CARING FOR LIFE
DATA PROTECTION POLICY
The work of Caring For Life is built on relationships – with colleagues, beneficiaries, supporters, customers and others. While it is these relationships which make Caring For Life so special, the need to safeguard and protect the information we obtain from the people we work with, along with the need to have a clear approach to ensure that we comply with our legal obligations, must be at the heart of all we do. This policy sets out how we will address those needs.
In this policy:
Data breach means anything which compromises the security, confidentiality, integrity or availability of personal data. Examples of data breaches are:
(i) where someone accesses our computer system without authorisation;
(ii) where someone sends an email containing personal data to the wrong recipient; and
(iii) where a laptop or USB stick containing personal data is lost or stolen.
Data subject means a living, identified or identifiable person about whom we hold personal data.
Promotions means communications which we send directly to our customers and supporters to advertise or promote our goods and services, to promote or issue invitations to our fundraising and other events, to ask for donations and other support, to promote or raise awareness of Caring For Life’s beliefs, aims, ideals, work and ministry, to promote or raise awareness of the Christian faith more generally, or to call for or request prayer in relation to specific issues.
Personal data means any information identifying or relating to a data subject or information relating to a data subject. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour.
Processing means any activity that involves the use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
UK GDPR means the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) as defined in the Data Protection Act 2018.
This policy relates to all personal data which we handle, both digitally and on paper. It covers personal data which relates to our beneficiaries, staff, volunteers, trustees, supporters, social enterprise customers and website users.
4.1. All teams, departments and individual employees are responsible for ensuring compliance with this policy.
4.2. Our Data Protection Officer (DPO) is principally responsible for developing and overseeing this policy and monitoring its effectiveness. His details are:
Name: Tim Parkinson
Phone: 0113 2303600
4.3. It is very important that you comply with this policy and with the rules and procedures mentioned in it. If you do not, we may take disciplinary action against you. A serious breach might result in your dismissal or in personal criminal liability.
4.4. You should contact the DPO immediately if you need any clarification or explanation of any part of this policy, if you are not sure what to do, or if you are worried that a part of the policy is not being or has not been followed.
5. Data protection principles
5.1. We comply with the data processing principles set out in the UK GDPR. These say that personal data must:
5.1.1. be processed lawfully, fairly and in a transparent way;
5.1.2. be collected only for specified, explicit and legitimate purposes;
5.1.3. be adequate, relevant and limited to what is necessary;
5.1.4. be accurate and up to date;
5.1.5. not be kept in a form which permits identification of individuals for longer than necessary;
5.1.6. be handled securely, using appropriate technical and organisational measures to protect against unauthorised or unlawful handling and against accidental loss, destruction or damage;
5.1.7. not be transferred outside the UK unless appropriate safeguards are in place;
5.1.8. be made available to the people who own it if they ask to see it.
5.2. We will also:
5.2.1. be open and transparent with our beneficiaries and those who lawfully act on their behalf in relation to their care and treatment;
5.2.2. establish and maintain policies for the controlled and appropriate sharing of personal data with other agencies;
5.2.3. comply with our common law duty of confidentiality; and
5.2.4. never sell or transfer personal data for any commercial or marketing purposes whatsoever.
5.3. You must support us in this approach and must comply with the rules and procedures we introduce to ensure that the data protection principles are complied with.
6. General data handling rules
6.1. You may collect and handle personal data only for specified, authorised, work-related purposes which you have explained to the data subject.
6.2. You must ensure that an appropriate privacy notice is given to every data subject whose personal data you collect. You may sometimes need to explain the contents and meaning of the Privacy Notice. It may be appropriate to direct the recipient to the appropriate section of the Caring For Life website instead of providing a paper copy.
6.3. You may not collect or handle personal data for any reason which is unrelated to your job duties.
6.4. You may not collect personal data that you do not need.
6.5. You must ensure that when personal data is no longer needed for the purpose for which it was collected, it is deleted or anonymised in accordance with our retention guidelines.
