Data Protection and GDPR Policy

August 2022

Positive Futures is committed to processing data in accordance with its responsibilities under the GDPR. The organisation will not hold information about individuals without their knowledge and consent as per GDPR. Article 5 of GDPR requires that personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Lawful, fair and transparent processing

  1. To ensure its processing of data is lawful, fair and transparent, the organisation shall maintain a Register of Systems.
  2. The Register of Systems shall be reviewed at least annually.
  3. Individuals have the right to access their personal data and any such requests made to the charity shall be dealt with in a timely manner.
  4. Individuals have the right to remove their personal data from Positive Futures’ systems at any point.

Lawful purposes

  1. All processing of data by the charity must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information).
  2. The Charity shall note the appropriate lawful basis in the Register of Systems.
  3. Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
  4. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the organisation’s systems.

Data minimisation

  1. Positive Futures shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Maintaining the accuracy of data

  1. The Charity shall take reasonable steps to ensure personal data is accurate.
  2. Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
  3. Positive Futures will seek to maintain accurate information by creating ways in which data subjects can update the information held.

Archiving/removal of data

  1. To ensure that personal data is kept for no longer than necessary, the Charity shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
  2. The archiving policy shall consider what data should/must be retained, for how long, and why.

Data Security

  1. The Charity shall ensure that personal data is stored securely by password and appropriate encryption using modern software that is kept up to date.
  2. Positive Futures will ensure that all personal paper records are stored securely in locked metal cabinets, and unwanted paper data is disposed of in a secure way.
  3. Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
  4. When personal data is deleted this should be done safely such that the data is irrecoverable.
  5. Appropriate backup and disaster recovery solutions shall be in place.
  6. Information about data subjects will not be disclosed to other organisations or to individuals who are not members of Positive Futures staff except where there is explicit consent.
  7. Positive Futures ensures that all staff and volunteers are aware of this data protection policy, and understand its implications for their work role, and Positive Futures’ legal obligations.
  8. There may be situations where Positive Futures works in partnership with other organisations on projects which require data sharing. Positive Futures will clarify which organisation is to be the Data Controller and will ensure that the Data Controller deals correctly with any data which Positive Futures has collected.
  9. Information about data subjects will not be disclosed to other organisations or to individuals who are not members of Positive Futures or the Board of Directors except in circumstances where this is a legal requirement or where there is explicit consent.

Data Breach

  1. In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data, the Charity shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO (more information on the ICO website).

Compliance

  1. All new staff will be given training on the data protection policy and procedures.
  2. Positive Futures will carry out a review of its data protection policy and procedures bi-annually, or in response to legislative change.
  3. Positive Futures ensures that all staff and volunteers are aware of this data protection policy, and understand its implications for their work role, and Positive Futures’ legal obligations.
  4. At the beginning of any new project or type of activity the responsible person will ensure that data protection is thoroughly considered, and procedures put into practice.

Definitions

Charity – means Positive Futures, a registered charity.

Organisation – means Positive Futures, a registered charity.

GDPR – means the General Data Protection Regulation.

Responsible Person – Jan Gomez

Register of Systems – means a register of all systems or contexts in which personal data is processed by the Charity.