Policy Statement
45 Digital collects and uses information about people with whom it communicates.
This personal information must be dealt with properly and securely however it is collected,
recorded and used – whether on paper, in a computer, or recorded on other material – and
there are safeguards to ensure this in the Data Protection Act 1998.
45 Digital regards the lawful and correct treatment of personal information as very
important to the successful and efficient performance of its functions, and to maintain
confidence between those with whom it deals.
To this end 45 Digital fully endorses and adheres to the Principles of Data Protection,
as set out in the Data Protection Act 1998.
Purpose
The purpose of this policy is to ensure that the staff, volunteers and trustees of Organisation
Name are clear about the purpose and principles of Data Protection and to ensure that it has
guidelines and procedures in place which are consistently followed.
Failure to adhere to the Data Protection Act 1998 is unlawful and could result in legal action
being taken against 45 Digital or its staff, volunteers or trustees.
Principles
The Data Protection Act 1998 regulates the processing of information relating to living and
identifiable individuals (data subjects). This includes the obtaining, holding, using or disclosing
of such information, and covers computerised records as well as manual filing systems and card
indexes.
Data users must comply with the data protection principles of good practice which underpin
the Act. To comply with the law, information must be collected and used fairly, stored safely
and not disclosed to any other person unlawfully.
To do this 45 Digital follows the eight Data Protection Principles outlined in the Data
Protection Act 1998, which are summarised below:
I. Personal data will be processed fairly and lawfully
II. Data will only be collected and used for specified purposes
III. Data will be adequate, relevant and not excessive
IV. Data will be accurate and up to date
V. Data will not be held any longer than necessary
VI. Data subject’s rights will be respected
VII. Data will be kept safe from unauthorised access, accidental loss or damage
Group Development Resources
VIII. Data will not be transferred to a country outside the European Economic Area, unless that
country has equivalent levels of protection for personal data.
The principles apply to “personal data” which is information held on computer or in manual
filing systems from which they are identifiable. 45 Digital’s employees, volunteers and
trustees who process or use any personal information in the course of their duties will ensure
that these principles are followed at all times.
Procedures
The following procedures have been developed in order to ensure that 45 Digital
meets it’s responsibilities in terms of Data Protection. For the purposes of these procedures
data collected, stored and used by 45 Digital falls into 2 broad categories:
1. 45 Digital’s internal data records;
Staff, volunteers and trustees
2. 45 Digital’s external data records;
Members, customers, clients.
45 Digital as a body is a DATA CONTROLLER under the Act, and the Executive
Committee is ultimately responsible for the policy’s implementation.
Internal data records
Purposes
45 Digital obtains personal data (names, addresses, phone numbers, email addresses),
application forms, and references and in some cases other documents from staff, volunteers
and trustees. This data is stored and processed for the following purposes:
• Recruitment
• Equal Opportunities monitoring
• Volunteering opportunities
• To distribute relevant organisational material e.g. meeting papers
• Payroll
Access
The contact details of staff, volunteers and trustees will only made available to other staff,
volunteers and trustees. Any other information supplied on application will be kept in a secure
filing cabinet and is not accessed during the day to day running of the organisation.
Group Development Resources
Contact details of staff, volunteers and trustees will not be passed on to anyone outside the
organisation without their explicit consent.
A copy of staff, volunteer, trustee emergency contact details will be kept in the Emergency File
for Health and Safety purposes to be used in emergency situations e.g. fire/ bomb evacuations.
Staff, volunteers and trustees will be supplied with a copy of their personal data held by the
organisation if a request is made.
All confidential post must be opened by the addressee only.
Accuracy
45 Digital will take reasonable steps to keep personal data up to date and accurate.
Personal data will be stored for 6 years after an employee, volunteer or trustee has worked for
the organisation and brief details for longer. Unless the organisation is specifically asked by an
individual to destroy their details it will normally keep them on file for future reference. The
Director has responsibility for destroying personnel files.
Storage
Personal data is kept in paper-based systems and on a password-protected computer system.
Every effort is made to ensure that paper-based data are stored in organised and secure
systems.
45 Digital operates a clear desk policy at all times.
Use of Photographs
Where practicable, 45 Digital will seek consent from individuals before displaying
photographs in which they appear. If this is not possible (for example, a large group photo), the
organisation will remove any photograph if a complaint is received. This policy also applies to
photographs published on the organisations website or in the Newsletter.
