1.1.1. General Statement of The Stuart Low Trust’s Duties
SLT is required to process relevant personal and sensitive personal data regarding applicants, participants, donors, leaders, trustees and other volunteers as part of its operation and shall take all reasonable steps to do so in accordance with this Policy.
To achieve this, SLT endeavours to comply with the General Data Protection Regulations 2018.
1.1.2. The Principles
Stuart Low Trust shall as far as is reasonably practicable ensure all data are:-
1) Processed fairly and lawfully
2) Obtained for specified purposes and only processed in accordance with those purposes
3) Adequate, relevant and not excessive
4) Accurate and up-to-date
5) Not kept for longer than necessary
6) Processed in accordance with the data subject’s rights as per GDPR
7) Kept secure
1.1.3. Personal Data
Personal data cover both facts and opinions about an individual. It includes information necessary for applicants, participants, donors, leaders, trustees and other volunteers such as name and address; it may also include information about the person’s health and appraisals.
1.1.4. Processing of Personal Data
An individual’s consent may be required for the processing of personal data unless other processing is necessary for the performance of any contract. Any information which falls under the definition of personal data will remain confidential and not be disclosed to third parties.
1.1.5. Sensitive Personal Data
Stuart Low Trust may, from time to time, be required to process sensitive personal data regarding applicants, participants, leaders and trustees. Where sensitive personal data are processed by Stuart Low Trust, the explicit consent of the individual will generally be sought in writing. Sensitive personal data include:
- medical information
- religious or other beliefs
- education and training details
- family lifestyle and social circumstances
- financial details
- physical or mental health or condition
- the commission or alleged commission of an offence
1.1.6. Rights of Access to Information
Individuals have a right of access to information held by Stuart Low Trust. Any individual wishing to access his/her personal data should make a request in writing to the Chief Executive. Stuart Low Trust will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within 40 days for access to records and within 21 days to provide a reply to an “access to information” request. The information will be imparted to the individual as soon as is reasonably possible after it has come to Stuart Low Trust’s attention.
Certain data are exempted from the provisions of the GDPR. These include the
- The prevention or detection of crime
- Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon Stuart Low Trust
- Employment and other references given by Stuart Low Trust
Stuart Low Trust will endeavour to ensure that all personal data held in relation to applicants, participants, leaders, donors, trustees and other volunteers are accurate. Individuals must notify the Chief Executive of any changes to information held about them. An individual has the right to request that inaccurate information about them be erased.
1.1.9. Data Protection Controller
Stuart Low Trust has appointed the Chief Executive as Data Protection Controller.
If anyone believes that Stuart Low Trust has not complied with this Policy or acted in accordance with GDPR, the individual should inform the Chair of Trustees and should also notify the Data Protection Controller appointed by SLT (the Chief Executive).
1.1.11. Information Security Policy
Personal or sensitive personal data can only be disclosed to authorised persons on a need-to-know basis and with the consent of the individual concerned.
No personal or sensitive personal data can be disclosed without authorisation from the Data Protection Officer.
All papers, additional information, interview notes etc will be stored securely in locked metal cabinets in the Stuart Low Trust office by the Chief Executive and will only be accessible to authorised people.
All information kept on authorised computers will be password-protected.
Back-up copies of information stored on computers will be made regularly and will be kept off-site in a secure place.
Papers sent to interviewers will be kept in a secure place and only accessible to authorised personnel. All such papers may be collected in after the interviews and shredded.
Information provided to SLT staff, volunteers, group leaders and support staff, in order that they can carry out their duty of care in projects and activities, will be safely destroyed as soon as they are no longer needed.
Personal and sensitive personal data will only be kept as long as is necessary.
All personnel involved in any way with the handling of personal and sensitive personal data will be trained on SLT’s data protection policies, security systems and procedures.
All breaches of security will be investigated should they occur.
1.1.12. GDPR & Protection of Personal Data
Data Protection concerns safeguarding data about individuals to maintain their privacy and good information management practice.
Data Protection covers “manual” records – including paper, microfilm, and other media as well as those processed by information technology of any kind.
1.1.13. Data Protection Principles
All trustees, staff and volunteers should be aware of the 7 Data Protection principles:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained for one or more specified and lawful purposes.
- Personal data shall be adequate, relevant and not excessive relative to those purposes.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data shall not be kept for longer than is necessary for those purposes.
- Personal data shall be processed in accordance with the rights of Data Subjects under the Act.
- Personal data shall be protected from unauthorised or unlawful processing, and against accidental loss, circulation exposure or destruction.
1.1.14. Subjects in relation to the processing of personal data.
Personal data is any information about a living identifiable individual. Participants, donors, staff, trustees and volunteers may make a formal request to the Chief Executive for a full copy of their own data.
Any person who believes the Stuart Low Trust holds personal data concerning them can apply for a search and disclosure. A charge may be levied and proof of identity will be required.
Detailed requirements of the Act can be discussed with the Stuart Low Trust Data Protection Officer.
Treat personal data with care and keep it up to date.
Do not pass on personal data to unauthorised persons.