registered charity.
- Data Controller means Yorkshire Children’s Trust
- GDPR means the General Data Protection Regulation.
- Responsible Person means Simon Widdop
- Register of Systems means a register of all systems or contexts in which personal data is processed by the Charity.
- Processing means obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper based personal data as well as that kept on computer.
Data protection principles
The Charity is committed to processing data in accordance with its responsibilities under the GDPR.
Article 5 of the GDPR requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
This policy applies to all personal data processed by the Charity.
- The Responsible Person shall take responsibility for the Charity’s ongoing compliance with this policy.
- This policy shall be reviewed at least annually.
- The Charity shall register with the Information Commissioner’s Office as an organisation that processes personal data.
Lawful, fair and transparent processing
- To ensure its processing of data is lawful, fair and transparent, the Charity shall maintain a Register of Systems.
- The Register of Systems shall be reviewed at least annually.
- Individuals have the right to access their personal data and any such requests made to the charity shall be dealt with in a timely manner.
All data processed by the charity must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information).
- The Charity shall note the appropriate lawful basis in the Register of Systems.
- Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
- Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the Charity’s systems.
The Charity shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
The Charity shall take reasonable steps to ensure personal data is accurate.
- Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
Archiving / removal
- To ensure that personal data is kept for no longer than necessary, the Charity shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
- The archiving policy shall consider what data should/must be retained, for how long, and why.
- The Charity shall ensure that personal data is stored securely using modern software that is kept-up-to-date.
- Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
- When personal data is deleted this should be done safely such that the data is irrecoverable.
- Appropriate back-up and disaster recovery solutions shall be in place.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Charity shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO (more information on the ICO website).
The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. The organisation will seek to abide by this code in relation to all the personal data it processes, i.e.:
- Accountability: those handling personal data follow publicised data principles to help gain public trust and safeguard personal data.
- Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.
- Consent: The collection and use of personal data must be fair and lawful and in accordance with the GDPR’s six data protection principles. Personal data should only be used for the purposes agreed by the data subject. If personal data is to be shared with a third party or used for another purpose, the data subject’s consent should be explicitly obtained.
- Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data.
Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span.
Description of processing
The following is a broad description of the way the Charity processes personal information. To understand how your own personal information is processed you may need to refer to any personal communications you have received, check any privacy notices the organisation has provided or contact the organisation to ask about your personal circumstances.
Reasons for processing information
We process personal information to enable us to provide a voluntary service for the benefit of the public in a particular geographical area as specified in our constitution; administer membership records; to fundraise and promote the interests of the charity; manage our employees and volunteers; maintain our own accounts and records.
Type of information processed
We process information relevant to the above reasons/purposes. This may include:
- personal details
- family detail
- lifestyle and social circumstances
- membership details
- goods and services
- financial details
- education and employment details
We also process sensitive classes of information that may include:
- physical or mental health details
- racial or ethnic origin
- religious or other beliefs of a similar nature
Who the information is processed about
We process personal information about:
- service users
- staff, volunteers
- complainants, supporters
- advisers and representatives of other organisations
Who the information may be shared with
We sometimes need to share the personal information we process with the individual themselves and also with other organisations. Where this is necessary we are required to comply with all aspects of the GDPR. What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.
Where necessary or required we share information with:
- family, associates or representatives of the person whose personal data we are processing
- current, past and prospective employers
- healthcare, social and welfare organisations
- educators and examining bodies
- financial organisations
- employment and recruitment agencies
- business associates and professional advisers
- providers of goods and services
- local and central government
- other voluntary and charitable organisations
Providing financial services and advice
Personal information is also processed in order to provide financial services and advice. For this reason, the information processed may include name, contact details, family details, lifestyle and social circumstances, financial details, goods and services and sensitive classes of information that may include physical or mental health details. This information may be about clients, family and associates of clients, suppliers and enquirers. Where necessary or required this information is shared with the data subjects themselves, professional advisers and consultants, services providers.
CCTV for crime prevention
CCTV is used for maintaining the security of property and premises and for preventing and investigating crime, it may also be used to monitor staff when carrying out work duties. For these reasons the information processed may include visual images, personal appearance and behaviours. This information may be about staff, customers and clients, offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance. Where necessary or required this information is shared with the data subjects themselves, employees and agents, services providers, police forces, security organisations and persons making an enquiry.
It may sometimes be necessary to transfer personal information overseas. When this is needed any data transferred will be in full compliance with all aspects of the GDPR.
How information is kept
Personal information is kept in paper based format in locked cabinets and password protected digital systems.
The needs we have for processing personal data are recorded on the public register maintained by the Information Commissioner. We notify and renew our notification on an annual basis as the law requires.
If there are any interim changes, these will be notified to the Information Commissioner within 28 days.
The name of the Data Controller as specified in our notification to the Information Commissioner is Yorkshire Children’s Trust.
