Data Protection Policy
1. The purpose of this policy
1.1. Time to Talk Befriending collects, holds and processes certain information about its service users, volunteers, employees and donors to ensure that it can meet its commitments to those that it supports, protect those whom it helps, support its legitimate charitable activities and operate its management functions. This could, by way of example, include the holding of information regarding personal details such as name, address and date of birth, and sensitive information regarding health issues to allow us to provide services as required.
1.2. This policy has been developed to ensure that Time to Talk Befriending complies with the Data Protection Act 2018 (“the Act”) and the General Data Protection Regulations, so that any data which it holds is stored safely, processed correctly and not unlawfully disclosed to any other person.
2. Definitions used in this policy
2.1 In this policy the following words shall have the following meanings:
|“Data Subject”||means any living individual who is the subject of personal data including any Time to Talk Befriending employees, volunteers, service users, family, friends or associates of those individuals and any Time to Talk Befriending supporters, donors, suppliers, contractors or consultants.|
|“Time to Talk Befriending Individuals”||means any Time to Talk Befriending employee, volunteer and/or other person working under the umbrella of Time to Talk Befriending and who has access to information.|
3. The Data Controller
3.1 Time to Talk Befriending is Charity Incorporated Organisation. Charity Number: 1147885 Time to Talk Befriending.
3.2 Time to Talk Befriending’ Trustees are responsible for the implementation of this policy. The Time to Talk Befriending Data Protection Officer is Emily Kenward who can be contacted at Time to Talk Befriending, West Werks, 41-43 Portland Road, Hove, BN3 5DQ.
Tel: 01273 737710
3.3 The Data Protection Officer will:
- maintain Time to Talk Befriending’ registration with the Information Commissioners Office and act as the first point of contact with the Information Commissioners Office
- provide advice, guidance and direction on data protection issues within Time to Talk Befriending
- receive any complaints regarding data management
- maintain the Time to Talk Befriending Data Protection Register.
4. Compliance with the Act, this policy and the Time to Talk Befriending Data Protection Procedure
4.1 Time to Talk Befriending and any Time to Talk Befriending Individual must comply with the Act, the Regulation, this policy and any Time to Talk Befriending Data Protection Procedure. This means that personal data must be handled in accordance with the principles of good handling specified in the Act and Regulation ie that personal data is:
- processed lawfully, fairly and in a transparent manner
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary
- accurate and where necessary kept up to date
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed
- processed in a manner that ensures appropriate security of the personal data. Examples of personal data within Time to Talk Befriending include an individual’s name, address, date of birth, national insurance number, email address and telephone number.
4.2 Any deliberate or reckless breach of the Act, Regulation or this policy and/or the Time to Talk Befriending Data Protection Policy may lead to disciplinary proceedings against the Time to Talk Befriending Individual and or legal proceedings against the Time to Talk Befriending Individual and or Time to Talk Befriending.
5.1 Time to Talk Befriending will:
a. ensure that data in its possession is stored securely, correctly processed and not unlawfully distributed
b. process data in accordance with the Act and Regulation
c. provide appropriate training, guidance and support to help Time to Talk Befriending Individuals comply with the Act and Regulation, this policy and any Time to Talk Befriending Data Protection Procedure
d. on receipt of a lawful request share information with United Kingdom law enforcement agencies and/or judicial bodies. If it does so Time to Talk Befriending will inform the Information Commissioners Office of its actions and record the facts in the Time to Talk Befriending Data Protection Register.
5.2 It will be the responsibility of all Time to Talk Befriending Individuals to:
a. check that any information they provide to Time to Talk Befriending in connection with their Time to Talk Befriending role is accurate and up-to-date;
b. inform Time to Talk Befriending of any error or change to the information provided; Time to Talk Befriending will not be responsible for any errors of which it has not been notified;
c. comply with the Act, the Regulation, this policy and any Time to Talk Befriending Data Protection Procedure and to ensure, for example, that any data is kept securely and is not disclosed either orally or in writing accidentally or otherwise with any unauthorised third party.
6. Sensitive personal data
6.1 Time to Talk Befriending recognises that sensitive personal data is likely to be of a private nature and that it may only be processed with the express consent of a Data Subject. The Act defines sensitive personal data as including:
- racial or ethnic origin
- political opinion
- religious beliefs or other beliefs of a similar nature
- trade union membership
- biometrics (where used for ID purposes)
- sex life or orientation.
Examples of the type of sensitive personal data that Time to Talk Befriending may hold include details of an individual’s health, medication, physical needs. Criminal convictions although no longer classed as sensitive will still be dealt with in full confidence as per the policy. Time to Talk Befriending will strive to collect and hold only data that is necessary and appropriate for the charity to provide its activities.
6.2 Time to Talk Befriending will request consent to process sensitive personal data at the earliest appropriate touch point with a Data Subject it being noted that agreement to Time to Talk Befriending processing certain types of sensitive personal data is a pre-requisite to certain roles within Time to Talk Befriending, for example those that require a DBS or PVG check where previous convictions may be referenced.
7 Rights to access information
7.1 Time to Talk Befriending acknowledges that any Data Subject has the right to request access to any personal data regarding them held by Time to Talk Befriending that is kept in electronic or paper form. Time to Talk Befriending will make no charge for requests as per the regulation
7.2 Time to Talk Befriending will on written request, notify a Data Subject of the data held by Time to Talk Befriending concerning them and the reasons as to why any data is being processed. Time to Talk Befriending will record the request and response in the Data Protection Register
8 The data protection register
8.1 Time to Talk Befriending will hold, maintain and update a Data Protection Register which will detail actions taken by the Data Protection Officer on behalf of Time to Talk Befriending in relation to specific issues arising under the Act and Regulation, and the reasons for those actions. The Data Protection Register will be:
- held by the Data Protection Officer on behalf of Time to Talk Befriending
- secured on the Time to Talk Befriending “Project” drive and Charity Log.
- accessible only by those Time to Talk Befriending Individuals explicitly authorized by CEO.
9 Retention of Data
9.1 Time to Talk Befriending is obliged by law to keep information for differing lengths of time as recorded in Time to Talk Befriending’ Data Retention Policy.
9.2 Time to Talk Befriending does and will continue to use the services of third party storage suppliers for the purpose of storage and disposal of data and will continue to select its suppliers based on their ISO credentials and security certification.
9.3 Archived data held off site in non-Time to Talk Befriending buildings will be retained in accordance with the Data Retention Policy before confidential destruction.
10 Policy review
10.1 This policy will be reviewed annually or sooner if required.