Data Protection Policy
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect it will replace the Data Protection Directive (officially Directive 95/46/EC) from 1995. The regulation was adopted on 27 April 2016 and applies from 25 May 2018 after a two-year transition period.
The Data Protection Act 1998, which came into force on 1 March 2000, will continue to apply until the General Data Protection Regulation comes into force in May 2018.
The following guidance is not a definitive statement on the Regulations, but seeks to interpret relevant points where they affect Onion Collective CIC.
The Regulations cover both written and computerised information and the individual’s right to see such records.
It is important to note that the Regulations also cover records relating to staff and volunteers.
Onion Collective CIC staff are required to follow this Data Protection Policy at all times.
The Directors have overall responsibility for data protection within Onion Collective CIC but each individual processing data is acting on the controller’s behalf and therefore has a legal obligation to adhere to the Regulations.
Processing of information – how information is held and managed.
Information Commissioner – formerly known as the Data Protection Commissioner.
Notification – formerly known as Registration.
Data Subject – used to denote an individual about whom data is held.
Data Controller – used to denote the entity with overall responsibility for data collection and management. Onion Collective CIC is the Data Controller for the purposes of the Act.
Data Processor – an individual handling or processing data
Personal data – any information which enables a person to be identified
Special categories of personal data – information which the Regulations treat as particularly sensitive and which requires the individual’s explicit consent for it to be held by Onion Collective CIC.
Data Protection Principles
As data controller, Onion Collective CIC is required to comply with the principles of good information handling.
These principles require the Data Controller to:
- Process personal data fairly, lawfully and in a transparent manner.
- Obtain personal data only for one or more specified and lawful purposes and to ensure that such data is not processed in a manner that is incompatible with the purpose or purposes for which it was obtained.
- Ensure that personal data is adequate, relevant and not excessive for the purpose or purposes for which it is held.
- Ensure that personal data is accurate and, where necessary, kept up-to-date.
- Ensure that personal data is not kept for any longer than is necessary for the purpose for which it was obtained.
- Ensure that personal data is kept secure.
- Ensure that personal data is not transferred to a country outside the European Economic Area unless the country to which it is sent ensures an adequate level of protection for the rights (in relation to the information) of the individuals to whom the personal data relates, or other appropriate safeguards recognised by the Regulations are in place.
Onion Collective CIC must obtain our service users’, customers’, clients’, staff’s, volunteers’ and community members’ explicit consent when storing certain information (known as ‘personal data’ or ‘special categories of personal data’) on file.
For the purposes of the Regulations, the special categories of personal data cover information relating to:
- The racial or ethnic origin of the Data Subject.
- His/her political opinions.
- His/her religious beliefs or other beliefs of a similar nature.
- Whether he/she is a member of a trade union.
- His/her medical conditions.
- His/her sexual life.
- Genetic and/or biometric data which can be used to identify an individual.
Information about the commission or alleged commission of any offence by the Data Subject is subject to similar restrictions under the Regulations. The following are personal data rather than special categories, but Onion Collective CIC handles them with the same care:
- Online identifiers such as an IP address.
- Staff bank account details and National Insurance numbers.
Special categories of personal information collected by Onion Collective CIC will, in the main, relate to the medical conditions of our staff and volunteers.
Consent is not required to store information that is not classed as special category of personal data (eg name, address, telephone) as long as only accurate data that is necessary for a service to be provided is recorded.
As a general rule Onion Collective CIC will always seek consent where personal or special categories of personal information are to be held.
If special categories of personal data need to be recorded for the purpose of Health and Safety and the volunteer refuses consent, the case should be referred to Sally Lowndes, Director, for advice.
Consent may be obtained in a number of ways depending on the circumstances, and consent must be recorded and stored in the filing cabinets:
- A volunteer’s form should be used.
- Verbal consent should be sought and noted.
- The initial response should seek consent.
Consent obtained for one purpose cannot automatically be applied to all uses e.g. where consent has been obtained from a volunteer in relation to information regarding their health, separate consent would be required if, for example, we needed to store information regarding a criminal record.
Preliminary verbal consent should be sought at point of initial contact as special categories of personal data will need to be recorded in the event of an emergency. The verbal consent is to be recorded in the appropriate fields on the volunteer form record or stated in an email for future reference. Although written consent is the optimum, verbal consent is the minimum requirement.
Specific consent for use of any photographs and/or videos taken should be obtained in writing. Such media could be used for, but not limited to, publicity material, press releases, social media, and website. Consent should also indicate whether agreement has been given to their name being published in any associated publicity. If the subject is less than 18 years of age then parental/guardian consent should be sought.
Individuals have a right to withdraw consent at any time.
