Data protection policy
Context and overview
- Policy prepared by: P. McGough
- Approved by Trustees: 06/03/2018
- Policy became operational: 06/03/2018
- Next review date: 06/03/2019
Sunderland Cardiac Support Group needs to gather and use certain information about its members, i.e. names, addresses, telephone numbers and email addresses.
This policy describes how this personal data must be collected, handled and stored to meet the group’s data protection standards and to comply with the law.
Why this policy exists
This data protection policy ensures Sunderland Cardiac Support Group:
- Complies with data protection law and follows good practice
- Protects the rights of trustees and members
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach.
Data protection law
The Data Protection Act 1998 describes how charities, including Sunderland Cardiac Support Group, must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, or on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act is underpinned by eight important principles. These say that personal data must:
- Be processed fairly and lawfully
- Be obtained only for specific and lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for any longer than necessary
- Be processed in accordance with the rights of data subjects
- Be protected in appropriate ways
- Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection.
Have added these eight principles even though most will not apply to Sunderland Cardiac Support Group, just to show what is expected in law.
People, risks and responsibilities
This policy applies to:
- All volunteers and Trustees, including any person employed in any way by Sunderland Cardiac Support Group
It applies to all data that the group holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This can include:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- Plus, any other information relating to individuals
Data protection risks
This policy helps to protect Sunderland Cardiac Support Group from some very real security risks, including:
- Breaches of confidentiality. For instance, information being given out inappropriately
- Failing to offer choice. For instance, all individuals should be free to choose how the group uses data relating to them
- Reputational damage. For instance, the group could suffer if hackers successfully gained access to sensitive data
All trustees and people who work for Sunderland Cardiac Support Group have some responsibility for ensuring data is collected, stored and handled appropriately.
The board of Trustees is ultimately responsible for ensuring Sunderland Cardiac Support Group handles personal data in line with this policy and the data protection law.
The only people who should have access to data covered by this policy are those who need it for the everyday running of the group.
- Data should not be shared informally. When access to data is required, it should only be given on the understanding that it can only be used for reasons that comply with this policy.
- Personal data should not be disclosed to unauthorised people, either within the group or externally.
- Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
These rules describe how and where data should be safely stored:
- When data is stored on paper it should be kept in a secure place where unauthorised people cannot see it
- When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts
Subject access requests
All individuals who are the subject of personal data held by Sunderland Cardiac Support Group are entitled to:
- Ask what information the group holds about them and why.
- Ask how to gain access to it.
- Be informed on how to keep it up to date.
- Be informed how the group is meeting its data protection obligations.
If an individual contacts the group requesting this information, this is called a subject access request.
These requests can be made to any of the trustees, preferably in writing, and the information must be provided within 14 days.
It is up to the trustee to verify the identity of the member who is making the request.
Disclosing data for other reasons
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, Sunderland Cardiac Support Group will disclose requested data after checking that the request is legitimate.
Sunderland Cardiac Support Group aims to ensure that individuals are aware that their data is being processed, and that they understand:
- How the data is being used
- How to exercise their rights
To these ends, the group has a privacy statement, setting out how data relating to individuals is used by the group.
[This is available on request. A version of the statement is also on the Group’s website.]
Sunderland Cardiac Support Group’s Financial Policy
Financial Records and Accounts
1) Financial records will be kept so that:
- The S.C.S.G meets its legal and other statutory obligations, such as Charity Acts, Her Majesty’s Revenue & Customs and common law.
- The trustees have proper financial control of the organisation.
- The organisation meets the contractual obligations and requirements of funders.
2) The books of accounts must include:
- A cashbook analysing all the transactions appearing on the bank accounts
- A petty cash book if cash payments are being made.
These are both incorporated in the spreadsheet, which the treasurer keeps for each month.
3) Accounts will be drawn up at the end of each financial year within 3 months of the financial year end and presented to the next Annual General Meeting.
4) Prior to the start of each financial year, the trustees will approve a budgeted income and expenditure account for the following year.
5) A report comparing actual income and expenditure with the budget should be presented to the trustees every three months or whenever meetings take place.
6) The AGM will appoint an appropriately qualified auditor/ independent examiner to audit or examine the accounts before presentation to the next AGM.
1) The S.C.S.G banks with Virgin Money plc at its 10 The Bridges Branch, Sunderland, and the accounts are held in the name of the S.C.S.G. The following accounts will be maintained:
- Charity Account No 1
- Charity Account No 2 is also held at Yorkshire Building Society as a savings account.
2) The bank mandate (list of people who can sign cheques on the organisation’s behalf) will always be approved and minuted by the trustees, as will any changes to it.
3) S.C.S.G will require the bank to provide statements every month, and these will be reconciled with the cash book at least every three months. The treasurer will spot check that this reconciliation has been done at least twice a year, signing the cash book accordingly. (These are covered with the passbooks that both societies provide.)
4) The S.C.S.G will not use any other bank or financial institution or use overdraft facilities or loans without the agreement of the trustees.
- All monies received will be recorded promptly in the cash analysis book and banked without delay (this includes sundry receipts such as payment for telephone calls, photocopying etc.). S.C.S.G will maintain files of documentation to back this up.
2) The aim is to ensure that all expenditure is on the charity’s business and is properly authorised and that this can be demonstrated. The latest approved budget provides the cheque signatories with authority to spend up to the budgeted expenditure, not beyond it.
3) The Director will be responsible for holding the cheque books (including unused and partly used cheque books) which should be kept under lock and key.
4) Blank cheques will NEVER be signed.
5) The relevant payee’s name will always be inserted on the cheque before signature and the cheque stub will always be properly completed.
6) No cheques should be signed without original documentation.
1) S.C.S.G does not accept liability for any financial commitment unless properly authorised. Any orders placed or undertakings given which are likely to cost the S.C.S.G must be authorised and minuted by the trustees.
2) In exceptional circumstances such undertakings can be made with the approval of the Chairperson, who will then provide full details to the next meeting of the trustees. (This covers such items as the new service contracts, office equipment, purchase and hire).
3) All fundraising and grant applications undertaken on behalf of the organisation will be done in the name of S.C.S.G with the prior approval of the trustees or, in urgent situations, the approval of the Chairperson, who will provide full details to the next trustees’ meeting.
4) The S.C.S.G will adhere to good practice in relation to its finances at all times, e.g. when relevant it will set up and maintain a fixed asset register stating the date of purchase, cost, serial numbers and normal location of assets. Additionally, the S.C.S.G will maintain a property record of items of significant value, with an appropriate record of their use.