Data protection policy
1. The purpose of this policy
1.2 This policy has been developed to ensure that Royal Voluntary Service complies with the Data Protection Act 2018 (“the Act”) and the UK General Data Protection Regulations (“the Regulation”) (together “Data Protection Law”), so that any data which it holds is stored safely, processed correctly and not unlawfully disclosed to any other
1.3 This policy sets out the principles which Royal Voluntary Service applies in processing personal data and the responsibilities that relate to that processing. It is intended, together with any supporting procedures and training, to ensure that data is treated with respect, in compliance with the law and in a way that helps to keep everyone, including Royal Voluntary Service, safe.
2. What is personal data?
2.2 Some personal data is more sensitive than the every-day personal data mentioned above and requires additional protection. This is information related to race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric ID data, health data, sexual life and/or sexual orientation and criminal conviction and criminal offences data. RVS may hold and process data that falls within some of these categories in addition to the personal data described at 2.1 above.
2.3 Personal data can include data that relates to someone under the age of 16 years. Royal Voluntary Service may hold and process data that relates to a child where, for, example, they volunteer for the charity. In that case, Royal Voluntary Service will ensure that a parent’s/guardian’s consent is obtained before the personal data is collected.
3. Data protection principles
- processed lawfully, fairly and in a transparent manner
- used only for limited, specified stated purposes and not used or disclosed in any way which is incompatible with those purposes
- adequate, relevant and limited to what is necessary
- accurate and where necessary kept up to date
- not kept for longer than necessary
- kept safe and secure.
4. Royal Voluntary Service's commitment to Data Protection principles
4.1 As part of its commitment to the data protection principles outlined above, Royal Voluntary Service will:
a. appoint a Data Protection Officer
b. comply with and observe the principles of Data Protection Law and only process data in accordance with Data Protection Law
c. only use personal data to support the charity’s legitimate activities
d. ensure that Data Subjects are informed in a timely manner about the data that Royal Voluntary Service will collect, how it will be used and their rights in relation to it
e. ensure that data in its possession is stored securely either physically or via appropriate information technology controls
f. ensure that data is correctly processed, kept up-to-date, not unlawfully shared and retained in accordance with the charity’s Records Retention Policy
g. provide appropriate mandatory and refresher training, guidance and support to help those who process data understand their responsibilities under Data Protection Law
h. keep registrations with the ICO up-to-date and ensure that data breach incidents and/or near misses are logged and reported to the ICO and other regulators where necessary
i. ensure, if Royal Voluntary Service need to use a third party supplier to process personal data, that certain protections required by the Regulation are included in the contract with the supplier and that the supplier adopts appropriate measures to safeguard the data
j. on receipt of a lawful request, share information with United Kingdom law enforcement agencies and/or judicial bodies. If it does so, Royal Voluntary Service will inform the ICO of its actions and record the facts in the RVS Data Protection Register.
5. Rights of data subjects
6. Roles & responsibilities
6.1 Royal Voluntary Service uses the following structure to support its data protection activities:
a. Security & Information Steering Group (SISG) – oversees data protection and data security for Royal Voluntary Service, is chaired by the SIRO and reports to Leadership Team via the SIRO.
b. Senior Information Risk Owner (SIRO) – the SIRO is the owner of this policy on behalf of the charity’s Trustees and owns the overall risk arising from the processing of personal data by Royal Voluntary Service. The SIRO reports to Leadership Team, the charity’s Audit and Risk Committee and then the charity’s Board of Trustees as necessary
c. Data Protection Officer (DPO) – the DPO will:
- maintain Royal Voluntary Service’s registration with the Information Commissioners Office and act as the first point of contact with the Information Commissioners Office
- provide advice, guidance and direction on data protection issues and compliance within Royal Voluntary Service
- maintain and implement this policy
- provide support on subject access requests
- receive any complaints regarding data management
- maintain the Royal Voluntary Service Data Protection Register, which will detail actions taken by the Data Protection Officer on behalf of RVS in relation to specific issues arising under Data Protection Law
- maintain a Record of its Processing Activities (ROPA)
- make any recommendations for improvement.
d. Line managers are responsible for ensuring compliance with the policy within their areas of responsibility.
7. Privacy statements
7.1 Royal Voluntary Service has an appropriate privacy notice setting out how Royal Voluntary Service processes personal data. This statement can be found on the Royal Voluntary Service website and will be kept up-to-date.
7.2 Royal Voluntary Service also has an appropriate privacy statement for employees explaining how Royal Voluntary Service processes employee data. This statement can be found on the charity’s internal i-Trent system and will be kept up-to-date.
7.3 These privacy statements will be used by Royal Voluntary Service to explain to Data Subjects what kind of personal data Royal Voluntary Service collects, the legal basis on which the charity relies for processing that data, Data Subjects’ rights in relation to that data, security measures, retention periods and whether data is transferred or shared with third parties.
8. Retention of data
8.1 Royal Voluntary Service is obliged by law to keep information for differing lengths of time as recorded in Royal Voluntary Service’s data retention
8.2 Royal Voluntary Service does and will continue to use the services of third party storage suppliers for the purpose of storage and disposal of data and will continue to select its suppliers based on their ISO credentials and security certification;
8.3 Archived data held off site in non Royal Voluntary Service buildings will be retained in accordance with the data retention policy before confidential
9. Policy review
9.1 This policy will be reviewed every three years or sooner if required.
10. Definitions used in this policy review
10.1 In this policy the following words shall have the following meanings:
means any living individual who is the subject of personal data including any RVS employees, volunteers, service users, family, friends or associates of those individuals and any RVS supporters, donors, suppliers, contractors or consultants.
means the Information Commissioners Office.
“Royal Voluntary Service individuals”
means any Royal Voluntary Service employee, volunteer and/or other person working under the umbrella of RVS and/or who has access to data.
“Royal Voluntary Service”
means Royal Voluntary Service, company number 2520413, ICO registration reference Z9787450, and Royal Voluntary Service Services Welfare Limited, company number 2778476, ICO registration reference ZA277593.