Data protection policy

1. The purpose of this policy

1.1 Royal Voluntary Service collects, holds and processes certain information about its clients, volunteers, employees and donors to ensure that it can meet its commitments to those that it supports, protect those whom it helps, support its legitimate charitable activities and operate its management functions.

1.2 This policy has been developed to ensure that Royal Voluntary Service complies with the Data Protection Act 2018 (“the Act”) and the UK General Data Protection Regulations (“the Regulation”) (together “Data Protection Law”), so that any data which it holds is stored safely, processed correctly and not unlawfully disclosed to any other

1.3 This policy sets out the principles which Royal Voluntary Service applies in processing personal data and the responsibilities that relate to that processing. It is intended, together with any supporting procedures and training, to ensure that data is treated with respect, in compliance with the law and in a way that helps to keep everyone, including Royal Voluntary Service, safe.

2. What is personal data?

2.1 Personal data includes any information relating to an identified or identifiable natural living person. Examples of personal data held and processed by Royal Voluntary Service include an individual’s name, address, date of birth, national insurance number, email address and telephone number.

2.2 Some personal data is more sensitive than the every-day personal data mentioned above and requires additional protection. This is information related to race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric ID data, health data, sexual life and/or sexual orientation and criminal conviction and criminal offences data. Royal Voluntary Service may hold and process data that falls within some of these categories in addition to the personal data described at 2.1 above.

2.3 Personal data can include data that relates to someone under the age of 16 years. Royal Voluntary Service may hold and process data that relates to a child where, for, example, they volunteer for the charity. In that case, Royal Voluntary Service will ensure that a parent’s/guardian’s consent is obtained before the personal data is collected.

3. Data protection principles

3.1 Article 5 of the Regulation sets out certain principles which Royal Voluntary Service must meet in relation to the way in which it handles personal data. These principles are that personal data must be:

processed lawfully, fairly and in a transparent manner
used only for limited, specified stated purposes and not used or disclosed in any way which is incompatible with those purposes
adequate, relevant and limited to what is necessary
accurate and where necessary kept up to date
not kept for longer than necessary
kept safe and secure.

3.2 In addition, Royal Voluntary Service must be able to evidence its compliance with these six principles. This so-called “Accountability” principle is an important part of Royal Voluntary Service’s compliance with Data Protection Law.

4. Royal Voluntary Service's commitment to Data Protection principles

4.1 As part of its commitment to the data protection principles outlined above, Royal Voluntary Service will:

a. appoint a data protection officer

b. comply with and observe the principles of Data Protection Law and only process data in accordance with Data Protection Law

c. only use personal data to support the charity’s legitimate activities

d. ensure that data subjects are informed in a timely manner about the data that Royal Voluntary Service will collect, how it will be used and their rights in relation to it

e. ensure that data in its possession is stored securely either physically or via appropriate information technology controls

f. ensure that data is correctly processed, kept up-to-date, not unlawfully shared and retained in accordance with the charity’s Records Retention Policy

g. provide appropriate mandatory and refresher training, guidance and support to help those who process data understand their responsibilities under Data Protection Law

h. keep registrations with the ICO up-to-date and ensure that data breach incidents and/or near misses are logged and reported to the ICO and other regulators where necessary

i. ensure, if Royal Voluntary Service need to use a third party supplier to process personal data, that certain protections required by the Regulation are included in the contract with the supplier and that the supplier adopts appropriate measures to safeguard the data

j. on receipt of a lawful request, share information with United Kingdom law enforcement agencies and/or judicial bodies. If it does so, Royal Voluntary Service will inform the ICO of its actions and record the facts in the Royal Voluntary Service Data Protection Register.

4.2 It will be the responsibility of all Royal Voluntary Service individuals to:

a. check that any information they provide to Royal Voluntary Service in connection with their Royal Voluntary Service role is accurate and up-to-date

b. inform Royal Voluntary Service of any error or change to the information provided as Royal Voluntary Service cannot be responsible for any errors of which it has not been notified

c. comply with Data Protection Law, this policy and any Royal Voluntary Service data protection procedure and ensure, for example, that any data is kept securely, is not unlawfully disclosed (either orally or in writing or otherwise) to, or shared with, any unauthorised third party and that any data breaches are reported to the data protection officer as soon as they become aware of them

5. Rights of data subjects

5.1 Royal Voluntary Service respects that the Regulation provides the following rights for data subjects:

The right to be informed

Data subjects have the right to be informed about the collection and use of their personal data. This is usually via a privacy notice.

