Data Protection Policy
Who is covered by this policy?
All staff, trustees, volunteers, beneficiaries and customers.
What is covered by this policy?
This policy covers data protection in relation to all areas of Launchpad’s activities, including: customer records; legal compliance (UK General Data Protection Regulation – UK GDPR); recruitment, promotion, training, redeployment and/or career development; administration and payment of wages; calculation of certain benefits, including pension; disciplinary purposes arising from an employee’s conduct or inability to perform their duties; performance review; recording of communication with employees and their representatives; compliance with policy and/or legislation with regard to health and safety or other employment legislation and regulation; provision of references to financial institutions, to facilitate entry onto educational courses and/or to assist future employers.
The purpose of this policy is to protect Launchpad and its staff from the misuse of individuals’ personal data and to ensure that Launchpad complies with all relevant legislation.
Recruitment and selection
If placing a recruitment advert, Launchpad must identify itself properly – people should know who they are applying to.
Information collected for recruitment or selection for an interview must be used for that purpose only and must be kept securely. Where sensitive personal data is collected, explicit written consent should be obtained from applicants at the point of data collection. The general manager should ensure that equal opportunities data for applicants is anonymised before the applications are considered.
If verifying the information a person provides, Launchpad must ensure the person knows how this will be done and what information will be checked.
If Launchpad needs to verify criminal conviction information, it will only do this by getting a Disclosure and Barring Service (DBS) check. Launchpad must ensure it is entitled to receive this information and must follow the DBS’s procedures strictly. Launchpad may only keep a record that a satisfactory/unsatisfactory check was made, but it may not store any detailed information.
Launchpad is permitted to collect, maintain and use employment records. However, staff should know what information about them is kept and what it will be used for. Launchpad will not keep information for which it has no genuine business need or legal duty to keep.
Employment records must be kept in a secure, locked place, and computerised records must be password protected. Only authorised staff should have access to employment records (usually, the individual’s line manager, the General Manager, and the Chief Executive).
Launchpad will keep employment records of staff who have left for three years to allow for information to be supplied for references. After this time, records will be destroyed.
Launchpad will collect information about a staff member’s health in accordance with Launchpad’s Sickness Policy and Procedure and record it on the sickness tracker. Access to the information is strictly limited to authorised staff.
Pension or insurance scheme records
Launchpad will only use the information about a staff member for the administration of the scheme and will inform the staff member of what information the insurance company or scheme provider will pass back to Launchpad.
Launchpad will only disclose information on a staff member if, in all the circumstances, it is satisfied that it is in line with GDPR and is reasonable to do so or as part of legal disclosure. Fairness to the staff member will always be Launchpad’s first consideration. Launchpad will allow staff access to their own records to ensure the information is correct.
Launchpad’s staff rights
Staff have a legal right of access to the information Launchpad holds on them and the right to challenge the information if it is thought to be inaccurate or misleading. If a staff member objects to Launchpad holding or using information about them because it causes them distress or harm, Launchpad will delete the information or stop using it in the way complained about unless Launchpad has a compelling reason to continue holding and/or using that information.
To see what information Launchpad holds on you, ask the General Manager for access to your records.
Launchpad will process personal data that may identify a customer or prospective customer according to the UK GDPR. Customer data will be processed in the legitimate interest of Launchpad’s work and/or if Launchpad has a contractual or legal obligation. Such data may be retained indefinitely or in accordance with a legal or contractual obligation where such data is for accounting purposes.
Data storage and transfers
Launchpad may store data in the UK or the European Economic Area, or any country deemed to be adequate by either the UK or the EU. Where Launchpad stores data outside these jurisdictions, it may undertake a data transfer risk assessment. Launchpad will ensure appropriate UK safeguards are in place to protect the rights of those identified by personal data stored in such locations.
Records and legal compliance
Under the UK GDPR, ‘personal data’ (i.e. data about identifiable living individuals – ‘data subjects’) should be:
processed fairly and lawfully and in a transparent manner;
collected for specified, explicit and legitimate purposes;
adequate, relevant and limited to what is necessary;
accurate and, where applicable, kept up to date;
kept for no longer than is necessary;
processed in accordance with the rights of data subjects;
kept secure by the data controller (i.e. Launchpad, which holds ultimate responsibility for complying with data protection requirements), following appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal data;
only transferred to a country outside the European Economic Area if that country has equivalent levels of protection for personal data.
GDPR applies to both automated and manual personal data filing systems, where personal data is accessible according to specific criteria.
In order to be able to carry out its functions Launchpad needs to keep and use certain types of information about people and organisations, employees, customers, donors, trustees, volunteers and so on. This may include address and contact details, bank details, personal references and the legal status of groups.
Information is obtained, held, processed and disclosed for the purposes of the administration, management and business activities of Launchpad. These include:
making and holding lists of beneficiaries, customers and relevant organisations; statistical analysis;
maintaining relationships with external associates and other partners; reporting to donors and other partners;
keeping beneficiaries and other partners informed of products and services that may help them;
keeping beneficiaries and other partners informed of events, campaigns, etc.;
using basic information in marketing materials, on any of the websites run by Launchpad or in the annual report;
keeping business process records (including financial records such as purchase information, donations and grant details);
maintaining lists of events delegates.
