Walsingham Care Data Protection Policy

Purpose:

Walsingham Care is a grant-making charity for older people, based in Walton On Thames, Surrey.

We collect personal information such as name, postal address, telephone number, email address, date of birth (where appropriate), information about communication preferences, health and financial information. For training and employment purposes we may also collect information such as skills, previous training, proof of identity, emergency contacts, right to work, driving licence details. We collect this information only in connection with specific activities, such as providing grants and services.

Employees and Trustees:

  • Walsingham Care expects its employees and trustees to understand and observe all forms of guidance on data protection, and to collect, process and use appropriate information, and only in accordance with the purposes for which it is used.
  • It is expected that information is correctly input onto systems and is not sent abroad.
  • Industry-standard passwords should be used and not removed.
  • Personal data should be locked away and not left unattended.
  • Staff are expected to adhere to retention policies as set out in our privacy policy.
  • Data should be processed by users in line with our current lawful bases and within the scope of the eight data protection principles listed below.
  • It is expected that staff should know how to action a Subject Access Request/complaint about personal data. Please refer to the separate Subject Access Request policy.
  • It is required that staff and trustees should be aware of what a data protection breach is and how to report it to the ICO within the timeframe specified by the ICO. Please refer to the Breach Policy.
  • It is the day-to-day responsibility of the Charity’s Chief Operating Officer to monitor and adhere to Data Protection Law.
  • Information or facts obtained by or revealed by staff, during the course of their employment, are highly confidential and staff/trustees must not reproduce or reveal such information in any format to a third party save where authorised to do so by the Charity or it is necessary to do so to perform their duties or where they are under a legal obligation so to do. Employees may be held personally liable for any breaches of their obligations in this regard.
  • All staff and volunteers are within scope of this document.
  • Failure to comply with the following provisions may, if the circumstances warrant, be regarded as Gross Misconduct which may constitute grounds for summary dismissal.

Principles of Data Protection:

Walsingham Care supports and complies with the eight data protection principles as listed below.

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –

(a) at least one of the conditions in point 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in point 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Data retention periods

  • HR/Staff - records required 6 years after leaving unless still valuable.
  • Payroll - HMRC recommend 3 years for PAYE records after the income year to which they relate or 3 years after employee leaves, unless still valuable (e.g. insurance reasons), in which case retained for 6 years + 1.
  • Accounts - HMRC recommends 6 years from the end of the last company financial year they relate to.
  • Grants to organisations - 6 years from commencement of agreement.
  • Complaints - 6 years from date of receipt.
  • Case studies - 1 year from date of publishing.
  • Grants to individuals:
    o  2 years from the date of application for one-off payment grants.
    o  2 years from the termination of ongoing support grants.
    o  2 years from the date of application for declined grants.

May 2024