The right of access

Data subjects can make a Subject Access Request (SAR) in order to access personal data that Royal Voluntary Service holds about them.

The right to rectification

Data subjects have a right to require that any incomplete or inaccurate information is corrected.

The right to erasure

Data subjects have the right, in certain circumstances, to require that their personal data is deleted.

The right to restrict processing

Data subjects have the right, in certain circumstances, to require that Royal Voluntary Service's use of their personal data is restricted.

The right to data portability

Data subjects have the right, in certain circumstances, to receive their personal data in a structured, commonly used and machine-readable format and/or transmit that data to a third party.

The right to object

Data subjects have the right to object to their personal data being processed for direct marketing (including profiling) and the right, in certain circumstances, to object to the continued processing of their personal data on the basis of legitimate interests.

Rights in relation to automated decision making and profiling

Data subjects have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning them or similarly significantly affects them.

5.2 Royal Voluntary Service acknowledges the rights of data subjects as above and will ensure that it observes these rights in its dealings with data subjects.

6. Roles & responsibilities

6.1 Royal Voluntary Service uses the following structure to support its data protection activities:

a. Security & Information Steering Group (SISG) – oversees data protection and data security for Royal Voluntary Service, is chaired by the SIRO and reports to Leadership Team via the SIRO.

b. Senior Information Risk Owner (SIRO) – the SIRO is the owner of this policy on behalf of the charity’s Trustees and owns the overall risk arising from the processing of personal data by Royal Voluntary Service. The SIRO reports to Leadership Team, the charity’s Audit and Risk Committee and then the charity’s Board of Trustees as necessary

c. Data protection officer (DPO) – the DPO will:

- maintain Royal Voluntary Service’s registration with the Information Commissioners Office and act as the first point of contact with the Information Commissioners Office
- provide advice, guidance and direction on data protection issues and compliance within Royal Voluntary Service
- maintain and implement this policy
- provide support on subject access requests
- receive any complaints regarding data management
- maintain the Royal Voluntary Service Data Protection Register, which will detail actions taken by the Data Protection Officer on behalf of RVS in relation to specific issues arising under Data Protection Law
- maintain a Record of its Processing Activities (ROPA)
- make any recommendations for improvement.

The DPO can be contacted at Royal Voluntary Service, PO Box 565, Unit B, RD Park, Hoddesdon EN11 0RF. Email: dataprotection@royalvoluntaryservice.org.uk Tel: 029 2073 9184

d. Line managers are responsible for ensuring compliance with the policy within their areas of responsibility.

7. Privacy notices

7.1 Royal Voluntary Service has an appropriate privacy notice setting out how Royal Voluntary Service processes personal data. This notice can be found on the Royal Voluntary Service website and will be kept up-to-date.

7.2 Royal Voluntary Service also has an appropriate privacy notice for employees explaining how Royal Voluntary Service processes employee data. This statement can be found on the charity’s internal i-Trent system and will be kept up-to-date.

7.3 These privacy notices will be used by Royal Voluntary Service to explain to data subjects what kind of personal data Royal Voluntary Service collects, the legal basis on which the charity relies for processing that data, data subjects’ rights in relation to that data, security measures, retention periods and whether data is transferred or shared with third parties.

8. Retention of data

8.1 Royal Voluntary Service is obliged by law to keep information for differing lengths of time as recorded in Royal Voluntary Service’s data retention.

8.2 Royal Voluntary Service does and will continue to use the services of third party storage suppliers for the purpose of storage and disposal of data and will continue to select its suppliers based on their ISO credentials and security certification.

8.3 Archived data held off site in non Royal Voluntary Service buildings will be retained in accordance with the data retention policy before confidential.

9. Policy review

9.1 This policy will be reviewed every three years or sooner if required.

10. Definitions used in this policy review

10.1 In this policy the following words shall have the following meanings:

“Data Subject”
means any living individual who is the subject of personal data including any Royal Voluntary Service employees, volunteers, service users, family, friends or associates of those individuals and any Royal Voluntary Service supporters, donors, suppliers, contractors or consultants.

“ICO”
means the Information Commissioners Office.

“Royal Voluntary Service individuals”
means any Royal Voluntary Service employee, volunteer and/or other person working under the umbrella of Royal Voluntary Service and/or who has access to data.

“Royal Voluntary Service”
means Royal Voluntary Service, company number 2520413, ICO registration reference Z9787450, and Royal Voluntary Service Services Welfare Limited, company number 2778476, ICO registration reference ZA277593.

Volunteering

Our services

Support us

About us