Data Protection Policy

Change history

Version numberDate of releasePolicy ownerAuthorised by
5.001/09/2023Naomi da Silva, Head of Business AssuranceBoard of Trustees

Policy statement

Central YMCA (‘the Charity’) fully understands its obligations to ensure that personal data is treated fairly, lawfully and correctly, and it is committed to achieving compliance with relevant Data Protection legislation.

The Charity needs to collect and process personal data about people, including staff and individuals with whom it deals with, to operate its daily business and for the organisation to operate effectively.

The Data Protection Act 2018 ('the Act') and the UK General Data Protection Regulation) ('UK GDPR'), as amended from time to time, sets out the rules about how personal data and sensitive personal data about living individuals must be processed.

Most businesses hold personal data on their customers, employees and partners. The explosion in the use of the Internet, electronic communication and computerisation of business data has led to an increase in the importance of privacy. Breaches of computerised data security have prompted the introduction of legislation on a national and European level. These include:

  • Human Rights Act 1998; 
  • Freedom of Information Act 2000; 
  • Privacy and Electronic Communications Regulations 2003; 
  • Regulation of Investigatory Powers Act 2000; 
  • Telecommunications (Lawful Business Practice) Interception of Communications Regulations 2000; 
  • The Act; 
  • Computer Misuse Act 1990; and 
  • UK GDPR. 

The purpose of UK GDPR is to protect the “rights and freedoms” of living individuals, and to ensure that personal data is processed fairly, lawfully and transparently.

The Charity aims to ensure that information held about employees, ex-employees, volunteers and service users is relevant and accurate; stored safely and available to individuals within reasonable timescales.

The Charity is committed to ensuring that staff are appropriately trained and supported to achieve compliance with the Data Protection Act and other relevant legislation. This is regarded by the Charity as vital in maintaining the confidence between Central YMCA and with those whose personal data they hold.

The Charity fully endorses and adheres to the Data Protection Principles listed below: 

  • personal data shall be processed fairly and lawfully; 
  • personal data shall be obtained only for specified and lawful purposes, and shall not be processed in any manner incompatible with those purposes; 
  • personal data shall be adequate, relevant and not excessive in relation to the purposes for which it is processed; 
  • personal data shall be accurate and, where necessary, kept up to date; 
  • personal data shall be kept for no longer than is necessary for the purposes for which it is processed; 
  • personal data shall be processed in accordance with the rights of Data Subjects in line with the UK GDPR;
  • personal data shall be subject to appropriate technical and organisational measures to protect against unauthorised or unlawful processing and accidental loss, destruction or damage;
  • personal data shall not be transferred to a country or territory outside the UK unless that country or territory ensures an adequate level of data protection or appropriate technical and organisational measures are put in place such as the EU Standard Contractual Clauses with the UK Addendum.

Trustees and the Executive Team are strongly committed to the rights of individuals (the ‘Data Subjects’) whose data they collect and process and will comply with laws related to personal data in line with the UK GDPR. These include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and sorted to meet the company’s data protection standards and to comply with the law.


This policy applies to all personal data and special category personal data collected and processed by the Charity in the conduct of its business, in electronic medium and within structured filing systems.

This policy applies to all Charity staff, whether permanent, temporary, contractors, consultants, Trustees and volunteers.

The Central Young Men's Christian Association (Central YMCA) is the Controller and is registered with the Information Commissioner's Office ('ICO') for collecting and using personal data for the following activities:

  • to provide services to our students, customers, and partners as well as administer membership records for the Charity; 
  • to enable us to provide a voluntary service for the benefit of the public;
  • to fundraise and promote the interests of the charity;
  • to manage our employees and volunteers. 

This Policy ensures that Central YMCA:

  • complies with data protection laws and follows good practice; 
  • protects the rights of staff, customers and partners;
  • is open about how it stores and processes individuals’ data; and
  • protects itself and data subjects from the risks of a data breach.


Board of Trustees
Overall responsibility for the policies and procedures that govern the work at Central YMCA.

Chief Executive
Overall responsibility for ensuring Central YMCA’s resources are used effectively and appropriately. 

Policy Owner and Senior Information Risk Owner (SIRO)
Responsible for understanding how the strategic business goals of the organisation may be impacted by any information risks, and for taking steps to mitigate them. The SIRO is accountable and responsible for information risk across the Charity. Responsible for ensuring guidelines are in place and that policies and procedures reflect our charitable ethos and commitment to equality and diversity.

