|Version number|Date of release|Policy owner|Authorised by|
|---|---|---|---|
|5.0|01/09/2023|Naomi da Silva, Head of Business Assurance|Board of Trustees|
Central YMCA (‘the Charity’) fully understands its obligations to ensure that personal data is treated fairly, lawfully and correctly, and it is committed to achieving compliance with relevant Data Protection legislation.
The Charity needs to collect and process personal data about people, including staff and individuals with whom it deals, to operate its daily business and for the organisation to operate effectively.
The Data Protection Act 2018 ('the Act') and the UK General Data Protection Regulation ('UK GDPR'), as amended from time to time, set out the rules about how personal data and sensitive personal data about living individuals must be processed.
Most businesses hold personal data on their customers, employees and partners. The explosion in the use of the Internet, electronic communication and computerisation of business data has led to an increase in the importance of privacy. Breaches of computerised data security have prompted the introduction of legislation on a national and European level. These include:
- Human Rights Act 1998;
- Freedom of Information Act 2000;
- Privacy and Electronic Communications Regulations 2003;
- Regulation of Investigatory Powers Act 2000;
- Telecommunications (Lawful Business Practice) Interception of Communications Regulations 2000;
- The Act;
- Computer Misuse Act 1990; and
- UK GDPR.
The purpose of UK GDPR is to protect the “rights and freedoms” of living individuals, and to ensure that personal data is processed fairly, lawfully and transparently.
The Charity aims to ensure that information held about employees, ex-employees, volunteers and service users is relevant and accurate, stored safely, and available to individuals within reasonable timescales.
The Charity is committed to ensuring that staff are appropriately trained and supported to achieve compliance with the Data Protection Act and other relevant legislation. This is regarded by the Charity as vital in maintaining confidence between Central YMCA and those whose personal data it holds.
The Charity fully endorses and adheres to the Data Protection Principles listed below:
- personal data shall be processed fairly and lawfully;
- personal data shall be obtained only for specified and lawful purposes, and shall not be processed in any manner incompatible with those purposes;
- personal data shall be adequate, relevant and not excessive in relation to the purposes for which it is processed;
- personal data shall be accurate and, where necessary, kept up to date;
- personal data shall be kept for no longer than is necessary for the purposes for which it is processed;
- personal data shall be processed in accordance with the rights of Data Subjects in line with the UK GDPR;
- personal data shall be subject to appropriate technical and organisational measures to protect against unauthorised or unlawful processing and accidental loss, destruction or damage;
- personal data shall not be transferred to a country or territory outside the UK unless that country or territory ensures an adequate level of data protection or appropriate technical and organisational measures are put in place such as the EU Standard Contractual Clauses with the UK Addendum.
Trustees and the Executive Team are strongly committed to the rights of individuals (the ‘Data Subjects’) whose data they collect and process and will comply with laws related to personal data in line with the UK GDPR. These include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and sorted to meet the company’s data protection standards and to comply with the law.
This policy applies to all personal data and special category personal data collected and processed by the Charity in the conduct of its business, in electronic medium and within structured filing systems.
This policy applies to all Charity staff, whether permanent, temporary, contractors, consultants, Trustees and volunteers.
The Central Young Men's Christian Association (Central YMCA) is the Controller and is registered with the Information Commissioner's Office ('ICO') for collecting and using personal data for the following activities:
- to provide services to our students, customers, and partners as well as administer membership records for the Charity;
- to enable us to provide a voluntary service for the benefit of the public;
- to fundraise and promote the interests of the charity;
- to manage our employees and volunteers.
This Policy ensures that Central YMCA:
- complies with data protection laws and follows good practice;
- protects the rights of staff, customers and partners;
- is open about how it stores and processes individuals’ data; and
- protects itself and data subjects from the risks of a data breach.
Board of Trustees
Overall responsibility for the policies and procedures that govern the work at Central YMCA.
Overall responsibility for ensuring Central YMCA’s resources are used effectively and appropriately.
Policy Owner and Senior Information Risk Owner (SIRO)
Responsible for understanding how the strategic business goals of the organisation may be impacted by any information risks, and for taking steps to mitigate them. The SIRO is accountable and responsible for information risk across the Charity. Responsible for ensuring guidelines are in place and that policies and procedures reflect our charitable ethos and commitment to equality and diversity.
Data Protection Officer (DPO)
Accountable to the SIRO and responsible for the management of personal data within Central YMCA and for ensuring that compliance with data protection legislation and good practice can be demonstrated. This accountability includes the development and implementation of the data protection policy and security and risk management to ensure compliance.
Responsible for ensuring guidelines are in place and that policies and procedures reflect our charitable ethos and commitment to equality and diversity.
All Line Managers
Responsible for ensuring all employees are aware of and follow this policy.
All Employees and Volunteers
To follow policies and procedures, promoting best practice throughout the organisation.
- Everyone who works for or with Central YMCA has the responsibility for ensuring data is collected, stored and handled appropriately.
- Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
- All third parties who require access to personal data will be required to sign a confidentiality agreement before access is permitted. This agreement will ensure that the third party has the same legal obligations as the Charity. This will also include an agreement that the Charity can audit compliance with the agreement.
- Any breach of the UK GDPR or this Policy could also be considered a breach of the disciplinary policy and could also be considered a criminal offence, potentially resulting in prosecution.
- Central YMCA is both a Controller and Processor as defined under the UK GDPR.
- Senior Management and all those in managerial or supervisory roles throughout the Charity are responsible for developing and encouraging good information handling practices within the organisation.
- The Charity has appointed a suitably qualified and experienced DPO who is responsible for day-to-day compliance with this policy. The DPO is responsible for ensuring that Central YMCA complies with the UK GDPR in relation to all aspects of data processing. The DPO has direct responsibility for giving advice on policy and procedures, including any Data Subject Access Requests. The DPO is also the person from whom all staff should seek guidance regarding UK GDPR compliance.
- It should be noted that compliance with UK GDPR requirements remains the responsibility of all staff who process or control personal data for Central YMCA. All members of staff employed by the Charity are also responsible for ensuring that any personal data about them that they supply to the Charity is accurate and up to date.
- The Charity is responsible for ensuring that staff have regular suitable training in order to undertake their data protection responsibilities.