
Data Protection Policy

Issue No: 1.0

Last Review: May 2024

Review Due: April 2026

 

1. Purpose

1.1 This policy forms part of our organisation's commitment to the safeguarding of personal data processed by staff, volunteers and Trustees. The aim of this policy is to clarify the rights and obligations of staff, MSAs, volunteers and Trustees with respect to personal data.

1.2 This policy is supported by sub-policies that include greater detail on specific aspects of data management and security. The sub-policies cover (for copies of these please contact us):

  • Data Retention Schedule

  • Subject Access Requests

  • Data Breaches

  • Privacy Notice

  • Volunteer Privacy Notice

  • Staff Privacy Notice

  • Job Applicant Privacy Notice

2. Introduction

2.1 Our organisation processes the personal data of individuals including staff, Trustees, volunteers, members and stakeholders, including partners and funders. This processing is regulated by the Data Protection Act 2018, the General Data Protection Regulation 2018 (GDPR) and the Fundraising Regulator Code of Practice 2018.

3. Scope

3.1 This policy applies to all staff, other volunteers and Trustees.

 

4. Data Protection Act

4.1 This Data Protection Policy follows the requirements of the Data Protection Act 2018. The Act aims to promote high standards in the handling of personal information and so protect the individual’s right to privacy.

 

5. Data Protection Principles

5.1 We fully endorse and adhere to the principles of Data Protection, as outlined in the Act. These are that personal data shall be:

  • processed lawfully, fairly and in a transparent manner in relation to individuals;

  • obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes;

  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;

  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;

  • not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

6. Individuals' rights

6.1 Personal data shall be processed in accordance with the rights of data subjects:

  • The right to be informed;

  • The right of access;

  • The right to rectification;

  • The right to erasure;

  • The right to restrict processing;

  • The right to data portability;

  • The right to object;

  • The right not to be subject to automated decision-making, including profiling.

7. Personal Information covered by this policy

7.1 This policy covers any information that relates to living individuals which is held on computer or in hard copy format. For example, this may include information such as name, address, date of birth and opinions about the individual or any other information from which the individual can be identified.

 

8. Responsibilities

8.1 All staff, volunteers and Trustees are responsible for:

  • Ensuring that their processing of personal data, including research data, is compatible with the data protection principles.

    • Ensure that paper documents containing personal data are securely stored in lockable cabinets on site and that keys used to lock them are stored securely in the key safe, with access granted on a need-to-know basis.

    • Where possible, convert paper records to electronic form and restrict access to those that need it.

    • Implement a clear desk policy and lock their computer screen when away from their desk.

    • Ensure there is no unauthorised access when printing personal details by not leaving the printer unattended at this time and collecting printed material immediately.

    • Use strong passwords and ensure they keep the personal data held on their computer secure.

    • Ensure access to files that contain personal data is restricted on a need-to-know basis.

    • Password protect files that contain sensitive information in relation to individuals that is not appropriate for all team members to access.

    • Ensure the office is kept secure by locking the door whenever it is unattended, for however long this may be.

  • Completing relevant Data Protection training made available by our organisation.

  • Raising any concerns in respect of the processing of personal data in the first instance with the Data Protection lead.

  • Passing on all subject access requests and requests from third parties for personal data to the Data Protection lead.

  • Reporting unauthorised disclosures of personal data to the Data Protection lead.

  • Ensuring that any personal data provided to the organisation is up to date.

8.2 Managers should monitor compliance with these responsibilities through spot checks. Results should be discussed at staff and Board meetings and in communication with volunteers, particularly where improvements in data protection practice have been identified.

8.3 In addition, the Trustees have a data protection lead responsible for ensuring that the CIO complies with this policy and the associated sub-policies. Data Protection updates are provided to each Board meeting.

 

9. Access to Personal Data

9.1 Data subjects have the right to access their personal data held by our organisation. The Subject Access Requests Policy outlines staff, volunteer and Trustee responsibilities in this respect.

9.2 Copies of any information held will be provided to the individual, in their preferred format, within 1 month.

9.3 Our organisation will not charge for any data subject access requests, unless the request is manifestly unfounded or excessive.

 

10. Third Party Access

10.1 In certain circumstances Data Protection legislation provides for disclosure of personal data to certain organisations without the consent of the data subject. Requests for such disclosures from third parties, such as the police, UK Border Agency etc., should be made in writing and will be handled by the Head of Partnerships and Projects.

 

11. Records Management

11.1 When records are no longer required for operational reasons they must either be transferred to a secure system or disposed of securely and confidentially. All paper documents containing personal details should be shredded. Computers and laptops owned by our organisation should be disposed of by sending them to Agenda IT, who will provide our organisation with a certificate of destruction.

Luton Community Watch

Lewsey Community Centre.

Landrace Road,

Luton,

Bedfordshire

England

United Kingdom

LU4 0SW

Email: nhw4luton@gmail.com 
