Policy Statement
PhysCap Children’s Charity collects and uses information about people with whom it communicates. This personal information must be dealt with properly and securely however it is collected, recorded and used – whether on paper, in a computer, or recorded on other material – and there are safeguards to ensure this in the General Data Protection Regulations 2018.
PhysCap Children’s Charity regards the lawful and correct treatment of personal information as very important to the successful and efficient performance of its functions, and to maintain confidence between those with whom it deals. To this end PhysCap Children’s Charity fully endorses and adheres to the General Data Protection Regulations, as set out in the General Data Protection Regulations 2018.
Purpose
The purpose of this policy is to ensure that the staff, and trainees of PhysCap Children’s Charity are clear about the purpose and principles of Data Protection and to ensure that it has guidelines and procedures in place which are consistently followed.
Failure to adhere to the General Data Protection Regulations is unlawful and could result in legal action being taken against PhysCap Children’s Charity or its staff, volunteers or trustees.
Principles
The General Data Protection Regulation Act 2018 regulates the processing of information relating to living and identifiable individuals (data subjects). This includes the obtaining, holding, using or disclosing of such information, and covers computerised records as well as manual filing systems and card indexes.
Data users must comply with the data protection principles of good practice which underpin the Act. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
To do this PhysCap Children’s Charity follows the main Data Protection Principles outlined in the General Data Protection Regulation 2018, which are summarised below:
I. Personal data will be processed fairly and lawfully II. Data will only be collected and used for specified purposes III. Data will be adequate, relevant and not excessive IV. Data will be accurate and up to date V. Data will not be held any longer than necessary VI. Data subject’s rights will be respected VII. Data will be kept safe from unauthorised access, accidental loss or damage VIII. Data will not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
Cont..
General Data Protection Regulations Policy 25th May 2018
Cont..
The principles apply to “personal data” which is information held on computer or in manual filing systems from which they are identifiable. PhysCap Children’s Charity.’s employees who process or use any personal information in the course of their duties will ensure that these principles are followed at all times.
Procedures
The following procedures have been developed in order to ensure that PhysCap Children’s Charity meets its responsibilities in terms of Data Protection. For the purposes of these procedures data collected, stored and used by PhysCap Children’s Charity falls into 2 broad categories:
1. PhysCap Children’s Charity’s internal data records;
2. PhysCap Children’s Charity’s external data records;
PhysCap Children’s Charity as a body is a DATA CONTROLLER, and the Management is ultimately responsible for the policy’s implementation.
Consent
Personal data is collected in person, over the phone and using other methods such as e-mail. During this initial contact, the data owner is given an explanation of how this information will be used.
Written consent is not requested as it is assumed that the consent has been granted when an individual freely gives their own details.
Personal data will not be passed on to anyone outside the organisation without explicit consent from the data owner unless there is a legal duty of disclosure under other legislation. Contact details held on the organisation’s database may be made available to groups/ individuals outside of the organisation. Individuals are made aware of when their details are being collected for the database and their verbal or written consent is requested.
For marketing purposes, we will only contact individuals who have chosen to opt-in to any marketing by electronic means, email or SMS messaging.
Internal data records
Purposes
PhysCap Children’s Charity obtains personal data (names, addresses, phone numbers, email addresses), application forms, and references and in some cases other documents from staff, volunteers or trustees.
Cont..
General Data Protection Regulations Policy 25th May 2018
Cont..
Access
The contact details of its associates will only made available to other staff, volunteers or trustees.
Any other information supplied on application will be kept in a secure filing cabinet and is not accessed during the day to day running of the organisation.
Contact details of staff, volunteers or trustees will not be passed on to anyone outside the organisation without their explicit consent.
Staff, volunteers or trustees will be supplied with a copy of their personal data held by the organisation if a request is made. All confidential post must be opened by the addressee only.
External data records
Purposes
PhysCap Children’s Charity obtains personal data (such as names, addresses, and phone numbers) from grant applications and help requests.
This data is obtained, stored and processed to assist staff in the efficient running of services and process. Company information is also used to facilitate applications for funding.
Most of this information is stored on the organisation’s database. Hard copy documents, including funding documents will be retained for a minimum of 3 years and a maximum of 7 years.
PhysCap Children’s Charity obtains personal data and information from applicants and other companies in order to provide services. This data is stored and processed only for the purposes outlined in the agreement and service specification signed by the applicant and company.
Storage
Paper-based data is stored in organised in secure cabinets within our registered office and in secure folders when used by our assessors in the field. PhysCap Children’s Charity operates a clear desk and internally and unattended vehicle policy at all times. Where necessary instructors and assessors will store personal data in respect to training information in paper form in a secured folder and case system in their vehicle during their working day.
Internally and at our registered address PhysCap Children’s Charity. Digital data is kept securely on our internal server and accessed at our registered address through authorised computers that are password-protected, passwords are updates every 30 days.
Externally and where necessary instructors and assessors will store personal data in respect to training information in digital form in a Password protected device/laptop and case system in their vehicle during their working day.
Cont..
General Data Protection Regulations Policy 25th May 2018
Cont..
Access
Only the organisation’s staff volunteers or trustees will normally have access to personal data.
All staff, volunteers or trustees, whether in our offices or in the field adhere to the companies the Data Protection Policy and their obligation not to disclose personal data to anyone who is not supposed to have it. Information supplied is kept in a secure filing, paper and electronic system and is only accessed by those individuals involved in the delivery of the service.
Information will not be passed on to anyone outside the organisation without their explicit Consent.
Individuals will be supplied with a copy of any of their personal data held by the organisation if a request is made.
Responsibilities of staff, and associates
They may be told or overhear sensitive information while working for PhysCap Children’s Charity. The Data Protection Act (1988) gives specific guidance on how this information should be dealt with. In short to comply with the law, personal information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. Staff, volunteers or trustees, paid or unpaid must abide by this policy.
Accuracy
PhysCap Children’s Charity will take reasonable steps to keep personal data up to date and accurate. Personal data will be stored for as long as the applicant uses our services and normally longer. Where an applicant has accessed funding records will be retained for the period required by the funding authority.
Where an individual cease to use our services and it is not deemed appropriate to keep their records, their records will be destroyed However, unless we are specifically asked by an individual to destroy their details, we will normally keep them on file for future reference.
If a request is received from an organisation/ individual to destroy their records, we will remove their details from the database and request that all staff holding paper or electronic details for the organisation destroys them. This work will be carried out by the Data Protection Officer. This procedure applies if PhysCap Children’s Charity is informed that an organisation ceases to exist.
Use of Photographs
Where practicable, PhysCap Children’s Charity will seek consent from individuals before displaying photographs in which they appear. If this is not possible (for example, a large group photo), the organisation will remove any photograph if a complaint is received. This policy also applies to photographs published on the organisations website or in the Newsletter.
Cont..
General Data Protection Regulations Policy 25th May 2018
Cont..
Personal Data Requests
Personal Data Requests must be given in writing to the Data Protection Officer (DPO) for PhysCap Children’s Charity. Where applicable we may require proof of identity for this request.
Data Protection Officer PhysCap Children’s Charity Unit 7 Gemini Business Park Sheepscar Way Leeds LS7 3JB
enquiries@physcap.org
Once acknowledged the DPO will provide the relevant information within 28 days of request. If the personal data request is not met by PhysCap Children’s Charity within 28 days of request. or you are unhappy with the personal data report.
The next action would be to contact the Information Commissioners Office (ICO) with the relevant information for the ICO to peruse this grievance on your behalf. More information about the ICO and the General Data Protection Regulations can be found at. www.ico.or.uk