The purpose of this policy is to enable the Ottery Feoffee Charity to comply with the law (the DPR and DPA 2018) in respect of the data it holds about individuals.
The Ottery Feoffee Charity will ensure that the information the charity holds about its residents, beneficiaries, employees etc. is used in accordance with the law. The charity will only collect and use personal data in compliance with this policy and the rules set out below.
The charity will:
This policy applies to all the information that we control and process relating to identifiable, living individuals, including contact details, test and exam results, bank details, photographs, audio and digital recordings.
The Ottery Feoffee Charity will comply with General Data Protection Regulations 2018 as follows:
In addition, when collecting personal data, the charity will only collect those details which are necessary for the purposes for which that personal data is being obtained. Any use of personal data will be for the identified purposes and any different or new purposes will have a lawful basis. Personal data that is not necessary for any legitimate business purpose will not be collected or accessed.
Ottery Feoffee Charity has identified that the charity has a legitimate interest in keeping personal data about residents as trustees must be satisfied that each resident qualifies as a beneficiary of the charity in accordance with the Governing Document dated [ ]
The Charity considers the processing and storing of such personal data is necessary to comply with the Governing Document. All personal data, including details of residents’ next of kin, will be stored securely: data on computer will be password protected and paper copies of data will be kept in a locked filing cabinet. Only authorised members of staff and trustees will have access to personal data.
Privacy Impact Assessment and Privacy by Design
The trustees consider that the use of personal data is unlikely to result in significant risks for the rights and freedoms of individuals and therefore a Privacy Impact Assessment is not necessary. The Charity will ensure that systems, databases and tools that collect and use personal data are designed to promote privacy protection.
Ensuring data quality
Processing inaccurate information can be harmful to individuals and the Charity. The main way of ensuring that personal data is kept accurate and up to date is by ensuring that the sources the charity uses to obtain personal data are reliable. Individuals will be actively encouraged to inform the Charity should their personal data change.
To ensure that personal data is accurate, it will generally be collected directly from individuals. All residents will be actively encouraged to update their contact details by notifying the Charity of any changes in their personal data.
Retaining and disposing of data
Any personal data must only be kept where there is a business or legal need to do so. When the Charity disposes of personal data, this will be undertaken in a secure manner.
Documents (including paper and electronic versions and e-mail) containing personal data will not be kept indefinitely and will always be securely deleted and destroyed once they have become obsolete or when that personal data is no longer required.
Personal data will not be retained simply on the basis that it might come in useful one day without any clear view of when or why.
The Charity’s data retention policy is:
The Charity will not keep personal data for longer than is necessary. This means that:
The Charity will reply to queries and complaints from individuals about how the Charity uses their personal data within 30 days.
Individuals are entitled by law (by making a request) to be supplied with a copy of any personal data held about them (including both electronic and paper records). Individuals are also entitled to know the logic involved in decisions made about them.
An individual also has the right to seek erasure of their data and to request portability of their data, i.e. that the Charity provides their data to them in a structured, commonly used and machine-readable format.
Where the Charity receives a request from an individual exercising their legal right to control their personal data, the Charity will respond promptly. If a valid request concerns a change in that individual’s personal data, such information will be rectified or updated, if appropriate to do so.
Taking appropriate security measures
Personal data will be kept secure. Technical, organisational, physical and administrative security measures (both computer system and non-computer system related steps) are necessary to prevent the unauthorised or unlawful processing or disclosure of personal data, and the accidental loss, destruction of, or damage to personal data.
The Charity will monitor the level of security applied to personal data and take into account current standards and practices. As a minimum the Charity will ensure that:
Any suspicion of any data security breach should be reported immediately to the Chairman and the Trustees. When the Charity becomes aware of a breach, protective measures will be taken to effectively mitigate the consequences of the breach.
Using Subcontractors and Vendors
Under EU data protection law, where a provider of a service has access to personal data (e.g. as a payroll provider) the Charity will impose strict contractual obligations dealing with the purposes and ways personal data may be used and the data security of that information. These are third parties who act as processors (i.e. only holding the personal data according to the Charity’s instructions) and this will include telecare companies that provide services to the Charity (Housing Benefit and Government officers are not vendors).