6.6. You must take all reasonable steps to ensure that personal data remains accurate and up to date and to destroy or amend any personal data which is inaccurate or which becomes out-of-date.
7. Sharing personal data
7.1. Generally, we will not share personal data with third parties unless certain safeguards and contractual arrangements have been put in place.
7.2. You may share the personal data we hold with another employee of Caring For Life if the recipient has a job-related need to know the information.
7.3. You may share the personal data we hold with third parties if:
7.3.1. the third party has a need to know the information for the purposes of providing services to Caring For Life;
7.3.2. the sharing complies with the Privacy Notice provided to the data subject and, if required, the data subject has completed and signed an appropriate consent form; and
7.3.3. the third party has agreed to comply with our data security standards, policies and procedures and to put adequate security measures in place.
8.1. We are subject to additional rules when sending promotions to our supporters and customers.
8.2. For example, we may not send a promotion by email or text message unless we first have the recipient’s consent. There is a limited “soft opt-in” exception which allows us to send promotions electronically if we have obtained contact details in the course of a sale to that person, if the promotion relates to similar products or services, and if we give the recipient an opportunity to opt out of promotions when first collecting the details and in every subsequent promotion we send.
8.3. You must not send any promotion to any person unless we have their existing consent, or unless the soft opt-in exception applies.
9. Automated decision-making
We do not carry out any automated profiling or decision-making at Caring For Life.
10. Data subjects’ rights
10.1. We uphold the following personal data rights outlined in the UK GDPR:
10.1.1. the right to be informed;
10.1.2. the right of access;
10.1.3. the right to rectification;
10.1.4. the right to erasure;
10.1.5. the right to restrict processing;
10.1.6. the right to data portability;
10.1.7. the right to object; and
10.1.8. rights in relation to automated decision making and profiling.
10.2. You must support us in upholding these rights and must comply with the processes and procedures we put in place for the benefit of data subjects.
10.3. If you receive a subject access request or other request which relates to data protection rights, you should inform and take advice from the DPO immediately.
11.1. Where consent is required for the processing of personal data, we will ensure that informed and explicit consent will be obtained and documented in clear, accessible language and in an appropriate format. We will ensure that it is as easy to withdraw as it is to give consent.
11.2. If you need to obtain consent from a data subject, you must use Caring For Life’s standard data protection consent form. You must retain copies of all consent forms.
11.3. If someone tells you that they withdraw consent, you should inform and take advice from the DPO immediately.
12. Data security
12.1. We have implemented various technical measures to ensure that the personal data we handle is kept secure. You must use the technology we have provided and you must comply with our rules and policies in this regard.
12.2. Specifically, you must use only the following systems for the purposes stated:
12.2.1. ThankQ – for storing supporter and donation information
12.2.2. aCloud Financials – for storing financial information, including donations
12.2.3. Filemaker (Hero) – for storing beneficiary activity and purchase orders
12.2.4. Office 365 – for administrative support and storage of files associated with care, administration and activity
12.2.5. Mailchimp – for storage of email addresses used for bulk emails
12.2.6. Outlook – for storage of individual email addresses used for correspondence that is not bulk
12.2.7. KCPos – for storage of loyalty customer information
12.2.8. Mobile telephones, tablets and computers – for holding contacts, emails and other communication methods such as social media, for use in contacting beneficiaries
13. Data breaches
13.1. We are required by law to notify certain data breaches to the Information Commissioner’s Office and, in certain instances, to the data subjects who are affected. We have the necessary procedures in place to do so.
13.2. If you know or suspect that a data breach has taken place, you must immediately contact the DPO. You will be required to complete a data breach form which the DPO will give you.
14.1. We will provide you with adequate training to enable you to comply with data protection laws.
14.2. You must undergo all such training to the best of your ability.
This policy has been approved by the undersigned and will be reviewed at least annually.
Name - Tim Parkinson
Position - Executive Director
Approval Date - 25/10/2022
Review Date - 01/06/2023