Introduction
The Data Protection Act 1998 requires every Data Controller who is processing personal data to notify the Information Commissioner unless they are exempt. Failure to notify is a criminal offence.
Organisations and people about which we hold information are referred to in this policy as donors, trustees and volunteers. Julie Peet, the Chairperson, has been designated as the Data Protection Compliance Officer and the Data Controller for the organisation.
Information we hold
- Organisational Information – publicly available information about organisations and some confidential information.
- Personal Information – names, email addresses.
- Sensitive Personal Information – This kind of information is only held about volunteers. Any additional sensitive personal information held about individuals in connection with a fundraiser will only be held for the duration of that fundraiser and will be securely destroyed afterwards.
We will not hold information about individuals without their knowledge and consent. It is a legal requirement that people know what we are doing with their information and who it will be shared with.
We will only hold information for specific purposes. We will inform donors, trustees and volunteers what those purposes are. We will also inform them if those purposes change.
Donations
HIPS have chosen to use Wonderful Payments Limited (“Wonderful”) to take online donations on our behalf. If you would like to read Wonderful’s Terms and Conditions, they can be found at the following link:
HIPS do not hold any financial information about our donors and we will never request payment information from you.
Access to information
- We will seek to maintain accurate information by creating ways in which donors, trustees and volunteers can update the information held.
- Information about donors, trustees and volunteers will not be disclosed to other organisations or to individuals who are not members of our organisation, volunteers or trustees (except in circumstances where this is a legal requirement, where there is explicit or implied consent or where information is publicly available elsewhere.)
- Donors, trustees and volunteers will be entitled to access the information we hold about them, and to know the purpose for which it is held, within 40 days of submitting a request.
- Subject to any rules of the organisation awarding the funding, information will not be retained once it is no longer required for its stated purpose. We will not keep more information than a project requires, or surplus information ‘just in case’. We will establish retention periods and a process to delete personal information when it is no longer required.
- At the beginning of any new project or type of activity, the volunteer managing it will consult the Data Controller about any data protection implications.
- There may be situations where we work in partnership with other organisations on projects which require data sharing. We will clarify which organisation is to be the Data Controller and will ensure that the Data Controller deals correctly with any data which we have collected.
Data Security
- We have procedures for ensuring the security of all electronic personal data. Paper records containing confidential personnel data are disposed of in a secure way.
- All passwords should contain uppercase and lowercase letters, a number and ideally a symbol. This will help to keep our information secure from would-be thieves. There is no point protecting the personal information we hold with a password if that password is easy to guess.
Our Commitment
- We have a set of procedures covering all areas of our work which we follow to ensure that we achieve the aims set out above.
- We have established a business continuity/disaster recovery plan and we take regular back-ups of computer data files which are stored away from the office at a safe location.
- We will carry out regular reviews of our data protection policy and procedures.
Appendix
The Data Protection Principles defined by the Information Commissioner’s Office (ICO)
Whenever collecting information about people, we agree to apply the Eight Data Protection Principles:
- Personal data should be processed fairly and lawfully.
- Personal data should be obtained only for the purpose specified.
- Data should be adequate, relevant and not excessive for the purposes required.
- Data should be accurate and kept up-to-date.
- Data should not be kept for longer than is necessary for the purpose.
- Data should be processed in accordance with the rights of service users and volunteers under this Act.
- Security: appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred outside the EEA unless that country or territory ensures an adequate level of data protection.