External data records
Purposes
45 Digital obtains personal data (such as names, addresses, and phone numbers) from
members/clients. This data is obtained, stored and processed solely to assist staff and
volunteers in the efficient running of services. Personal details supplied are only used to send
material that is potentially useful. Most of this information is stored on the organisation’s
database.
Group Development Resources
45 Digital obtains personal data and information from clients and members in order to
provide services. This data is stored and processed only for the purposes outlined in the
agreement and service specification signed by the client/ member.
Consent
Personal data is collected over the phone and using other methods such as e-mail. During this
initial contact, the data owner is given an explanation of how this information will be used.
Written consent is not requested as it is assumed that the consent has been granted when an
individual freely gives their own details.
Personal data will not be passed on to anyone outside the organisation without explicit consent
from the data owner unless there is a legal duty of disclosure under other legislation, in which
case the Director will discuss and agree disclosure with the Chair/ Vice Chair. Contact details
held on the organisation’s database may be made available to groups/ individuals outside of the
organisation. Individuals are made aware of when their details are being collected for the
database and their verbal or written consent is requested.
Access
Only the organisation’s staff, volunteers and trustees will normally have access to personal data.
All staff, volunteers and trustees are made aware of the Data Protection Policy and their
obligation not to disclose personal data to anyone who is not supposed to have it.
Information supplied is kept in a secure filing, paper and electronic system and is only accessed
by those individuals involved in the delivery of the service.
Information will not be passed on to anyone outside the organisation without their explicit
consent, excluding statutory bodies e.g. the Inland Revenue.
Individuals will be supplied with a copy of any of their personal data held by the organisation if a
request is made.
All confidential post must be opened by the addressee only.
Accuracy
45 Digital will take reasonable steps to keep personal data up to date and accurate.
Personal data will be stored for as long as the data owner/ client/ member uses our services and
normally longer. Where an individual ceases to use our services and it is not deemed
appropriate to keep their records, their records will be destroyed according to the schedule in
Appendix B. However, unless we are specifically asked by an individual to destroy their details,
we will normally keep them on file for future reference.
Group Development Resources
If a request is received from an organisation/ individual to destroy their records, we will remove
their details from the database and request that all staff holding paper or electronic details for
the organisation destroy them. This work will be carried out by the Information Officer.
This procedure applies if 45 Digital is informed that an organisation ceases to exist.
Storage
Personal data may be kept in paper-based systems and on a password-protected computer
system. Paper-based data are stored in organised and secure systems.
45 Digital operates a clear desk policy at all times.
Use of Photographs
Where practicable, 45 Digital will seek consent of members/ individuals before
displaying photographs in which they appear. If this is not possible (for example, a large group
photo), the organisation will remove any photograph if a complaint is received. This policy also
applies to photographs published on the organisation’s website or in the Newsletter.
Criminal Records Bureau
45 Digital will act in accordance with the CRB’s code of practice.
Copies of disclosures are kept for no longer than is required. In most cases this is no longer than
6 months in accordance with the CRB Code of Practice. There may be circumstance where it is
deemed appropriate to exceed this limit e.g. in the case of disputes.
Responsibilities of staff, volunteers and trustees
During the course of their duties with 45 Digital, staff, volunteers and trustees will be
dealing with information such as names/addresses/phone numbers/e-mail addresses of
members/clients/volunteers. They may be told or overhear sensitive information while working
for 45 Digital. The Data Protection Act (1988) gives specific guidance on how this
information should be dealt with. In short to comply with the law, personal information must be
collected and used fairly, stored safely and not disclosed to any other person unlawfully. Staff,
paid or unpaid must abide by this policy.
To help staff, volunteers, trustees meet the terms of the Data Protection Act; the attached Data
Protection/Confidentiality statement has been produced. Staff, volunteers and trustees are
asked to read and sign this statement to say that they have understood their responsibilities as
part of the induction programme.
Group Development Resources
Compliance
Compliance with the Act is the responsibility of all staff, paid or unpaid. 45 Digital will
regard any unlawful breach of any provision of the Act by any staff, paid or unpaid, as a serious
matter which will result in disciplinary action. Any employee who breaches this policy statement
will be dealt with under the disciplinary procedure which may result in dismissal for gross
misconduct. Any such breach could also lead to criminal prosecution.
Any questions or concerns about the interpretation or operation of this policy statement should
in the first instance be referred to the line manager.
Retention of Data
No documents will be stored for longer than is necessary. For guidelines on retention periods
see the Data Retention Schedule.
All documents containing personal data will be disposed of securely in accordance with the Data
Protection principles.