Data Protection Policy
1. AIMS OF POLICY
Peterborough Council for Voluntary Service (PCVS) is registered with the Information Commissioner’s Office (ICO) as a data controller and has a legal duty under the EU General Data Protection Regulation (GDPR) to protect the personal information that it collects and processes.
At PCVS, we collect, retain and process personal data about our employees, volunteers, clients, suppliers and other individuals for a variety of business purposes. This policy protects the personal data of our data subjects, which include our members, supporters, employees, volunteers and the people that we help.
The purpose of this policy is to inform the general public, PCVS employees and volunteers about the personal information that PCVS collects and uses, how this data may be used, and the procedures that PCVS has implemented to comply with the Act and protect people’s personal information, and to ensure that staff and volunteers understand the rules governing their use of personal data to which they have access in the course of their work.
In particular, this policy requires staff and volunteers to ensure that the Data Protection Officer (DPO) be consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are addressed.
PCVS employees, volunteers and trustees are all required to adhere to this policy.
2. POLICY STATEMENT
PCVS intends to fully comply with all requirements of the GDPR in so far as it affects the organisation’s activities.
PCVS has implemented processes and procedures to ensure that we comply with the GDPR. All employees and volunteers are responsible for following this policy and the agreed processes and procedures.
The eight principles of the GDPR require that:
- Personal data shall be processed fairly and lawfully
- Personal data shall only be processed for the purposes for which it was obtained
- Personal data shall be adequate, relevant, and not excessive in relation to its purpose
- Personal data shall be accurate and kept up to date
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
This policy supplements our other policies relating to internet and email use. We may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff before being adopted.
The Data Protection Officer (DPO) – currently the CEO – has overall responsibility for the day-to-day implementation of this policy.
3. DEFINITIONS
Business purposes: The purposes for which personal data may be used by us: personnel, administrative, financial, regulatory, payroll and business development purposes. Business purposes include the following:
- Compliance with our legal, regulatory and corporate governance obligations and good practice
- Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
- Ensuring business policies are adhered to (such as policies covering email and internet use)
- Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking
- Investigating complaints
- Checking references, ensuring safe working practices, monitoring and managing staff and volunteers’ access to systems and facilities and staff absences, administration and assessments
- Monitoring staff and volunteers’ conduct, disciplinary matters
- Marketing our business
- Improving services
Personal data: Information relating to identifiable individuals, such as job applicants, current and former employees, agency, contract and other staff, volunteers, clients, suppliers and marketing contacts.
Personal data we gather may include: individuals’ contact details, educational background, financial and pay details, details of certificates and diplomas, education and skills, nationality, job title, and CV.
Sensitive personal data: Personal data about an individual’s marital status, racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings. Any use of sensitive personal data should be strictly controlled in accordance with this policy.
4. OUR PROCEDURES
4.1 Fair and lawful processing
We must process personal data fairly and lawfully in accordance with individuals’ rights. This generally means that we should not process personal data unless the individual whose details we are processing has consented to this happening.
The rights of individuals are:
- a right of access to a copy of the information comprised in their personal data;
- a right to object to processing that is likely to cause or is causing damage or distress;
- a right to prevent processing for direct marketing;
- a right to object to decisions being taken by automated means;
- a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
- a right to claim compensation for damages caused by a breach of the Act.
4.2 The Data Protection Officer’s (DPO) responsibilities
- Keeping the Trustee Board updated about data protection responsibilities, risks and issues
- Reviewing all data protection procedures and policies on a regular basis
- Arranging data protection training and advice for all staff members and those included in this policy
- Answering questions on data protection from staff, volunteers and trustees
- Responding to individuals such as clients and employees who wish to know which data is being held on them by PCVS
- Checking and approving any contracts or agreements regarding data processing with third parties that handle the company’s data
4.3 Responsibilities of the IT Manager (currently the DPO)
- Ensuring all systems, services, software and equipment meet acceptable security standards
- Checking and scanning security hardware and software regularly to ensure it is functioning properly
4.4 Responsibilities of managers who carry out marketing activities within their departments
- Obtaining the necessary consent from individuals for marketing in compliance with the GDPR and PECR (Privacy and Electronic Communications Regulations).
