The General Data Protection Regulation (‘GDPR’) forms part of the data protection regime in the UK, together with the Data Protection Act 2018 (‘DPA 2018’). The Kids Network (‘TKN’) (‘we’) (‘us’) is fully committed to complying with the requirements of the DPA 2018 and the GDPR.
We are required to maintain certain personal data about individuals for the purposes of satisfying our operational and legal obligations. We recognise the importance of correct and lawful treatment of personal data as it helps to maintain confidence in our charity.
The purpose of this policy is to set out TKN’s commitment and procedures for protecting personal data. TKN regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.
TKN is committed to processing data in accordance with its responsibilities under the GDPR. Article 5 of the GDPR requires that personal data shall be:
Personal data means data which relates to a living individual who can be identified:
Personal data can be held on a computer or in a manual file, and includes, but is not limited to, emails, minutes of meetings, and photographs. All TKN stakeholders may be held personally responsible for processing and using personal information in accordance with the DPA.
TKN will ensure that a designated Data Controller is appointed and that all those who manage and handle personal information understand that they are contractually responsible for following good data protection practice. The Data Controller is the person that decides why and how personal data is processed. They control the data but don’t necessarily store or process it, although they are responsible for how it’s used, stored and deleted.
Any person who wishes to exercise the right to access their information should make a request in writing to the Data Controller. If personal details are inaccurate, they will be amended upon request. If by providing this information we would have to disclose information relating to or identifying a third party, we will only do so provided the third party gives consent, otherwise we may edit the data to remove the identity of the third party.
Unless we are under a legal obligation to release data, or the individual has given us permission, personal information will only be released to the individual to whom it relates. The disclosure of such information to anyone else without their consent may be a criminal offence. Any staff member who is in doubt regarding a data access request should check with a member of the Board or the Data Controller.
We aim to comply with requests for access to personal information as quickly as possible, but will ensure that this is provided within 14 days of receipt of a written request unless there is good reason for delay. In such cases, the reason for the delay will be explained in writing to the individual making the request.
All data processed by TKN shall be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests, as stipulated by law. Where consent is relied upon as a lawful basis for processing data, we shall ensure that evidence of opt-in consent is kept with the personal data.
Where communications are sent to individuals based on their consent, we shall ensure that the option for the individual to revoke their consent is clearly available and systems should be in place to ensure such revocation is reflected accurately in TKN’s systems.
The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted.
Information stored electronically and hard copies shall have appropriate levels of authorisation which prevent unauthorised access. TKN shall ensure that all data is appropriately backed up and disaster recovery solutions are put in place.
Data retained on personal and/or TKN laptops, smartphones and any other electronic equipment which contains sensitive information in relation to the charity and affiliated personnel should be password protected.
Third party processors will be required to provide sufficient guarantees for their data security measures and compliance with them. Checks will be made to ensure that secure data disposal facilities are in place and regular monitoring will take place.
Any stakeholder who discovers personal or sensitive data in an inappropriate place should speak to a member of the Board or the Data Controller, whilst ensuring that its contents are not revealed to anyone else.
TKN will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, or by completing a form.
When collecting data, TKN will ensure that the individual regarding whom data is being collected:
TKN may need to share data with other agencies such as the local authority, funding bodies and other voluntary agencies. Information that is already in the public domain is exempt from the DPA.
The individual regarding whom the data is held will be made aware in most circumstances how and with whom their information will be shared. There are circumstances where the law allows TKN to disclose data (including sensitive data) without the relevant individual’s consent. TKN shall only disclose data in the circumstances defined in the GDPR and DPA and shall ensure that these instances are documented.
Members of the public may also request certain information from the Local Authority under the Freedom of Information Act 2000. The Act does not apply to TKN. However, if at any time we undertake the delivery of services under contracts with the Local Authority we may be required to assist them to meet the Freedom of Information Act request where we hold information on their behalf.
Information will be kept in line with our internal document retention guidelines. TKN are responsible for ensuring that information is not kept for longer than necessary.
Documents containing any personal information will be disposed of securely, and paper copies will be shredded (not disposed of directly into a normal bin or recycling bin). Information stored on obsolete electronic equipment (desktops, laptops and other devices) will be erased prior to the equipment being sold, disposed of or reallocated to other staff.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, TKN shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO.
Under the DPA 2018, you have the right to find out what information the government and other organisations store about you. These include the right to:
You also have rights when an organisation is using your personal data for:
If members of the public or stakeholders have specific questions about information security and data protection in relation to TKN or any complaints, please contact the Data Protection Officer on email@example.com or visit https://ico.org.uk/ for details on the DPA and GDPR.