Monday 9th April 2018.
Created with reference to the Data Protection and Information Commissioners guidance-www.ico.gov.uk
Chemogiftbags respects the private lives of individuals and recognises the importance of safeguarding personal privacy. Chemogiftbags appreciates the responsibility of storing personal information and considers the protection of personal data to always be a priority and consideration throughout Chemogiftbags services.
This policy provides guidance for all Chemogiftbags trustees and volunteers.
The guidance outlines the consideration and management of personal data.
Specific instructions for each block of information are detailed on the Data Control Sheets and attached as appendices.
Data control sheets exist for the following areas. They are
not part of the policy as they will be amended by the data controller as required. The current versions are attached for information.
A1 Volunteer Administration
A2 For providing Chemogiftbags to service users.
A3 Fundraising and donor management.
2.Information Commissioners Data Protection Register.
Chemogiftbags is not required to register with the Information Commissioner Data Protection Register but recognises the following purposes for holding personal data.
Purpose description – Appointments or removals, management and other personal matters in relation to volunteers of the charity.
Data subjects volunteers, including trustees.
Purpose description — Fundraising in support of the objectives of the Data Controller.
Data subjects- donors and lenders.
3. Realising the objectives of a charitable organisation.
Purpose description- The provision of goods and services in order to realise the objectives of Chemogiftbags.
Data subjects- volunteers, agents, customers and clients. Suppliers members or supporters, complaints, correspondence and enquirers, advisers consultants and other professional experts.
3.Managing the protection of personnel data
Any volunteer or trustee considering the new store of data, reviewing the storage of existing data or using existing data in a new way will consider the following questions.
The responsible manager will complete a data protection control sheet and understand its contents.
1.Is the information personal data?
If the information is personal data is it going to be processed by a computer or as part of a filing system and it relates to an individual who can be identified then this is personal data and covered by this policy and the data protection legislation.
If there is any doubt treat the information as personal
2. What are the risks?
This is the key question. It is vital that all possible risks are identified and the level of risk should dictate how the data is obtained and managed.
It is important to know that compliance with the processing requirements is not of itself enough.
The paramount consideration must be given to the consequences of the processing of the interests of the end user.
The risks will vary; for example there may be a small risk of an individual being subject to direct marketing or a risk that an individuals faith, ethnicity or sexual orientations revealed by association and their home addresses identified bye extremists.
3.How can we process the personal data lawfully?
To fulfil its legal requirements Chemogiftbags is required to be “fair” to the person. To be “fair: to that person he/she must have been given his consent to the processing.
Before asking an individual to give consent Chemogiftbags must ensure they have informed the person of,
* The identity of Chemogiftbags
* The intended purpose of the data.
* any other circumstances or possible outcomes.
Chemogiftbags will ensure that the individual is able to understand the information provided and realises any possible consequences.
If the personal data is SENSATIVE then the consent must be absolutely explicit which means informed consent from the Data Subject.
SENSITIVE data reveals the individuals;
racial or ethnic origin
trade union membership
physical/mental health or condition
4.The storing and managing of personal data.
*The data shall be obtained for specific purposes and will not be used for any other purpose.
*CGB will only use personal data for the purposes it individual consented to.
* CGB will only request data that is relevant, not excessive and adequate for its purpose. Data will not be stored on the basis that it may be useful 1 day.
*CGB will make a reasonable effort to ensure the data obtained is accurate and will provide a method or regular
review, in the Data Control Sheet, to keep it up to date if necessary. A review period will be specified in the Data Control Sheet and any data held after that is no longer necessary will be deleted.
*CGB will rectify, delta or cease to hold data within a reasonable time of a request by the individual.
*CGB will take all measures to prevent unauthorised or unlawful processing of personnel data and accidental loss or damage. The measure will be specified in the Data Control Sheet.
5.Management of the Data Control Sheet.
* CGB will produce a Data Control Sheet for each category of data held.
* The DCS will not form part of this policy as the Responsible Manager may need to alter the instructions as circumstances change or produce addition sheets should the storage of additional data be required.
Details/address could be revealed to an inappropriate person.
How to eliminate or minimise the risks-
Store data in a locked filing cabinet. Delete information once it is no longer needed. Also delete the original email or online Facebook communication once printed and locked away.
Information to be given prior to consent- That the information will be held for the reasons stated.
*How will the information be given- Volunteer agreement and verbally.
*How will consent be obtained?– By signing the volunteer agreement.
* How will a person request the removal of their personal data?- by written request to Lynne Shipton, including email and online.
*What actions will be taken to ensure the security off
the data? The information will be stored in a locked filing cabinet and destroyed once it is no longer needed.
*For how long will the data be stored?
Unsucessful applicants- all data should be destroyed as soon a possible and certainly within 6 months. Unless permission is requested and given for the details and not just in case. For the duration of their volunteering and to be destroyed within 6months of leaving volunteering.
*For providing CGB’s to service users, recipients.
Responsible Manager Lynne Shipton.
The Data Subjects- individuals who have been referred to our services from Health professionals, social care services, and assistants, families or friends who have contacted us.
The information held– Name, home address, telephone number, email address, whether they have breast cancer and receiving chemotherapy.
The purpose of the information.-to enable us to provide support by way of Chemogiftbags and information and sign posting toothed relevant services and products.
Are these purposes registered with the commissioner and under which heading? No this is not required but we do understand that this will come under the heading realising the objectives of a charitable organisation.
How to eliminate or minimise those risks- A general need to respect the privacy of the data subject and not to hold unnecessary data or hold any data beyond the period required for the use it was given. To make sure all hard copy information is accessed via password.
Information to be given prior to consent.
how the data will be stored, what the date will be used for, including passing information to the Ambassadors to deliver the CGB’s an d possible consequences of providing sensitive data.
How will the information be given-? Via email or online
messenger, known as CGB, Facebook-private message.
How will consent be obtained? Via the communication above and by signing the disclaimer.
How long will the data be stored? For 6mths from the end of providing a CGB.
How will an individual correct or the request this removal of personal data. of email, letter, or Facebook messenger iron the CGB page.
A3 Fundraising and Donor Management.
Responsible manager LS.
Data Subjects- Donors.
Information Held –
Name , address, amount of donation and gift aid declaration where appropriate.
Purposes of the Information- To fairly process and manage donations and to send Thank You card if requested by the donor. We do not ask for repeat donations or contact donors in this way.
Are these purposes registered with the Commissioner?
No, this is not required but we recognise that it would fall under fundraising.
Potential risks for holding data subject?
Financial information could be passed to inappropriate persons.
How to minimise or eliminate these risks.
Copy of the cheque and amount if relevant, name and other personal details will be recorded and securely filed in. Paper file and locked in a filing cabinet.
Information same as above.
How given, in person, email, or online
How will consent be given
How long stored?- For 1 yr for the purpose of preparing the annual accounts.