Change history
Version number | Date of release | Policy owner | Authorised by |
4.0 | 30 July 2020 | Ryan Palmer, Director of Quality and Impact (SIRO) | Board of Trustees |
Policy statement
Central YMCA (‘the Charity’) fully understands its obligations to ensure that personal information is treated fairly, lawfully and correctly, and it is committed to achieving compliance with relevant Data Protection legislation.
The Charity needs to collect and process personal data about people, including staff and individuals with whom it deals, in order to run its daily business and to operate effectively as an organisation.
The Data Protection Act 2018 ('the Act') and the General Data Protection Regulation (2016/679) ('GDPR') set out the rules about how personal data and sensitive personal data about living individuals must be processed.
Most businesses hold personal data on their customers, employees and partners. The explosion in the use of the Internet, electronic communication and computerisation of business data has led to an increase in the importance of privacy. Breaches of computerised data security have prompted the introduction of legislation on a national and European level. These include:
- Human Rights Act 1998;
- Freedom of Information Act 2000;
- Privacy and Electronic Communications Regulations 2003;
- Regulation of Investigatory Powers Act 2000;
- Telecommunications (Lawful Business Practice) Interception of Communications Regulations 2000;
- The Act;
- Computer Misuse Act 1990; and
- GDPR.
The GDPR replaces the Data Protection Directive (Directive 95/46/EC) ('the Directive') and supersedes the laws of individual Member States that were developed in compliance with the Directive. Its purpose is to protect the “rights and freedoms” of living individuals, and to ensure that personal data is not processed without their knowledge, and, wherever possible, that it is processed with their consent.
The Charity aims to ensure that information held about employees, ex-employees, volunteers and service users is relevant and accurate, stored safely and available to individuals within reasonable timescales.
The Charity is committed to ensuring that staff are appropriately trained and supported to achieve compliance with the Data Protection Act and other relevant legislation. The Charity regards this as vital in maintaining confidence between Central YMCA and those whose personal data it holds.
The Charity fully endorses and adheres to the Data Protection Principles listed below:
- personal data shall be processed fairly and lawfully;
- personal data shall be obtained only for specified and lawful purposes, and shall not be processed in any manner incompatible with those purposes;
- personal data shall be adequate, relevant and not excessive in relation to the purposes for which it is processed;
- personal data shall be accurate and, where necessary, kept up to date;
- personal data shall be kept for no longer than is necessary for the purposes for which it is processed;
- personal data shall be processed in accordance with the rights of Data Subjects under the Bill and GDPR (General Data Protection Regulations);
- personal data shall be subject to appropriate technical and organisational measures to protect against unauthorised or unlawful processing and accidental loss, destruction or damage;
- personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of data protection.
Trustees and the Executive Team are strongly committed to the rights of individuals (the ‘Data Subjects’) whose data they collect and process and will comply with UK and EU laws related to personal information in line with the GDPR. These include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and sorted to meet the company’s data protection standards and to comply with the law.
Scope
This policy applies to all personal data and sensitive personal data collected and processed by the Charity in the conduct of its business, in electronic medium and within structured filing systems.
This policy applies to all Charity employees (‘all staff’), whether permanent, temporary, contractors, consultants or volunteers.
The Central Young Men's Christian Association (Central YMCA) is the data controller and is registered with the Information Commissioner's Office ('ICO') for collecting and using personal data to:
provide education and training to our students, customers and clients as well as administer membership records for the Charity. Personal information is also processed to enable us to provide a voluntary service for the benefit of the public; to fundraise and promote the interests of the charity; manage our employees and
This data protection policy ensures that Central YMCA:
- complies with data protection law and follows good practice;
- protects the rights of staff, customers and partners;
- is open about how it stores and processes individuals’ data; and
- protects itself from the risks of a data breach.
Related Legislation
- Records Retention & Disposal Policy
- Record Retention Schedules
- Privacy Notice
Related Policies, Procedures, and Templates
- Safeguarding Policy
- Prevent Policy
- Recruitment Policy
- DBS Policy
- Equality, Diversity and Inclusion Policy
- Safeguarding Procedure Flowchart
Responsibilities
Board of Trustees
Overall responsibility for the policies and procedures that govern the work at Central YMCA.
Chief Executive
Overall responsibility for ensuring Central YMCA’s resources are used effectively and appropriately.
Senior Information Risk Officer (SIRO)
Responsible for understanding how the strategic business goals of the organisation may be impacted by any information risks, and for taking steps to mitigate them. The SIRO is accountable and responsible for information risk across the Charity.
Data Protection Officer (DPO)
Accountable to the SIRO and responsible for the management of personal information within Central YMCA and for ensuring that compliance with data protection legislation and good practice can be demonstrated. This accountability includes the development and implementation of the data protection policy and security and risk management to ensure compliance.
Policy Owner
Responsible for ensuring guidelines are in place and that policies and procedures reflect our charitable ethos and commitment to equality and diversity.
All Line Managers
Responsible for ensuring all employees are aware of and follow this policy.
All Employees and Volunteers
To follow policies and procedures, promoting best practice throughout the organisation.
Everyone who works for or with Central YMCA has the responsibility for ensuring data is collected, stored and handled appropriately.
Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
All third parties who require access to personal data will be required to sign a confidentiality agreement before access is permitted. This agreement will ensure that the third party has the same legal obligations as the Charity. This will also include an agreement that the Charity can audit compliance with the agreement.
Any breach of the GDPR or this policy will be considered a breach of the disciplinary policy and could also be considered a criminal offence, potentially resulting in prosecution.
Company Responsibilities
Central YMCA is both a data controller and data processor as defined under the GDPR.
Senior Management and all those in managerial or supervisory roles throughout Central YMCA are responsible for developing and encouraging good information handling practices within the organisation; responsibilities are set out in individual job descriptions.
Central YMCA has appointed a suitably qualified and experienced DPO who is responsible for day-to-day compliance with this policy. The DPO is responsible for ensuring that Central YMCA complies with the GDPR in relation to all aspects of data processing. The DPO has direct responsibility for policy and procedures, including Subject Access Requests. The DPO is also the person from whom all staff should seek guidance regarding GDPR compliance.
It should be noted that compliance with GDPR requirements remains the responsibility of all staff who process or control personal information for Central YMCA. All members of staff employed by the Charity are also responsible for ensuring that any personal data about them that they supply to the Charity is accurate and up to date.
The Charity is responsible for ensuring that staff have regular suitable training in order to undertake their data protection responsibilities.
Policy Review
Review of impact against the aims of policy:
This policy has been reviewed by Ryan Palmer (SIRO) and Lucian-Gabriel Burcea (DPO). It has been approved by the Board of Trustees and is deemed fit for purpose. All related procedures have been designed to match the contents of this policy.
The policy has been communicated successfully to all employees and has been made available on the Charity’s intranet.
Do there appear to be any patterns of equality related issues: No
If yes, please provide an Equalities Impact Assessment (if relevant): N/A
Reviewed by:
Date:
This policy will be reviewed on an annual basis by the Policy Owner and signed off by the Board of Trustees if any changes are made.
Next review date: July 2020