
Data Protection Policy

February 2023

1. Introduction

The Daphne Jackson Trust (DJT) needs to collect and use certain types of information about the people we work with. Some of this is personal information that must be collected and dealt with according to the General Data Protection Regulation (GDPR). This policy is aimed at ensuring this is achieved. It applies to all personal data we encounter, whether it is collected on paper, stored in a computer database or recorded on other material.

Although this policy does not form part of your contract of employment, you must abide by the rules and policies within it.

2. Data controller

DJT is a Data Controller under GDPR, which means that we determine what personal information is held, how it is held and what it is used for. When necessary, we are also responsible for notifying the Information Commissioner of the data we hold or are likely to hold, and the general purposes for which this data will be used.

DJT has a data protection lead – Andy Clempson – who can advise you on matters linked to data protection. It is, however, everyone’s responsibility to ensure they handle data according to GDPR. Individuals who breach data protection will ultimately be held responsible themselves and the organisation as a whole is ultimately liable for enforcement action or fines from a regulatory body.

Any member of staff, committee member, volunteer or other individual who considers that the policy has not been followed in respect of personal data should raise the matter with Katie Perry.

3. Legal basis for processing

DJT uses ‘legitimate interests’ as its main legal basis for processing personal information. Legitimate interests means that processing is necessary under the legitimate interests of the Controller, unless these interests are overridden by the individual’s interests or fundamental rights.

In some cases, we also use explicit ‘consent’ as an additional legal basis. This is where we need to share sensitive personal data with third parties. This includes information about particular health needs or medical conditions. In practice, we may use sensitive personal data for eligibility of fellowship purposes. Should we ever share this with any third party, we need to have positive and recorded consent for this – a verbal ‘yes’ is not consent, neither is silence. It must be documented proof.

For employees of the Trust, a ‘contract’ is the legal basis for processing your personal data. This is described under the specific ‘Employee Data Protection’ policy.

DJT (and therefore all staff, volunteers, committee/board members etc) will ensure that data is processed within the boundaries defined in this policy. This applies to data that is collected in person, or by completing a form. When collecting data, DJT will ensure that the individual:

  • a) clearly understands why the information is needed
  • b) understands what it will be used for and what the consequences are should the individual decide not to allow DJT to process their information
  • c) has received sufficient information on why their data is needed and how it will be used
  • d) has given affirmative consent for the processing of special category data, which is then recorded.

4. Processing of personal data

DJT regards the lawful and correct treatment of personal information it has collected as very important to successful working, and to maintaining the confidence of those with whom we deal. To this end, DJT adheres to the principles of data protection as detailed in GDPR, where data shall be:

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

GDPR states that data controllers (and therefore DJT) shall be responsible for, and be able to demonstrate, compliance with the principles. In order to do this, DJT will, through appropriate management and strict application of criteria and controls:

  • Observe fully conditions regarding the fair collection and use of information.
  • Meet its legal obligations to specify the purposes for which information is used.
  • Collect and process appropriate information, and only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements.
  • Ensure the quality of information used.
  • Ensure that the rights of people about whom information is held can be fully exercised under GDPR. These include:
    • the right to be informed;
    • the right of access;
    • the right to rectification;
    • the right to erasure;
    • the right to restrict processing;
    • the right to data portability (note that this only applies where the processing is based on the individual’s consent or on the performance of a contract, and when processing is carried out by automated means);
    • the right to object; and
    • the right not to be subject to automated decision-making including profiling.
  • Take appropriate technical and organisational security measures to safeguard personal information.
  • Set out clear procedures for responding to requests for information and treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity.

5. Sharing of information

DJT may share personal data with other organisations, such as its Fellows, hosts and sponsors, as well as other funding bodies and voluntary agencies, provided that all individuals are made aware of how and with whom their information will be shared.

DJT will ensure that:

  • Personal information is not disclosed orally, in writing, via email, web pages or by any other means, accidentally or otherwise, to any unauthorised third party.
  • Personal information is not transferred abroad without suitable safeguards.

There are circumstances where the law allows DJT to disclose data (including sensitive data) without the data subject’s consent; however, these are not commonplace and relate to legal duties or to protecting the vital interests of an individual or other person.

6. Data storage

Information and records relating to Fellows (successful, unsuccessful, current and previous), hosts, sponsors and other contacts will be stored securely and will only be accessible to authorised staff and volunteers. Information will only be stored for as long as necessary and will be disposed of appropriately. We have a separate Data Retention Policy that you should refer to for more information.

It is DJT’s responsibility to ensure that all personal (and other) data is non-recoverable from any computer system used within the organisation that is passed on to a third party.

7. Data access and accuracy

All individuals have the right to access the information DJT holds about them. DJT will also take reasonable steps to ensure that this information is kept up to date.

DJT will ensure that:

  • It has data protection guidance for staff on compliance with GDPR.
  • Everyone processing personal information understands that they are contractually responsible for following good data protection practice.
  • Everyone processing personal information is appropriately trained (and where necessary supervised) to do so.
  • Anybody making enquiries about handling personal information knows what to do.
  • It deals promptly and courteously with such enquiries.
  • It describes clearly how it handles and processes personal information.
  • It regularly reviews and audits how personal information is held, managed and used.
  • It regularly assesses and evaluates its methods and performance of personal data handling.
  • All staff are aware that a breach of this policy may lead to disciplinary action being taken against them.

Rights of access

All staff, volunteers and other users are entitled to know:

  • what information DJT holds and processes about them and why;
  • how to gain access to it;
  • how to keep it up to date or change it in any way;
  • what the DJT is doing to comply with its obligations under GDPR.

To address the first point, DJT will provide all staff, volunteers and other relevant users with a statement regarding the personal data held about them. This will state all the types of data DJT holds and processes about them, and the reasons for which they are processed. This information is in the Privacy Notice. Please speak to the CEO should you have any questions.

All staff, volunteers and other users have a right, under GDPR, to access certain personal data being kept about them, either electronically or in hard copy. Any person who wishes to exercise this right should notify DJT. For DJT staff and volunteers, this information can be accessed at any time, but should be reviewed regularly, such as during your annual appraisal.

DJT must comply with requests for access to personal information as quickly as possible, and within 30 days at most, as required by GDPR.

Retention of Data

DJT has a duty to retain some staff personal data for a period of time following their departure from the Trust, mainly for legal reasons but also for other purposes (e.g. handling reference requests, for pensions and taxation purposes). Different categories of data will be retained for different periods of time. Information about this is contained in our Data Retention Policy. If you would like to know more, please get in touch with the Chief Executive.

8. Conclusion

Compliance with GDPR is the responsibility of all members of DJT. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, or further measures as appropriate. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Chief Executive.

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to GDPR.

9. Glossary of terms

Data Controller – the organisation that decides what personal information DJT will hold and how it will be held or used. DJT as a whole is the Data Controller.

Individual – the person whose personal information is being held or processed by DJT, for example DJT staff and volunteers, fellows and all other individuals we come into contact with.

General Data Protection Regulation – the legislation that provides a framework for responsible behaviour by those using personal information.

Information Commissioner – the UK Information Commissioner responsible for implementing and overseeing GDPR.

Processing – means collecting, amending, handling, storing or disclosing personal information.

Personal Information – information about living individuals that enables them to be identified – e.g. name and address. It does not apply to information about organisations, companies and agencies but applies to named persons, such as individual employees or fellows.

Sensitive data – data about racial or ethnic origin, political affiliations, religion/similar beliefs, trade union membership, physical or mental health, sexuality, criminal record or proceedings.