Data Protection Officer (DPO)
Accountable to the SIRO and responsible for the management of personal data within Central YMCA and for ensuring that compliance with data protection legislation and good practice can be demonstrated. This accountability includes the development and implementation of the data protection policy and security and risk management to ensure compliance.

Policy Owner
Responsible for ensuring guidelines are in place and that policies and procedures reflect our charitable ethos and commitment to equality and diversity. 

All Line Managers
Responsible for ensuring all employees are aware of and follow this policy.

All Employees and Volunteers
To follow policies and procedures, promoting best practice throughout the organisation.

  • Everyone who works for or with Central YMCA has the responsibility for ensuring data is collected, stored and handled appropriately.
  • Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
  • All third parties who require access to personal data will be required to sign a confidentiality agreement before access is permitted. This agreement will ensure that the third party has the same legal obligations as the Charity. This will also include an agreement that the Charity can audit compliance with the agreement.
  • Any breach of the UK GDPR or this Policy, could also be considered as a breach of the disciplinary policy and could also be considered a criminal offence, potentially resulting in prosecution. 

Company Responsibilities

  • Central YMCA is both a Controller and Processor as defined under the UK GDPR.
  • Senior Management and all those in managerial or supervisory roles throughout the Charity are responsible for developing and encouraging good information handling practices within the organisation.
  • The Charity has appointed a suitably qualified and experienced DPO who is responsible for day to day compliance with this policy. The DPO is responsible for ensuring that Central YMCA complies with the UK GDPR in relation to all aspects of data processing. The DPO has direct responsibility for giving advice on policy and procedures, including any Data Subject Access Requests. The DPO is also the person to whom all staff should seek guidance regarding UK GDPR compliance.
  • It should be noted that compliance with UK GDPR requirements remains the responsibility of all staff who process or control personal data for Central YMCA. All members of staff employed by the Charity are also responsible for ensuring that any personal data that is about them that is supplied by them to the Charity is accurate and up-to-date.
  • The Charity is responsible for ensuring that staff have regular suitable training in order to undertake their data protection responsibilities. 



The objectives of this policy are to ensure that: 

  • Proper procedures are in place for the processing and management of personal data;
  • There is documentation within the organisation to provide knowledge about data protection compliance; 
  • All staff understand their responsibilities when processing personal data, and that methods of handling that information are clearly understood;
  • Individuals are assured that their personal data is processed in accordance with the data protection principles, that their data is secure and safe from unauthorised access, alteration, use or loss; 
  • Other organisations with whom the Charity needs to share or transfer data, meet compliance requirements; 
  • Prior to entering into a contract with a new supplier/third party service provider, who has access to personal data, a Vendor Risk Assessment is carried out, along with a Data Protection Impact Assessment, where needed.

1. Fair Collection and Processing

  • The specific conditions contained in the data protection legislation regarding the fair and transparent collection and use of personal data will be fully complied with.
  • Individuals will be made aware that their information has been collected, and the intended use of the data specified either on collection or at the earliest opportunity following collection.
  • Personal data will be collected and processed only to the extent that it is needed to fulfil business needs or legal requirements.
  • Personal data held will be kept up to date and accurate. 
    • Retention of personal data will be appraised, and risk assessed to determine and meet business needs and legal requirements, with the appropriate retention schedules and secure disposal of applied to that data.
    • Personal data will be processed in accordance with the rights of the individuals about whom the personal data are held.
    • Further guidelines around the storage and management of data can be found in Appendix F 

2. Security

  • Appropriate technical, organisational and administrative security measures to safeguard personal data will be in place.
  • Staff are required to report any actual, near miss, or suspected data breaches to the Head of Business Assurance and Data Protection Officer for investigation.  All reportable and non-reportable incidents will be logged on the Data Breach Register and lessons learnt during the investigation of breaches will be relayed to those processing information to enable necessary improvements to be made.
  • An Information Asset Register and Record of Processing Activities will be maintained identifying personal data held, where it is held, how it is processed and who has access to it.
  • Data Protection Awareness Training will be provided, as appropriate, to staff to keep them better informed of relevant legislation and guidance regarding the processing of personal data.
  • Both the UK GDPR and the Data Protection Act require that personal data is securely handled, therefore, it is considered an employment offence to save personal data on local drives or computer desktops without authorisation. Removal of confidential or personal data offsite is discouraged, however, under certain circumstances personal data may be downloaded onto local drives or computer desktops if authorisation from the Department Manager has been gained before doing so. Staff should make requests in writing stating why downloading or transportation of data is required, physical address of storage location, and identify any risks associated with transportation and offsite storage. The Department Manager should consult with the Charity’s DPO for guidance.
  • Further guidelines around data security can be found in Appendix F

