DS Achieve Data Protection Policy

Introduction

As part of our everyday activities DS ACHIEVE receives and stores personal data. The rights of individuals are protected by the Data Protection Act (the DPA) up to and including 24 May 2018, and from 25 May 2018 by the General Data Protection Regulation (Regulation (EU) 2016/679), now retained in UK law as the UK GDPR. The DPA and GDPR impose restrictions and controls over the way that DS ACHIEVE collects and uses personal data.

This policy should be read in conjunction with the ‘DS ACHIEVE Cyber Security policy’, ‘DS ACHIEVE Privacy Policy’, the ‘DS ACHIEVE Privacy Statement for Staff and Volunteers’, the ‘DS ACHIEVE Subject Access Request Procedure’ and the ‘DS ACHIEVE Cookie Policy’.

Definitions

Charity: Means DS Achieve, a registered charity.

GDPR: Means the General Data Protection Regulation.

DPA: Means the Data Protection Act.

Responsible Person: Means the Treasurer, one of the Trustees of DS Achieve.

Register of Systems: Means a register of all systems or contexts in which personal data is processed by the Charity.

Further definitions

The DPA includes a number of specific definitions, and further information can be found on the Information Commissioner’s Office website: https://ico.org.uk/for-organisations/advice-for-small-organisations/key-data-protection-terms-you-need-to-know/. Data protection is the fair and proper use of information about people and is part of the fundamental right to privacy. The DPA requires us to treat people fairly and openly, recognising their right to control their identity and how they interact with the Charity.

Data protection principles

The Charity is committed to processing data in accordance with its responsibilities under the UK GDPR and the key principles which lie at the heart of the general data protection regime. Our privacy notices set out how we do this in practice.

Article 5 of the GDPR requires that personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject  (lawfulness, fairness and transparency);

  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes or to meet a clear legal obligation or function shall not be considered to be incompatible with the initial purposes (purpose limitation);

  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);

  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy);

  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (storage limitation); and

  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).

General provisions

  1. This policy applies to all personal data processed by the Charity. 

  2. The Responsible Person shall take operational responsibility for the Charity’s ongoing compliance with this policy. 

  3. The Board of Trustees has ultimate responsibility for this data protection policy. All trustees, staff and volunteers share responsibility for the day-to-day application of the policy. 

  4. This policy shall be reviewed at least annually. 

  5. The Charity is currently exempt from registering with the Information Commissioner’s Office. This exemption shall be reviewed each year to ensure compliance with ICO guidelines.

Lawful, fair and transparent processing 

  1. To ensure its processing of data is lawful, fair and transparent, the Charity shall maintain a Register of Systems. 

  2. The Register of Systems will be reviewed at least annually. 

  3. The Charity is committed to ensuring that trustees and staff are suitably trained and understand their responsibilities under the GDPR.

  4. Individuals have the right to access their personal data, and any such requests made to the Charity shall be dealt with in a timely manner and in accordance with the DS ACHIEVE Subject Access Request Procedure.

  5. Consent for processing personal information may be required from children aged 12 or over. When parents provide express consent to us, we presume they have the authority of their child to share their data (if appropriate). In some circumstances we may seek to obtain express consent from a child as well as their parent before processing their data.

Lawful purposes

  1. All processing of personal data by the Charity must rest on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information). 

  2. The Charity shall note the appropriate lawful basis in the Register of Systems.

  3. Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept. Special category data is personal data that is sensitive in nature, and as a general rule the explicit consent of the data subject is required to process it.

  4. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available, and systems should be in place to ensure such revocation is reflected accurately in the Charity’s systems.

Data minimisation

  1. The Charity shall ensure that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. 

  2. The Charity shall conduct an annual data audit to ensure that only the minimum amount of personal data is held.

Accuracy

  1. The Charity shall take reasonable steps to ensure personal data is accurate. 

  2. Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.

Archiving / removal

To ensure that personal data is kept for no longer than necessary, the Charity shall put in place a data archiving/removal procedure for each area in which personal data is processed. These procedures will be noted on the Register of Systems and reviewed annually.

Security

  1. The Charity shall ensure that personal data is stored securely using modern software that is kept up to date. 

  2. Access to personal data will be limited to personnel who need access to the information with appropriate security put in place to avoid unauthorised sharing of information. 

  3. When personal data is deleted this should be done safely such that the data is irrecoverable. 

  4. Appropriate back-up and disaster recovery solutions shall be in place.

Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Charity shall promptly assess the risk to people’s rights and freedoms and, where the breach is likely to result in such a risk, report it to the ICO without undue delay and within 72 hours of becoming aware of it (more information on the ICO website). A data breach should be reported immediately to the Responsible Person or Chair of Trustees for investigation and onward reporting where relevant.

Version 7.0 December 2023