- Ensuring the initial and ongoing permission of recipients in compliance with PECR.
- Only sending marketing mail to named individuals who have given consent to receive mailings in compliance with the GDPR
- Approving data protection statements attached to emails and other marketing copy
- Addressing data protection queries from clients, target audiences or media outlets
- Coordinating with the DPO to ensure all marketing initiatives adhere to data protection laws and the company’s Data Protection Policy
4.5 The processing of all data must be:
- necessary to deliver our services
- in our legitimate interests and not unduly prejudice the individual’s privacy
In most cases this provision will apply to routine business data processing activities.
4.6 Privacy notice
PCVS has a Privacy Notice on data protection, available to all clients on our website at www.pcvs.co.uk. The notice:
- sets out the purposes for which we hold personal data on customers and employees
- highlights that our work may require us to give information to third parties such as expert witnesses and other professional advisers
- provides that customers have a right of access to the personal data that we hold about them
4.7 Sensitive personal data
In most cases where we process sensitive personal data we will require the data subject’s explicit consent to do this unless exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.
4.8 Accuracy and relevance
We will ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.
Individuals may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform the DPO.
4.9 Individual’s personal data
Individuals, including employees and volunteers, must take reasonable steps to ensure that personal data we hold about them is accurate and updated as required. For example, if an individual’s circumstances change, they should inform relevant personnel at PCVS so that we can update their records.
4.10 Data security
- Employees and volunteers must keep personal data secure against loss or misuse in the course of their work. Where other organisations process personal data as a service on our behalf, the DPO will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations.
- Only authorised people can see personal information. This includes all employees and any volunteer who may be working with you. They must gain authorisation from a manager if they need to see this information. Staff members must ensure that any volunteer working with them has a clear understanding of the GDPR and how it applies to them.
- We operate a clear desk policy. This means that no personal information must be left on your desk when you are not there. This includes short breaks.
- Computer screens must be sited to ensure that unauthorised people cannot see the information, where at all possible.
- All personal data must be kept in locked cabinets. If taking personal information out of the office, place it in a sealed envelope and log what has been removed from the building.
- In cases when data is stored on printed paper, it must be kept in a secure place where unauthorised personnel cannot access it.
- Printed data must be shredded when it is no longer needed.
- Personal data stored on a computer must be protected by strong passwords that are changed regularly. Passwords must not be written down such that others can access and use them, and we encourage all staff and volunteers to use a secure password manager to create and store their passwords.
- Data stored on CDs or memory sticks must be locked away securely when not being used. Use encrypted memory sticks where necessary.
- Only cloud storage authorised by the DPO may be used to store data.
- PCVS will maintain secure data servers containing personal data in a secure location, away from general office space.
- PCVS will regularly back up its servers and data in line with the company’s backup procedures. All staff and volunteers will adhere to these procedures.
- Data saved directly to personal mobile devices such as laptops, tablets or smartphones for work purposes must be removed after you have finished using the data.
- All servers containing sensitive data will be approved and protected by security software and a strong firewall.
4.11 Data retention
We will retain personal data for no longer than is necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with our data retention guidelines.
4.12 Transferring data internationally
There are restrictions on international transfers of personal data. Personal data must not be transferred anywhere outside the EEA without first consulting the DPO.
4.13 Processing data in accordance with the individual’s rights
You should abide by any request from an individual not to use their personal data for direct marketing purposes and notify the relevant data controllers about any such request.
Do not send direct marketing material to someone electronically (e.g. via email) unless we hold explicit consent with them in relation to receiving marketing communications.
Please contact the DPO for guidance on direct marketing before starting any new direct marketing activity.
4.14 Training
All staff, trustees and volunteers will receive training on data protection and the GDPR as part of induction and ongoing training. Further training will be provided whenever there is a substantial change in the law or our policy and procedure.
Training is provided through an in-house seminar.
It will cover:
- The law relating to data protection
- Our data protection and related policies and procedures.