3. Data Protection Impact Assessments

  • All teams will work with the Data Protection Officer to carry out Vendor Risk Assessments and Data Protection Impact Assessments on all new systems, applications, third party service providers intended for implementation/service delivery by the Charity, with the intent to determine and mitigate the risks and impacts to personal data of the individuals those systems are intended to hold.
  • Vendor Risk Assessments and Data Protection Impact Assessments may also need to be undertaken on legacy systems where these were not created at the point of implementation.


4. Data Sharing

  • Personal data will not be transferred outside the United Kingdom by the Charity, unless that country or territory can ensure a suitable level of protection for the rights and freedoms of the Data Subjects in relation to the processing of their personal data.
  • Personal data in any format will not be shared with a third-party organisation without a valid business reason, a signed Data Sharing Agreement in place, without the Data Subjects’ consent or a legal obligation the Charity is subject to.
  • Further guidelines regarding the transfer of data outside the UK can be found in Appendix E

5. Access, Data Subject Access Requests and other Data Subject Rights

Members of staff will have access to personal data only where it is required as part of their functional remit.

All individuals who are the subject of personal data held by the Charity are entitled to:

  • Ask what information the company holds about them and why; 
  • Ask how to gain access to it;
  • Be informed how to keep it up to date; and
  • Be informed how the company is meeting its data protection obligations. 

If an individual contacts the Charity requesting this information, this is called a Data Subject Access Request. Data Subject Access Requests from individuals could be made by any means or addressed to the Charity. Data Subject Access Requests must be responded to within 30 calendar days of receipt and are free of charge, unless there are excessive requests coming from a certain individual.

The Charity’s Privacy Notice will include a contact address for Data Subjects to use should they wish to submit a Data Subject Access Request, make a comment or complaint about how the Charity is processing their data, or about the Charity’s handling of their request for information.

The Charity’s Head of Business Assurance and Data Protection Officer must be informed of any Data Subject Access Requests and the Charity’s internal procedure for responding to such requests must be followed.

Data Subject Access Requests will be acknowledged to the Data Subject within three working days, with the final response and disclosure of information (subject to exemptions) being provided within 30 days from verification. In certain circumstances we may request an extension of two more months.

The Charity must always verify the identity of anyone making a Data Subject Access Request before handing over any information.

Information must be provided in a secure format and all responses must be logged and traceable.

In certain circumstances, the data protection legislation allows personal data to be disclosed to law enforcement agencies without the consent of the Data Subject. Only under such circumstances, will the Charity disclose requested data. However, the Data Protection Officer will ensure the request is legitimate, seeking assistance from the Charity’s legal advisers where necessary.

6. Data Breaches

  • A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
  • All employees must report a breach, or suspected data breach to their manager, the Head of Business Assurance and the Data Protection Officer immediately.
  • When a personal data breach has occurred, the Data Protection Officer will assess the likelihood and severity of the resulting risk to the rights and freedoms of Data Subjects. If it’s likely that there will be a risk, then the Charity must notify the Information Commissioner’s Office (ICO); if it’s unlikely then it is not necessary to report it, however such decisions must be justified and documented. A notifiable breach to the ICO must be made without undue delay, but not later than 72 hours after becoming aware of it. If it is deemed that the Data Subjects rights and freedoms are at high risk, they must also be notified of the breach.
  • Any data breaches must be recorded on the Charity’s Data Breach Register


7. Consent

  • The Charity understands ‘consent’ to mean that it has been explicitly and freely given, specific, informed and an unambiguous indication of the Data Subject’s wishes by which he or she by statement, or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The consent of the Data Subject can be withdrawn at any time.
  • In addition, the Charity understands that for ‘consent’ to be valid, the Data Subject must have been fully informed of the intended processing and has signified their agreement, while in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or based on misleading information will not be a valid basis for processing. There must be some active communication between the parties which demonstrate active consent. Consent cannot be inferred from non-response to a communication. For special category data, explicit written consent of Data Subjects must be obtained unless an alternative lawful basis for processing exists.
  • Consent to process personal and special category data is obtained routinely by the Charity using standard consent documents. This may be through a contract of employment, during induction or when service users sign up for newsletters etc. 
  • Where the Charity provides online services to children, parental, or custodial authorisation must be obtained in line with the ICO’s Children’s Code. This requirement applies to children under the age of 16.

