PRIVACY & DATA PROTECTION POLICY
SWASEND (Steiner Waldorf Association for Special Educational Needs and Disability) keeps certain information about its project users, staff, directors, volunteers and financial supporters in order to run our operations effectively and efficiently.
To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. The following policy sets out how this will be achieved.
Personal data is information about identifiable, living individuals held on computer or in manual filing systems.
The Data Controllers are the SWASEND Directors and they are ultimately responsible for the policy’s implementation.
The Data Protection Officer is a nominated director responsible for reviewing and enforcing the Data Protection Policy.
3. The Policy
In keeping information about its contacts, service users, staff, consultants and volunteers, SWASEND will follow the six Data Protection Principles set out in
the General Data Protection Regulation (GDPR) effective from 25 May 2018, which are summarised below:
- Process data fairly and lawfully and transparently
- Purpose limitation: Collect data only for a specified, explicit and legitimate purpose
- Data minimisation: Collect and store data only to the extent which is adequate, relevant and not excessive.
- Accuracy: Ensure data is accurate and up to date
- Storage: Not keep the data for longer than is necessary.
- Integrity, confidentiality and security: Technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction, or damage
SWASEND staff, consultants and volunteers who process or use any personal information in the course of their duties will ensure that these principles and the following procedures are followed at all times.
Guidance notes to aid with adherence to the six principles above have been included in Appendix 1.
When SWASEND has cause to obtain personal data (such as names, addresses, phone numbers, email addresses) from employees, volunteers, interested organisations and service users, this data will be obtained, stored and processed solely to assist staff, consultants and volunteers in the efficient running of the SWASEND operations.
When personal data is requested from a new volunteer or service user they will be given an explanation of how their personal data will be used. Written consent will be required to collect and store this data. See Appendix 2.
When a referral is made via a third party, contact will be made with the potential service user or volunteer to obtain written permission to store and process their personal data.
A service user’s or volunteer’s personal data will not be passed on to anyone outside SWASEND without explicit consent from them unless there is a legal duty of disclosure under other legislation, in which case SWASEND directors will be consulted.
Only SWASEND staff or directors will normally have access to consultants’, advisors’, volunteers’ or service users’ personal data.
All staff, directors, volunteers and professional advisors will be made aware of SWASEND Data Protection Policy and their obligation not to disclose personal data to anyone who is not authorised to have it. (Professional advisors, for the purposes of the points above are: book keeper, accounts examiner, lawyers, advisors, service providers).
Volunteers and service users will be supplied with a copy of any of their personal data held by SWASEND if a request is made.
4. Accuracy and Longevity
SWASEND staff, directors and volunteers will take reasonable steps to keep personal data up to date and accurate and make corrections in a timely fashion. Personal data will be stored for as long as the volunteer volunteers with us, or the service user uses our services. Where volunteer/service user ceases to use our services and it is not deemed appropriate to keep their records, their records will be destroyed.
If a request is received from an individual to destroy their records, SWASEND will remove their details from its data base and request that all staff holding paper or electronic details of that individual destroys them. This work will be carried out by the Data Protection Officer. It is the responsibility of all SWASEND staff/ volunteers to inform the Data Protection Officer if such a request is received. This procedure also applies if SWASEND is informed that an organisation ceases to exist.
Personal data are kept on a password-protected computer system and/or password-protected cloud storage system.
6. Personal Data Relating to Staff, Volunteers and Directors
SWASEND obtains personal data (names, addresses, phone numbers, email addresses, dates of birth), application forms, references and in some cases other documents from staff, volunteers, job applicants and directors.
This data is stored and processed for the following purposes:
- assessing the suitability of an applicant for a specified placement;
- notification of SWASEND related events
- communication with relevant potential contributors to events and training session
Policy updated and approved: May 2018
To be reviewed: May 2019 by the directors of SWASEND
APPENDIX 1 – GUIDANCE NOTES
This outlines the practical ways we are adhering to the six principles of GDPR (effective from 25 May 2018).
1. Process data fairly and lawfully and transparently
We will let all new and existing volunteers, employees, organisations and directors know what data we hold about them and why it is being held and collect their written permission to hold this data for the reasons outlined in the policy.
The privacy statement used for the above is in Appendix 2
2. Collect data only for a specified, explicit and legitimate purpose The purposes for collecting personal data are:
to inform interested organisations and individuals about our projects.
to inform supporters of our activities and how their money is being used.
We will only collect data for the reasons given above and will not use those details for activities that fall outside those of SWASEND.
3. Collect and store data only to the extent which is adequate, relevant and not excessive
The information we collect are names, addresses, telephone numbers and email addresses.
The addresses and telephone numbers will be passed to our volunteers if necessary to support involvement in our projects.
4. Ensure data is accurate and up to date
We will review the data held annually.
We will delete data from our computer records or burn or shred any paper copies of data held on:
anyone who, for whatever reason, informs us that they do not wish to be informed of, or take part in our projects.
anyone who has died
5. Not keep the data for longer than is necessary
We will adhere to number 4 above
6. Technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction, or damage
Computer data records are held on password protected computers.
The excel file that contains the contact details of all our clients and volunteers is also password protected and is only accessible by SWASEND directors.
The SWASEND files are stored on a password protected Googledocs account only accessible to SWASEND directors.
If our computer systems are compromised in any way, the data protection officer will be informed and all the people whose data has been compromised will be informed.
APPENDIX 2 – PRIVACY STATEMENT WORDING
SWASEND Privacy Statement
In accordance with the new General Data Protection Regulation (GDPR) which comes in to force on 25 May 2018, SWASEND is required to seek permission to store any personal data held about you and to allow us to contact you in the future.
What data we hold
Personal data that SWASEND holds are names, dates of birth, addresses, telephone numbers and email addresses
We also use photographs which to promote SWASEND projects both in print and on our website.
Why we hold personal data
We hold this information in order for SWASEND to run its projects and company activity effectively and efficiently.
How it is stored
Computer data records are held on password protected computers.
The file that contains the contact details of all our contacts and volunteers is also password
protected and is only accessible by SWASEND employees or directors.
The SWASEND files are stored on a password protected cloud storage account only accessible by SWASEND employees or directors.
What we will NOT do with your data
Your data will not be passed onto to any third party without your permission.
Your data will not be used for any purpose other than for the effective running of SWASEND or if it is required by emergency services.
The SWASEND Privacy and Data Protection Policy can be accessed via our website or a hard copy can be obtained from any SWASEND employee or director.
You can request to see the personal data we hold about you at any time.
We will regularly review the data we hold and update it accordingly and also remove your data from our records if requested.