Completion of training is compulsory. The DPO should keep a register of who has been trained, training dates and renewal training prompts. Staff training needs and levels of understanding are regularly assessed during line management supervisions and appraisals.
5. GDPR PROVISIONS
Where not specified previously in this policy, the following provisions will be in effect on or before 25 May 2018.
5.1 Privacy Notice – transparency of data protection
Being transparent and providing accessible information to individuals about how we will use their personal data is important for our organisation. The following are details on how we collect data and what we will do with it:
When completing any form that requests personal data you must ensure the individual understands what information is being collected and for what purpose. Ask the person to sign the declaration on the form.
If information is being passed on you must ensure that we have permission to do so from the individual. No information must be passed on without this consent. Consent is deemed to have been obtained, unless exemptions apply, when passing information within PCVS where the information is not sensitive, e.g. passing on a name and address to a colleague in the course of their work.
For example, the Privacy Notice should include the following:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- Identity and contact details of any data controllers
- Details of transfers to third countries and safeguards, if applicable
- Retention period
Further information on exemptions: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/exemptions/
5.2 Conditions for processing
We will ensure any use of personal data is justified using at least one of the conditions for processing and this will be specifically documented. All staff who are responsible for processing personal data must be aware of the conditions for processing. The conditions for processing will be available to data subjects in the form of a Privacy Notice.
5.3 Justification for personal data
We will process personal data in compliance with all data protection principles.
We will document the additional justification for the processing of sensitive data, and will ensure any biometric and genetic data is considered sensitive.
5.4 Consent
The data that we collect is subject to active consent by the data subject. This consent can be revoked at any time.
5.5 DBS Checks
Any criminal record checks (Disclosure and Barring Service (DBS) checks) are justified by law. Criminal record checks cannot be undertaken based solely on the consent of the subject.
5.6 Subject access requests
Under the Act, individuals are entitled, subject to certain exceptions, to request access to information held about them.
If you receive a subject access request, you should refer that request immediately to the data controller of your department. The DPO can provide guidance and support where it is needed.
Please contact the relevant data controller if you would like to correct or request information that we hold about you. There are also restrictions on the information to which you are entitled under applicable law. Upon request, a data subject should have the right to receive a copy of their data in a structured format.
These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. A data subject may also request that their data is transferred directly to another system. This must be done for free.
5.7 Right to be forgotten
A data subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.
5.8 Privacy by design and default
Privacy by design is an approach to projects that promote privacy and data protection compliance from the start. The DPO will be responsible for conducting Privacy Impact Assessments and ensuring that all IT projects commence with a privacy plan.
When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.
5.9 International data transfers
No data may be transferred outside of the EEA without first discussing it with the data protection officer. Specific consent from the data subject must be obtained prior to transferring their data outside the EEA.
5.10 Data audit and register
Managers are responsible for carrying out regular data audits to manage and mitigate risks, and for informing the DPO. The resulting register contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.
5.11 Reporting breaches
Reporting data breaches allows us to:
- Investigate the failure and take remedial steps if necessary
- Maintain a register of compliance failures
- Notify the Information Commissioner’s Office (ICO) of any compliance failures that are material either in their own right or as part of a pattern of failures
For any data breach or any concerns of a data breach, please notify the DPO. The DPO will assess the risks and determine, based on the risk level, whether the incident needs to be reported to the ICO within 72 hours. Where there is a high risk of harm to employees, they will also need to be notified ‘without undue delay’.
5.12 Monitoring
Everyone must observe this policy. The DPO has overall responsibility for this policy. They will monitor it regularly to make sure it is being adhered to.
6. CONSEQUENCES OF FAILING TO COMPLY
This policy is not part of the formal contract of employment, but it is a condition of all employment contracts that employees will follow the rules and policies created by PCVS.
We take compliance with this policy very seriously. Failure to comply puts both you and the organisation at risk.
The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our procedures which may result in dismissal.
If you have any questions or concerns about anything in this policy, contact the DPO via the details shown below.
DPO: Kirsteen McVeigh – CEO
Email: [email protected]
Policy Reviewed and Approved: October 2024