This document lays out Voluntary Action Central Surrey’s GDPR Policy. Detailing our commitment to ensure greater right for individuals, transparency for data processing and protection and safeguarding of personal data. The documents will include the following information:
- The purpose for which Voluntary Action Central Surrey process personal data.
- Retention periods for personal data will be retained by Voluntary Action Central Surrey.
- Descriptions of all technical and organisational measures taken by Voluntary Action Central Surrey to ensure the security of personal data.
In order to comply with GDPR 2018, Voluntary Action Central Surrey has adopted three core privacy policies into the organisation Transparency, Empowering, and Protecting and safeguarding of personal data.
Transparency– we are committed to informing our partners, service users, volunteers and employees why we collect personal information and how this information is used.
Empowering– ensuring that our partners, volunteers, employees and service users are able to access their information quickly and efficiently, are able to remove their personal data promptly and with ease.
Protecting and safeguarding of personal data– by privacy by design, ensuring privacy is at the forefront of our day to day working and embedded in ways of working, building privacy into technologies and other additional platforms.
In addition,Voluntary Action Central Surrey is committed to;
- Ensuring personal data shall be processed fairly and lawfully.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Privacy by Design (PbD) – incorporating technical and organisational measures to ensure that accidental loss or destruction of, or damage to, personal data is prevented to the best of our abilities.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Individuals have the rights under GDPR to data held by us:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
The above information should be given free of charge on request which must be within 30 days. The data will be provided in a commonly used and machine-readable format.
- Overall responsibility for ensuring that Voluntary Action Central Surrey is complies with its GDPR obligations rests with the CEO and Chair.
- It is the responsibility of all employees and volunteers to ensure that personal information provided by Voluntary Action Central Surrey is accurate and up to date. It is the responsibility of the employees and volunteers to inform Voluntary Action Central Surrey immediately when changes occur.
- Employees and volunteers whose role involves the collection, maintenance and processing of personal and partner’s information must ensure that the data is kept confidential and safeguarded.
- Voluntary Action Central Surrey shall be responsible to ensure that all records of all personal data collection and processing is documented.
In addition, Voluntary Action Central Surrey will ensure that:
· Everyone processing personal information understands that they are contractually responsible for following good data protection practice.
· Everyone processing personal information is appropriately trained to do so.
· Everyone processing personal information is appropriately supervised.
· It deals promptly and courteously with any enquiries about handling personal information.
· It describes clearly how it handles personal information.
· It will regularly review and audit the ways it holds, manages and uses personal information.
· All staff are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them.
· All volunteers are aware that a breach of the rules and procedures identified in this policy may lead to the termination of their services as per the problem resolution guidelines.
In carrying out the Voluntary Action Central Surrey’s core functions and fulfilling its legal obligations to the voluntary, community and faith sector in Elmbridge, Epsom & Ewell and Mole Valley, the general public and voluntary, community and faith groups using any of Voluntary Action Central Surrey’s services such as, and not limited to, Volunteer Recruitment, GRANTfinder tool and Disclosure and Barring Service, the organisation has a legitimate right to process and retain personal data in order to fulfil our contractual performance.
The information of the volunteers we recruit will be saved on a shared cloud database where only Voluntary Action Central Surrey staff and volunteers shall have access. All information regardless of format in which it is held will be processed, handled and safeguarded in line with current GDPR guidelines.
Volunteer recruitment service:
- A member of the general public who has expressed an interest to volunteer via our website, telephone, email or drop in at any of our volunteer centres/ outreaches will be made aware that their information will be captured and passed on to third parties.
- The special categories of personal data, defined by GDPR, particularly ethnicity, past and spent criminal convictions and health data will be captured for statistical purpose, allowed by Article 9 (2) (j).
- Voluntary Action Central Surrey will ensure that the special categories of data will be anonymised.
- Voluntary Action Central Surrey will ensure that expressed consent is obtained for additional services such as newsletters and other promotional material.
- Voluntary Action Central Surrey will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, by completing a form or via email or telephone.
When collecting data, we will ensure that the Data Subjects:
- Clearly understands why the information is needed.
- Understands what it will be used for and what the consequences are should the Data Subject decide not to give consent to processing.
- Has received sufficient information on why their data is needed and how it will be used.
- Understands that consent can be withdrawn at any time.
