Privacy Notice

Data Protection Policy

The purpose of this policy is to enable the Ottery Feoffee Charity to comply with the law (the GDPR and DPA 2018) in respect of the data it holds about individuals.

The Ottery Feoffee Charity will ensure that the information the charity holds about its residents, beneficiaries, employees etc is used in accordance with the law.  The charity will only collect and use personal data in compliance with this policy and the rules set out below.

The charity will:

  • follow good practice
  • protect residents, trustees, staff, volunteers and other individuals by respecting their rights
  • demonstrate an open and honest approach to personal data and 
  • protect the charity from the consequences of a breach of its responsibilities.

This policy applies to all the information that we control and process relating to identifiable, living individuals, including contact details, test and exam results, bank details, photographs, audio and digital recordings.

The Ottery Feoffee Charity will comply with General Data Protection Regulations 2018 as follows:

  1. Transparency:  the charity will be open and transparent in the way personal data is used and shared.  There may be limited circumstances where the charity does not have to comply with the transparency requirement but in such instances the charity will obtain further advice from the ICO.  Individuals will be provided with information about how their personal data is collected and stored.
  2. Collecting and Using Personal Data for Lawful Purpose only:  the charity will only collect and use the minimum amount of personal data if relevant for the purpose of the charity and where the charity can rely on a lawful basis (or bases) and where the purposes have been identified in a privacy notice provided to individuals, for example in the charity’s application form.  When collecting personal data from individuals the charity will ensure that the individuals are aware of the purposes for which the personal data will be used.

In addition, when collecting personal data, the charity will only collect those details which are necessary for the purposes for which that personal data is being obtained. Any use of personal data will be for the identified purposes and any different or new purposes will have a lawful basis.  Personal data that is not necessary for any legitimate business purpose will not be collected or accessed.

Ottery Feoffee Charity has identified that the charity has a legitimate interest in keeping personal data about residents as trustees must be satisfied that each resident qualifies as a beneficiary of the charity in accordance with the Governing Document dated [        ]

The Charity considers the processing and storing of such personal data is necessary to comply with the Governing Document.  All personal data, including details of residents’ next of kin will be stored securely, data on computer will be password protected and paper copies of data will be kept in a locked filing cabinet.  Only authorised members of staff and trustees will have access to personal data.

Privacy Impact Assessment and Privacy by Design

The trustees consider that the use of personal data is unlikely to result in significant risks for the rights and freedoms of individuals and therefore a Privacy Impact assessment is not necessary.  The Charity will ensure that systems, databases and tools that collect and use personal data are designed to promote privacy protection.

Ensuring data quality

Processing inaccurate information can be harmful to individuals and the Charity. The main way of ensuring that personal data is kept accurate and up to date is by ensuring that the sources the charity uses to obtain personal data are reliable.  Individuals will be actively encouraged to inform the Charity should their personal data change.

To ensure that personal data is accurate, it will generally be collected directly from individuals.  All residents will be actively encouraged to update their contact details by notifying the Charity of any changes in their personal data.

Retaining and disposing of data

Any personal data must only be kept where there is a business or legal need to do so. When the Charity disposes of personal data, this will be undertaken in a secure manner.

Documents (including paper and electronic versions and e-mail) containing personal data will not be kept indefinitely and will always be securely deleted and destroyed once they have become obsolete or when that personal data is no longer required.

Personal data will not be retained simply on the basis that it might come in useful one day without any clear view of when or why.

The Charity’s data retention policy is:

The Charity will not keep personal data for longer than is necessary.  This means that:

  • a resident’s file will be completely destroyed after three years of the resident leaving or passing away;
  • records of complaints/investigations concerning residents will be destroyed six years after the resident leaves or passes away;
  • application forms for unsuccessful applicants will be destroyed three years after the date of application;
  • trustees will destroy and delete all Charity documents held within their own records twelve months after receipt, including all computer data and paper copies;
  • trustees’ personal files will be destroyed one year after ceasing to be a trustee;
  • staff personal files will be destroyed 6 years after employment ceases.

Honouring Individuals’ Rights

The Charity will reply to queries and complaints from individuals about how the Charity uses their personal data within 30 days.

Individuals are entitled by law (by making a request) to be supplied with a copy of any personal data held about them (including both electronic and paper records).  Individuals are also entitled to know the logic involved in decisions made about them.

An individual also has the right to seek erasure of their data and to request portability of their data, i.e. that the Charity provides their data to them in a structured, commonly used and machine-readable format.

