Data protection policy
Context and overview
- Policy prepared by: P. McGough
- Approved by trustees: 06/03/2018
- Policy became operational: 06/03/2018
- Next review date: 06/03/2019
Sunderland Cardiac Support Group needs to gather and use certain information about its members, i.e. names, addresses, telephone numbers and email addresses.
This policy describes how this personal data must be collected, handled and stored to meet the group's data protection standards and to comply with the law.
Why this policy exists
This data protection policy ensures Sunderland Cardiac Support Group:
- Complies with data protection law and follows good practice
- Protects the rights of trustees and members
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach.
Data protection law
The Data Protection Act 1998 describes how charities, including Sunderland Cardiac Support Group, must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act is underpinned by eight important principles. These say that personal data must:
- Be processed fairly and lawfully
- Be obtained only for specific, and lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for any longer than necessary
- Be processed in accordance with the rights of data subjects
- Be protected in appropriate ways
- Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection.
I have added these eight principles even though most will not apply to Sunderland Cardiac Support Group, just to show what is expected in law.
People, risks and responsibilities
This policy applies to:
- All volunteers and trustees, including any person employed in any way by Sunderland Cardiac Support Group
It applies to all data that the group holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This can include:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- Any other information relating to individuals
Data protection risks
This policy helps to protect Sunderland Cardiac Support Group from some very real security risks, including:
- Breaches of confidentiality. For instance, information being given out inappropriately
- Failing to offer choice. For instance, all individuals should be free to choose how the group uses data relating to them
- Reputational damage. For instance, the group could suffer if hackers successfully gained access to sensitive data
All trustees and people who work for Sunderland Cardiac Support Group have some responsibility for ensuring data is collected, stored and handled appropriately.
The board of trustees is ultimately responsible for ensuring Sunderland Cardiac Support Group handles personal data in line with this policy and data protection law.
The only people who should have access to data covered by this policy are those who need it for the everyday running of the group.
- Data should not be shared informally. When access to data is required, it should be only given on the understanding that it can only be used for reasons that comply with this policy.
- Personal data should not be disclosed to unauthorised people, either within the group or externally.
- Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
These rules describe how and where data should be safely stored:
- When data is stored on paper it should be kept in a secure place where unauthorised people cannot see it
- When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts
Subject access requests
All individuals who are the subject of personal data held by Sunderland Cardiac Support Group are entitled to:
- Ask what information the group holds about them and why.
- Ask how to gain access to it.
- Be informed on how to keep it up to date.
- Be informed how the group is meeting its data protection obligations.
If an individual contacts the group requesting this information, this is called a subject access request.
These requests can be made to any of the trustees, preferably in writing, and the information must be provided within 14 days.
It is up to the trustee to verify the identity of the member who is making the request.
Disclosing data for other reasons
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, Sunderland Cardiac Support Group will disclose requested data after checking that the request is legitimate.
Sunderland Cardiac Support Group aims to ensure that individuals are aware that their data is being processed, and that they understand:
- How the data is being used
- How to exercise their rights
To these ends, the group has a privacy statement, setting out how data relating to individuals is used by the group.
[This is available on request. A version of the statement is also on the group's website.]