PATT Foundation – Data Protection Policy
Agreed by trustees March 2018
1.1 PATT Foundation Ltd (PATT) recognises the importance of the correct and lawful treatment of personal data. All personal data, whether it is held on paper, on computer or on other media, will be subject to the appropriate legal safeguards as specified in the UK Data Protection Act, incorporating the General Data Protection Regulation (GDPR).
1.2 Where children and vulnerable adults are concerned, PATT’s safeguarding policy shall take precedence.
1.3 PATT is a Data Controller for the purposes of the Data Protection Act. The PATT Treasurer is the person responsible for all data protection matters.
1.4 PATT fully endorses and adheres to the six principles of the Data Protection Act. These principles specify the legal conditions that must be satisfied in relation to obtaining, handling, processing, transportation and storage of personal data. Trustees and any others who obtain, handle, process, transport and store personal data for PATT must adhere to these principles.
2. The Principles
The six GDPR principles require that personal data is:
- a) processed lawfully, fairly and in a transparent manner in relation to individuals;
- b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
3. The data that PATT holds, why we hold it and what we do with it
3.1 The following is a list of the personal data we hold on donors/supporters and the format in which it is kept:
a) Details of donors including name, address, bank account and giving details are on the Treasurer’s home PC. This data is held for administration and legal purposes relating to donations (e.g. processing gift aid claims and records and maintaining accounting records).
b) Details of donors including name, address, (some) email addresses, bank account and giving details are also held in paper format, at the Treasurer's home address, in the form of Gift Aid declarations and standing order mandates. This data is held for administration and legal purposes relating to donations (e.g. processing gift aid claims and records and maintaining accounting records).
c) For donors and supporters that have consented, email addresses are held by the Chair of Trustees on an Excel spreadsheet and Outlook database. This data is held for the purposes of informing individuals of news, events, activities and prayer points.
d) The PATT website collects limited data for someone who wants to donate (name, email address and donation amount) and for someone who wants to join the newsletter (name and email address). This information will be transferred by the PATT webmaster to the Treasurer and Chair to be used for a) and c) above.
All the above information is given freely by the donors.
3.2 The following is a list of the personal data we hold on trustees, in their role as a trustee (and not as a donor/supporter) and the format in which it is kept:
- a) Home address, date of birth and other trusteeships held, held on the Treasurer’s home PC. This data is held for the purpose of Charities Commission records.
3.3 We may, from time to time, hold information on individual beneficiaries. This is restricted to their name and is used to process payments, to ensure that money is given to the correct beneficiary.
3.4 We do not keep any sensitive personal data (special category data under the GDPR).
4.1 Consent for PATT to process personal data must be freely given, specific, informed and unambiguous.
4.2 The PATT website includes our full data privacy statement which is GDPR compliant. The donor form on the website has a consent statement in line with 4.3 below.
4.3 The PATT Gift Aid/Standing Order Form has a consent statement allowing "opt in" only consent for mailing list purposes. There is also a link on the Form to the Data Privacy statement on the website, which clearly states what the data collected will be used for.
4.4. Very occasionally consent for data will be given by phone. For example, in an informal telephone conversation with a supporter who shows interest, we may ask for their email address, so we can send the newsletter. Where this happens, we should wherever possible follow up by email to confirm that the supporter has freely given consent for their personal data to be used in this way.
4.5 The need to process data for normal purposes has been communicated to all data subjects.
5. Maintaining Confidentiality
5.1 PATT will treat personal information as private and confidential and not disclose any data to anyone other than the trustees of the charity and legal bodies (e.g. Charities Commission and HMRC) to facilitate the administration and day-to-day work of the charity.
5.2 Information and data stored by PATT will not be distributed in any form such as digital, hard copy or any other form which might breach the GDPR.
5.3 Personal data will not be given or sold to any other person, company or charity.
5.4 All associates who have access to personal data obtained under this policy will be required to agree to and sign this Data Protection Policy.
