1. Introduction

The General Data Protection Regulations (‘GDPR’) forms part of the data protection regime in the UK, together with the Data Protection Act 2018 (‘DPA 2018’). The Kids Network (‘TKN’) (‘we’) (‘us’) is fully committed to complying with the requirements of the DPA 2018 and the GDPR.

We are required to maintain certain personal data about individuals for the purposes of satisfying our operational and legal obligations. We recognise the importance of correct and lawful treatment of personal data as it helps to maintain confidence in our charity.

1. Who this policy is for

This policy should be read, in conjunction with our Privacy Policy, and complied with by all TKN stakeholders, especially those who have access to personal and/or sensitive information.

2. Objectives

The purpose of this policy is to set out TKN’s commitment and procedures for protecting personal data. TKN regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal with.

TKN is committed to processing data in accordance with its responsibilities under the GDPR. Article 5 of the GDPR requires that personal data shall be:

1. processed lawfully, fairly and in a transparent manner in relation to individuals;

1. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

1. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

1. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

1. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
2. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

1. Procedure

• Applying the DPA and GDPR within TKN

Personal data means data which relates to a living individual who can be identified:

• from the data; or

• from data and other information which we are in the possession of, or are likely to come into the possession of; and

• includes any expression of opinion about the individual and any indication of our intentions or any other person in respect of the individual.

Personal data can be held on a computer or in a manual file, and includes, but is not limited to, emails, minutes of meetings, and photographs. All TKN stakeholders may be held personally responsible for processing and using personal information in accordance with the DPA.   

TKN will ensure that a designated Data Controller is appointed and that all those who manage and handle personal information understand that they are contractually responsible for following good data protection practice. The Data Controller is the person that decides why and how personal data is processed. They control the data but don’t necessarily store or process it, although they are responsible for how it’s used, stored and deleted.

• Individuals access requests

Any person who wishes to exercise the right to access their information should make a request in writing to the Data Controller. If personal details are inaccurate, they will be amended upon request. If by providing this information we would have to disclose information relating to or identifying a third party, we will only do so provided the third party gives consent, otherwise we may edit the data to remove the identity of the third party.

Unless we are under a legal obligation to release data, or the individual has given us permission, personal information will only be released to the individual to whom it relates. The disclosure of such information to anyone else without their consent may be a criminal offence. Any staff member who is in doubt regarding a data access request should check with a member of the Board of the Data Controller.

We aim to comply with requests for access to personal information as quickly as possible, but will ensure that this is provided within 14 days of receipt of a written request unless there is good reason for delay. In such cases, the reason for the delay will be explained in writing to the individual making the request.

All data processed by TKN shall be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests, as stipulated by law. Where consent is relied upon as a lawful basis for processing data, we shall ensure that evidence of opt-in consent is kept with the personal data.

Where communications are sent to individuals based on their consent, we shall ensure that the option for the individual to revoke their consent is clearly available and systems should be in place to ensure such revocation is reflected accurately in TKN’s systems. 

• Data security

The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted.

Information stored electronically and hard copies shall have appropriate levels of authorisation which prevent unauthorised access. TKN shall ensure that all data is appropriately backed-up and disaster recovery solutions are put in place.

Data retained on personal/and or TKN laptops, smartphones and any other electronic equipment which contains sensitive information in relation to the charity and affiliated personnel should be password protected.

Third party processors will be required to provide sufficient guarantees for their data security measures and compliance with them. Checks will be made to ensure that secure data disposal facilities are in place and regular monitoring will take place.

Any stakeholder who discovers personal or sensitive data in an inappropriate place should speak to a member of the Board or the Data Controller, whilst ensuring that its contents are not revealed to anyone else.

• Data collection

TKN will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, or by completing a form.

When collecting data, TKN will ensure that the individual regarding whom data is being collected:

• clearly understands why the information is needed;
• understands what it will be used for and what the consequences are should the individual decide not to give consent to processing;
• as far as reasonably possible, grants explicit consent, either written or verbal for data to be processed;
• is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress; and
• has received sufficient information on why their data is needed and how it will be used.

• Disclosure

TKN may need to share data with other agencies such as the local authority, funding bodies and other voluntary agencies. Information that is already in the public domain is exempt from the DPA.

The individual regarding whom the data is held will be made aware in most circumstances how and with whom their information will be shared. There are circumstances where the law allows TKN to disclose data (including sensitive data) without the relevant individual’s consent. TKN shall only disclose data in the circumstances defined in the GDPR and DPA and shall ensure that these instances are documented.

Members of the public may also request certain information from the Local Authority under the Freedom of Information Act 2000. The Act does not apply to TKN. However, if at any time we undertake the delivery of services under contracts with the Local Authority we may be required to assist them to meet the Freedom of Information Act request where we hold information on their behalf.

• Destroying personal data

Information will be kept in line with our internal document retention guidelines. TKN are responsible for ensuring that information is not kept for longer than necessary.

Documents containing any personal information will be disposed of securely, and paper copies will be shredded (not disposed of directly into a normal bin or recycling bin). Information stored on obsolete electronic equipment (desktops, laptops and other devices) will be erased prior to the equipment being sold, disposed of or reallocated to other staff.

• Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, TKN shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO.

4. Your rights under DPA

Under the DPA 2018, you have the right to find out what information the government and other organisations store about you. These include the right to:

• be informed about how your data is being used;
• access personal data;
• have incorrect data updated;
• have data erased;
• stop or restrict the processing of your data;
• data portability (allowing you to get and reuse your data for different services); and
• object to how your data is processed in certain circumstances.

You also have rights when an organisation is using your personal data for:

• automated decision-making processes (without human involvement); and/or
• profiling, for example to predict your behaviour or interests.

If members of the public/or stakeholders have specific questions about information security and data protection in relation to TKN or any complaints, please contact the Data Protection Officer on s.woodcock@thekidsnetwork.org.uk or visit https://ico.org.uk/ for details on the DPA and GDPR.