- Volunteers are defined as any person/s who volunteers with Voluntary Action Central Surrey. We, Voluntary Action Central Surrey, will retain the volunteer’s personal data for maximum of 1 year after they have ceased volunteering with the organisation.
- Service Users are defined as general public who expressed an interest in volunteering via Voluntary Action Central Surrey’s website, other recruitment/ social media sites, telephone, email and drop in at any of our volunteer and out reach centres. We will retain their data for a maximum of one year of non contact.
- The Data Subject retains their right to Subject Access Request and Right to Erasure at any point.
- Voluntary Action Central Surrey will be retaining personal data, employment record of past employee for up to three years for reference purposes
- Data Subject retains their right to Subject Access Request and Right to Erasure at any point
- Information and records relating to service users/volunteers will be stored securely and will only be accessible to authorised staff and volunteers.
- Information will be stored for as long as it is needed or required under statute and will be disposed of appropriately.
- All Data Subjects have the right to access the information Voluntary Action Central Surrey holds about them.
- A Data Subject may make a Subject Access Request (SAR) at any time to find out more about the personal data which Voluntary Action Central Surrey holds about them.
- Voluntary Action Central Surrey will respond to SARs within one month of receipt (although this timescale can be extended by up to two months in the case of complex and/or numerous requests, and in such cases the data subject shall be informed of the need for the extension).
- All subject access requests received must be forwarded to the Chief Officer.
Send your request for Subject Access Request and the right to erasure ( The Right to be Forgotten) to firstname.lastname@example.org
Voluntary Action Central Surrey shall use its best endeavour to ensure all personal data collected and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Security measures to be employed include the following:
- All electronic devices used by the organisation must be secured by passwords/access numbers and these shall not be shared with any third parties
- Personal data will be transmitted over secure networks and / or encrypted
- The organisation will use an email service that includes automatic encryption
- Emails containing personal data will be stored securely, and once the data is no longer needed the emails will be deleted
- Where personal data is transferred in hard copy format, it will be posted directly to the recipient by Royal Mail delivery or by collection of the individual
- Personal data will not be shared informally; if an agent, associate, contractor or other third party working on behalf of the organisation requires access to it, they must formally request it from a Chief Officer of Voluntary Action Central Surrey
- All hard copies of personal data, along with any electronic copies stored on physical, removable media, will be stored securely in a locked box, drawer, cabinet or similar
- Personal data will be handled with care at all times and will not be left unattended or on view to any third parties at any time
- If personal data is being viewed on a computer screen, the user must lock the screen and the computer before leaving the computer unattended for any period of time
- No personal data may be stored on any mobile device (including, but not limited to, laptops, tablets and smartphones), whether or not such device belongs to Voluntary Action Central Surrey, without the formal written approval of the Chief Officer, and, in the event of such approval, must be stored strictly in accordance with all instructions and limitations described at the time, and for no longer than is absolutely necessary
- Personal data may only be transferred to devices belonging to employees, agents, associates, contractors, or other parties working on behalf of the organisation where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the GDPR, which may include; demonstrating to Voluntary Action Central Surrey, that all suitable technical and organisational measures have been taken to protect it
- All personal data stored electronically will be backed up overnight and the backups will be stored offsite using an encrypted backup service
- All electronic copies of personal data will be stored securely on devices that are password protected
- All passwords used to protect personal data will be changed regularly and will not use words or phrases that can be easily guessed or otherwise compromised
- Passwords may not be shared with colleagues, agents, associates, contractors, or other parties working on behalf of the organisation. If a password is forgotten, it must be reset using the appropriate method
- Where personal data held by the organisation is used for marketing purposes, it shall be the responsibility of the organisation to ensure that data subjects have consented to receive such marketing
All personal data breaches must be reported immediately to the Chief Officer on Voluntary Action Central Surrey. If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer or director must ensure that the Information Commissioner’s Office is informed of the breach without delay, within 72 hours after having become aware of it.
In the event that a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, Voluntary Action Centre Surrey must ensure that all affected data subjects are informed of the breach directly and without undue delay.
Data breach notifications shall include the following information:
- The categories and approximate number of data subjects concerned.
- The categories and approximate number of personal data records concerned.
- The name and contact details of Voluntary Action Central Surrey’s Chief Officer (or other contact point where more information can be obtained).
- The likely consequences of the breach.
- Details of the measures taken, or proposed to be taken, by Voluntary Action Central Surrey to address the breach including, where appropriate, measures to alleviate its possible adverse effects.
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.