Ensuring the Security of Personal Information
Unlawful disclosure of personal information
- It is an offence to disclose personal information ‘knowingly or recklessly’ to third parties.
- It is a condition of receiving a service that all service users, customers, clients, staff, volunteers and community members for whom we hold personal details sign a consent form allowing us to hold such information.
- Service users, clients, staff, volunteers and community members may also consent for us to share personal or special categories of personal information with other people on a need to know basis.
- Service users’, clients’, staff’s, volunteers’ and community members’ individual consent to share information should always be checked before disclosing personal information.
- Personal information should only be communicated within the Onion Collective CIC staff and volunteer team on a strict need to know basis. Care should be taken that conversations containing personal or special categories of personal information are not overheard by people who should not have access to such information.
Use of Files, Books and Paper Records
In order to prevent unauthorised access or accidental loss or damage to personal information, it is important that care is taken to protect personal data. Paper records will be kept in locked cabinets overnight and care will be taken that personal and special categories of personal information are not left unattended and in clear view during the working day.
Disposal of Scrap Paper, Printing or Photocopying Overruns
Names/addresses/phone numbers and other information written on scrap paper are also considered to be confidential. Any scrap paper that contains personal information will be shredded.
Paper that is held away from the office and needs shredding will be brought to the office for shredding as soon as possible. When documents are transported they will be kept out of sight.
All laptops and phones that have access to personal data, eg G-Drive, Bitrix and Xero, must have a password to gain entry. These devices must also automatically lock themselves after 5 minutes if they have not been used.
Laptops and phones in public areas should be positioned in such a way so that passers-by cannot see what is being displayed. If working in a public area, eg reception, you should lock your laptop or phone when leaving it unattended.
Documents should only be stored on the server or cloud-based systems and not on individual devices.
Cloud Systems and Third-Party Providers
When commissioning cloud-based systems and third-party providers, Onion Collective CIC will satisfy itself as to the providers’ compliance with the data protection principles and the robustness of their systems.
Our G-Drive is where the bulk of our work is stored. Only certain people have access to everything; others are given permission to use only the folders they need, which restricts their access to personal data.
Bitrix24 is the system that holds all of our CRM data in one safe place. It is also used to send our newsletters and bulk emails, which keep people informed about the work we are doing and when our public consultations are. You will only receive this information if you have subscribed; if not, your details will only be used to contact you regarding work we are doing on your behalf.
Xero is where anything to do with our internal finances is done; it will only store information on staff. Only the finance team have access to it.
It is important to us to find out the public’s opinion on various things that we are doing, so Onion Collective CIC uses Survey Monkey. Although Onion Collective does not upload any of our own data to it, we do ask respondents for personal data so that we can follow up on any queries they have raised. These surveys will stay on Survey Monkey until we are completely sure we will no longer need any of the results.
Dropbox is where we store some of the pictures from various projects and events that we have worked on.
What to Do If There Is a Breach
If you discover, or suspect, a data protection breach you should report it to the Senior Management Team, who will review our systems to prevent a recurrence. All Directors will be informed of the breach, the action taken and the outcomes, to determine whether it needs to be reported to the Information Commissioner. There is a time limit for reporting breaches to the ICO (under the GDPR, without undue delay and, where feasible, within 72 hours of becoming aware of the breach), so the QA & Systems Manager must be informed without delay.
Any deliberate or reckless breach of this Data Protection Policy by an employee or volunteer may result in disciplinary action which may result in dismissal.
Onion Collective CIC holds information on our service users, customers, members, clients and the community and other supporters, to whom we will from time to time send copies of our newsletters and details of other activities that may be of interest to them. Specific consent to contact will be sought from our staff, clients and other supporters before making any communications.
We recognise that those service users, customers, members, clients, the community and supporters for whom we hold records have the right to unsubscribe from our mailing lists. This wish will be recorded on their records and they will be excluded from future contacts.
The following statement is to be included on any forms used to obtain personal data:
We promise never to share or sell your information to other organisations or businesses and you can opt out of our communications at any time by telephoning 01984 633496, writing to Onion Collective CIC, Harbour Studios, Harbour Road, Watchet, Somerset, TA23 0AQ or by sending an email to email@example.com
Any documentation which gathers personal and/or special categories of personal data should contain the following Privacy Statement information:
- Explain who we are
- What we will do with their data
- Who we will share it with
- Consent for marketing notice
- How long we will keep it for
- That their data will be treated securely
- How to opt out
- Where they can find a copy of the full notice
A fuller Privacy Statement will also be published on our website.
The Regulations apply equally to volunteer and staff records. Onion Collective CIC may at times record special categories of personal data with the volunteer’s consent or as part of a staff member’s contract of employment.