8. Complaints

  • A Data Subject has the right to complain to the Charity at any time if they have concerns about how their information is used and should refer to the Charity’s Feedback and Complaints policy available on the website.
  • A Data Subject also has the option to complain directly to the Information Commissioners Office. Details of the options for lodging a complaint is provided within Privacy Notice available on the Charity’s website.

Appendix A: Data Controller Names for the Central YMCA Group 

Data Controller: The Central Young Men's Christian Association. Registration Number: Z670975X


112 Great Russell Street

Other Names:


Appendix B: Data Protection Definition and Terms

Information which is recorded in any format, whether stored electronically or in a structured paper-based filing system.

Personal Data 
Any information that identifies a living individual. This includes any expression of opinion about the individual and any Intentions towards the individual. 

Special Category Personal Data
Personal data relating to racial or ethnic origin, political opinion, religious beliefs, trade union membership, sexual life, physical or mental health, commission or alleged commission of any offence. 

Any activity where the data is used, such as obtaining, recording, storing, viewing, copying, accessing, disclosing, erasing, destroying. 

Data Subject 
An individual who is the personal data relates to. 

Data Controller 
The organisation that determines how the personal data will be used and the way it will be processed.

Data Processor 
An organisation that processes personal data on behalf of a Data Controller. 

Subject Access Request 
A request by a Data Subject, to the data controller, asking to see their personal data. 

Third Party 
This can either mean that the data is about someone else, or someone else is the source; i.e. any other person or organisation other than -the Data Subject;

  • the data controller; 
  • a data processor.

Appendix C: Conditions for Processing Personal Data 

The UK GDPR  requires personal data to be processed fairly and lawfully, and, not to be processed unless one of the conditions (below) is met.

At least one of the following conditions must be met for personal data to be considered fairly processed:

  • the individual has consented to the processing 
  • processing is necessary for the performance of a contract with the individual 
  • processing is required under a legal obligation (other than one imposed by the contract) 
  • processing is necessary to protect the vital interests of the individual 
  • processing is necessary to carry out public functions, e.g. administration of justice 
  • processing is necessary to pursue the legitimate interests of the data controller or third parties 

Appendix D: Rights under the Act 

There are eight rights under the Data Protection Bill: 

1. The right to be informed
The right to be informed covers some of the key transparency requirements of the UK GDPR. It is about providing individuals with clear and concise information about what we do with their personal data.. 

2. The right of Access
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why we are using their data, and check we are doing it lawfully. 

3. The right to rectification
Individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed – although this will depend on the purposes for the processing. This may involve providing a supplementary statement to the incomplete data.

4. The right to erasure
Individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. 

5. The right to restrict processing
An individual has the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data. 

6. The right to data portability
The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine-readable format. It also gives them the right to request that a controller transmits this data directly to another controller.

7. The right to object
Individuals have the right to object to the processing of their personal data. This effectively allows individuals to ask us to stop processing their personal data. The right to object only applies in certain circumstances. Whether it applies depends on our purposes for processing and our lawful basis for processing.

8. Rights in relation to automated decision making and profiling
Individuals who are Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Appendix E: Privacy Electronic Communication Regulations 2003 

  • The Privacy and Electronic Communications (EC Directive) Regulations 2003 ('PECR') are derived from European law. They implement European Directive 2002/58/EC, also known as 'the e-privacy Directive'.
  • PECR complements the general data protection regime and sets out more-specific privacy rights on electronic communications. It recognises that widespread public access to digital mobile networks and the internet opens up new possibilities for businesses and users, but also new risks to their privacy.
  • PECR have been amended seven times. The more recent changes were made in 2018, to ban cold-calling of claims management services and to introduce director liability for serious breaches of the marketing rules; and in 2019 to ban cold-calling of pension schemes in certain circumstances.
  • This guide covers the latest version of PECR, which came into effect on 9 January 2019, with some updates to cover changes made by the UK GDPR from 25 May 2018.
  • The EU is in the process of replacing the e-privacy Directive with a new e-privacy Regulation to sit alongside the EU GDPR. However, the new Regulation is not yet agreed but will not be implemented in the UK. PECR will continue to apply alongside the UK GDPR.

