Norwich Unity Hub CIO
Data Protection Policy
Introduction and Scope
This policy outlines Norwich Unity Hub’s commitment to data protection and compliance with the UK Data Protection Act. The purpose of this policy is to ensure that all personal data held by the charity is processed lawfully, fairly, and transparently, and that the rights of data subjects are protected. This policy applies to all individuals working on behalf of Norwich Unity Hub, including trustees, staff, and volunteers.
Data Protection Lead
Norwich Unity Hub will appoint a Data Protection Lead who will be responsible for overseeing data protection and leading on any incident investigation and reporting. The Data Protection Lead will also ensure that all staff and volunteers are provided with any induction, on the job or other training and made aware of their data protection responsibilities.
Data Protection
Data protection is the practice of safeguarding personal information by applying data protection principles and complying with the Data Protection Act. The Data Protection Act is a UK law that regulates the processing of personal data. The UK Information Commissioner’s Office (ICO) provides guidelines on data protection that Norwich Unity Hub will follow.
UK GDPR: The UK General Data Protection Regulation, which outlines the rules for processing personal data in the UK.
Data Processor: An individual or organisation that processes personal data on behalf of a data controller.
Data Controller: An individual or organisation that determines how and why personal data is processed.
Data Subject: An individual whose personal data is being processed.
Processing: Any operation performed on personal data, including collection, storage, use, and disclosure.
Personal Data: Any information that can identify a living individual, such as name, address, or email address.
Sensitive Personal Data: Personal data that requires extra protection, such as health information or ethnic origin.
Direct Marketing: Any communication aimed at promoting a product or service directly to an individual.
PECR: The Privacy and Electronic Communications Regulations, which govern electronic direct marketing.
Valid Consent: Consent that is freely given, specific and informed, and that can be withdrawn at any time.
Legitimate Business Purpose: A lawful reason for processing personal data that is necessary for the legitimate interests of the data controller or a third party.
Data is:
- Processed lawfully, fairly and in a transparent manner.
  - There are several grounds on which data may be collected, including consent.
  - We are clear that our collection of data is legitimate and we have obtained consent to hold an individual’s data, where appropriate.
  - We are open and honest about how and why we collect data, and individuals have a right to access their data.
- Collected for specified, explicit and legitimate purposes and not used for any other purpose.
  - We are clear on what data we will collect and the purpose for which it will be used.
  - We only collect data that we need.
  - When data is collected for a specific purpose, it may not be used for any other purpose without the consent of the person whose data it is.
- Adequate, relevant and limited to what is necessary.
  - We collect all the data we need to get the job done.
  - And none that we don’t need.
- Accurate and, where necessary, kept up to date.
  - We ensure that what we collect is accurate and have processes and/or checks to ensure that data which needs to be kept up to date is, such as beneficiary, staff or volunteer records.
  - We correct any mistakes promptly.
- Kept for no longer than is necessary. We understand what data we need to retain, for how long and why.
  - We only hold data for as long as we need to.
  - That includes both hard copy and electronic data.
  - Some data must be kept for specific periods of time (eg accounting, H&SW).
  - We have a review policy that ensures data no longer needed is destroyed.
- Processed to ensure appropriate security, not only to protect against unlawful use, but also against loss or damage.
  - Data is held securely, so that it can only be accessed by those who need to do so. For example, paper documents are locked away, access to online folders in shared drives is restricted to those who need it, IT systems are password protected, and/or sensitive documents that may be shared (eg payroll) are password protected.
  - Data is kept safe. Our IT systems have adequate anti-virus and firewall protection that is kept up to date. Staff understand what they must and must not do to safeguard against cyber-attack, and that passwords must be strong and not written down or shared.
  - Data is recoverable. We have adequate data back-up and disaster recovery processes.
Individual Rights
We recognise that individuals’ rights include the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability and the right to object.
Staff and personnel
It is Norwich Unity Hub’s policy to educate and inform employees about the dangers of inappropriate and illegal use of the personal data they may have access to.
Whenever you are involved in processing any personal data, you must ensure that all associated procedures have been sanctioned by your manager. You must only operate within sanctioned procedures:
· If for any reason registration of the information is withdrawn, you must stop using the particular data immediately. Your manager will advise you of this.
· You must ensure that your appropriate records are maintained and safe and are only used to perform your particular job.
· You must ensure that all personal data is used, held and disclosed only for the registered purpose; you should not use any of the systems outside of these criteria.
· Information must be collected and processed in a prudent and lawful manner and should be kept up to date and accurate at all times.
· Information must not be transferred to countries outside the EU without authorisation from your Line Manager.
· The information should only be retained for the period necessary, and for the purpose for which it is held.
If you have any concerns or questions regarding the processing or use of personal data you should contact your manager as soon as possible. If in any doubt you should cease to process the information.
If you are required to use electronic equipment such as a computer or data-holding device your actions should comply with this and the ICT Use Policy. It is your responsibility to ensure that reasonable measures are taken to ensure the security of information contained within them. Such measures include keeping equipment in a lockable location when not in use and/or using password protection for files containing information covered by data protection legislation.
