The General Data Protection Regulation (GDPR) is enforced in the UK from 25 May 2018. This policy sets out how New Bridge will comply with the GDPR by covering the following areas:
1. Definition of the key terms:
Personal data: data conveying any information relating to an identified or identifiable natural person. This may include name, address, identifier numbers (e.g. telephone); it also includes online or electronically stored identifiers, if they can be used alone or in combination to identify a person. In addition, there is a category of ‘sensitive personal data’ which includes genetic, biometric and medical data; racial and ethnic identity; religious and political beliefs; and sexual orientation.
Criminal offence data: personal data relating to criminal convictions and offences, or related security measures.
Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data
Data processor: a natural or legal person, public authority, agency or other body which is responsible for processing personal data on behalf of the controller
Data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Data subject: the individual to whom the personal data belongs. This could be an applicant, beneficiary, donor, potential donor, trustee, employee, volunteer, contractor, or any other individual whose personal data are held by us.
Lawful basis for processing: There are six lawful bases for processing data legally and in a transparent manner and at least one must apply:
(a) Consent: the individual has given clear consent for processing their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract with the individual, or because they have requested specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
2. Our understanding of the GDPR
The GDRP is an EU-wide law that replaces the previous Data Protection Act (1988). The purpose of the GDPR is to help EU citizens better understand and control how their personal data is being used, and how to raise objections if necessary. The GDPR achieves this by placing responsibilities on data controllers and data processors; and by giving rights to data subjects who have given consent to data processing.
In the UK, compliance with the GDPR is overseen by the Information Commissioner’s Office (ICO). New Bridge is not registered with the Information Commissioners Office due to its charitable status and level of operation. New Bridge is a data processor under the GDPR. The Board of New Bridge has assessed the scale of our data processing and decided that the quantity of data being processed does not justify appointing a Data Protection Officer. The responsibility for compliance with the GDPR is designated by the Board of New Bridge to the Chief Executive.
3. How GDPR fits into our charitable objectives
New Bridge is a charity that exists to befriend people in prison and does this through letter writing and visiting. To carry out this work fairly and effectively, New Bridge processes personal data from individuals making an enquiry about our work, people who apply to be befrienders, people who apply for a befriender, its employees, its trustees, potential donors/supporters and active donors/supporters and we use this data to ensure that our organisation functions effectively. New Bridge has arrangements with other organisations and may need to share personal data in order to fulfil obligations made to its befrienders and befriendees, staff and trustees. New Bridge recognises that all of these uses of personal data fall within the remit of the GDPR.
New Bridge will only process personal data where we have a legal basis to do so and will always respect our data subject’s rights. We may process personal data because the data subject has consented to us doing so or because we consider we have a legitimate interest to do so. Where we do rely on a legitimate interest to process personal data information, we will always ensure that this is done in a way that respects the rights of our data subjects. Other reasons may include using information because we have a legal obligation to do so or because we have to fulfil contractual obligations.
New Bridge accepts that it has added responsibility in the processing of criminal offence data and confirms that it does so in an official capacity agreed with and authorised by HM Prisons and Probation Service.
4. Meeting our responsibilities under the GDPR
The GDPR sets out six responsibilities for organisations processing personal data. These responsibilities are recognised by the Board of Trustees and in practice will be delegated to Chief Executive. New Bridge has identified that there are three lawful basis under which it processes personal data:
4.1 Lawful Basis
Personal data must be ‘processed lawfully, fairly and in a transparent manner in relation to individuals’ (ICO guidance 2018)
New Bridge processes personal data under the lawful basis of contract with the data subject.
New Bridge has contracts with individuals (i.e to claim gift aid) and must process their personal data to comply with its obligations under those contracts.
Individuals apply to New Bridge to be befriended or be a befriender and it must process their personal data in order to further their application.
4.1.2 Legitimate Interest
New Bridge processes personal data under the lawful basis of legitimate interest.
The processing of personal data of both befriendees and befrienders is necessary for New Bridge to achieve its charitable objectives. It has assessed the amount of personal data it requires and has deemed it to be a proportionate way of achieving those objectives.
New Bridge processes personal data under the lawful basis of consent
New Bridge informs individuals about the data it requires from them and sets out how it will be used. New Bridge explains the use of personal data on its privacy statement, application processes, website and fundraising documentation. New Bridge will always ask for written consent from the individual.
Data subjects can tell us to stop contacting them, or change the way in which we do so, e.g. email, post, telephone, SMS etc by getting in touch with us. We will keep a record of any requests to stop receiving marketing from us to ensure that we do not communicate with those data subjects in the future, unless they tell us they want to hear from us again.
Personal data must be ‘collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes’ (ICO guidance 2018)
New Bridge uses personal data to carry out our charitable objectives as set out in section 3 above.
The Charity principally collects personal information to provide data subjects with the services or information they have requested. Where we use personal data, it may be because the data subject consented to us doing so. Some examples can be found below:
We may also keep a record of conversations we have with a data subject, feedback a data subject provides and any marketing/fundraising materials we send out to a data subject.