For staff and volunteers who are regularly involved with vulnerable people, it will be necessary for Onion Collective CIC to apply to the Disclosure & Barring Service to request a disclosure of spent and unspent convictions, as well as cautions, reprimands and final warnings held on the police national computer. Any information obtained will be dealt with under the strict terms of the DBS Code. Access to the disclosure reports is limited to the Senior Management Team. If there is a positive disclosure the Directors will discuss this, anonymously, with our insurers to assess the risk of appointment. Other staff, volunteers and insurers should not see the report itself.
Further guidance regarding confidentiality issues can be found in our Confidentiality Policy.
When working from home, or from some other off-site location, all data protection and confidentiality principles still apply. Computer data, e.g. documents and programs related to work for Onion Collective CIC, should not be stored on any external USB drive unless the drive is password protected.
Workstations in areas accessible to the public, e.g. reception or trading office, should operate a clear desk practice so that any paperwork, including paper diaries, containing personal and/or special categories of personal data is not left out on the desk where passers-by could see it.
Any paperwork kept away from the office (eg clients’ contact details kept at home by a worker) should be treated as confidential and kept as securely as if it were held in the office. Documents should not be kept in open view (eg on a desktop) but in a file in a drawer or filing cabinet; a locked cabinet is the optimum, and safely out of sight is the minimum requirement.
Retention of Records
Paper records should be retained for the following periods at the end of which they should be shredded:
- Client records – 3 years after ceasing to be a client.
- Prospect client records – 3 years from initial meeting.
- Staff records – 3 years after ceasing to be a member of staff.
- Unsuccessful staff application forms – 2 months after vacancy closing date.
- Volunteer records – 1 year after ceasing to be a volunteer.
- Timesheets and other financial documents – 7 years.
- Employer’s liability insurance – 40 years.
Archived records should clearly display the destruction date.
Computerised records e.g. Charitylog, to be anonymised 6 years after ceasing to have any services from us. (Anonymising will remove the personal and special categories of personal data but will not remove the statistical data.)
The Rights of an Individual
Under the Regulations an individual has the following rights with regard to those who are processing his/her data:
- Personal and special categories of personal data cannot be held without the individual’s consent (however, the consequences of not holding it can be explained and a service withheld).
- Data cannot be used for the purposes of direct marketing of any goods or services if the Data Subject has declined their consent to do so.
- Individuals have a right to have their data erased and to prevent processing in specific circumstances:
- Where data is no longer necessary in relation to the purpose for which it was originally collected
- When an individual withdraws consent
- When an individual objects to the processing and there is no overriding legitimate interest for continuing the processing
- Personal data was unlawfully processed
- An individual has a right to restrict processing – where processing is restricted, Onion Collective CIC is permitted to store the personal data but not further process it. Onion Collective CIC can retain just enough information about the individual to ensure that the restriction is respected in the future.
- An individual has a ‘right to be forgotten’.
- Onion Collective CIC will not undertake commercial telephone marketing activities under any circumstances.
Data Subjects can ask, in writing to the Directors, to see all personal data held on them, including e-mails and computer or paper files. Onion Collective CIC, as Data Controller, must comply with such requests within one month of receipt of the written request.
Powers of the Information Commissioner
The following are criminal offences, which could give rise to a fine:
- The unlawful obtaining of personal data.
- The unlawful selling of personal data.
- The unlawful disclosure of personal data to unauthorised persons.
Further information is available at www.informationcommissioner.gov.uk
Details of the Information Commissioner
The Information Commissioner’s office is at:
Cheshire SK9 5AF
Switchboard: 01625 545 700
Data Protection Help Line: 01625 545 745
Notification Line: 01625 545 740
At Onion Collective CIC, we’re committed to protecting and respecting your privacy.
This Policy explains why we collect personal information about people, how we use it, the conditions under which we may disclose it to others and how we keep it secure.
We may change this Policy from time to time so please check this page occasionally to ensure that you’re happy with any changes.
Any questions regarding this Policy and our privacy practices should be sent by email to firstname.lastname@example.org or by writing to Onion Collective CIC, Harbour Road, Harbour Studios, Watchet, Somerset, TA23 0AQ. Alternatively, you can telephone 01984 633496.
Who are Onion Collective CIC?
Onion Collective CIC are a small Community Interest Company based in West Somerset. We believe that every community has the power to build a strong and secure future for itself. Times have changed, and it is no longer possible to rely on local authorities to ensure community sustainability.
We help communities build a plan for their hometown and we help them to deliver it. That plan includes a process of asking what is needed, defining shared community priorities and then helping to ensure success whether it is a major capital build or revenue projects. This process has proven to be transformative.
