The Shropshire Children’s Scrapstore, Recycling and Resource Centre (Scrappies) needs to gather and use certain information about individuals. This includes members, day members, customers, workshop participants, suppliers, staff, volunteers and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet our data protection standards and to comply with the law.
This policy exists to comply with data protection law; to follow good practice; to protect the rights of staff, volunteers, members, workshop participants, customers and partners; to be open about how we store and process individuals’ data and to protect us from the risk of a data breach.
The GDPR describes how we must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully. It must also be accurate, kept up to date and not held any longer than necessary.
This policy applies to everyone employed by or volunteering for Scrappies and it applies to all data that we hold relating to identifiable individuals. These data include names, addresses (postal and electronic), phone numbers and any other information relating to individuals. It helps to protect us from some very real data security risks which include breaches of confidentiality, failure to offer choice and reputational damage.
Everyone who works for or with Scrappies has some responsibility for ensuring that data is collected, stored and handled appropriately. Each person who handles personal data must ensure that it is handled and processed in line with the policy and the principles of the GDPR. However, there are some who have key areas of responsibility:
The Board of Trustees of the charity is ultimately responsible for ensuring that we meet our legal obligations. The trustees are therefore taking the role of data controller.
Those people who collect, store and process personal data take the role of data processors. This role may be outsourced to another organisation (e.g. MailChimp for mailing lists) or may be taken on “in-house” (e.g. entering membership or listing volunteer information).
The IT manager is responsible for:
- Keeping the board updated about data protection responsibilities, risks and issues.
- Reviewing all data protection procedures and related policies, in line with an agreed schedule.
- Arranging data protection training and advice for the people covered by this policy.
- Handling data protection questions from volunteers and anyone else covered by this policy.
- Dealing with requests from individuals to see the data we hold about them.
- Checking (and approving?) any contracts or agreements with third parties that may handle our sensitive data.
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
- Performing regular checks and scans to ensure security hardware and software is functioning properly.
- Evaluating any third-party services the company is considering using to store or process data. For instance, cloud computing services
- Approving any data protection statements attached to communications such as emails and letters. Where necessary, working with other staff/volunteers to ensure marketing initiatives abide by data protection principles.
- Addressing any data protection queries from journalists or media outlets like newspapers
General Staff/Volunteer Guidelines
- The only people able to access data covered by this policy should be those who need it for their work.
- Data should not be shared informally. When access to confidential information is required, volunteers should request it from their manager.
- Scrappies will provide training, where needed, to all staff and volunteers to help them understand their responsibilities when handling data.
- Staff/volunteers should keep all data secure, by taking sensible precautions and following the guidelines below.
- In particular, strong passwords must be used, and they should never be shared.
- Personal data should not be disclosed to unauthorised people, either within the organisation or externally.
- Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
- Staff/volunteers should request help (from their manager or data protection officer) if they are unsure about any aspect of data protection.
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT manager or the data controller.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it. These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
- When not required, the paper or files should be kept in a locked drawer or filing cabinet
- Staff/volunteers should make sure paper and printouts are not left where unauthorised people could see them (e.g. on a desk or on a printer).
- Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- Data should be protected by strong passwords that are changed regularly and never shared.
- If data are stored on removable media (like a CD or DVD) these should be kept locked away securely when not being used.
- Data should only be stored on designated drives and servers and should only be uploaded to approved cloud computing services.
- Data should be backed up frequently. Those backups should be tested regularly.
- All servers and computers containing data should be protected by approved security software and a firewall.
Personal data is of no value to Scrappies unless we can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
- When working with personal data, staff/volunteers should ensure the screens of their computers are kept out of view.
- Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure. Make a habit of using “blind copy” when sending e-mails to a group of people.
The law requires that Scrappies take reasonable steps to ensure that data is kept accurate and up to date. It is the responsibility of all staff/volunteers who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data must be held in as few places as necessary. Staff/volunteers should not create any unnecessary additional data sets. Use centralised lists wherever possible to reduce redundancy.
- Staff/volunteers should take every opportunity to ensure data is updated. For instance, by confirming a member’s details when they call and particularly when they update their membership.
- Data should be updated as inaccuracies are discovered. For instance, if a member can no longer be reached on their stored telephone number, it should be removed from the database.
Disclosing data for other reasons
In certain circumstances, it may be necessary to disclose personal data to law enforcement agencies without the consent of the data subject. Under these circumstances we will disclose it, but the data controller must ensure that the request is legitimate.
Subject Access Requests
All individuals who are the subject of personal data held by Scrappies are entitled to:
- have control over who sees and uses their name, address, phone number, e-mail address and any other personal details, including photos, in digital or hand-written form;
- know what information we hold on them and how we are storing and using it;
- request to see this data (we must produce it, without charge, within one month);
- request correction or deletion of their data (these actions must be carried out within one month);
- request data in a common digital format so that it can be transferred to other organisations when requested.
Scrappies aims to ensure that individuals are aware that their data is being processed and that they understand:
- How the data is being used
- How to exercise their rights
To these ends, the organisation has a privacy statement, setting out how data relating to individuals is collected, stored, processed and used. This is available on request and can also be found here.