top of page

Data Protection

One Big Family

Helping the Homeless




Data Protection Policy


May 2018



Date policy passed by One Big Family - Helping the Homeless

May 2018

Update 1 date


Detail updated section

Update 2 date


Detail updated section

Update 3 date


Detail updated section

Formal policy review date (annual)

May 2019




1.    Aims of this Policy


One Big Family – Helping the Homeless, hereinafter referred to as ‘the Charity’, needs to keep certain information on its trustees, volunteers and service users to carry out its day to day operations, meet its objectives, ensure the Charity and its activities are effective, and comply with legal obligations.

The Charity is committed to ensuring any personal data will be dealt with in line with the 2018 General Data Protection Regulations (GDPR).  To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully. 


The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection requirements and procedures. This document also highlights key data protection procedures within the Charity.  This policy covers all trustees and volunteers, and should be read in conjunction with the Confidentiality and Information Sharing Policy, as well as our privacy notice.



2    Definitions and Guiding Principles


In line with GDPR principles, the Charity will ensure that personal data will:


  • Be processed fairly and lawfully, and in a manner that is transparent

  • Be obtained for specific, explicit and legitimate purposes only

  • Be adequate, relevant but not excessive

  • Be accurate and kept up to date

  • Not be held longer than necessary for the purposes for which the information was processed

  • Be processed in accordance with the rights of data subjects

  • Be subject to appropriate security measures


“Processing” includes: collecting, storing, using, holding, amending and deleting personal data. This includes some paper based personal data as well as that kept on computer.  A “data subject” is the person about whom personal information is processed.


The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. The Charity will seek to abide by this code in relation to all the personal data it processes, i.e.

  • Accountability: those handling personal data follow publicised data principles to help gain public trust and safeguard personal data

  • Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data

  • Consent: The collection and use of personal data must be fair and lawful and in accordance with the GDPR’s data protection principles

  • Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data

  • Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span


Under the GDPR, the Charity must have a lawful basis to collect and process personal information.  Our understanding is that the Charity has a “legitimate interest” to process information about volunteers, trustees and service users, so that we can do our job properly as an organisation.  The charity further deems it is important for us to process some information to help keep people safe.  This is known as “vital interests”.  In certain circumstances, processing information may also be necessary for compliance with a “legal obligation”. 

The needs we have for processing personal data are recorded on the public register maintained by the Information Commissioner.  We notify and renew our notification on an annual basis as the law requires.  If there are any interim changes, these will be notified to the Information Commissioner within 28 days.  The charity is registered as a data controller with the Information Commissioners Office (ICO).



3.    Responsibilities


Under the Data Protection Guardianship Code, overall responsibility for personal data in a not for profit organisation rests with the governing body. In the case of the charity, this is the trustees.


The governing body delegates tasks to the Data Controller. The Data Controller is responsible for:

  • understanding and communicating obligations under the GDPR

  • identifying potential problem areas or risks

  • producing clear and effective procedures

  • notifying and annually renewing notification to the Information Commissioner, plus notifying of any relevant interim changes


All trustees and volunteers who process personal information must ensure they not only understand but also act in line with this policy and the data protection principles.  Breach of this policy will result in disciplinary proceedings, and may result in legal proceedings.



4.    Policy Implementation


To meet our responsibilities, volunteers and trustees will:

  • Ensure any personal data is collected in a fair and lawful way;

  • Explain why it is needed at the start;

  • Ensure that only the minimum amount of information needed is collected and used;

  • Ensure the information used is up to date and accurate;

  • Annually review the length of time information is held;

  • Ensure it is kept safely;

  • Ensure the rights people have in relation to their personal data can be exercised

  • Regularly review and publicise our privacy notice


We will ensure that:

  • Everyone managing and handling personal information is trained to do so;

  • Anyone wanting to make enquiries about handling personal information, whether a trustee, volunteer or service user, knows what to do;

  • Any disclosure of personal data will be in line with our procedures;

  • Personal data will be destroyed within 1 year of cessation of their involvement with the Charity or specific activity, or if a legitimate request is made by the data subject



5.    Training


Training and awareness raising about the GDPR and how it is followed in this organisation will be covered during volunteer inductions and meetings, as well as formal training in data protection for relevant trustees.  We will also make available our privacy notice through emails, referral forms and volunteer agreements, as well as verbally.



6.    Gathering and Checking Information


Before personal information is collected, the charity will consider:


·         Why information is being gathered

·         What details are necessary for our purposes

·         What the information will be used for

·         Who will have access to the information


We will apply a three-part test to processing information; namely, identifying a legitimate interest, showing that the processing is necessary to achieve it, and balancing this interest it against the individual’s interests, rights and freedoms.  We will inform people whose information is processed about their rights to control and protect their information, including verbally, in writing and through our privacy notice on the charity’s website.  Sensitive information will not be used apart from the exact purpose for which permission was given, unless there is an overriding vital interest or legal obligation to do so.



7.    Data Security


The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:

·         Personal data will be stored in a locked filing cabinet at the Charity’s registered address or address of the head of service in London and Yorkshire, accessible only to the trustees

·         If essential for information to be taken off site, personal data will be kept safe by being securely stored in a lockable folder/ bag/ case

·         Any electronic files or email attachments containing sensitive personal information will be password protected

·         Personal information is not to be shared via text message, WhatsApp or other messaging system unless essential to do so.  If it is shared, information must be in an anonymised form that ensures individuals and organisations cannot be identified 


Any unauthorised disclosure of personal data to a third party by a volunteer or trustee may result in disciplinary proceedings, including the termination of the volunteering agreement.  The charity’s trustees are accountable for compliance of this policy.  A trustee could be personally liable for any penalty arising from a breach that they have made.




9. Data Subject Rights


The GDPR provides individuals with a number of rights with regards their personal information.  The Charity respects and will uphold these rights, including:


·         The right to be informed: individuals have the right to be informed about the collection and use of their personal data by the charity

·         The right of access: individuals have the right to request a copy of information the charity holds about them 

·         The right to rectification: individuals have the right to request inaccurate personal data is rectified, or completed if it is incomplete

·         The right to erasure: an individual has a right to request their personal information is erased (‘the right to be forgotten’)

·         The right to restrict processing: individuals may request the restriction or suppression of their personal data.  In this case, the Charity may continue to store the personal data, but not use it

·         The right to object: individuals have the right to object to the processing of their personal data and the charity will stop processing information about them as soon as an objection is received.  This right is absolute in the case of processing information for direct marketing purposes.  The charity will consider guidance within the GDPR when considering other requests (such as whether or not there are compelling legitimate grounds for the processing, which override the individual’s interests, rights and freedoms; or the processing is for the establishment, exercise or defence of legal claims).

  •          Rights in relation to automated decision making and profiling, and to data portability: The charity will respond to such requests in line with GDPR



All trustees, volunteers and service users will be made aware of their rights with regards their personal information via the privacy notice and volunteers and trustees will be briefed on how to handle requests, including the need to escalate requests to trustees as quickly as possible so as to avoid any undue delay. 


All requests will be considered and dealt with swiftly and politely by the charity’s trustees in line with the GDPR.  This will include consideration of the grounds for the request, and time frames for response.  Usually, copies of information will be provided free of charge.  However, if the access request is manifestly unfounded, excessive, or repetitive, the Charity may charge a ‘reasonable fee’, based on the administrative cost of providing the information



10. Review


This policy and our privacy notice will be reviewed at intervals of 1 year or if there are changes to legislation, to ensure it remains up to date and compliant with the law.

bottom of page