When collecting information, Launchpad will ensure that individuals:
clearly understand why Launchpad needs to collect the information and receive sufficient detail on how it will be used;
understand what it will be used for and what the consequences are should the individuals decide not to give/withdraw consent to processing;
where required, provide explicit written or verbal consent (record of which should be kept) for data to be processed;
give their consent freely and without any duress.
All employees, trustees and volunteers are expected to maintain professional standards and respect confidentiality. Due to the size of Launchpad and nature of data processed, there is no requirement for a formal Data Protection Officer. However, the General Manager should be the first point of contact with regard to any data protection issues, queries or complaints.
Launchpad will review all personal data held on its databases annually to ensure it should be retained. The categories of data listed below have to be retained under the following specific criteria:
Personal data of donors associated with finance data must be retained for at least six years.
Personal data associated with records of transactions/purchases needs to be kept for at least six years.
Personal data of employees needs to be retained for six years with reference to payroll and ten years with reference to pension information.
Personal data of volunteers and trustees needs to be retained for at least six years if it is associated with financial transactions.
Launchpad complies with GDPR by providing the following rights for individuals:
the right to be informed; the right of access to a copy of their personal data; the right of rectification of data; the right of erasure (or right to be forgotten);
the right to restrict processing; the right to data portability (in relation to processing by automated means); the right to object to processing; rights in relation to automated decision-making and profiling.
The right to be informed encompasses Launchpad’s obligation to provide information on how personal data is collected and used (‘fair processing information’), typically through Launchpad’s privacy notice, which can be found at www.launchpadsw.org/dataprotection, and to be transparent in how personal data is used.
With regard to the right of access, Launchpad will provide confirmation that the data is being processed and, if requested, grant access to personal data free of charge within 28 days of receiving the request (this can be extended by a further month if the request is complex or onerous).
Under the right of rectification Launchpad will correct any inaccurate or incomplete data within 28 days of notification. Launchpad will also inform any third parties, if applicable, of these rectifications.
In compliance with the right to erasure, Launchpad will delete data under the following specific circumstances:
Personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
An individual withdraws their consent.
The individual objects to the processing and there is no overriding legitimate interest for continuing processing.
The personal data was unlawfully processed.
The personal data has to be erased to comply with a legal obligation.
The personal data is processed in relation to online services to children.
Launchpad will ensure that, in certain circumstances, the right to restrict processing of personal data is satisfied. This can include situations where data may be inaccurate or where the individual has objected to the processing, and Launchpad is considering whether its legitimate grounds for processing data override the rights of the individual.
Under the right to data portability, an individual can ask for their data in a form that can easily and securely be transferred from one IT environment to another. Launchpad would ensure that data held can be securely transferred if a request is made.
Under the right to object, Launchpad will stop processing personal data where there is an objection unless there are compelling legitimate grounds to continue processing data, or if the processing is for the establishment, exercise or defence of legal claims. Launchpad will stop processing personal data for direct marketing purposes as soon as an objection is received. The right to object is included in Launchpad’s privacy notice.
Launchpad will secure personal data in a way that is proportionate to the risk to the interests and rights of the individual and will ensure that it cannot be used to discriminate against the individual.
Should an individual wish to exercise any of the above rights, they can do so by contacting the General Manager. On request from an individual, the General Manager will supply details of what information is held, why it is held and to whom it may be disclosed. A copy of the relevant record of data on the individual may be supplied.
Launchpad will aim to comply with requests for access to personal data records within one month.
IMPORTANT: Breaches of procedure or loss of data
Any breach of confidentiality should be reported to the General Manager, who will then appoint an appropriate independent person (e.g. a member of the board of trustees or a senior member of staff) to investigate the matter. If, following a written summary of findings, the General Manager finds that a breach has occurred, they have the discretion to take appropriate action within 28 days. This may include consideration of pursuing disciplinary action or, in the case of a volunteer, asking the person to withdraw from Launchpad’s service.
Guidance to staff
Launchpad employees should bear in mind the following considerations:
Sensitive and confidential information must be treated with particular attention.
Personal data must not be emailed to staff members’ personal email accounts, as there is no guarantee of security of these accounts.
Any personal data stored in paper format must be held securely locked in filing cupboards in Launchpad’s office. If it has to leave the office, consider pseudonymisation.
All Launchpad personal computers must be password protected. All personal data should be kept in the appropriate IT system (i.e. customer details in Xero and staff details in the HR management system). If electronic equipment is lost or stolen, access to the server and database from that piece of equipment will be severed.
The database holding customers’ personal data must be accessed only via Launchpad’s electronic equipment. All employees and volunteers will be trained on how to use the database relying on the written procedures for entering, amending and maintaining data. These procedures will be reviewed annually.
In line with Launchpad’s IT Security Policy, no personal data (or other files) should be stored on Launchpad’s electronic equipment. If you download any files for ease of working, make sure you save them in the appropriate place on OneDrive’s personal vault, password protected if necessary, as soon as you have finished working on them and delete any local files.
Any changes to personal data (e.g. a change in home address) must be updated on the database within 28 days of receipt.
Personal data must not be given out to any third party unless the individual has agreed to release this information.
Any personal data kept in paper format that is no longer required must be destroyed.
Any personal data kept electronically that is no longer required must be deleted. Launchpad will carry out data minimisation as part of the annual data audit.
If data needs to be processed for profiling or for other statistical information, pseudonymise it. The procedures for this should be documented to ensure that the identification of the individuals is kept separate from the processed data.