We share the personal data of individuals who apply for our befriending service with their volunteer befriender so that they can develop the befriending relationship. We rely on the lawful bases of both consent and legitimate interest as this personal data contains criminal offence data.
We may also need to share data with third parties, called ‘data processors’, (e.g HM Prisons) in order to fulfil our agreement with an individual. We seek consent from the individual and we have a GDPR-compliant Data Sharing Agreement with those third parties].
We may also need to disclose personal data if required to do so by law. For example, we are legally required to provide personal data to HMRC if a data subject has agreed to us claiming Gift Aid on their behalf.
We do not use data for other purposes.
4.3 How we collect personal data
Personal data must be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’ (ICO guidance 2018)
New Bridge carries out regular audits on all its data collection, processing, and storage functions to check that data are adequate, relevant and limited to that which is necessary to fulfil our charitable objectives and run our organisation effectively.
The charity receives and stores personal information supplied to it in writing, via email, via the telephone, in person or online when applying, enquiring, or registering for befriending, employment, trusteeship or volunteering opportunities or when attending events or donating money to the Charity.
It may also receive personal information from third parties, for example HMPPS charities, agencies or organisations who refers an individual to its service.
Where befrienders and befriendees have provided information about their experience of the service, by whatever means, we will explain what the information will be used for and whether it will be held anonymously or not. It will always be used anonymously unless the individual agrees otherwise. For example, to write up experiences which can be used in communications including PR and media activity, digital and social media, campaigning, fundraising materials and internal communications, to help New Bridge to raise awareness of befriending. New Bridge will not use a personal story without obtaining the data subject’s consent first, it would always contact the data subject to discuss the use of their story in further detail each time. If the data subject’s material has appeared publicly in a copy of ‘Inside Time’ – a newspaper produced by New Bridge’s subsidiary company, New Bridge deems that it can be replicated in its own materials.
4.4 Accuracy of personal data
Personal data must be ‘accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay’ (ICO guidance 2018)
New Bridge takes care to collect all data accurately and has reasonable administrative procedures for amending or erasing inaccurate data as necessary.
4.5 How long we keep personal data
Personal data must be ‘kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed’ (ICO guidance 2018)
New Bridge has set out a timescale for erasing data that we no longer need for processing purposes. When no longer needed, paper records will be shredded and electronic records will be deleted or permanently anonymised.
Trustee information – in line with Charity Commission requirements and keep 1 year after a Trustee has left for Annual Return purposes
Donor information, including Gift Aid declarations and records to be kept until 6 years after the end of the accounting period they relate to.
Staff, befriender and trustee information - keep for 6 years after the involvement has ended in line with HMRC’s requirements for tax records
Befriendee information is currently retained indefinitely even though the involvement may have come to an end. New Bridge considers this to be acceptable because of the very high incidence of readmittance to prison and the resumption of previously ended befriending relationships. It is also vital to retain such information as a safeguard for our befrienders.
Personal data must be ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’ (ICO guidance 2018)
New Bridge’s data audit has assessed the risks to personal data. We have appropriate managerial procedures in place to safeguard and secure the information we collect. We have set up reasonable levels of protection for physical and electronic records [to include locked filing cabinets with control of access to keys; locked offices, again with key control; fire precautions; password protected computers; adequate levels of permission to access computer files; adequate anti-virus software; adequate back-up procedures; adequate agreements for data stored in the cloud or offsite; encryption of personal data if it being transferred electronically; regular training for staff and volunteers on data security; other]
New Bridge recognises that any breach of unencrypted personal data must be reported to the ICO within 72 hours of our becoming aware of the breach.
New Bridge will raise awareness of the GDPR regulations, its policy and the legal obligations upon it to all trustees, staff and volunteers who have access to personal data. It will also ensure that there is appropriate data protection training for personnel on an ongoing basis.
The GDPR sets out rights for individuals (i.e. data subjects), which New Bridge recognises and respects.
New Bridge considers that the letters exchanged between befrienders and befriendees within the befriending relationship remain the property of each of the recipients and the contents do not form any part of the information or personal data held by or processed by New Bridge. However, New Bridge advises all its befrienders how to store their letters appropriately.
If for any reason, New Bridge needs to retain or store a letter it will advise both recipient and writer accordingly and explain the reasons.
New Bridge fundraises from members of the public/ our supporters/ trusts and foundations. When it contacts individuals for fundraising purposes, it is clear that fundraising is its aim. New Bridge provides individuals with access to its Privacy Statement and obtains their informed consent before collecting personal data.
New Bridge contacts individuals by post/telephone/email. New Bridge does not make any unsolicited contact with individuals for fundraising purposes. It is clear to those who have consented to New Bridge’s contact that they can unsubscribe or change their preferences at any time.
New Bridge does not pass our fundraising contacts to other parties and does not buy mailing lists for fundraising purposes.
This policy was approved by the Board on 11th September 2018 and is signed on their behalf by:
Signature: Joseph Pilling
Name: Joseph Pilling
Role: Chair of Board of Trustees