Under the Data Protection Guardianship Code, overall responsibility for personal data in a not for profit organisation rests with the governing body. In the case of Yorkshire Children’s Trust, this is the Charity Commission.
The governing body delegates tasks to the Data Controller. The Data Controller is responsible for:
- understanding and communicating obligations under the GDPR
- identifying potential problem areas or risks
- producing clear and effective procedures
- notifying and annually renewing notification to the
- Information Commissioner, plus notifying of any relevant interim changes
All employed staff, trustees and volunteers who process personal information must ensure they not only understand but also act in line with this policy and the data protection principles.
Breach of this policy will result in appropriate disciplinary action.
To meet our responsibilities staff, volunteers and trustees will:
- Ensure any personal data is collected in a fair and lawful way;
- Explain why it is needed at the start;
- Ensure that only the minimum amount of information needed is collected and used;
- Ensure the information used is up to date and accurate;
- Review the length of time information is held;
- Ensure it is kept safely;
- Ensure the rights people have in relation to their personal data can be exercised
We will ensure that:
- Everyone managing and handling personal information is trained to do so.
- Anyone wanting to make enquiries about handling personal information, whether a member of staff, volunteer or service user, knows what to do;
- Any disclosure of personal data will be in line with our procedures.
- Queries about handling personal information will be dealt with swiftly and politely.
Training and awareness raising about the GDPR and how it is followed in this organisation will take the following forms:
- Hardcopy of the Data Protection Policy will be provided along with information on maintaining data security
General training/awareness raising:
- Regular refresher sessions on data security
- Periodic notices to change passwords
Gathering and Checking Information
Before personal information is collected, we will consider:
Whether the information to be collected is fit for purpose
Whether the information to be collected can be stored securely
We will inform people whose information is gathered about the following:
- What information we require
- What their information will be used for
- How their information will be stored
- Who will have access to their information
We will take the following measures to ensure that personal information kept is accurate:
- We will require a signature from the provider of collected information to certify that the information provided is true and accurate
- Certain details, such as disabilities in the case of a grant request, will need to be confirmed by a third party
- Hardcopies of provided information will be kept in a secured location
- Information obtained as physical copies to be transferred to digital format will be entered into our system with the utmost care
Personal sensitive information will not be used apart from the exact purpose for which permission was given.
The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:
- All hardcopies will be stored in locked cabinets on our premises
- Only authorised persons will be issued keys to filing cabinets
- No hardcopies of information will leave our premises unless absolutely necessary
- Hardcopies must be transported in a lockable bag or case
- Digital data must be on a password protected laptop or digital drive
- Either must be kept out of sight in the locked boot of a car and never left unattended, certainly not over night
- Misprints, surplus duplicates and outdated documents containing sensitive information will be securely destroyed in a timely manner
- No sensitive documents are to be left at the printer or scanner bed
- Digitally stored information will be password protected
- Only authorised persons will be issued with personal passwords to access digitally stored information
- All business emails are to be sent to and from official email accounts and never through personal email accounts
- Confidential documents sent via email are to be password protected and the password sent separately
- PC workstations with access to the database will be locked when the operator is not at their desk, even for short periods
- Desk drawers containing sensitive data will be locked when the worker is not at their desk, even for short periods
- Charity workers will follow a ‘Clear Desk Policy’, meaning that no sensitive information will be left unsecured and unattended at a desk
- Implementation of PCI compliance policy and procedure
Any unauthorised disclosure of personal data to a third party by an employee, volunteer or trustee will result in appropriate disciplinary action up to and including immediate dismissal.
Subject Access Requests
Anyone whose personal information we process has the right to know:
- What information we hold and process on them
- How to gain access to this information
- How to keep it up to date
- What we are doing to comply with the GDPR.
They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.
Individuals have a right under the Act to access certain personal data being kept about them on computer and certain files, this is known as a Subject Access Request. Any person wishing to exercise this right should apply in writing to Yorkshire Children’s Trust. To ensure compliance we will need an SAR form to be completed.
The following information will be required before access is granted:
- Proof of ID; we will require the following forms of ID to process a request:
- Photo ID, such as a passport or driving licence
- Utility bill, which must state the name and address you have provided
- Written request; a Data Protection Subject Access request must be made in writing to be valid. The request can be submitted via:
- Email to:firstname.lastname@example.org
- Post to: Yorkshire Children’s Trust, Horley Green Works, Horley Green Road, Halifax, HX3 6AS
Queries about handling personal information will be dealt with swiftly and politely. Information in regards to client sessions may not be shared if the child is Gillick Competent and they refuse to share such information or if such a request would require a court order. Should a court order be required, the charity will comply directly with any court instructions.
We will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within the 30 days required by the GDPR from receiving the written request.
This policy, as well as PCI compliance, will be reviewed at the Annual General Meeting to ensure it remains up to date and compliant with the law.