RedbridgeCVS Data Protection Policy
The Data Protection Act 1998 sets out basic principles which must be adhered to by any ‘Data Controller' - a person or organisation controlling the use of personal data. Personal data includes both computerised records and structured manual records from which a living individual may be identified. Anyone processing personal data must comply with the eight enforceable Principles of good practice. They say that data must be:
- fairly and lawfully processed;
- processed for limited purposes;
- adequate, relevant and not excessive;
- not kept longer than necessary;
- processed in accordance with the Data Subject's rights;
- kept secure;
- not transferred abroad without adequate protection.
- Personal data covers both facts and opinions about the individual, and can be any type of material, including text, photographs, video or audio material.
This policy is intended to assist staff in complying with the requirements of the Act. Frequently the points set out below are based directly on the legal requirements; at other times they represent good practice.
It is the policy of RedbridgeCVS that all personal data will be held in accordance with the principles and requirements of Data Protection and other relevant legislation, and that procedures will be put in place to ensure the fair processing of data relating to individuals (‘data subjects').
All services and departments within RedbridgeCVS will draw up operating procedures in accordance with this policy. These procedures will be monitored by Data Protection officers, appointed for each data type (staff, service users, etc.), who will ensure that mechanisms for sharing data across RedbridgeCVS comply with current Data Protection legislation.
Information covered by the Act
The Data Protection Act covers all personal information held on computer or which can be accessed through a structured filing system.
It applies to all paper filing systems in which information on our individual employees, trustees, parents, children, supporters, members, volunteers and enquirers can be accessed, as well as to computerised data held on such individuals.
The Act excludes personal information held incidentally in other paper files.
Overall responsibility for Data Protection will lie with the Information Officer.
For each set of personal data an ‘owner' will be identified. The ‘owner' will take responsibility for how the information is collected and kept up to date, for obtaining consent from the Data Subject or offering opt-outs where relevant, and for giving guidance to other potential users of the data within RedbridgeCVS on what they may and may not do with the data.
The ‘owner' of each set of information should identify a Data Protection Officer who can:
- coordinate policy matters relating to the data, liaising with Data Protection Officers in other areas of RedbridgeCVS to monitor arrangements for sharing of data;
- deal with any questions from Data Subjects or from other users of the data within RedbridgeCVS;
handle Subject Access requests.
General provisions applying to all Data Subjects
When RedbridgeCVS holds information about anyone it will ensure that they can easily get answers to any questions they have about why and how the information is used.
RedbridgeCVS will only collect information about people for a good reason.
All staff have the responsibility to ensure that personal data is held securely, and not disclosed to anyone unless they are authorised to have access to it.
RedbridgeCVS will not give out information about any individual over the telephone or by e-mail unless it is satisfied that:
- giving the information over the telephone or by e-mail is appropriate because of urgency or because the level of risk is low.
- the identity of the person making the request has been verified.
- the person making the request is authorised to have the information.
- the Data Subject knows that this type of disclosure may be made (or that there is some over-riding reason for the disclosure).
The web site will not contain any personal data that is not absolutely necessary. Where information is captured on the web site, a clear policy statement will be provided, and no personal data will be captured without the knowledge of the Data Subject.
Children and families
Where RedbridgeCVS holds information about children and their families for administration of its services, parents will be given every opportunity to know what is in the files, to know whom the information is shared with, and to have access to the files if they wish, as set out in the Access to Information Policy, which specifies the material to which this applies in more detail.
Records of children and their families will be treated as completely confidential.
Parents will be given a clear opportunity to opt out in advance of any use of their details for marketing or fundraising.
Case study material and photographs of identifiable individuals will not be used without consent. Consent will be sought in two stages:
- preliminary written consent for photographs to be taken and for the family's details to be held as potential case study material. This will be a standard form used by all departments.
- specific consent for use to be made of a photograph or of the family's details as case study material. This consent need not be in writing, but a record will be made of how the consent has been obtained.
No material will be used unless stage (1) consent has been given. Photographs may be used without stage (2) consent for news items and other one-off uses. They will not be used for brochures or other long-lived material without stage (2) consent.
Family details will not be disclosed to journalists, etc, without stage (2) consent.
Care will be taken not to use material that is inappropriate or out of date. Where material is more than three years old RedbridgeCVS will check (a) the continued accuracy of the information and (b) that the parent's consent still applies.
Photographs and names of children will not be used on the web site without specific, informed consent.
No charge will be made for Subject Access by children or their families.
Actual and potential donors, members, supporters
All marketing, publicity and fundraising material which invites people to contact RedbridgeCVS will state that any data supplied will be used for these purposes, and will give Data Subjects the opportunity to opt out. Where data items are optional (e.g. telephone numbers, e-mail addresses), this will be made clear.
No details of individuals will be passed to other organisations for marketing or fundraising purposes unless the Data Subjects have been told that this might happen and been given the opportunity to opt out.
All communications to individuals from the Marketing and Fundraising Department will be treated as marketing, including membership renewals. Communications to individuals (for example invitations to an event) from other departments, except for one-off letters, phone calls or e-mails, will be treated as marketing if they are unsolicited. [Note: This takes account of the Information Commissioner's wide interpretation of what constitutes marketing.]
The Marketing and Fundraising Department will only use information collected by other services or departments if the Data Subjects clearly know that their data might be used for fundraising or marketing purposes and have been given the opportunity to opt out.
Departments passing information across for fundraising or marketing purposes will ensure that the people concerned know that this is happening and have been given the opportunity to opt out.
All people added to a fundraising or marketing database - whether the source is internal or external - will be sent a welcome letter which will include information on their Data Protection rights.
RedbridgeCVS will respect the additional restrictions on marketing by phone, fax, e-mail, text message and on the web which are set out in the Privacy and Electronic Communications (EC Directive) Regulations 2003 and other relevant legislation.
No staff will be given access to the fundraising or marketing databases or information related to them unless they have a clear need and understand fully the importance of confidentiality.
Professionals who contact RedbridgeCVS will not have their data used for purposes they are unaware of.
Where RedbridgeCVS wishes to make unsolicited contact with professionals in future, this will only be done after they have been given the opportunity to opt out.
Information that RedbridgeCVS holds about professionals will not be disclosed outside RedbridgeCVS without the individual's knowledge.
Information about professionals who use our training or information services will be held for no more than six months unless it is to be used for future contact.
RedbridgeCVS will include an opt-out statement on at least one mailing to professionals per year, to give people an opportunity to be taken off the marketing database (e.g. for future training events) if they wish.
Staff and volunteers
RedbridgeCVS will follow the Information Commissioner's Code of Practice on employment records. Where it is felt that this is not possible, the reasons will be documented.
Volunteer records will be treated as far as possible on the same principles as records of paid staff.
RedbridgeCVS will ensure that it identifies all Data Processor relationships and obtains suitable written evidence of the contract.
Subject Access charges
No charge will be made for Subject Access by children, parents, staff or volunteers. All other Data Subjects will be charged £10.
Agreed by the Board of Trustees of RedbridgeCVS