Data Protection Policy
The Data Protection Act 1998 describes how organisations must collect, handle and store personal information. ACTS is committed to fulfilling these requirements.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act is underpinned by eight important principles. These say that personal data must:
- Be processed fairly and lawfully
- Be obtained only for specific, lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for any longer than necessary
- Processed in accordance with the rights of data subjects
- Be protected in appropriate ways
- Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection
This policy applies to all the trustees and volunteers of the charity. It applies to all data that the charity holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This can include information such as names, postal addresses, email addresses, telephone numbers.
This policy helps to protect the charity against data security risks such as:
- Breaches of confidentiality. This includes information being given out inappropriately.
- Failing to offer choice. This includes ensuring that all individuals should be free to choose how the charity uses data relating to them.
- Reputational damage. For example, the charity could suffer if hackers successfully gain access to sensitive data.
- The only people who are able to access data covered by this policy must be those who need it for their work.
- Data should not be shared informally. Any volunteer should not have access to data covered by this policy normally, and will only be given access by requesting information from a trustee.
- For all charity uses, strong passwords must be used.
- Personal data must not be disclosed to unauthorised people, either within the charity or externally.
- Data will be regularly reviewed and updated if it is found to be out of date. If no longer needed, it should be deleted and / or disposed of.
- When data is stored on paper, it must be kept in a secure place where unauthorised people cannot see it.
- When data that is usually stored electronically is printed out:
- When not required, the paper or files should be kept in a locked drawer or filing cabinet.
- Care must be taken to ensure that paper and printouts are not left where unauthorised people could see them (like on a desk or printer).
- Data printouts must be shredded and disposed of securely when no longer required.
- If data is stored on removable media (for example, CD or DVD), these must be stored locked away securely when not being used. Data stored on USB drives must be secured with a strong password and never left in public places.
- Those with access to personal information (for example, via the charity’s website) must make sure that the screens of any devices are always locked when left unattended. Also, they should not make copies of personal data and should only ever access the central copy of the data.
- Personal data should never be sent via email.
- Personal data must never be given to anyone outside of the charity without the express permission of the data subject. In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances, the charity will disclose requested data. However, the trustees will ensure the request is legitimate and will seek legal advice where necessary.
- Personal data should never be transferred outside of the European Economic Area.
- Data should be updated as soon as possible when inaccuracies are discovered.
Subject Access Requests
All individuals who are the subject of personal data held by the charity are entitled to:
- Ask what information the company holds about them and why
- Ask how to gain access to it
- Be informed how to keep it up to date
- Be informed about how the charity is meeting its data protection obligations
If an individual contacts the company requesting this information, this is called a subject access request. Subject access requests from individuals should be made either by email (to email@example.com) or by filling in the form on the website (which will send the request to the same email address) or in writing.
Individuals will be charged £5 per subject access request. We will aim to provide the relevant data within 14 days.
The trustee who processes the request will always verify the identity of anyone making a subject access request before handing over any information.