Data Protection Policy
1. The purpose of this policy
1.2. This policy has been developed to ensure that Royal Voluntary Service complies with the Data Protection Act 2018 (“the Act”) and the General Data Protection Regulations, so that any data which it holds is stored safely, processed correctly and not unlawfully disclosed to any other person.
2. Definitions used in this policy
- “Data Subject” - means any living individual who is the subject of personal data including any Royal Voluntary Service employees, volunteers, service users, family, friends or associates of those individuals and any Royal Voluntary Service supporters, donors, suppliers, contractors or consultants.
- “Royal Voluntary Service Individuals” - means any Royal Voluntary Service employee, volunteer and/or other person working under the umbrella of Royal Voluntary Service and who has access to information.
3. The Data Controller
- maintain Royal Voluntary Service’ registration with the Information Commissioners Office and act as the first point of contact with the Information Commissioners Office
- provide advice, guidance and direction on data protection issues within Royal Voluntary Service
- receive any complaints regarding data management
- maintain the Royal Voluntary Service Data Protection Register.
4. Compliance with the Act, this policy and the Royal Voluntary Service Data Protection Procedure
4.1 Royal Voluntary Service and any Royal Voluntary Service Individual must comply with the Act, the Regulation, this policy and any Royal Voluntary Service Data Protection Procedure. This means that personal data must be handled in accordance with the principles of good handling specified in the Act and Regulation ie that personal data is:
- processed lawfully, fairly and in a transparent manner
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary
- accurate and where necessary kept up to date
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed
- processed in a manner that ensures appropriate security of the personal data.
Examples of personal data within Royal Voluntary Service include an individual’s name, address, date of birth, national insurance number, email address and telephone number.
- ensure that data in its possession is stored securely, correctly processed and not unlawfully distributed
- process data in accordance with the Act and Regulation
- provide appropriate training, guidance and support to help Royal Voluntary Service Individuals comply with the Act and Regulation, this policy and any Royal Voluntary Service Data Protection Procedure
- on receipt of a lawful request share information with United Kingdom law enforcement agencies and/or judicial bodies. If it does so Royal Voluntary Service will inform the Information Commissioners Office of its actions and record the facts in the Royal Voluntary Service Data Protection Register.
- check that any information they provide to Royal Voluntary Service in connection with their Royal Voluntary Service role is accurate and up-to-date;
- inform Royal Voluntary Service of any error or change to the information provided; Royal Voluntary Service will not be responsible for any errors of which it has not been notified;
- comply with the Act, the Regulation, this policy and any Royal Voluntary Service Data Protection Procedure and to ensure, for example, that any data is kept securely and is not disclosed either orally or in writing accidentally or otherwise with any unauthorised third party.
6. Sensitive personal data
6.1 Royal Voluntary Service recognises that sensitive personal data is likely to be of a private nature and that it may only be processed with the express consent of a Data Subject. The Act defines sensitive personal data as including:
- racial or ethnic origin
- political opinion
- religious beliefs or other beliefs of a similar nature
- trade union membership
- biometrics (where used for ID purposes)
- sex life or orientation.
Examples of the type of sensitive personal data that Royal Voluntary Service may hold include details of an individual’s health, medication, physical needs. Criminal convictions although no longer classed as sensitive will still be dealt with in full confidence as per the policy. Royal Voluntary Service will strive to collect and hold only data that is necessary and appropriate for the charity to provide its activities.
7. Rights to access information
7.1 Royal Voluntary Service acknowledges that any Data Subject has the right to request access to any personal data regarding them held by Royal Voluntary Service that is kept in electronic or paper form. Royal Voluntary Service will make no charge for requests as per the regulation
7.2 Royal Voluntary Service will on written request, notify a Data Subject of the data held by Royal Voluntary Service concerning them and the reasons as to why any data is being processed. Royal Voluntary Service will record the request and response in the Data Protection Register
7.3 Royal Voluntary Service will comply with reasonable requests for access to personal data within 30 days of the date of receipt of the written request and as quickly as possible unless there is a good and fair reason for delay. If a delay is envisaged the Data Controller will inform the requester of the delay and the reasons for it in writing and this will be recorded in the Data Protection Register.
8. The data protection register
8.1 Royal Voluntary Service will hold, maintain and update a Data Protection Register which will detail actions taken by the Data Protection Officer on behalf of Royal Voluntary Service in relation to specific issues arising under the Act and Regulation, and the reasons for those actions. The Data Protection Register will be:
- held by the Data Protection Officer on behalf of Royal Voluntary Service
- secured on the Royal Voluntary Service “S” drive
- accessible only by those Royal Voluntary Service individuals explicitly authorised by the Royal Voluntary Service Executive Finance Director or in his absence the Royal Voluntary Service Head of Governance
9. Retention of Data
9.1 Royal Voluntary Service is obliged by law to keep information for differing lengths of time as recorded in Royal Voluntary Service’ Data Retention Policy.
9.2 Royal Voluntary Service does and will continue to use the services of third party storage suppliers for the purpose of storage and disposal of data and will continue to select its suppliers based on their ISO credentials and security certification
9.3 Archived data held off site in non Royal Voluntary Service buildings will be retained in accordance with the Data Retention Policy before confidential destruction.
10. Policy review
10.1 This policy will be reviewed annually or sooner if required.