●      Signature

●      Name & Position

David Lett

Operations Director

Marcus Gale

People Manager

Policy

The organisation is committed to ensuring any personal data will be dealt with in line with the Data Protection Act 2018. To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.

The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within the organisation.

This policy covers students, staff, clients, partners and sponsors.

●      Be obtained fairly and lawfully and shall not be processed unless certain conditions are met

●      Be obtained for a specific and lawful purpose

●      Be adequate, relevant but not excessive

●      Be accurate and kept up to date

●      Not be held longer than necessary

●      Be processed in accordance with the rights of data subjects

●      Be subject to appropriate security measures

●      Not to be transferred outside the European Economic Area (EEA)

The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper based personal data as well as that kept on computer.

The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. The organisation will seek to abide by this code in relation to all the personal data it processes, i.e.

●      Accountability: those handling personal data follow publicised data principles to help gain public trust and safeguard personal data.

●      Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.

●      Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data.

●      Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span.

●      Student personal details (including passport and national insurance numbers and progress

●      Client names, contact details, orders and agreed rates

●      Staff contact, banking, qualifications details, appraisal notes, observations notes

●      Sponsor contact details and grants made

Personal information is kept in the following forms: electronic contacts listings, paper based (for students and staff) and spreadsheets for distribution list management.

Groups of people within the organisation who will process personal information are: (employed staff, contracted staff and board members)

If there are any interim changes, these will be notified to the Information Commissioner within 28 days.

The name of the Data Controller within our organisation as specified in our notification to the Information Commissioner is David Lett, Director, Woodcote House, High Street South, Stewkley, LU7 OHR

The governing body delegates tasks to the Data Controller. The Data Controller is responsible for:

●      understanding and communicating obligations under the Act

●      identifying potential problem areas or risks

●      producing clear and effective procedures

●      notifying and annually renewing notification to the Information Commissioner, plus notifying of any relevant interim changes

Breach of this policy will result in formal disciplinary action.

Implementation

●      Ensure any personal data is collected in a fair and lawful way;

●      Explain why it is needed at the start;

●      Ensure that only the minimum amount of information needed is collected and used;

●      Ensure the information used is up to date and accurate;

●      Review the length of time information is held;

●      Ensure it is kept safely;

●      Ensure the rights people have in relation to their personal data can be exercised

We will ensure that:

●      Everyone managing and handling personal information is trained to do so.

●      Anyone wanting to make enquiries about handling personal information, whether a member of staff, volunteer or service user, knows what to do;  ● Any disclosure of personal data will be in line with our procedures.

●      Queries about handling personal information will be dealt with swiftly and politely.

●      On induction: the data protection policy is to provide to all new staff and they are asked to sign that they have read it

●      General training/ awareness raising: once every 12 months all staff are asked to re-read the policy

We will inform people whose information is gathered about the following: how the information is stored, why it is being collected in the first place and who will have access to it.

We will take the following measures to ensure that personal information kept is accurate: by sending reminders to people asking them to check the accuracy of the information and that they are happy for us to continue to hold it.

Personal sensitive information will not be used apart from the exact purpose for which permission was given.

Data Security

The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:

●      All paper based personal data will be stored in a locked filing cabinet

●      All electronic personal data will be stored in password protected folders and access granted by the data controller

Any unauthorised disclosure of personal data to a third party by an employee may result in disciplinary proceedings and could lead to formal dismissal.

Any unauthorised disclosure of personal data to a third party by a volunteer or trustee may result in in disciplinary proceedings and could lead to formal dismissal.

Requests

●      What information we hold and process on them

●      How to gain access to this information

●      How to keep it up to date

●      What we are doing to comply with the Act.

They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.

Individuals have a right under the Act to access certain personal data being kept about them on computer and certain files.  Any person wishing to exercise this right should apply in writing to: David Lett, Director, Woodcote House, High Street South, Stewkley, LU7 OHR.

We may make a charge of £10 on each occasion access is requested.

The following information will be required before access is granted:

●      Full name and contact details of the person making the request

●      Their relationship with the organisation (former/ current member of staff, trustee or other volunteer, service user

●      Identification (e.g. passport, birth certificate etc.)

Queries about handling personal information will be dealt with swiftly and politely.

We will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within the 40 days required by the Act from receiving the written request.

I am connected with this organisation in my capacity as a

•      Member of staff

•      Volunteer

•      Trustee/ management committee member

Signature: ___________________________

Print name: __________________________

Date: __________________

Please return this form to the Centre Manager