CRRC Data Policy

Scope of Policy

This Policy covers all data relating to individuals with whom we have contact Subject Data held by CRRC either in paper or electronic format and the way it is handled.


This policy sets out in a clear and concise way to our members, supporter, beneficiaries and other contacts how we will handle data within our organisation.

We are committed to

  • Holding information in a safe and secure manner and only using the information for the purpose for which it was given.
  • Keeping data up to date and accurate.
  • Removing out of date data from our records and disposing of it securely.
  • Reviewing our policy on a regular basis to ensure that it still meets the needs of the organisation and its members.

Data Collection

Why we collect data

We collect information:

  • which we are required to report to funders under grant or Service Level Agreements.
  • on our members, supporters, beneficiaries and other contacts to help us run our organisation in the best possible way.

How we collect data

We collect information from:

  • Application Forms
  • Contacts we make at meetings, from emails, social media, sign-up forms, word of mouth

3.3 The Data Controller

The designated Data Controller (DC) will deal with the implementation of the agreed policy and day to day matters.

CRRC has a designated Data Controller (DC). In their absence, the Chair of the Management Committee (MC) may be consulted.

CRRC’s designated DC is a member of the MC.

Storing and Processing data

4.1 Our policy is to store all data in a secure manner and to dispose of data no longer required in a secure way. We will process data in a way which is consistent with the aims of our organisation and the purpose for which the data was given.

4.2 Data received in paper form will be handed to the DC for electronic storage and paper copies will be destroyed.

Electronic data will be password protected and stored on google drive (

5. Retention of data

5.1 CRRC will keep some forms of information longer than others. Data will be retained until required or until the MC decides to erase the data or until the organisation dissolves.

6. Processing sensitive information

6.1 Sometimes it is necessary to process sensitive personal information such as family details. This is done to ensure that CRRC can operate to the best of its abilities. CRRC will only use such information in the protection of the health and safety of the individual, but will need consent to process - for example, in the event of a medical emergency.

6.2 Because this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to affected individuals, they will be asked to give express consent for CRRC to do this

7. Disclosure

7.1 It is our policy not to disclose any information to third parties unless we have the subject’s permission to do so OR the information is being passed solely for the third party to undertake work on our behalf and for no other purpose OR the information is already in the public domain OR we are legally obliged to do so.

7.2 Sensitive Information will not normally be disclosed. Where information is being passed to a third party undertaking work on behalf of the organisation we will advise that the third party reviews the County’s safeguarding policy (

8. Rights of the individual to access information

8.1 Members, supporter, beneficiaries and other contacts of CRRC have the right to access any personal data that is being kept about them either on computer or in other types of files. Should any person wish to exercise this right they should contact the Data Controller.

8.2 In order to gain access, a request should be made in writing to the Data Controller.

8.3 CRRC aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 20 days.

9. Inaccurate Data

Where an individual advises that their data is inaccurate we will ensure the inaccuracy is corrected within 7 working days.

10 Complaints

Any complaints about the way we handle or use data need to be submitted in writing to the Secretary of the CRRC, and will be discussed by the MC at the subsequent meeting.

11. Compliance

11.1 Compliance with the Data Protection Act 1998 is the responsibility of all members, supporters, beneficiaries and other contacts of CRRC. Any deliberate breach of the Data Protection Policy may lead to disciplinary action being taken, or access to CRRC facilities being withdrawn, or even a report to the police.

12.2 Any questions or concerns about the interpretation or operation of this Policy should be taken up with the Data Controller.

Ratified by the MC on: 30.11.2016



To be reviewed on 29.11.2017 or as legislation changes