Data Protection Policy and Procedures
Purpose
1.1 Kettering Refugee Assistance (the organisation) is exempt from the requirement to register with the Information Commissioner’s Office (ICO) under the General Data Protection Regulation (GDPR), as it is a not for profit organisation that
processes data for the purposes of establishing or maintaining membership or support for the organisation not established or conducted for profit, or providing or administering activities for individuals who are members of the organisation or have regular contact with it, and
only holds information about individuals whose data is needed to be processed for this exempt purpose, and
the personal data it processes is restricted to personal information that is necessary for this exempt purpose.
The organisation will respond within 21 days to a written request to provide the information that would have been included in the public register if the organisation had registered.
The organisation will comply with the GDPR and the eight data protection principles of good practice. In summary, the eight data protection principles require that data shall:
be processed fairly and lawfully.
be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
be accurate and, where necessary, kept up to date.
not be kept for longer than is necessary for that purpose or those purposes.
be processed in accordance with the rights of data subjects.
be protected against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
not be transferred to a country or territory outside the European Economic Area.
The Information Held by the Organisation
Membership Register: This is a computer database that lists the names of the members, those applying to join and those requesting to be kept informed about the organisation together with the contact details they have supplied (one or more of email address, home address and telephone numbers) and any offices or other particular roles they undertake within the organisation.
The Register is held by the Treasurer on one PC with back-up copies on an external HDD.
Application Forms: A scan is taken of each application form submitted by those wishing to join the organisation. This scanned copy is held on a PC by the Treasurer.
Personal Details of Beneficiaries: The organisation may be provided with special category data on beneficiaries by the Government or other statutory or voluntary bodies with which it engages to support beneficiaries, in addition to data they themselves provide.
Sharing Information Within the Organisation
Personal information is shared within the organisation only for purposes included in the criteria for which it is exempt from registration with the ICO. The organisation follows the principles at 1.3 above in sharing information. In sharing special category data consideration will be given to the following questions: Does the information need to be given, does all the information need to be given, and does the information need to be given now?
Sharing Information Outside the Organisation
None of the personal information held is ever shared with third parties, except for information on beneficiaries that may be shared, with their consent, with other statutory and third sector service providing organisations to their benefit.
Lawful Basis
The lawful basis for the collection and processing of general personal information by the organisation is legitimate interests. This means that the personal information is processed in ways that would be reasonably expected by the individual and with minimal privacy impact.
Some of the information that is collected is special category data that relates to the health and personal circumstances of individual beneficiaries. The lawful basis for the collection and processing of this information is consent.
Data Retention
Personal information is held only while an individual remains on the Membership Register or as a beneficiary. The individual’s information is deleted at their request, on their resignation, or on their moving away from the area. General personal data is retained where a request is made to be informed of future events.
Privacy Notice
The organisation’s privacy notice is appended to this document. It will be published on the organisation’s website and sent to individuals on becoming a member.
Individuals’ Rights
8.1 The GDPR provides the following rights for individuals:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling.
8.2 The rights listed at points 1 – 7 in paragraph 8.1 above are included in the privacy notice. Requests made in the exercise of these rights by an individual will be complied with without charge as soon as possible, and always no later than 21 days following their receipt.
8.3 The organisation does not undertake automated decision making or profiling.
Data Breaches
Most of the information held by the organisation is unlikely to result in a risk to the rights and freedoms of individuals, for example, discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. The ICO will be notified if a data breach should occur in the special category data and the individual(s) affected will be notified as soon as practicable.
Responsibilities
All trustees of the organisation are responsible for data protection and ensuring that the organisation’s policies and procedures are adequate. The Treasurer has day-to-day responsibility for compliance with the GDPR, this policy and procedure and any other statutory provisions.
Privacy Notice
How we use the information that you give us
We keep your contact information on a database maintained by our Treasurer who is responsible for keeping your information safe. We use your contact details only to keep you informed about our activities.
We do not share the information you give us with anyone outside the charity, unless you ask us to or if you tell us that you are happy for us to do this.
We keep your contact information only for as long as you want us to. We delete the information on request or when you move away from the area or if the reason you gave us the information no longer applies.
You can also ask the Treasurer to
send you a copy of any information that he has about you
correct any information about you that is wrong
put using your contact details on hold until you tell him that you would like to receive information again
and he will do what you ask as soon as he can and without charge.
Complaints
Andy will want to put things right as soon as he can if you have a complaint about how we have handled your personal information. You can also complain to the Information Commissioner’s Office on 0303 123 1113 if you think we haven’t looked after your personal information properly.
This privacy notice is part of our Data Protection Policies and Procedures. You can get the full document from our website.
Contact
The Treasurer can be contacted at krakettering@gmail.com