Eildon West Youth Hub
Data Protection Policy - Updated May 2018
 
Introduction
Eildon West Youth Hub (EWYH) is committed to a policy of protecting the rights and privacy of individuals. EWYH collects and uses certain types of data for business and management purposes. This personal information is collected and dealt with in accordance with the Data Protection Act 1998 (DPA) and General Data Protection Regulation (GDPR) 2018 that governs the use of all such data.
EWYH will not share data with a third party nor permit a third party to access its data.   
 
Purpose of policy
The purpose of this policy is to:
  • Comply with the law in regards to data that EWYH holds about individuals
  • Protect the rights of trustees, staff, volunteers, members and donors
  • Protect the organisation from the consequences of a breach of its responsibilities.
 
Policy Statement
EWYH recognises that it has a duty to make sure that the data it holds is:
  1. Processed fairly and lawfully
  2. Obtained only for specific, lawful purposes
  3. Adequate, relevant and not excessive
  4. Accurate and up to date
  5. Not held for longer than necessary
  6. Processed in accordance with the rights of data subjects*
  7. Protected in appropriate ways
 
EWYH will take all necessary steps to ensure it has suitable policies and procedures in place to deal with the above and that staff and volunteers are briefed to ensure that they are adhered to.
 
*Data subject – the individual whose personal information is being held or processed by EWYH
 
Key risks to data protection
EWYH has identified the following risks to its data protection which this policy is designed to address:
  1. Breach of confidentiality such as information being given out inappropriately.
  2. Failure to offer choice about data use when appropriate such as offering ‘opt out’ from newsletters and publications.
  3. Failure to ensure databases are updated to reflect a decision to opt out.
  4. Harm to individuals if personal data is not up to date.
  5. Breach of security by allowing unauthorised access.
 
Responsibilities
Everyone who works for the organisation has a responsibility to ensure data is collected, stored and handled appropriately, however, specific responsibilities are outlined below:
 
The Board of Trustees
  • The Board of Trustees holds ultimate responsibility for ensuring that EWYH meets its legal obligations.

The Data Protection Officer
  • Keeping the Board updated about data protections responsibilities, risks & issues
  • Reviewing procedures & policies
  • Making staff aware of responsibilities, policies & procedures
  • Handling queries from anyone covered by the policy
  • Dealing with requests from individuals to see data held about them.
  • Approving data protection statements attached to communications and the website.
  • Addressing any data protection queries from journalists or media.
  • Ensuring all systems and equipment used for storing data meet acceptable security standards.
  • Performing regular checks to ensure security hardware and software is functioning properly.
  • Evaluating any third party services used to store data e.g. cloud services.

Staff and volunteers
  • All staff and volunteers are required to read, understand and accept the data protection policy and procedures relating personal data they may handle.
  • Any staff utilising databases must ensure that opt out requests are appropriately dealt with and this is reflected in the databases.

Data recording & retention
  1. EWYH will ensure that it has legitimate ground for collecting and using the personal data and will be clear from the outset why the data is being recorded and for what purpose.
  2. EWYH will regularly review procedures for ensuring that records remain accurate and consistent.
  3. Data on any individual will be held in as few places as possible and staff and volunteers are discouraged from creating unnecessary additional data sets. Procedures are in place to ensure all relevant systems are updated when information about an individual changes.
  4. Data will be retained no longer than is necessary. Guidelines have been established and are outlined in Appendix 1. These guidelines cover the personal data of the following groups:
    1. Members
    2. Board of Trustees
    3. Staff
    4. Volunteers
    5. Donors
    6. Prospective employees not offered a position
  5. When data retention periods have been reached, data will be securely destroyed.
 
Data accuracy
  1. Data will be held in as few places as possible.
  2. Staff should take every opportunity to ensure data is updated.
  3. Data should be updated as inaccuracies are discovered.
  4. Procedures are in place to ensure that regular checks of data accuracy take place. (As above with database prompt)
  5. Procedures are in place to ensure that no data is retained longer than is necessary.
 