Where the Charity receives a request from an individual exercising their legal right to control their personal data, the Charity will respond promptly.  If a valid request concerns a change in that individual’s personal data, such information will be rectified or updated, if appropriate to do so.

Taking appropriate security measures

Personal data will be kept secure.  Technical, organisational, physical and administrative security measures (both computer system and non-computer system related steps) are necessary to prevent the unauthorised or unlawful processing or disclosure of personal data, and the accidental loss, destruction of, or damage to personal data.

The Charity will monitor the level of security applied to personal data and take into account current standards and practices.  As a minimum the Charity will ensure that:

  • Personal files for residents, trustees and employees are kept in a locked filing cabinet at all times with access only by authorised staff;
  • Applications for accommodation are kept in a locked filing cabinet at all times with access only by authorised staff;
  • Trustees’ details are kept in a locked filing cabinet with access only by the Clerk;
  • Electronic files containing personal data are password protected and passwords will be changed on a regular basis;
  • Backed up electronic data is held securely on an alternative site or when off-site it is encrypted, password protected and will only be accessed by named staff;
  • If any personal data is taken from the office (e.g. to work at home) the personal data will be held securely at all times whilst in transit and at the location where held.

Any suspicion of any data security breach should be reported immediately to the Chairman and the Trustees.  When the Charity becomes aware of a breach, protective measures will be taken to effectively mitigate the consequences of the breach.

Using Subcontractors and Vendors

Under EU data protection law, where a provider of a service has access to personal data (e.g. as a payroll provider) the Charity will impose strict contractual obligations dealing with the purposes and ways personal data may be used and the data security of that information.  These are third parties who act as processors (i.e. only holding the personal data according to the Charity’s instructions) and this will include telecare companies that provide services to the Charity (Housing Benefit and Government officers are not vendors).

The Charity will carry out appropriate due diligence on any potential third party to which personal data is being provided and ensure that the third party’s Data Privacy Policy is adequate.

The Charity will always enter into a written contract with any Vendor that deals with personal data being provided by the Charity.  The contract will meet the requirements under the GDPR Article 28.

Disclosure to Third Parties

At times, the Charity may disclose personal data to vendors, contractors, service providers and other selected third parties.

Prior to disclosing personal data to these parties, the Charity will take reasonable steps to ensure that:

  1. the disclosure of personal data is appropriate;
  2. the recipient of such information is identified; and
  3. where appropriate or required by law, the third party is contractually committed to complying with this Policy and/or the Charity’s instructions concerning the use of personal data as well as implementing appropriate security measures to protect personal data, limited further use of personal data, and complying with applicable laws.

In certain circumstances, the Charity may be required to disclose personal data to third parties when required by law, when necessary to protect the Charity’s legal rights, or in an emergency situation where the health or security of an individual is endangered.  Prior to such disclosures, the Charity will take steps to confirm that the personal data is disclosed only to authorised parties and that the disclosure is in accordance with this Policy and applicable law.

Safeguarding the use of special categories of data

Special categories of data is information revealing an individual’s racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, processing of genetic data or biometric data (for the purpose of uniquely identifying an individual), health and sex life or sexual orientation.  Since this information is more intrusive, the Charity will only use it where absolutely necessary and often with the explicit consent of the individual affected.

The Charity will only hold and make available special categories of data on an individual without their explicit consent if the Charity has another lawful basis under applicable law.  This may be the case, for example, where the Charity holds information about an individual’s health where this is necessary to exercise any obligation conferred by law on us in connection with the Charity.

For residents and beneficiaries the Charity may also collect and use their special category data where:

  • Our use of their personal data is to provide support for a particular disability or medical condition;
  • Our use of their personal data is necessary for providing confidential counselling, advice or support;
  • Our use of their personal data is necessary for protecting an individual from negligence or physical, mental or emotional harm;
  • Our use of their personal data is necessary for the purpose of protecting the economic well-being of an individual at economic risk and is of health data.

The Charity will always assess whether special categories of data are essential for the proposed use and will only collect special categories of data when it is absolutely necessary in the context of the organisation.  Application (or other) forms used to collect special categories of data will include suitable and explicit wording expressing the individual’s consent when the Charity is collecting explicit consent.

Consent must be demonstrable.  Therefore, if it is collected verbally it will be recorded in such a form as to prove that the requisite information was provided to the individual and their response was able to be verified.

