One Big Family
Helping the Homeless
Data Protection Policy
Date policy passed by One Big Family - Helping the Homeless
Update 1 date
Detail updated section
Update 2 date
Detail updated section
Update 3 date
Detail updated section
Formal policy review date (annual)
1. Aims of this Policy
One Big Family – Helping the Homeless, hereinafter referred to as ‘the Charity’, needs to keep certain information on its trustees, volunteers and service users to carry out its day-to-day operations, meet its objectives, ensure the Charity and its activities are effective, and comply with legal obligations.
The Charity is committed to ensuring that any personal data will be dealt with in line with the 2018 General Data Protection Regulation (GDPR). To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection requirements and procedures. This document also highlights key data protection procedures within the Charity. This policy covers all trustees and volunteers, and should be read in conjunction with the Confidentiality and Information Sharing Policy, as well as our privacy notice.
2. Definitions and Guiding Principles
In line with GDPR principles, the Charity will ensure that personal data will:
· Be processed fairly and lawfully, and in a manner that is transparent;
· Be obtained for specific, explicit and legitimate purposes only;
· Be adequate and relevant, but not excessive;
· Be accurate and kept up to date;
· Not be held longer than necessary for the purposes for which the information was processed;
· Be processed in accordance with the rights of data subjects;
· Be subject to appropriate security measures.
“Processing” includes: collecting, storing, using, holding, amending and deleting personal data. This includes some paper-based personal data as well as that kept on computer. A “data subject” is the person about whom personal information is processed.
The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. The Charity will seek to abide by this code in relation to all the personal data it processes, namely:
· Accountability: those handling personal data follow publicised data principles to help gain public trust and safeguard personal data;
· Visibility: data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data;
· Consent: the collection and use of personal data must be fair and lawful and in accordance with the GDPR’s data protection principles;
· Access: everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data;
· Stewardship: those collecting personal data have a duty of care to protect this data throughout the data life span.
Under the GDPR, the Charity must have a lawful basis to collect and process personal information. Our understanding is that the Charity has a “legitimate interest” to process information about volunteers, trustees and service users, so that we can do our job properly as an organisation. The Charity further deems it important to process some information to help keep people safe. This is known as “vital interests”. In certain circumstances, processing information may also be necessary for compliance with a “legal obligation”.
The needs we have for processing personal data are recorded on the public register maintained by the Information Commissioner. We notify and renew our notification on an annual basis as the law requires. If there are any interim changes, these will be notified to the Information Commissioner within 28 days. The Charity is registered as a data controller with the Information Commissioner’s Office (ICO).
Under the Data Protection Guardianship Code, overall responsibility for personal data in a not-for-profit organisation rests with the governing body. In the case of the Charity, this is the trustees.
The governing body delegates tasks to the Data Controller. The Data Controller is responsible for:
· understanding and communicating obligations under the GDPR;
· identifying potential problem areas or risks;
· producing clear and effective procedures;
· notifying and annually renewing notification to the Information Commissioner, plus notifying of any relevant interim changes.
All trustees and volunteers who process personal information must ensure they not only understand but also act in line with this policy and the data protection principles. Breach of this policy will result in disciplinary proceedings, and may result in legal proceedings.
4. Policy Implementation
To meet our responsibilities, volunteers and trustees will:
· Ensure any personal data is collected in a fair and lawful way;
· Explain why it is needed at the start;
· Ensure that only the minimum amount of information needed is collected and used;
· Ensure the information used is up to date and accurate;
· Annually review the length of time information is held;
· Ensure it is kept safely;
· Ensure the rights people have in relation to their personal data can be exercised;
· Regularly review and publicise our privacy notice.
We will ensure that:
· Everyone managing and handling personal information is trained to do so;
· Anyone wanting to make enquiries about handling personal information, whether a trustee, volunteer or service user, knows what to do;
· Any disclosure of personal data will be in line with our procedures;
· Personal data will be destroyed within 1 year of the data subject ceasing their involvement with the Charity or the specific activity, or if a legitimate request is made by the data subject.
Training and awareness raising about the GDPR and how it is followed in this organisation will be covered during volunteer inductions and meetings, as well as formal training in data protection for relevant trustees. We will also make available our privacy notice through emails, referral forms and volunteer agreements, as well as verbally.
6. Gathering and Checking Information
Before personal information is collected, the Charity will consider:
· Why information is being gathered
· What details are necessary for our purposes
· What the information will be used for
· Who will have access to the information
We will apply a three-part test to processing information; namely, identifying a legitimate interest, showing that the processing is necessary to achieve it, and balancing this interest against the individual’s interests, rights and freedoms. We will inform people whose information is processed about their rights to control and protect their information, including verbally, in writing and through our privacy notice on the Charity’s website. Sensitive information will not be used apart from the exact purpose for which permission was given, unless there is an overriding vital interest or legal obligation to do so.
7. Data Security
The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:
· Personal data will be stored in a locked filing cabinet at the Charity’s registered address or the address of the head of service in London and Yorkshire, accessible only to the trustees;
· If it is essential for information to be taken off site, personal data will be kept safe by being securely stored in a lockable folder, bag or case;
· Any electronic files or email attachments containing sensitive personal information will be password-protected;
· Personal information is not to be shared via text message, WhatsApp or other messaging system unless it is essential to do so. If it is shared, the information must be in an anonymised form that ensures individuals and organisations cannot be identified.
Any unauthorised disclosure of personal data to a third party by a volunteer or trustee may result in disciplinary proceedings, including the termination of the volunteering agreement. The Charity’s trustees are accountable for compliance with this policy. A trustee could be personally liable for any penalty arising from a breach that they have made.
9. Data Subject Rights
The GDPR provides individuals with a number of rights with regard to their personal information. The Charity respects and will uphold these rights, including:
· The right to be informed: individuals have the right to be informed about the collection and use of their personal data by the Charity;
· The right of access: individuals have the right to request a copy of the information the Charity holds about them;
· The right to rectification: individuals have the right to request that inaccurate personal data is rectified, or completed if it is incomplete;
· The right to erasure: an individual has the right to request that their personal information is erased (‘the right to be forgotten’);
· The right to restrict processing: individuals may request the restriction or suppression of their personal data. In this case, the Charity may continue to store the personal data, but not use it;
· The right to object: individuals have the right to object to the processing of their personal data and the Charity will stop processing information about them as soon as an objection is received. This right is absolute in the case of processing information for direct marketing purposes. The Charity will consider guidance within the GDPR when considering other requests (such as whether or not there are compelling legitimate grounds for the processing which override the individual’s interests, rights and freedoms, or whether the processing is for the establishment, exercise or defence of legal claims);
· Rights in relation to automated decision making and profiling, and to data portability: the Charity will respond to such requests in line with the GDPR.
All trustees, volunteers and service users will be made aware of their rights with regard to their personal information via the privacy notice, and volunteers and trustees will be briefed on how to handle requests, including the need to escalate requests to the trustees as quickly as possible so as to avoid any undue delay.
All requests will be considered and dealt with swiftly and politely by the Charity’s trustees in line with the GDPR. This will include consideration of the grounds for the request and the time frames for response. Usually, copies of information will be provided free of charge. However, if an access request is manifestly unfounded, excessive or repetitive, the Charity may charge a ‘reasonable fee’ based on the administrative cost of providing the information.
This policy and our privacy notice will be reviewed at intervals of 1 year, or sooner if there are changes to legislation, to ensure they remain up to date and compliant with the law.