Data Protection Policy
Scope of the policy
This policy applies to the work of KINAMBA COMMUNITY PROJECT – registered charity no 1126601. The policy sets out the requirements that KINAMBA COMMUNITY PROJECT has to gather personal information for fundraising, sponsorship and information purposes. The policy details how personal information will be gathered, stored and managed in line with data protection principles and the General Data Protection Regulation. The policy is reviewed on an ongoing basis by the KINAMBA COMMUNITY PROJECT Trustees to ensure that KINAMBA COMMUNITY PROJECT is compliant. This policy should be read in tandem with the KINAMBA COMMUNITY PROJECT Privacy Policy.
Why this policy exists
This data protection policy ensures that KINAMBA COMMUNITY PROJECT:
- Complies with data protection law and follows good practice
- Protects the rights of Trustees, donors, sponsors, supporters
- Is open about how it stores and processes data
- Protects itself from the risks of a data breach
General guidelines for trustees
- The only people able to access data covered by this policy should be those who need to communicate with trustees, donors, sponsors and supporters
- Data should not be shared informally or outside of KINAMBA COMMUNITY PROJECT
- Trustees will undertake awareness training to help them understand their responsibilities when handling personal data
- Trustees should keep all data secure, by taking sensible precautions and following the guidelines below
- Strong passwords must be used and they should never be shared
- Personal data should not be shared outside of KINAMBA COMMUNITY PROJECT unless with prior consent and/or for specific and agreed reasons
- Sponsor and donor information should be reviewed and consent refreshed periodically via the regular newsletter or when the policy is changed
Data protection principles
The General Data Protection Regulation identifies 8 data protection principles.
- Principle 1 – Personal data shall be processed lawfully, fairly and in a transparent manner
- Principle 2 – Personal data can only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Principle 3 – The collection of personal data must be adequate, relevant and limited to what is necessary compared to the purpose(s) data is collected for
- Principle 4 – Personal data held should be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay
- Principle 5 – Personal data which is kept in a form which permits identification of individuals shall not be kept for longer than is necessary
- Principle 6 – Personal data must be processed in accordance with the individuals’ rights
- Principle 7 – Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Lawful, fair and transparent data processing
KINAMBA COMMUNITY PROJECT requests personal information from potential donors and sponsors for the purpose of sending communications about their involvement with KINAMBA COMMUNITY PROJECT. Donors and sponsors will be advised as to why the information is being requested and what the information will be used for. Donors and sponsors will be asked to provide consent for their data to be held and a record of this consent along with personal contact information will be securely held. Registered donors and sponsors will be informed that they can, at any time, remove their consent and will be informed as to who to contact should they wish to do so. Once a donor/sponsor requests not to receive certain communications this will be acted upon promptly and the member will be informed as to when the action has been taken.
Processed for Specified, Explicit and Legitimate Purposes
Donors/Sponsors will be informed as to how their information will be used and the Trustees of Kinamba Community Project will seek to ensure that personal contact information is not used inappropriately. Appropriate use of information provided by members will include:
- Communicating with donors, sponsors and helpers about KINAMBA COMMUNITY PROJECT events and activities
- Communicating with sponsors to provide details of their sponsee's progress
- Communicating with regular donors/sponsors about specific issues relating to regular donations made to KINAMBA COMMUNITY PROJECT
KINAMBA COMMUNITY PROJECT Trustees are made aware of what would be considered appropriate and inappropriate communication. Inappropriate communication would include sending donors/sponsors/helpers marketing and/or promotional materials from external service providers.
KINAMBA COMMUNITY PROJECT will ensure that donor/sponsor/supporter information is managed in such a way as to not infringe an individual’s rights, which include:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
Adequate, Relevant and Limited Data Processing
Donors, sponsors and supporters of KINAMBA COMMUNITY PROJECT will only be asked to provide information that is relevant for membership purposes. This will include:
- Name
- Postal address
- Email address
- Telephone number
- Gift Aid eligibility
There may be occasional instances where an individual’s data needs to be shared with a third party due to an accident, or an incident involving statutory authorities. Where it is in the best interest of the individual, in these instances where there is a substantiated concern, consent does not have to be sought from that individual.
Accuracy of Data and Keeping Data up to Date
KINAMBA COMMUNITY PROJECT has a responsibility to ensure information is kept up to date. Sponsors will be informed to let the Trustees know if any of their personal information changes.
Accountability and Governance
The Trustees of KINAMBA COMMUNITY PROJECT are responsible for ensuring that KINAMBA COMMUNITY PROJECT remains compliant with data protection requirements and can evidence that it has. For this purpose, those from whom data is required will be asked to provide consent. The evidence of this consent will then be securely held as evidence of compliance. The Trustees shall ensure that any new Trustees of KINAMBA COMMUNITY PROJECT receive an induction into how data protection is managed within the charity and the reasons for this. The Trustees will review data protection and who has access to information on a regular basis, as well as reviewing what data is held.
Secure Processing
The Trustees of KINAMBA COMMUNITY PROJECT have a responsibility to ensure that data is both securely held and processed. This will include:
- Trustees using strong passwords
- Trustees not sharing passwords
- Restricting access to, and sharing of, supporter personal contact information to only those Trustees who need to communicate with supporters on a regular basis
- Using password protection on laptops and PCs that contain or access personal information
- Ensuring Trustees install adequate security programs to protect individual laptops and storage devices, such as Norton or similar acceptable products
Subject Access Request
KINAMBA COMMUNITY PROJECT donors, sponsors and supporters are entitled to request access to the information that is held by KINAMBA COMMUNITY PROJECT. The request needs to be received in the form of a written request to any of the authorised Trustees of KINAMBA COMMUNITY PROJECT. On receipt, the request will be formally acknowledged and dealt with within 14 days unless there are exceptional circumstances as to why the request cannot be granted. A nominated Trustee of KINAMBA COMMUNITY PROJECT will provide a written response detailing all information held on the individual. A record shall be kept of the date of the request and the date of the response.
Data Breach Notification
Were a data breach to occur, action shall be taken to minimise the harm by ensuring all Trustees are aware that a breach had taken place and how the breach had occurred. The Trustees shall then seek to rectify the cause of the breach as soon as possible to prevent any further breaches. All Trustees shall be notified of the breach within 24 hours of it occurring. A discussion would take place between the Trustees as to the seriousness of the breach and the action to be taken and, where necessary, the Information Commissioner’s Office would be notified. The Trustees shall also contact the relevant donor/sponsor/supporters to inform them of the data breach and the actions taken to resolve the breach.
If a KINAMBA COMMUNITY PROJECT donor/sponsor/supporter contacts KINAMBA COMMUNITY PROJECT to say that they feel that there has been a breach, a Trustee will ask the supporter to provide an outline of their concerns. If the initial contact is by telephone, the receiving Trustee will ask the supporter to follow this up with an email or a letter detailing their concern. The concern will then be investigated by all of the Trustees who are not in any way implicated in the breach. Where the Trustees need support, or if the breach is serious, they should seek assistance from the Data Protection Commissioner’s office and/or the Charity Commission. The supporter should also be informed that they can report their concerns to the Charity Commission or the Data Protection Commissioner’s office if they don’t feel satisfied with the response from KINAMBA COMMUNITY PROJECT. Breach matters will be subject to a full investigation, records will be kept and all those involved notified of the outcome.
May 2018