Where consent is not relied upon, the Charity will take steps to ensure that there is another lawful basis under applicable law for the collection and use of such information. In certain circumstances, the Charity may be required to consult with the Information Commissioner’s Office about the proposed use of such special categories of data.

Collecting children’s data

Data pertaining to children will only be collected when strictly necessary, for example where the Charity appoints families and needs to record ages of children.  The Charity will only collect a minimum amount of data about children as is necessary for the Charity’s purpose.  Trustees are aware that children’s data is considered more sensitive and will be protected accordingly.

Data storage and processing:

Ottery Feoffee Charity recognises that data is held about:

  • Residents
  • Trustees
  • Staff
  • Volunteers
  • Members.

This information is always stored securely and access is restricted to those who have a legitimate need to know.  We are committed to ensuring that those about whom we store data understand how and why we keep that data and who may have access to it.  We do not transfer data to third parties without the express consent of the individual concerned.

Archived records are stored securely and the Charity has clear guidelines for the retention of information as set out in point 5 above.

Rights of individuals

All individuals who come into contact with Ottery Feoffee Charity have the following rights under the DPA:

  • A right of access to a copy of their personal data;
  • A right to object to processing that is likely to cause or is causing damage or distress;
  • A right to prevent processing for direct marketing;
  • A right to object to decisions being taken by automated means;
  • A right, in certain circumstances, to have inaccurate personal data rectified, blocked, erased or destroyed; and
  • A right to claim compensation for damages caused by a breach of the DPA.

The Trustees recognise their overall responsibility for ensuring that the Charity complies with its legal obligations.  A trustee, [name], [or the Data Protection Officer if there is one] is responsible as follows:-

Roles and Responsibilities

  • Briefing trustees on Data Protection responsibilities
  • Reviewing Data Protection and related policies
  • Advising other staff on Data Protection issues
  • Ensuring that Data Protection induction and training takes place 
  • Notification
  • Handling subject access requests.

All trustees, staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their roles.

Significant breaches of these policies will be handled under disciplinary procedures.

Key risks to the safety of data control and process:

The Trustees have identified the following potential key risks:

  • Breach of confidentiality (information being given out inappropriately)
  • Individuals being insufficiently informed about the use of their data
  • Misuse of personal information by staff or volunteers
  • Failure to update records promptly
  • Poor IT security and
  • Direct or indirect, inadvertent or deliberate unauthorised access.

The trustees will review the Charity’s procedures regularly, ensuring that the Charity’s records remain accurate and consistent and in particular:

  • IT systems will be designed, where possible, to encourage and facilitate the entry of accurate data;
  • Data on any individual will be held in as few places as necessary and trustees and staff will be discouraged from establishing unnecessary additional data sets;
  • Effective procedures will be in place so that relevant systems are updated when information about an individual changes.

Subject access requests

Any individual who wants to exercise their right to receive a copy of their personal data can do so by making a Subject Access Request (“SAR”) to the Clerk.  The request must be made in writing and the individual must satisfy the Clerk of their identity before receiving access to any information.

A SAR must be answered within 30 calendar days of receipt by the Charity.

Collecting and using personal data

The Ottery Feoffee Charity typically collects and uses data in connection with the provision of [objects of the Charity].  The Charity collects personal data mainly in the following ways:-

  • By asking applicants for accommodation to complete paper forms
  • By asking residents to give staff information verbally.

The Ottery Feoffee Charity will:-

  • Not use any of the personal data it collects in any ways that have unjustified adverse effects on the individuals concerned
  • Be transparent about how it intends to use the data and give individuals appropriate privacy notices when collecting their personal data
  • Handle people’s personal data only in ways they would reasonably expect
  • Not do anything unlawful with the data.

Keeping data secure

The Ottery Feoffee Charity will take all appropriate measures to prevent unauthorised or unlawful processing of personal data and to protect personal data against loss, damage or destruction. This means that:-

[these are examples]

  • Personal files for residents, trustees and employees and applications for accommodation will be kept in a locked filing cabinet at all times with access only by authorised staff;
  • Trustees’ details will be kept in a locked filing cabinet with access only by the Clerk;
  • Electronic files containing personal data will be password protected and passwords will be changed on a regular basis;
  • Backed up electronic data will be held securely on an alternative site or when off-site will be encrypted, password protected and only accessed by named staff;
  • If any data is taken from the office (e.g. to work at home) the data must be held securely at all times whilst in transit and at the location the data is held.

This policy has been approved for issue by the board of trustees of Ottery Feoffee Charity.