Data Protection Policy
1. The purpose of this policy
1.1. Royal Voluntary Service (“RVS”) collects, holds and processes certain information about its service users, volunteers, employees and donors to ensure that it can meet its commitments to those that it supports, protect those whom it helps, support its legitimate charitable activities and operate its management functions. This could, by way of example, include the holding of information regarding personal details such as name, address and date of birth, and sensitive information regarding health issues to allow us to provide services as required.
1.2. This policy has been developed to ensure that RVS complies with the Data Protection Act 1998 (“the Act”) and the General Data Protection Regulations, so that any data which it holds is stored safely, processed correctly and not unlawfully disclosed to any other person.
2. Definitions used in this policy
2.1 In this policy the following words shall have the following meanings:
means any living individual who is the subject of personal data including any RVS employees, volunteers, service users, family, friends or associates of those individuals and any RVS supporters, donors, suppliers, contractors or consultants.
means any RVS employee, volunteer and/or other person working under the umbrella of RVS and who has access to information.
3. The Data Controller
3.1 RVS is a company limited by guarantee (number 2520413) and a
registered charity (in England and Wales number 1015988 and in Scotland
with number SC038924). RVS is the Data Controller under the Act as
registered with the Information Commissioners Office with registration
3.2 RVS’s Trustees are responsible for the implementation of this
policy. The RVS Data Protection Officer is Ian Hodgkinson who can be
contacted at Royal Voluntary Service, Beck Court, Cardiff Gate Business
Park, Cardiff CF23 8RP
Tel: 029 2073 9044.
3.3 The Data Protection Officer will:
a. maintain RVS’s registration with the Information
Commissioners Office and act as the first point of contact with the
Information Commissioners Office;
b. provide advice, guidance and direction on data protection issues within RVS;
c. receive any complaints regarding data management;
d. maintain the RVS Data Protection Register.
4. Compliance with the Act, this policy and the RVS Data Protection Procedure
4.1 RVS and any RVS Individual must comply with the Act, the Regulation, this policy and any RVS Data Protection Procedure. This means that personal data must be handled in accordance with the principles of good handling specified in the Act and Regulation i.e. that personal data is:
- processed lawfully, fairly and in a transparent manner
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary
- accurate and where necessary kept up to date
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed
- processed in a manner that ensures appropriate security of the personal data.
Examples of personal data within RVS include an individual’s name, address, date of birth, national insurance number, email address and telephone number.
4.2 Any deliberate or reckless breach of the Act, Regulation or this policy and/or the RVS Data Protection Policy may lead to disciplinary proceedings against the RVS Individual and or legal proceedings against the RVS Individual and or RVS.
5.1 RVS will:
a. ensure that data in its possession is stored securely, correctly processed and not unlawfully distributed;
b. process data in accordance with the Act and Regulation;
c. provide appropriate training, guidance and support to help RVS Individuals comply with the Act and Regulation, this policy and any RVS Data Protection Procedure;
d. on receipt of a lawful request share information with United Kingdom law enforcement agencies and/or judicial bodies. If it does so RVS will inform the Information Commissioners Office of its actions and record the facts in the RVS Data Protection Register.
5.2 It will be the responsibility of all RVS Individuals to:
a. check that any information they provide to RVS in connection with their RVS role is accurate and up-to-date;
b. inform RVS of any error or change to the information provided; RVS will not be responsible for any errors of which it has not been notified;
c. comply with the Act, the Regulation this policy and any RVS Data Protection Procedure and to ensure, for example, that any data is kept securely and is not disclosed either orally or in writing accidentally or otherwise with any unauthorised third party.
6. Sensitive personal data
6.1 RVS recognises that sensitive personal data is likely to be of a private nature and that it may only be processed with the express consent of a Data Subject. The Act defines sensitive personal data as including:
a. racial or ethnic origin
b. political opinion
c. religious beliefs or other beliefs of a similar nature
d. trade union membership
f. biometrics (where used for ID purposes)
h. sex life or orientation.
Examples of the type of sensitive personal data that RVS may hold include details of an individual’s health, medication, physical needs. Criminal convictions although no longer classed as sensitive will still be dealt with in full confidence as per the policy. RVS will strive to collect and hold only data that is necessary and appropriate for the charity to provide its activities.
6.2 RVS will request consent to process sensitive personal data at the earliest appropriate touch point with a Data Subject it being noted that agreement to RVS processing certain types of sensitive personal data is a pre-requisite to certain roles within RVS, for example those that require a DBS or PVG check where previous convictions may be referenced.
7 Rights to access information
7.1 RVS acknowledges that any Data Subject has the right to request access to any personal data regarding them held by RVS that is kept in electronic or paper form. RVS will make no charge for requests as per the regulation;
7.2 RVS will on written request, notify a Data Subject of the data held by RVS concerning them and the reasons as to why any data is being processed. RVS will record the request and response in the Data Protection Register;
7.3 RVS will comply with reasonable requests for access to personal data within 30 days of the date of receipt of the written request and as quickly as possible unless there is a good and fair reason for delay. If a delay is envisaged the Data Controller will inform the requester of the delay and the reasons for it in writing and this will be recorded in the Data Protection Register.
8 The data protection register
8.1 RVS will hold, maintain and update a Data Protection Register which will detail actions taken by the Data Protection Officer on behalf of RVS in relation to specific issues arising under the Act and Regulation, and the reasons for those actions. The Data Protection Register will be:
a. held by the Data Protection Officer on behalf of RVS;
b. secured on the RVS “S” drive;
c. accessible only by those RVS Individuals explicitly authorised by the RVS Executive Finance Director or in his absence the RVS Head of Governance
9 Retention of Data
9.1 RVS is obliged by law to keep information for differing lengths of time as recorded in RVS’s Data Retention Policy.
9.2 RVS does and will continue to use the services of third party storage suppliers for the purpose of storage and disposal of data and will continue to select its suppliers based on their ISO credentials and security certification;
9.3 Archived data held off site in non RVS buildings will be retained in accordance with the Data Retention Policy before confidential destruction.
10 Policy review
10.1 This policy will be reviewed annually or sooner if required.