The Charity will always enter into a written contract with any Vendor that deals with personal data being provided by the Charity. The contract will meet the requirements under the GDPR Article 28.
Disclosure to Third Parties
At times, the Charity may disclose personal data to vendors, contractors, service providers and other selected third parties.
Prior to disclosing personal data to these parties, the Charity will take reasonable steps to ensure that:
In certain circumstances, the Charity may be required to disclose personal data to third parties when required by law, when necessary to protect the Charity’s legal rights, or in an emergency situation where the health or security of an individual is endangered. Prior to such disclosures, the Charity will take steps to confirm that the personal data is disclosed only to authorised parties and that the disclosure is in accordance with this Policy and applicable law.
Safeguarding the use of special categories of data
Special categories of data is information revealing an individual’s racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, processing of genetic data or biometric data (for the purpose of uniquely identifying an individual), health and sex life or sexual orientation. Since this information is more intrusive, the Charity will only use it where absolutely necessary and often with the explicit consent of the individual affected.
The Charity will only hold and make available special categories of data on an individual without their explicit consent if the Charity has another lawful basis under applicable law. This may be the case, for example, where the Charity holds information about an individual’s health where this is necessary to exercise any obligation conferred by law on us in connection with the Charity.
For residents and beneficiaries the Charity may also collect and use their special category data where:
The Charity will always assess whether special categories of data are essential for the proposed use and will only collect special categories of data when it is absolutely necessary in the context of the organisation. Application (or other) forms used to collect special categories of data will include suitable and explicit wording expressing the individual’s consent when the Charity is collecting explicit consent.
Consent must be demonstrable. Therefore, if it is collected verbally it will be recorded in such a form as to prove that the requisite information was provided to the individual and their response was able to be verified.
Where consent is not relied upon, the Charity will take steps to ensure that there is another lawful basis under applicable law for the collection and use of such information. In certain circumstances, the Charity may be required to consult with the Information Commissioner’s Office about the proposed use of such special categories of data.
Collecting children’s data
Data pertaining to children will only be collected when strictly necessary, for example where the Charity appoints families and needs to record ages of children. The Charity will only collect a minimum amount of data about children as is necessary for the Charity’s purpose. Trustees are aware that children’s data is considered more sensitive and will be protected accordingly.
Data storage and processing:
Ottery Feoffee Charity recognises that data is held about:
This information is always stored securely and access is restricted to those who have a legitimate need to know. We are committed to ensuring that those about whom we store data understand how and why we keep that data and who may have access to it. We do not transfer data to third parties without the express consent of the individual concerned.
Archived records are stored securely and the Charity has clear guidelines for the retention of information as set out in point 5 above.
Rights of individuals
All individuals who come into contact with Ottery Feoffee Charity have the following rights under the DPA:
The Trustees recognise their overall responsibility for ensuring that the Charity complies with its legal obligations. A trustee, [name], [or the Data Protection Officer if there is one] is responsible as follows:-
Roles and Responsibilities
All trustees, staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their roles.
Significant breaches of these policies will be handled under disciplinary procedures.
Key risks to the safety of data control and process:
The Trustees have identified the following potential key risks:
The trustees will review the Charity’s procedures regularly, ensuring that the Charity’s records remain accurate and consistent and in particular:
Subject access requests
Any individual who wants to exercise their right to receive a copy of their personal data can do so by making a Subject Access Request (“SAR”) to the Clerk. The request must be made in writing and the individual must satisfy the Clerk of their identity before receiving access to any information.
A SAR must be answered within 30 calendar days of receipt by the Charity.
Collecting and using personal data
The Ottery Feoffee Charity typically collects and uses data in connection with the provision of [objects of the Charity]. The Charity collects personal data mainly in the following ways:-
The Ottery Feoffee Charity will:-
Keeping data secure
The Ottery Feoffee Charity will take all appropriate measures to prevent unauthorised or unlawful processing of personal data and to protect personal data against loss, damage or destruction. This means that:-
[these are examples]
This policy has been approved for issue by the board of trustees of Ottery Feoffee Charity