Little Village Camden
Little Village Wandsworth
Little Village HQ, St Mark's Church,
53 Rowfont Road, London, SW17 7AP
Little Village is committed to a policy of protecting the rights and privacy of individuals. Little Village needs to collect and use certain types of Data in order to carry out our work. This personal information must be collected and dealt with appropriately.
The General Data Protection Regulation (GDPR) governs the use of information about people (personal data). Personal data can be held on computer or in a manual file, and includes email, minutes of meetings, and photographs. Little Village will remain the Data Controller for the information held. Little Village and volunteers will be personally responsible for processing and using personal information in accordance with the GDPR.
Trustees, staff, Operating Committee members and volunteers running Little Village who have access to personal information will be expected to read and comply with this policy.
The purpose of this policy is to set out Little Village’s commitment and procedures for protecting personal data. Little Village regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.
In line with the GDPR principles (Article 5), Little Village will ensure that personal data will:
Where collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes paper-based personal data as well as that kept on computer.
The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. The organisation will seek to abide by this code in relation to all the personal data it processes, i.e.
Type of Information Processed
Some examples of Personal Data:
Some examples of Sensitive Personal data:
Little Village processes the following personal information (information that allows a person to be identified):
Personal information is emailed to a secure email address by the referrer, volunteer or donor and is then uploaded to the client database. If paper requests for referrals or volunteer applications are received, they are uploaded to the client database, after which the paper copy is destroyed.
Staff data, including personal and financial records, are only available to the Operations Manager, Trustee Treasurer, Finance Manager, CEO and payroll.
Groups of people within the organisation who will process personal information are:
Applying the GDPR within Little Village
Whilst access to personal information is limited to the aforementioned staff and volunteers at Little Village, volunteers at Little Village may undertake additional tasks which involve the collection of personal details from members of the public.
In such circumstances we will let people know why we are collecting their data and it is our responsibility to ensure the data is only used for this purpose.
Individuals have a right to have data corrected if it is wrong, to prevent use which is causing them damage or distress or to stop marketing information being sent to them.
Little Village is the Data Controller under the GDPR, and is legally responsible for complying with the GDPR, which means that it determines what purposes personal information held will be used for.
The Board of Trustees will take into account legal requirements and ensure that it is properly implemented, and will through appropriate management, strict application of criteria and controls:
The Data Protection Officer on the Board of Trustees is: Jennifer Lucas
The Data Protection Officer for Wandsworth Site is:
Name: Rebecca Wilson
Contact Details: firstname.lastname@example.org
The Data Protection Officer for Camden Site is:
Name: Sharon Traub
Contact Details: email@example.com
The Data Protection Officer for Southwark Site is:
Name: Clare Hill
The Data Protection Officer(s) will be responsible for ensuring that the policy is implemented and will have overall responsibility for:
This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the GDPR.
In case of any queries or questions in relation to this policy please contact the Data Protection Officer.
Training and awareness raising about the GDPR and how it is followed in this organisation will take the following forms:
On induction: all volunteers are given a copy of our data protection policy and asked to sign the Volunteers’ Agreement to show they have read and understood it. Specific induction is given regarding volunteer roles that deal with personal data. Only staff (or key volunteers at Start up Sites where there is yet to be a paid data officer) and trustees have access to passwords and locked files.
General training / awareness raising: Before every session attended by families we support there is a reminder briefing in which the responsibilities of the volunteer and data protection are highlighted.
Further training is available to trustees and staff through outside agencies where necessary and a training log is kept of those who have attended.
Before personal information is collected, we will consider:
We will inform people whose information is gathered about the following:
Once received, all correspondence containing ‘personal’ or ‘sensitive personal’ data must immediately be either securely processed, stored, or destroyed; or immediately passed on to another member of staff or a volunteer for secure processing, storing or destruction.
All staff and volunteers must adopt a ‘clear desk policy’ when it comes to data. This means that all versions of any ‘personal’ or ‘sensitive personal’ data must be handled in a timely and secure fashion and at no time left unattended, particularly outside hours of business e.g. not left on desks overnight.
Electronic copies should at no time be left open and unattended on a computer monitor, and should never be unnecessarily distributed.
Computer screens should be locked if they are left unattended for any time.
All electronic correspondence containing ‘personal’ or ‘sensitive personal’ data should be deleted, and then deleted from any electronic ‘trash’ bin, once it has been processed.
Paper copies should exist in only one of three states; being securely processed, being securely stored, or being securely destroyed.
The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:
Little Village intends to use the “legitimate interest” principle of the GDPR in relation to information about volunteers and donors which was collected and stored before the date of this policy. Appendix 1 details the circumstances in which legitimate interest will be applied.
Any unauthorised disclosure of personal data to a third party by an employee may result in disciplinary action being taken.
The trustees are accountable for compliance with this policy. A trustee could be personally liable for any penalty arising from a breach that they have made.
Any unauthorised disclosure made by a volunteer may result in the termination of the volunteering agreement.
If a volunteer or member of staff is made aware of a data breach they should notify the Site Director who will then inform the Operations Manager.
Any serious data breaches or data loss will be reported to the Information Commissioner’s Office and the Charity Commission. This includes:
Data Subject Access Requests
Anyone whose personal information we process has the right to know:
They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.
Individuals have a right under the Act to access certain personal data being kept about them on computer and certain files. Any person wishing to exercise this right should apply in writing to Emily Compston (firstname.lastname@example.org).
The following information will be required before access is granted:
We may also require proof of identity before access is granted. The following forms of ID may be required: passport, birth certificate.
