Data Protection Policy

Version

[01.02.2021]


1.  Data protection principles

 

The Charity is committed to processing personal data in compliance with its GDPR obligations.

Personal data, according to Article 5 of the GDPR, must be:

 

·        processed lawfully, fairly, and transparently in relation to individuals;

·        collected for specific, explicit, and lawful reasons, and not further processed in a way that contradicts those aims; further processing for archiving in the public interest, scientific or historical research, or statistical purposes is not regarded as incompatible with the original purposes;

·        adequate, relevant, and limited to what is required in relation to the processing purposes;

·        accurate and, where necessary, up to date; every reasonable step must be taken to ensure that inaccurate personal data is destroyed or corrected as soon as possible, taking into account the reasons for which it is collected;

·        kept in a form that allows data subjects to be identified for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods if it is processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR;

·        handled in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, as well as accidental loss, deletion, or damage, through the use of appropriate technical or organisational measures.

 

2.  Lawful, fair and transparent processing

·        The Charity must keep a Register of Systems to guarantee that its data processing is legal, fair, and transparent.

·        At least once a year, the Register of Systems must be reviewed.

·        Individuals have the right to view their personal information, and any such requests made to the Charity will be responded to promptly.


3.  General provisions

a.      This policy covers all of the Charity's personal data processing.

b.     The Responsible Person is accountable for the Charity's continued adherence to this policy.

c.      As an organisation that processes personal data, the Charity must register with the Information Commissioner's Office.

d.     This policy must be reviewed at least once a year.

4.  Data minimization

a.      [Include considerations specific to the Charity's systems]

b.     In respect to the purposes for which personal data is processed, the Charity shall ensure that personal data is adequate, relevant, and limited to what is necessary.

 

5.  Lawful purposes

a.      Where communications are provided to individuals based on their consent, the opportunity to revoke consent should be explicitly available, and measures should be in place to ensure that such revocation is appropriately documented in the Charity's systems.

b.     Where consent is used as a legal basis for processing personal data, proof of opt-in consent must be retained with the personal data.

c.      In the Register of Systems, the Charity shall record the proper legal basis.

d.     The Charity must process all data on one of the following legal bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests (see ICO guidance for more information).

6.  Archiving / removal

a.      To guarantee that personal data is stored for no longer than is necessary, the Charity must establish an archiving policy for each area where personal data is processed and evaluate it annually.

b.     The archiving policy should address what data should/must be kept, how long it should be kept, and why it should be kept.

7.  Accuracy

a.      Where the lawful basis for data processing requires it, steps must be taken to ensure that personal data is kept up to date.

b.     The Charity must take reasonable steps to ensure the accuracy of personal data.

c.      [Include any other considerations specific to the Charity's systems]

 

8.  Security

a.      Appropriate disaster recovery and backup solutions must be in place.

b.     Access to personal data should be restricted to those who require it, and sufficient security should be in place to prevent unauthorised information sharing.

c.      When personal data is removed, it should be done in a secure manner so that it cannot be recovered.

d.     The Charity shall guarantee that personal data is maintained securely and that it is kept up to date using modern software.

     

9. Breach

In the event of a security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, the Charity will assess the risk to people's rights and freedoms and, if necessary, report the breach to the Information Commissioner's Office (ICO) (more information on the ICO website).

 

 

 

                                                                                                                                                                                                                                                Director