Regeneration from the roots up enables communities to feel that they are instrumental in making where they live the place they want it to be. It nurtures pride, tackles loneliness, gives a sense of purpose and belief. We work with communities to help make them the best versions of themselves.
How do we collect information from you?
We obtain information about you in various ways, eg social media, consultations, surveys, customer/membership/volunteer forms, our website and emails.
What type of information is collected from you?
The personal information we collect will include your name, home address, email address, telephone number and if you are a volunteer for us any medical conditions you may have.
How is your information used?
We may use your information to:
- contact you regarding any work we may be contracted to do for you;
- reply to any queries you raised at public consultations relating to projects we may be doing;
- send you a newsletter, if you have subscribed;
- invite you to join in with projects or events in which you have previously expressed an interest;
- seek your views or comments on the services we provide;
- notify you of changes to our services;
- process a job application;
- pass any medical information to the relevant people in the event of an emergency.
We review our retention periods for personal information on a regular basis. We are legally required to hold some types of information to fulfil our statutory obligations. We will hold your personal information on our systems for as long as is necessary for the relevant activity, or as long as is set out in our GDPR policy which can be found on our website.
Who has access to your information?
We will not sell or rent your information to third parties.
We will not share your information with third parties for marketing purposes.
Third Party Service Providers working on our behalf: We may pass your information to our third party service providers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf. However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service. Please be reassured that we will not release your information to third parties beyond the Onion Collective CIC network for them to use for their own direct marketing purposes, unless you have requested us to do so, or we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime.
We will not contact you for marketing purposes by email, phone or text message unless you have given your prior consent. We will not contact you for marketing purposes by post if you have indicated that you do not wish to be contacted. You can change your marketing preferences at any time by contacting us by email: email@example.com or telephone on 01984 633496.
How you can access and update your information
The accuracy of your information is important. If you change email address, or any of the other information we hold is inaccurate or out of date, please email us at: firstname.lastname@example.org, or write to us at: Onion Collective CIC, Harbour Road, Harbour Studios, Watchet, Somerset, TA23 0AQ. Alternatively, you can telephone 01984 633496.
You have the right to ask for a copy of the information Onion Collective CIC hold about you.
Security precautions in place to protect the loss, misuse or alteration of your information
When you give us personal information, we take steps to ensure that it’s treated securely. Any sensitive information (such as medical information) is only shared with senior staff and locked away in a filing cabinet to which only senior staff have access.
Non-sensitive details (your email address etc.) that reach us in various ways (eg email, Facebook and consultations) will be stored on our central CRM and marketing system, Bitrix. This program is accessible through staff computers and phones, but all of these devices are locked with passwords. All consent, volunteer, application and membership forms will be stored in a locked filing cabinet.
Links to other websites
If you linked to our website from a third party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the policy of that third party site.
16 or Under
We are concerned to protect the privacy of children aged 16 or under. If you are aged 16 or under‚ please get your parent/guardian’s permission beforehand whenever you provide us with personal information.
Policy Statement on the disclosure of personal information relating to service users
Reasons for this Policy Statement
- To protect the interests of our service users, customers, members, clients and the community.
- To ensure all these parties have trust and confidence in the company.
- To protect the company, its directors, staff and volunteers.
- To comply with data protection law.
- Staff and volunteers receiving personal information about clients, customers or community members, should treat this information as confidential.
- Under no circumstances should staff and volunteers share personal information with their own partners, family or friends.
Onion Collective CIC will seek to ensure that:
- All personal information will be treated as confidential. Information will only be collected that is necessary and relevant to the work in hand. It will be stored securely, accessible only on a need to know basis to those members of staff and volunteers duly authorised. The retention periods for personal information are covered in the retention section of the Data Protection Policy, which should be read in conjunction with this policy.
- Where consent is not given for the company to record and store basic information about the service user it is unlikely that a service will be able to be provided.
- All information stored in the G-Drive and Bitrix 24 (our data storage and CRM/project management tools respectively) will be kept secure and treated as confidential.
- Paper records will be kept in a locked cabinet with restricted access.
- Any signed consent forms will be stored in the client’s paper records in a locked cabinet.
- All service users, clients, customers and community members, whose data we hold are made aware of their right of access to their records.
- Reasonable efforts will be made to ensure the physical environment in which face to face discussions and telephone conversations take place does not compromise confidentiality.
- Service users, clients, customers and community members will be made aware of their right to complain if they feel confidentiality has been breached.
- Breaches of confidentiality will be dealt with through the company’s staff and volunteer disciplinary procedures.
Personal Information: By personal information we mean:
- The data protection definition which is any information which enables a living person to be identified (eg name, address, phone number, email address, etc.)