5.5 There are four exceptions to the above permitted by law:
- a) Where we are legally compelled to do so
- b) Where there is a duty to the public to disclose
- c) Where disclosure is required to protect our interests
- d) Where disclosure is made at your request or with your consent
6. Deletion and Accuracy of Data
6.1 Data will be held while the person is a donor of PATT. Paper data will be deleted 6 years after the donor stops donating; this allows us to comply with statutory record-keeping rules on Gift Aid.
6.2 If PATT receives a written request from the donor to delete personal data then we will do this within 30 days. The exception to this will be where there is a need to keep statutory records for a longer period.
6.3 If we delete personal data we will also inform any third parties that may have copies of the data and request them to delete the same data.
6.4 PATT strives to keep accurate data in all cases.
6.5 If personal details are found to be inaccurate, they can be amended upon request. If PATT receives a request to check or amend inaccurate data, then we will do this within 30 days.
6.6 If we amend inaccurate data we will also inform any third parties that may have copies of the data and request them to amend the same data.
7. Security of Data
7.1 This section relates to data that PATT holds as per Section 3.
7.2 All home computers that hold PATT personal data are password protected and protected by anti-virus software.
7.3 The donation records held on the Treasurer's computer are individually password protected, can only be accessed by selected trustees who have specific permission to do so, and are backed up regularly.
7.4 All trustees who store personal information obtained under this policy on any electronic system other than the donation records described in 7.3 are required to do so in accordance with the principles of the Data Protection Act and the GDPR, and to take due care to ensure that the information remains secure, using passwords and encryption where appropriate. This includes:
- a) Email / telephone / address books held on personal computers, mobile phones, PDAs etc.
- b) Data stored on memory sticks and/or portable hard drives
8. Right to access personal data
8.1 Subjects of personal data held by PATT have the right (with some legal exceptions) to access any personal data that is being kept about them, either electronically or in paper-based filing systems. This right may be restricted where the personal information also relates to another individual.
8.2 Specifically, all individuals who are the subject of personal data held by PATT are entitled to:
- a) Ask what information the charity holds about them and why.
- b) Ask how to gain access to it.
- c) Be informed how to keep it up to date.
- d) Be informed what PATT is doing to comply with its obligations under the Data Protection Act and the GDPR.
8.3 Any person who wishes to exercise this right should make the request in writing to the Treasurer, using the standard letter which is available on-line from www.ico.gov.uk. PATT will not normally charge for a subject access request; a reasonable administration fee may be charged only where the GDPR permits it (for example, where a request is manifestly unfounded or excessive, or for further copies of the same data).
8.4 PATT aims to comply with requests for access to personal information as quickly as possible, and will ensure that it is provided within 30 days of receipt of a completed request.
8.5 The ability to request access to data is stated in the PATT data privacy notice (see 4.2).
9. Data Breaches
9.1 For PATT, a data breach is most likely to happen if:
- a) We obtain personal data in a way that is not controlled, i.e. not through the website nor through the Gift Aid/Donor form.
- b) We lose data, whether through a cyber-attack or through physical documents being stolen. We have controls to prevent this from happening as far as we can.
- c) We send personal data to someone else without consent (even if by accident).
- d) We alter personal data without consent (even if by accident).
9.2 PATT takes any suspicion of a data breach seriously and will act immediately to determine whether a breach has occurred.
9.3 Where we are aware of a breach we will notify both the Charities Commission and the ICO within 72 hours, even if we do not have full details of the breach.
9.4 We will notify the individuals concerned if there is a risk to them (e.g. if bank details were taken), and will do this within 72 hours.
9.5 All data breaches will be recorded and noted by the trustees at a trustee meeting. In all cases we will discuss whether the breach could have been prevented and what further safeguards we need to put into place.
10.1 Photographs taken at PATT events may include individuals or groups of individuals attending these events. These photographs will be used solely for PATT advertising, marketing and public relations, and may thus appear in any advertising internal and or external, website or other publicity material.
10.2 The photographer will ask for permission before using such photographs.