Queries about handling personal information will be dealt with swiftly and politely.
We will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within the 28 days required by the GDPR from receiving the written request.
Little Village may need to share data with other agencies such as the local authority, funding bodies and other voluntary agencies.
The Data Subject will be made aware in most circumstances how and with whom their information will be shared. There are circumstances where the law allows Little Village to disclose data (including sensitive data) without the data subject’s consent.
Little Village regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.
The consequences of breaching Data Protection can cause harm or distress to service users if their information is released to inappropriate people, or they could be denied a service to which they are entitled. Volunteers should be aware that they can be personally liable if they use clients’ personal data inappropriately. This policy is designed to minimise the risks and to ensure that the reputation of Little Village is not damaged through inappropriate or unauthorised access and sharing.
If members of the public or stakeholders have specific questions about information security and data protection in relation to Little Village, please contact the Data Protection Officer.
The Information Commissioner’s website (www.ico.gov.uk) is another source of useful information.
Dated: May 2019
Review Date: May 2020
Appendix 1: Little Village GDPR Approaches
Background and Definitions
Consent is not defined in the Data Protection Act. However, the European Data Protection Directive (to which the Act gives effect) defines an individual’s consent as:
…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.
Under the GDPR, organisations using consent as the basis for contact or data processing will need to actively collect and then maintain consents (opt-ins) from existing and new contacts in order to store information, or before any contact can be made (using personal data). The bar is set very high on the quality of this consent.
GDPR presents legitimate interest as a valid condition for processing as follows:
“where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Organisations using legitimate interest as the basis for processing data will need to be able to demonstrate that they have balanced the rights of the individual data subject with their own interests. They will need to record and explain the rationale for using legitimate interest and they need to be aware that the data subject can challenge.
Contacting all individuals on whom we already hold data to collect permission could lead to a significant reduction in the number of people on our databases. Not everyone will respond, and not all of those who do will tick a consent box, even if they are actively in contact with Little Village. Harvesting and maintaining permissions could quickly become the major preoccupation of operating teams.
Legitimate interest is a simpler approach and recent guidance from the Information Commissioner’s Office (ICO) suggests they now consider this route is likely to be chosen by charities in many cases. However, the charity needs to specify and record the grounds on which it believes legitimate interest applies in each case. Organisations also cannot rely on consent and legitimate interest for the same set of data, i.e., if a group of individuals are contacted to request consent but consent is not given by some, we could not then retain their information under legitimate interest.
Proposed Approaches for Little Village
Our updated Data Protection Policy outlines the personal information we collect on various groups that come into contact with our charity, why this is collected and how and why it is held. We have updated all of the forms we use to collect this information to contain a robust set of consents around storing data and opt-ins for future contact for relevant reasons depending on the group of people using the form. Given consents will be recorded and stored securely.
To judge which route should apply, and to enable us to articulate these to others, we set out to establish some principles.
We do not currently have any (or have very few) financial donors on a regular giving scheme, and as such do not have a large financial donor database whom we would contact about future fundraising campaigns. If this is something we decide to pursue in the future, we should revisit this policy. Many other charities are relying on legitimate interest for contact relating to fundraising.
| Group | Proposed Approach | Action Required | Confirmation Action Confirmed & Notes |
|---|---|---|---|
| Existing Volunteers | Legitimate interest to hold their information as charity needs to be able to contact them to operate. Not harming rights of individuals as contact is in line with reason individuals originally provided data. Inform individuals that they will be kept on our database and give them the option to opt-out. | Send local newsletters to existing database (legitimate interest) including link to new policy and right to have data removed and no longer receive correspondence: Site Directors included language from HQ in email sent May 2018 | Mailchimp has an opt-out. No opt-out on Frank communication system. However, note added to footer of email to ask recipients to reply if they would like to be removed from mailing. Reviewed by Sophia Parker 30/4/19 |
| New Volunteers | Collect consents (data retention and future contact) at point of contact and store securely. | Online contact form to be updated with new opt-in consents | |
| Existing Service Users | Hold anonymised data in line with policy. Cannot contact without obtaining new set of consents. New consents to be obtained for any service user we have contact with and stored securely. | Site Directors and Referrals Managers to delete historic correspondence by which individuals could be identified. | |
| New Service Users | Collect consents (data retention and future contact) at point of contact and store securely. | Paper and online contact form to be updated with new opt-in consents. Site Directors/Referral Managers to email consents to individuals contacting us not using standard new forms. | |
| Existing Referrers | Legitimate interest to hold their information as charity needs to be able to contact them to operate. Not harming rights of individuals as contact is in line with reason individuals originally provided data. Inform individuals that they will be kept on our database and give them the option to opt-out. | Send local newsletters to existing database (legitimate interest) including link to new policy and right to have data removed and no longer receive correspondence: Site Directors to include language from HQ in email sent May 2018 | |
| New Referrers | Collect consents (data retention and future contact) at point of contact and store securely. | Paper and online contact form to be updated with new opt-in consents. Site Directors/Referral Managers to email consents to individuals contacting us not using standard new forms. | |
| Donors – equipment | We do not currently have an existing database of equipment donors. New consent will be obtained if we wish to establish this in the future. | | |
| Donors – financial | We retain the information we are required to relating to Gift Aid. This is in the legitimate interest of the charity to allow us to comply with regulations. If we wanted to use this information to contact donors about future giving, we could use legitimate interest but we should revisit this at the time. | | |
Reviewed by Emily Compston, Operations Manager – May 2019