Privacy and Data Protection Policy

General principles and overview 

This policy sets out the principles and practices we follow as an organisation to ensure that personal information is kept safe and confidential across all aspects of our work. We do this both as a legal requirement under the Data Protection Act 2018 and the EU General Data Protection Regulation 2016/679 (together, "Data Protection Law") and, more broadly, as part of our ethos of treating people with respect and dignity.

We are a "data controller" for the purposes of Data Protection Law. This means we are responsible for, and control the processing of, personal information.

We adhere to the principles of Data Protection Law, which set out how personal information should be collected and used. At their core these require that information is collected only when it is necessary, for a specific purpose, and is used only for that purpose.

For more information on our privacy practices you can contact us by email at admin@abound.org.uk.

All employees and voluntary workers who have access to personal information should observe the guidance contained in this policy.

1. Responsibilities

1.1. The Leaders of the organisation have overall and final responsibility for ensuring that Abound meets its legal responsibilities regarding confidentiality under Data Protection Law and any current or subsequent human rights legislation guaranteeing a right of privacy.

1.2. The Leaders will ensure that any staff and voluntary workers are made aware of this policy and receive sufficient guidance on their duties and responsibilities in relation to the handling, disclosure and storage of personal information.

1.3. All employees and voluntary workers have a duty to follow the guidelines set out in this policy and any procedures implemented by the organisation in relation to confidentiality and data protection. This duty will be stated in employee contracts and voluntary worker agreements.

1.4. The person appointed to act as Data Controller on behalf of Abound is the Abound Leader, Peter Whitfield. He is responsible for the implementation of this policy and is the first point of contact for any queries or concerns about data protection. He can be contacted by email at admin@abound.org.uk.

2. Data Protection Principles

We comply with the data protection principles, which define the conditions under which the processing (including recording, storage, manipulation and transmission) of personal data is lawful. These require that personal data is:

  1. Processed fairly and lawfully.

  2. Obtained only for the purpose stated.

  3. Adequate, relevant and not excessive.

  4. Accurate, and where necessary, kept up to date.

  5. Not kept for longer than is necessary for that purpose.

  6. Processed in accordance with the rights of the individual.

  7. Protected from unauthorised access, unlawful processing, accidental loss, destruction or damage.

  8. Not transferred without adequate protection.

3. Context

We handle confidential information in limited contexts across the organisation. These include:

  • personal information recorded for the purposes of donor administration, 

  • employee and voluntary worker records, and 

  • certain information relating to the operation of the organisation.

The information may be held in various formats:

  • electronically, such as entries in our database or contacts on a mobile phone; or

  • physically, such as hand-written communications.

Regardless of the context or manner in which information has been disclosed, any information of a personal or specific nature about a supporter, employee or voluntary worker should be treated as confidential.

4. General Practice

4.1. Abound will retain supporters' personal information only for the purposes of administering supporters and their contributions. This will include contact information for all communications and, where provided, donation amounts for the purposes of the operational management of either Abound or the Christian Endeavour Hostels (CEH) charity, Odisha, India.

4.2. Within Abound, information may be shared between employees and voluntary workers only where necessary, and with sensitivity to its confidential nature.

5. Privacy

5.1. When we collect personal information from someone we will ensure that they are made aware of what the information will be used for and that consent has been given to process it in this way.

5.1.1. For employees and voluntary workers (including applicants) we collect personal information such as name, address and contact number and, via a suitable Disclosure and Barring Service (DBS) check, relevant information about criminal offences or charges.

5.1.1.1. This information is collected for the purpose of recruitment decisions and administering the work of the organisation.

5.1.1.2. This is communicated on the forms used to collect the information, and we ask people to tick a consent box to indicate that they are happy for us to hold and process the information given.

5.1.2. For supporters we collect e-mail addresses and, where relevant, information relating to any donations and their participation in the Gift Aid scheme.

5.1.2.1. This information is collected in order to update people about the work of the organisation and to support the operational management of Abound or CEH.

5.1.2.2. This will be communicated at the point the information is given, and consent will be indicated to allow us to hold and process it.

5.2. We will only hold information that is relevant to the above purposes. The processes we use for data collection and storage should be reviewed annually to ensure they are not excessive and that information is not being held unnecessarily.

5.3. In collecting information we will take reasonable steps to make sure the information is correct and that the provider of the information is reliable. Inaccuracies will be corrected as soon as possible after they are discovered.

5.3.1. Any individual has the right to review the information we hold about them and either amend or withdraw their permission for us to hold it, or update it to ensure it is correct. To do so, contact the Data Controller.

5.4. We will not keep personal information for longer than necessary.

5.4.1. Information held will be reviewed annually and deleted where it is no longer needed.

5.4.2. We will normally keep personal information for no longer than a year after your last contact or involvement with the organisation.

5.4.3. However, we will comply with the legal requirement to keep financial information for a period of six years.

6. Data Storage

6.1. Access to and disclosure of personal information should be restricted. Personal information must be stored securely, and all employees and voluntary workers are responsible for ensuring that it is not disclosed to unauthorised third parties.

6.2. Any document containing personal or confidential information should not be left where it could be read by anyone without permission to do so.

6.3. Physical documents containing personal or confidential information should be stored in a locked area accessible only to those with permission to access the information. Electronic files will be password protected and, likewise, accessible only to those with permission to access them; this includes contact information stored on mobile phones.

6.4. When disposing of documents, care should be taken to ensure that the data is destroyed in a way that means it cannot be recovered or accessed inappropriately. This applies to both electronic files, which should be securely deleted, and physical documents, which should be shredded.

7. Disclosure

7.1. Information sharing may be part of the work of the organisation, and it is important to maintain confidentiality when disclosing personal information. Normally, a disclosure to someone outside the organisation will be made only where one of the following applies:

7.1.1. Disclosing the information is necessary in connection with the purpose for which it is held (e.g. administrative purposes such as payroll) and the individual(s) about whom the data is held have been made aware of, or could reasonably expect, such a disclosure;

7.1.2. The disclosure is a legal requirement under legislation applicable to the activity or function of the organisation; or

7.1.3. The person about whom the information is held has given valid consent to the disclosure.

7.2. When disclosing personal or confidential information to a third party, employees, workers and voluntary workers should check that the disclosure is in line with the clauses outlined above and that:

7.2.1. As far as is practicable, the source of the request has been verified as genuine;

7.2.2. The recipient(s) of the disclosure understand that the information is confidential and accept their obligation to maintain confidentiality;

7.2.3. The information disclosed is limited to what is essential for the purpose of the disclosure; and

7.2.4. Where necessary, details of the disclosure are recorded, including to whom, when and why.

8. Data Privacy Breach

8.1. In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, we will follow GDPR requirements and Information Commissioner's Office (ICO) guidance.

8.2. This includes reporting certain types of personal data breach to the ICO within 72 hours of becoming aware of the breach, and informing the individuals affected where this is necessary.

8.3. All breaches must be recorded, regardless of whether they need to be reported to the ICO. The record should include the facts relating to the breach, its effects and any actions taken.