Data Protection Policy
The organisation needs to gather and use certain information about individuals.
This can include information about volunteers, mentors, mentees, partners and
other people the organisation has established a relationship with or may need to
This policy describes how personal data must be collected, handled and stored to
meet the organisation’s data protection standards and to comply with General Data
Why this policy exists
This data protection policy ensures that the organisation:
● Complies with data protection law and follows good practice
● Protects the rights of volunteers, mentors, mentees and partners
● Is open about how it stores and processes individuals’ data
● Protects itself from the risks of a data breach
Data protection law
The Data Protection Act 2018 describes how the organisation must collect, handle
and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on
To comply with the law, personal information must be collected and used fairly,
stored safely and not disclosed unlawfully.
The Data Protection Principles
The six data protection principles provided by GDPR which must be complied with at all
times are as follows:
● That personal data shall be processed fairly, lawfully and in a transparent manner,
and processing shall not be lawful unless one of the processing conditions can be
● That personal data shall be collected for specific, explicit, and legitimate purposes,
and shall not be further processed in a manner incompatible with those purposes
● That personal data shall be adequate, relevant, and limited to what is necessary for
the purpose(s) for which it is being processed
● That personal data shall be accurate and, where necessary, kept up to date
● That personal data processed for any purpose(s) shall not be kept for longer than is
necessary for that purpose/those purposes
People, Responsibilities and Security
This policy applies to:
● The head office of the organisation
● All Partners and Agencies linked to the organisation
● All volunteers, mentors and mentees associated with the organisation
● All contractors, suppliers and other people working on behalf of the organisation
It applies to all data that the organisation holds relating to individuals associated with
the organisation. This can include:
● Names of individuals
● Postal addresses
● Email addresses
● Telephone numbers
● Any other information relating to individuals requested by the organisation.
Everyone who works for or with the organisation has some responsibility for ensuring data
is collected, stored and handled appropriately.
Each team that handles personal data must ensure that it is handled and processed in line
with this policy and data protection principles.
However, these people have key areas of responsibility:
The board of directors is ultimately responsible for ensuring that the organisation meets its
The Head of Governance and Administration is responsible for:
▪ Keeping the board updated about data protection responsibilities, risks and issues.
▪ Reviewing all data protection procedures and related policies, in line with an agreed
▪ Handling data protection questions from anyone else covered by this policy.
▪ Dealing with requests from individuals to see the data the organisation holds about
them (also called ‘subject access requests’).
▪ Checking and approving any contracts or agreements with third parties that may
handle the organisation’s sensitive data.
The IT Team is also responsible for:
▪ Ensuring all systems, services and equipment used for storing data meet acceptable
▪ Performing regular checks and scans to ensure security hardware and software is
Security of Personal Data
The organisation will take reasonable steps to ensure that mentors, partners and
service providers will only have access to personal data where it is necessary for
them to carry out their duties. All such persons will be made aware of this Policy and
their duties under the GDPR. The organisation will take all reasonable steps to
ensure that all personal information is held securely and is not accessible to
The Rights of an Individual
Under the Regulations an individual has the following rights with regard to those who
are processing his/her data:
● Personal and special categories of personal data cannot be held without the individual’s
consent (however, the consequences of not holding it can be explained and a service
● Data cannot be used for the purposes of direct marketing of any goods or services if the
individual has declined to consent to this.
● Individuals have a right to have their data erased and to prevent processing in specific
▪ Where data is no longer necessary in relation to the purpose for which it was
▪ When an individual withdraws consent
▪ When an individual objects to the processing and there is no overriding
legitimate interest for continuing the processing
▪ Personal data was unlawfully processed
● An individual has a right to restrict processing – where processing is restricted, the
organisation is permitted to store the personal data but not for processing. The
organisation can retain just enough information about the individual to ensure that
the restriction is respected in the future.
● An individual has a ‘right to be forgotten’.
We have a robust procedure where monthly checks are made to ensure accuracy
throughout the database where user details are stored. Any updates regarding our
data storage shall be communicated to the user, via email.
Data which is stored for longer than the period stated in the ‘Storage Limitations’
section of this document shall be deleted.
Due to the objectives of the organisation, data is recommended to be stored for 6 years
After those 6 years the user will be contacted and given the option to continue using
our platform. If the user has not responded to our request within 6 months, then the
user’s personal details will be erased.
Data Breach Procedure
A personal data breach is a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
If we experience a personal data breach, we shall consider whether this poses a risk to
people. We shall also consider the likelihood and severity of the risk to people’s rights
and freedoms following the breach. When the assessment is made and there is a likelihood
of a risk, we shall notify the ICO (Information Commissioner’s Office). We do not need
to report every breach to the ICO, but each breach shall be handled adequately in-house as
What can be classed as a data breach?
● Access by an unauthorised third party
● Deliberate or accidental action (or inaction) by a controller or processor
● Sending personal data to an unintended recipient
● Lost or stolen computing devices containing personal data
● Unauthorised alteration of personal data
● Loss of availability of personal data.
Any suspected data breach will be reported to the Head of Governance and Administration
[Mrs Titilayo Asanbe: [email protected]].
Subject access requests
Under the Data Protection Act 1998, individuals are entitled, subject to certain
exceptions, to request access to information held about them. This requirement is
included in the GDPR 2018 and is expected to be included in the DPA 2018 Act.
Please contact the Head of Governance and Administration [Mrs Titilayo Asanbe:
[email protected]] if you would like to update or request any
information that we hold about you.