This is the data protection policy for Bearwood Community Hub CIC. As part of our work we need to collect information from the people we work with and who wish to be in contact with us. The collection of that data creates an obligation to ensure that we have informed consent to collect information and a transparent plan for managing that information within the scope of data protection regulations.
This policy sets out how we will collect information, store information and seek consent from individuals in relation to the data we store on their behalf.
This policy ensures that Bearwood Community Hub CIC complies with all legal obligations to: -
Recognise that individuals that provide us with data are the owners of that data
Store data in a way that ensures security of that data is the most important consideration
Provide individuals access to all information that is held by us on request
Protect itself and individuals from the risk of data breach
This policy has been developed in order to comply with General Data Protection Regulations (GDPR) and UK data protection legislation such as the Data Protection Act 1998. As such Bearwood Community Hub CIC commits to embed the five Data Protection principles in its business:
Personal data should be processed fairly and lawfully
Data should be collected for a clear purpose
Collection should be adequate for that purpose
Data shouldn’t be kept for too long
People supplying data should understand their rights
This policy is designed to mitigate risks that might result from data breaches. Through the implementation of this policy, in its entirety, Bearwood Community Hub CIC seeks to reduce the risk that:-
Consent is not informed when data is collected, ensuring that individuals know the purpose of data collection
Breaches of confidentiality occur and that the only people within the company that have access to data are appropriate for the agreed processing
Data is not being maintained in a secure environment to stop loss or theft.
This policy applies to:-
All offices within the company
All employed staff
Any person acting under contract to the company
Any person acting in a volunteer capacity for the company
The policy applies to all information/data that is collected by the company and is not restricted to electronic information. The range of information collected by the company is contained within the data schema attached within Appendix 1.
The policy also applies to data that is not obtained through direct contact with individuals. For example, this could be data that comes into the company’s possession through the operation of a contract or through a transaction with a third-party organisation. All data obtained in such a manner will be treated in the same way as that obtained directly from individuals and the company will not assume that consent for processing activities has been secured by third-party organisations.
Within Bearwood Community Hub CIC a number of roles in relation to data protection have been identified.
The Board of Bearwood Community Hub CIC are accountable for data protection within the organisation and Sally Taylor is the key board member that will be responsible for bringing issues relating to data protection to the Board and ensuring this policy is reviewed.
Access to Data
In managing data Bearwood Community Hub CIC will ensure that access is restricted to staff or volunteers that have a legitimate business need.
In order to access data staff and volunteers must:-
Be able to demonstrate that access is relevant to their job role.
Ensure that access is protected by strong passwords.
Have been provided with appropriate data protection training
Be aware that data cannot be shared informally within the company or to third party organisations or contractors. Formal processes must be used for all transfer of data.
Make sure to regularly review the relevance of their access to data.
Review the data they manage to ensure it is consistent with the consent that provided access to it in the first place.
All data that is held by Bearwood Community Hub CIC must meet recognised standards of data security.
Where data is kept in paper form these steps will be taken to maintain security: -
Data will be locked in either a filing cabinet or drawer
Where personal data is removed from company premises there will be a process to sign it out and back in again
Personal data will be securely shredded
Personal data will not be left in plain view
Where data is kept in electronic form these steps will be taken to maintain security: -
Data is kept behind secure passwords
Software that stores data will be regularly patched with security updates
Encryption will be used for electronic transfer
Data will not be stored on personal electronic devices
External removable storage, used for personal data, will be password protected and encrypted
Bearwood Community Hub CIC will take steps to ensure that data held is accurate and fit for purpose. To ensure accuracy these steps will be taken:-
Data will be periodically reviewed to ensure that it is up to date.
A facility will be provided to allow individuals to update data
Steps will be taken to reduce data duplication
In order to be consistent with data protection regulations Bearwood Community Hub CIC will seek informed consent for the collection and use of all personal data. Consent will take the form of an affirmative action on the part of the individual. Consent will not be assumed based on the method by which the data was obtained.
Bearwood Community Hub CIC will ensure that the consent process is distinct from any need to set out terms and conditions in respect of contracts or transactions.
The consent process will set out in plain English: -
Preferred means of contact
The purpose of collecting data
The process for withdrawing consent
The limit on how long data will be held
In any case where Bearwood Community Hub CIC is made aware of a data breach, Sally Taylor, as the Accountable Individual, will alert the Board at the earliest opportunity. In line with Data Protection Regulations the Accountable Individual will also notify the Information Commissioner's Office (ICO) of the breach and set out short term actions that will be taken to:-
Identify the scope of the breach
Identify individuals affected by the breach
Identify actions to mitigate further breach
Develop a plan to communicate with individuals
The Accountable Individual will be the main point of liaison between Bearwood Community Hub CIC and the ICO. The Accountable Individual will prepare a paper for the Board outlining all the actions set out above.
Where an external body notifies Bearwood Community Hub CIC of a data breach then the same actions outlined above will be taken.
Data and Third Parties
In working with data and third-party organisations Bearwood Community Hub CIC will ensure that all data obtained will be treated in the same manner as if it had been obtained from individuals. Consent will not be assumed for processing and, if necessary, will be sought from the individuals.
Where working with a third-party organisation requires the transfer of personal data Bearwood Community Hub CIC will ensure that explicit consent is sought from the individuals to make such a transfer.
The commitment to explicit consent will be reflected in all contracts made by Bearwood Community Hub CIC.
Subject Access Requests
All individuals who have data held by Bearwood Community Hub CIC have a right to:-
Know what data is held
Have access to data
Move data to another place (data portability)
Bearwood Community Hub CIC commits to meet all Subject Access Requests within the 30-day time limit set within the General Data Protection Regulations. To support Subject Access Requests there will be clear information on the Bearwood Community Hub CIC about how to make a request. This information will provide a clear outline of what people can request, the time limits to meet such a request and the method for making a request.
Bearwood Community Hub CIC will provide a dedicated email address for making requests as well as a phone number and correspondence address.
Appendix one is available to view here.