WAVES needs to gather and use certain information about individuals.
These can include clients, volunteers, supporters, management team and Trustee/Directors and other people that WAVES has a relationship with or may need to contact.
This policy describes how this personal data is collected, handled and stored to meet WAVES’ data protection standards and to comply with GDPR 2018.
Why this policy exists
This policy ensures that WAVES:
GDPR – Data protection law
GDPR describes how organisations, including WAVES Seaford Ltd, must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or in any other form.
To comply with the law, personal information must be collected fairly, lawfully, accurately and with integrity, for a clear and transparent purpose.
Under GDPR, personal data must:
This policy applies to:-
It applies to all data that is held by WAVES Seaford Ltd relating to identifiable individuals. This can include:-
Data protection risks
This policy helps to protect WAVES Seaford Ltd from data security risks, including:
Everyone who is engaged in the work of WAVES has some responsibility for ensuring that the data is collected, stored and handled appropriately.
All staff and volunteers are issued with a copy of this policy and will be asked to give their consent to WAVES Seaford Ltd. holding their personal data. This will be included in the application form for each post. This data will be held for ten years after the volunteer or member of staff has ceased to be engaged with the work of WAVES. This data is held so that individuals can be contacted in connection with the working or volunteering that they are engaged in.
All clients are asked to sign a client agreement form, which will indicate their acceptance of their personal data being held by WAVES Seaford Ltd. for a period of ten years after the case has been closed and WAVES ceases to be involved. This data is held to enable WAVES to apply for grants in support of the work. No individual data is used in this context but accumulative data is used to support the need for the intervention work that WAVES is engaged in. If there is any indication of possible safeguarding or child protection issues this data will be held for 99 years.
Individuals who support WAVES Seaford Ltd. and in respect of whom WAVES claims Gift Aid are requested to indicate their consent for WAVES to hold their data for the purpose of making claims for the repayment of tax on their donations and the circulation of regular information, updates, invitations to events and newsletters.
Individuals who support WAVES Seaford Ltd. are requested to indicate their consent to be contacted by WAVES for the purpose of regular information, updates, invitations to events and newsletters.
All WAVES Seaford Ltd. employees and volunteers are restricted by law from discussing any information they have access to concerning WAVES’ clients with any person(s) not within the WAVES team. Discussion of client information within the WAVES team is restricted to a ‘need to know’ basis.
Employees should keep all data secure, by taking sensible precautions.
Strong passwords must be used and never shared.
Personal data should not be disclosed to unauthorised people.
Data should be reviewed regularly and updated if it is found to be out of date.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
Printouts of any data should either be shredded when no longer needed or kept locked in a filing cabinet.
Printouts should not be left where unauthorised people can see them.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts.
Data should be backed up frequently. Backups should be tested regularly.
Data should not be saved directly to mobile devices like tablets or personal smartphones.
A data cleanse exercise will be carried out every year.
All incorrect data will be deleted.
Data subjects will be given the opportunity to ‘opt out’. If a data subject wishes to ‘opt out’, unless there is a possible safeguarding or child protection issue, all data will be deleted and a record kept indicating the date that the data subject requested their data to be deleted.