Privacy and Communications Policy
This policy will be reviewed on an ongoing basis, at least once a year. Time to Help UK and Dialogue Society will amend this policy, following consultation, where appropriate.
Date of last review: 23/08/2022
Data protection, privacy and communications policy.
Introduction. The Charity holds personal data about job applicants, employees, beneficiaries, partners, donors, and other individuals for a variety of purposes connected with the Charity’s work. This policy sets out how the Charity seeks to protect personal data and ensure staff understand the rules governing their use of personal data to which they have access in the course of their work. In particular, this policy requires staff to ensure that the Managing Director is consulted before any significant new data processing activity is initiated, so that relevant compliance steps are addressed.
Scope. This policy applies to all staff, which for these purposes includes employees, temporary and agency workers, other contractors, interns, and volunteers. All staff must be familiar with this policy and comply with its terms. The Charity may supplement or amend this policy with additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff before being adopted.
Definitions. In this policy:
Business purposes means the purposes for which personal data may be used by the Charity, e.g. personnel, administrative, financial, regulatory, payroll, and fund-raising purposes;
Personal Data means information relating to identifiable individuals, such as job applicants, current and former employees, agency, contract, and other staff, interns, volunteers, beneficiaries, partners, and donors. This includes expressions of opinion about the individual and any indication of someone else’s intentions towards the individual.
Sensitive Personal Data means personal data about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, sexual life, criminal offences, or related proceedings. Any use of sensitive personal data must be strictly controlled in accordance with this policy.
Processing Data means obtaining, recording, or holding data, or doing anything with it, such as organising, using, altering, retrieving, disclosing, or deleting it.
General principles. The Charity’s policy is to process personal data in accordance with the applicable data protection laws and rights of individuals as set out below. All employees have personal responsibility for the practical application of the Charity’s data protection policy. The Charity will observe the following principles in respect of the processing of personal data:
- to process personal data fairly and lawfully in line with individuals’ rights;
- to make sure that any personal data processed for a specific purpose are adequate, relevant, and not excessive for that purpose;
- to keep personal data accurate and up to date;
- to keep personal data for no longer than is necessary;
- to keep personal data secure against loss or misuse;
- not to transfer personal data outside the EEA (which includes the EU countries, Norway, Iceland, and Liechtenstein) without adequate protection.
Fair and lawful processing. Staff should generally not process personal data unless:
- the individual whose details are being processed has consented to this;
- the processing is necessary to perform the Charity’s legal obligations or exercise legal rights;
- the processing is otherwise in the Charity’s legitimate interests and does not unduly prejudice the individual’s privacy.
Gathering Data. When gathering personal data or establishing new data protection activities, staff should ensure that individuals whose data is being processed receive appropriate data protection notices to inform them how the data will be used. There are limited exceptions to this notice requirement. In any case of uncertainty as to whether a notification should be given, staff should contact the COO.
Sensitive Data. It will normally be necessary to have an individual’s explicit consent to process ‘sensitive personal data’, unless exceptional circumstances apply or the processing is necessary to comply with a legal requirement. The consent should be informed, which means it needs to identify the relevant data, why it is being processed and to whom it will be disclosed. Staff should contact the Managing Director for more information on obtaining consent to process sensitive personal data.
Accuracy, adequacy, relevance and proportionality. Staff should make sure data processed by them is accurate, adequate, relevant and proportionate for the purpose for which it was obtained. Personal data obtained for one purpose should generally not be used for unconnected purposes unless the individual has agreed to this or would otherwise reasonably expect the data to be used in this way.
Individuals may ask the Charity to correct personal data relating to them which they consider to be inaccurate. If a member of staff receives such a request and does not agree that the personal data held is inaccurate, they should nevertheless record the fact that it is disputed and inform the COO.
Staff must ensure that personal data held by the Charity relating to them is accurate and updated as required. If personal details or circumstances change, staff should inform the Charity so the Charity’s records can be updated.
Security. Staff must keep personal data secure against loss or misuse. Where the Charity uses external organisations to process personal data on its behalf, additional security arrangements need to be implemented in contracts with those organisations to safeguard the security of personal data. Staff should consult the Managing Director to discuss the necessary steps to ensure compliance when setting up any new agreement or altering any existing agreement.
Data retention. Personal data should not be retained for any longer than necessary. The length of time over which data should be retained will depend upon the circumstances including the reasons why the personal data were obtained.
Rights of individuals. Individuals are entitled (subject to certain exceptions) to request access to information held about them. All such requests should be referred immediately to the COO. This is particularly important because the Charity must respond to a valid request within the legally prescribed time limits.
Reporting breaches. Staff have an obligation to report actual or potential data protection compliance failures to the Managing Director. This allows the Charity to:
- Investigate the failure and take remedial steps if necessary.
- Make any applicable notifications.
Consequences of failing to comply. The Charity takes compliance with this policy very seriously. Failure to comply puts both staff and the Charity at risk. The importance of this policy means that failure to comply with any requirement may lead to disciplinary action, which may result in dismissal.
Breaches of this policy will be dealt with under the Grievance and/or Disciplinary procedures as appropriate.
The Organisation will monitor this policy to ensure it meets statutory and legal requirements including the Data Protection Act, Children’s Act, Rehabilitation of Offenders Act and Prevention of Terrorism Act. Training on the policy will include these aspects.
Ensuring the Effectiveness of the Policy
All Executive Committee members will receive a copy of the confidentiality policy. Existing and new workers will be introduced to the confidentiality policy via induction and training. The policy will be reviewed annually and amendments will be proposed and agreed by the Executive Committee.
If the personal details provided change, please help us to keep the information provided to us up to date by notifying email@example.com.
Data Protection Regulator
Further information and advice about data protection are available from The Office of the Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Tel: +44 (0) 01625 545 745. Website: https://www.ico.org.uk
End of policy