A breach of the data protection regulations or failure to adhere to Norwich Unity Hub’s policies could have serious repercussions for Norwich Unity Hub and for yourself, if you are found responsible. It may also be treated as a serious disciplinary matter and may result in the termination of your employment.
If you are aware of any breach of Data Protection you must bring it to the attention of your Line Manager immediately. Any failure to do this may result in disciplinary action against you.
If you have access to or are responsible for collecting personal information that relates to any of Norwich Unity Hub’s clients or employees, the above guidelines should be strictly adhered to.
As a member of staff, you need to be aware that Norwich Unity Hub will hold details pertinent to your employment on file as part of its personnel records. This may include sensitive information. This information may be processed for administrative or legal purposes or as required by your continued employment. This may include passing certain employment related data to third parties such as government authorities, suppliers or contractor organisations supplying services which require the use or creation of employee data (for example, payroll). Your data may also be used in emergency situations, to protect the legal interests and other rights of Norwich Unity Hub, or in other situations where you have consented to the disclosure of such information.
The following are examples of information which may be retained by Norwich Unity Hub as part of its personnel records. The list is not exclusive or exhaustive:
· References obtained during recruitment
· Details of terms of employment
· Payroll, tax and National Insurance information
· Performance information
· Details of grade and job duties
· Health records
· Absence records, including holiday records and self-certification forms
· Details of any disciplinary investigations and proceedings
· Training records
· Contact names and addresses
It should also be noted that Norwich Unity Hub might hold the following information about you, for which disclosure will be made only when strictly necessary for the purposes set out below:
· Your health, for the purposes of compliance with our health and safety and our occupational health obligations
· For the purposes of personnel management and administration, for example, to consider how your health affects your ability to do your job and, if you are disabled, whether you require any reasonable adjustment to be made to assist you at work
· The administration of insurance, pension, sick pay and other related benefits in force from time to time
· In connection with unspent convictions to enable us to assess your suitability in employment for relevant roles
Norwich Unity Hub will endeavour to update personnel files on a regular basis. It is your responsibility to ensure that any changes in personal details are communicated in writing to Norwich Unity Hub immediately, or as soon after the change as is practicable; and to inform your next of kin (or whoever you give as an emergency contact) that their details may be held on a personnel file.
Use of Imagery/Video
All imagery is protected by copyright and cannot be used without the consent of the owner, usually the person who took the image. You may also need consent from the people shown in images of individuals and small groups, as such images may well fall within the Data Protection Act. However, there is some ambiguity, so err on the side of caution and obtain consent wherever this is reasonably possible. Particular care is to be taken when using images of children or other vulnerable people.
Here are some questions to consider when using imagery:
- For what purpose was the original image taken? If it was for one purpose, such as personal use, it cannot be used for another without the consent of the individuals concerned
- Is the image sensitive personal data? If it is, do you have the individual’s consent?
- For small groups and individuals, has an image consent form been used?
- When using images of children, or people who may not be competent, do you have valid consent?
- When using images of children or other vulnerable people, are you confident your use of the image will not place them at risk? Particularly, if it is to be used publicly, such as in the Media or on the web.
- When photographing large groups, have the individuals been given a chance to opt out of the photograph?
- Has the person/people in the image been told how the image will be used?
- Are you using the image according to how the person/people were told it would be used?
A breach is more than just losing personal data. It is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
We will investigate the circumstances of any loss or breach to identify whether any action needs to be taken. Action might include changes in procedures, where these will help to prevent a recurrence, or disciplinary or other action in the event of negligence.
We will notify the ICO within 72 hours of a breach if it is likely to result in a risk to the rights and freedoms of individuals, that is, a breach which, if unaddressed, is likely to have a significant detrimental effect on individuals. For example, it could:
- Result in discrimination.
- Damage to reputation.
- Financial loss.
- Loss of confidentiality or any other significant economic or social disadvantage.
People Who Are Not Competent
Some people are unable, or may be unable, to give consent, and in that case consent must be obtained from the person who is able to make decisions on their behalf, such as someone holding a Lasting Power of Attorney. Any decisions that you may make on their behalf must always be in their best interests.
Special category (sensitive) data is more sensitive and so needs more protection. It includes, for example, information about an individual’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation.
Privacy And Electronic Communications
There are special regulations, known as PECR, covering electronic marketing messages (by phone, fax, email or text), cookies and electronic communication services to the public.
Fundraising
We will ensure that our fundraising complies with the Data Protection Act and ICO guidelines and also the Fundraising Regulator guidelines including, if applicable, direct marketing and PECR. We will respect the privacy and contact preferences of our donors.
Fundraising Preference Service
We will respect the privacy and contact preferences of our donors. We will respond promptly to requests to cease contacts or complaints and act to address their causes.
Artificial Intelligence
We have adopted and comply with the Charity AI Ethics & Governance Framework and ICO AI guidance.
Version Control – Approval and Review
| Version No | Approved By | Approval Date | Main Changes | Review Period |
|---|---|---|---|---|
| 1.0 | Board | May 24 | Initial draft approved | Annually |