Data storage & security
Paper files
  1. Staff and volunteers should adhere to a clear desk policy
  2. When not needed, paper files should be stored in cabinets/drawers/pedestals.
  3. Staff and volunteers should avoid leaving printouts where unauthorised people could see them e.g. on printers.
  4. Data printouts with personal data should be shredded when finished with.
Electronic data
  1. Staff should have strong passwords on PCs and laptops. Password policies are in place, which require a level of password complexity to be met.
  2. Mobile phones and tablets should have a keypad lock set.
  3. Staff should never write down or share passwords.
  4. Staff should only use removable drives/USB drives issued by EWYH.
  5.  Data should only be stored on designated drives, servers, removable devices or cloud services.
  6. Data should never be transferred outside the European Economic Area.
  7. Servers are stored in a secure location.
  8. Data is backed up regularly and backups tested regularly
  9. Servers and devices are protected by approved software security and a firewall.
 
Privacy Statement
EWYH has a data protection privacy statement setting out how data subjects’ information will be used. This is shown in Appendix 2. A copy of this is available to any data subject who requests one. EWYH also has a separate Online Privacy Statement. This statement includes information on internet specific issues and can be viewed in Appendix 3.
 
Data Subject access requests
All individuals who are the subject of personal data held by EWYH are entitled to:
  1. Ask what information is held about them
  2. Ask how to gain access to it
  3. Be informed how to keep it up to date
  4. Be informed how the organisation is meeting its data protection obligations
 
Requests for information by data subjects can be made by writing to EWYH. The identity of any requester will be verified and the information provided within 14 days. There is no charge for providing data.
 
Members of the public may request certain information from the Local Authority under the Freedom of Information Act 2000. This Act does not apply to EWYH. However if at any time EWYH undertakes the delivery of services under contracts with the Local Authority it may be required to assist in meeting a Freedom of Information Act request where information is held on its behalf. This will not involve the disclosure or sharing of any personal data.
 
Data destruction
EWYH has processes in place to ensure any personal and confidential data is destroyed securely (including at the end of data retention periods).
  • On-site paper shredder for secure shredding
  • Once deleted from the online database recycle bin, individual data records cannot be retrieved by users.
  • Electronic files deleted from EWYH servers are only recoverable by a third party IT service provider.
 
                                                                                                                         

Appendix 1 – Guidelines for data retention
 
Grouping
Type of data
Retention period

Members
Personal Details
5 years from date of last contact

Achievements
5 years from date of last contact

Board of Trustees
Contact details, Register of Interests & expense claims
7 years from end of Trusteeship

Disclosure Information
At end of Trusteeship

Staff
Personnel records
7 years from end of employment

Salary & payroll
7 years from end of employment

Pensions documents
Permanent retention

Disclosure Information
At end of employment

Volunteers
Personnel records
7 years from end of volunteer period

Disclosure Information
At end of volunteer period

Record of Achievement
3 years from end of volunteer period

Donors
Basic contact data
10 years after last donation

Prospective employees not offered a position
 
CVs
2 years

Interview records
2 years

Appendix 2 - Privacy statement
 
In line with the Data Protection Act 1998, EWYH will ensure that the data held is relevant, accurate, adequate, and not excessive. It will not be used for purposes other than those necessary for the operation of EWYH. EWYH will not share your information with a third party nor allow a third party to access your data.
 
Normally the only information held comes directly from you.  Whenever EWYH collects information from you, it will be made clear what information is required in order to provide you with the service you require.  You do not have to provide any additional information unless you choose so to do.  Your information will be stored on secure servers with access restricted to appropriate staff members.  All our staff members are briefed on handling personal information securely and sensitively. Where information is held in hard copy it will be stored in locked cabinets.
 
You have the right to a copy of all the information EWYH holds about you.  To obtain a copy, please write Eildon West Youth Hub (TD1 Youth Hub), 47a Ladhope Vale, Galashiels, TD1 1BW. After verifying your identity, EWYH will provide the information free of charge within 14 days.
 
Appendix 3 – Online Privacy Statement
Eildon West Youth Hub is committed to protecting your privacy when you visit its website.
When you visit the website you do not have to give any personal information. If you choose to e-mail EWYH or to complete an on-line form, EWYH will not pass on this information to a third party. Any personal data collected through this website will be treated as confidential in line with the principles of the Data Protection Act 1998  and General Data Protection Regulation (GDPR) 2018.
It is possible that this Data Protection Policy may be amended in the future. If substantial changes are made to the way in which your personal information is used or stored you will be notified by a notice posted on the website’s homepage. You can view the current version of our Data Protection Policy at any time by clicking on the Data Protection Policy link.