Internal transfers

  • Personal data shall not be transferred to a country or territory outside the United Kingdom (UK), unless that country or territory ensures an adequate level of protection for the ‘rights and freedoms’ of Data Subjects in relation to the processing of personal data.
  • The transfer of personal data outside of the UK is prohibited unless one or more of the safeguards or exceptions specified below apply:

Binding corporate rules 
Central YMCA may adopt approved Binding Corporate Rules for the transfer of data outside the UK.

EU Standard contract clauses
Central YMCA may adopt approved EU model contract clauses for the transfer of data outside of the UK. If Central YMCA adopts the model contract clauses it will also incorporate the UK Addendum.  Alternatively, Central YMCA can rely on an International Data Transfer Agreement for any transfers of personal data out of the UK.  

Ad Hoc contractual clauses 
Central YMCA may adopt ad hoc contractual clauses that will have to be approved by the ICO. They allow the Central YMCA to individually tailor the transfer to its needs. 

In the absence of the above, transfer of data shall only take place subject to the fulfilment of the following conditions:

  • the Data Subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the Data Subject due to the absence of an adequacy decision and appropriate safeguards;
  • the transfer is necessary for the performance of a contract between the Data Subject and the controller or the implementation of pre-contractual measures taken at the Data Subject's request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the controller and another natural or legal person;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise or defence of legal claims;
  • the transfer is necessary to protect the vital interests of the Data Subject or of other persons, where the Data Subject is physically or legally incapable of giving consent;
  • the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case.

The Charity’s Data Protection Officer will assess the adequacy of the safeguards considering the following factors:

  • the nature of the information being transferred;
  • the country or territory of the origin, and destination, of the information;
  • how the information will be used and for how long;
  • the laws and practices of the country of the transferee, including relevant codes of practice and international obligations; and
  • the security measures that are to be taken about the data in the overseas location. (This is a UK-specific option.)

A list of countries that satisfy the adequacy requirements of the Commission are published in the Official Journal of the European Union and in the UK GDPR.

Appendix F: Data Storage and Management 

Data storage 

These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT Manager or Data Protection Officer.

Hard Copies

  • When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
  • These guidelines also apply to data that is usually stored electronically but has been printed out for some reason. In such instances:
    • When not required, the paper or files should be kept in a locked drawer or filing cabinet;

    • Employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer;

    • Data printouts should be shredded and disposed of securely when no longer required. 

Soft Copies

  • When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts
  • Data should be protected by strong passwords that are changed regularly and never shared between employees.
  • If data is stored on removable media (like a USB, CD or DVD), these should be kept locked away securely when not being used.
  • Data should only be stored on designated drives and servers, and should only be uploaded to an approved cloud computing services.
  • Servers containing personal data should be sited in a secure location, away from general office space.
  • Data should be backed up frequently. Those backups should be tested regularly, in line with the Charity’s standard back up procedures.
  • Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
  • All servers and computers containing data should be protected by approved security software and a firewall.

Data use

  • Personal data is of no value to the Charity unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft
  • When working with personal data, employees should ensure the screens of their computers are always locked when left unattended
  • Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure
  • Data must be encrypted before being transferred electronically
  • Personal data should never be transferred outside of the UK
  • Employees should not save copes of personal data to their own computers. Always access and update the central copy of any data.

Data accuracy

  • The data protection legislation requires the Charity to take reasonable steps to ensure data is kept accurate and up to date.
  • The more important it is that the personal data is accurate, the greater the effort the Charity should put into ensuring its accuracy.
  • It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date possible.
  • Data will be held in as few places as necessary and should not be duplicated wherever possible
  • Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
  • Central YMCA will make it easy for Data Subjects to update the information the Charity holds about them. Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
  • It is the marketing department’s responsibility to ensure marketing databases are checked against industry suppression files every six months.

**Some processes are for internal use only.