AGE CONCERN NEWBURY & DISTRICT
FAIR CLOSE CENTRE
GENERAL DATA PROTECTION REGULATION POLICY
MAY 2018


Framework

Age Concern Newbury & District, Fair Close Centre operates a data protection policy in line with the requirements of the General Data Protection Regulation, 2018, as indicated by the Information Commissioner’s Office (ICO).


Awareness

Trustees, staff, volunteers, members and clients will be informed about the change to the Data Protection rules, and a copy of the Policy will be made available at Fair Close Centre.


Members & Clients

Information is gathered when members and clients join Fair Close Centre as a member or to receive the Meals on Wheels service. This information is kept in electronic and paper format.

The information contained on the membership and application forms is necessary to ensure the potential member or client qualifies to attend Fair Close Centre and receive Meals on Wheels, with details as follows:

  • Name, address, telephone number, date of birth
  • Next of Kin details
  • GP contact details
  • Dietary Requirements

Members’ and clients’ forms will be kept at Fair Close Centre during the entire time that the person is a member or client and for a period of three years after they cease to be a member or client.

Mini-bus drivers carry information sheets of members’ names and addresses for collection to bring into the centre and return home at the end of the day. These sheets are returned to Fair Close Centre daily for appropriate disposal.

We may contact next of kin or GPs to safeguard the health and safety of members/clients.

Meals on Wheels drivers carry information sheets of clients’ names and addresses for delivery of meals. These sheets are returned to Fair Close Centre daily for appropriate disposal.


Volunteers

Details of volunteers are kept for contact purposes, to establish their availability to attend Fair Close Centre to assist with serving lunches and refreshments or to deliver Meals on Wheels to the community. This information is kept in electronic and paper format. This includes the following:

  • Name, address, telephone number, date of birth
  • Reference details
  • DBS checks

Employees

Details of employees are kept for payroll and pension purposes. This includes the following:

  • Name, address, telephone number, date of birth
  • Next of Kin details
  • Reference details
  • Bank details and National Insurance numbers
  • DBS checks/Disciplinary Records

This information is kept in electronic and paper format.


Trustees

Details of Trustees are kept for inviting them to meetings via post and email, and for advice and administration. This includes the following:

  • Name, address, telephone number, date of birth
  • Email details
  • DBS checks

This information is kept in electronic and paper format.


Suppliers

Details of suppliers are kept for ordering and invoicing purposes. This includes the following:

  • Name, address, telephone number
  • Payment details
  • Email details

This information is kept in electronic and paper format.


Contractors

Details of suppliers are kept for ordering and invoicing purposes. This includes the following:

  • Name, address, telephone number
  • Payment details
  • Email details

This information is kept in electronic and paper format.


Supporters & Friends of Fair Close

We may collect and process data about supporters from information provided when a supporter contacts the charity, either through our website or via email. We hold information on persons who have supported us and donated money to us. This information includes:

  • Name, address, telephone number, email addresses, bank details, financial information, history of donations or other support.

This information is kept in electronic and paper format.


Individual Rights

The GDPR includes the following rights for individuals:

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object; and
  • the right not to be subject to automated decision-making including profiling.

The right to data portability only applies:

  • to personal data an individual has provided;
  • where the processing is based on the individual’s consent or for the performance of a membership; and
  • when processing is carried out by automated means.

This means that only the information kept electronically is covered by data portability.

Any requests for copies of the information held by Fair Close Centre in electronic or paper format will be responded to within one calendar month. A copy of the relevant Excel file / Word file will be emailed to the requestor, if email communication has been agreed.


Subject Access Requests

In most cases no charge will be made for complying with a data portability request. However, a second request will be chargeable at £10.

  • Requests will be responded to within one calendar month.
  • In accordance with the GDPR, the charity will refuse or charge for requests that are considered unfounded or excessive.
  • If a request is refused, the person who made the request will be informed why and that they have the right to complain to the supervisory authority and to a judicial remedy. This will be done within one calendar month.

Processing Personal Data

Information about members and clients is processed as referred to above and is not processed or shared unnecessarily.

Information about Trustees is not processed or shared unnecessarily.

Information about employees is processed as part of the payroll, pension contribution process and bank process.

Information about suppliers/contractors is processed as part of the payment of invoice process.

Information about supporters is processed to keep them informed about our work and events and for direct marketing purposes for fundraising.


Consent

The receipt of an application to become a member or client of Fair Close Centre is taken as consent for the information on the membership/application form to be held on record and used as described above.

Acceptance of a position of employment at Fair Close Centre is taken as consent for information to be held about employees, for payroll and pension purposes. Annual reviews are also kept in electronic format.

Acceptance of orders by suppliers or work at the Fair Close Centre by contractors will be taken as consent for information necessary for payment of invoices and contact details to be held.

Donating money to us or otherwise supporting us and/or contacting us through our website is taken as consent to access the personal data that we hold for the purposes referred to above.

We will not sell, share, transfer or rent any personal data we hold.


Keeping Data Secure

The charity will take all appropriate measures to prevent unauthorised or unlawful processing of personal data and to protect personal data against loss, damage or destruction. 

  • Personal files for members, clients, trustees and employees will be kept in a locked filing cabinet at all times with access only by authorised staff.
  • Trustees’ details will be kept in a locked filing cabinet with access only by the Manager.
  • Electronic files containing personal data will be password protected and passwords will be changed on a regular basis.
  • Backed up electronic data will be held securely on an alternative site or, when off-site, will be password protected and only accessed by named staff.

If any data is taken from the office (e.g. work to home), the data will be held securely at all times whilst in transit and at the location where the data is held.


Data Breaches

Data breaches are when data is accessed or obtained incorrectly or by unauthorised people.

The GDPR has introduced a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals. The ICO has to be notified of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, those concerned also have to be notified, in most cases.

Because of the basic level of information kept in electronic format, it is unlikely that such an event would occur.

Files containing sensitive or personal information, including names, addresses and contact details, are password protected to keep them secure. 


Design and Impact Assessments

The GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. It also makes PIAs – referred to as ‘Data Protection Impact Assessments’ or DPIAs – mandatory in certain circumstances.

A DPIA is required in situations where data processing is likely to result in high risk to individuals, for example:

  • where a new technology is being deployed;
  • where a profiling operation is likely to significantly affect individuals; or
  • where there is processing on a large scale of the special categories of data.

If a DPIA indicates that the data processing is high risk, and the risk cannot sufficiently be addressed, it is required that the Charity consults the ICO to seek its opinion as to whether the processing operation complies with the GDPR.

There is currently no data processing taking place and therefore no impact assessment is currently required.


Data Protection Officer (DPO)

A DPO must be designated if the organisation is:

  • a public authority (except for courts acting in their judicial capacity);
  • an organisation that carries out the regular and systematic monitoring of individuals on a large scale; or
  • an organisation that carries out the large-scale processing of special categories of data, such as health records, or information about criminal convictions.

None of these apply to the charity and so there is no legal requirement to appoint a DPO.

It has, however, been decided that the Manager of the Fair Close Centre will oversee compliance with the GDPR, and the Policy and practice will be reviewed annually by the Trustees.