Stroud District Foodbank is registered with the Information Commissioner as a controller ZA283038 and is governed by the Data Protection Act 2018, the EU General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations 2003 (PECR).
Who this policy applies to
Stroud District Foodbank employees and volunteers are required to adhere to this policy which is designed to protect the personal data of Stroud District Foodbank data subjects - our supporters, volunteers, employees and trustees. Written Data Protection Guidance is provided to help staff and volunteers comply with this policy and relevant data protection legislation.
Data protection law applies to how we process people’s personal information. The key terms that we need to understand are:
Controller – Stroud District Foodbank is a controller as it collects and decides how personal information will be used.
Principles – These are the rules that we must follow when processing personal information
Processing - This is what we do with personal information. It includes how we collect, record, store, share and use personal information
Personal information – This includes personal data and special category personal data
Personal data - This is information about people and held in computer systems, mobile devices including laptops, tablets, telephones, or in manual records such in paper files and notebooks. For example, name, address, date of birth, bank account details, interests
It also includes opinions about a person. For example, notes on how you think someone has behaved, performed or appears
Special category personal data – this is information about a person’s health, religion, political opinion, trade union membership, race or ethnic origin, sexuality
A data subject - this is the person whose personal information is being processed. For example, a supporter, employee, volunteer, trustee
Data processor – this is an organisation that we use to process personal information on behalf of the Trust. For example, a print and mailing house
Information Commissioner’s Office (ICO) - this is the government body responsible for enforcing data protection law in the UK
Data protection principles
All staff and volunteers are responsible for complying with the principles of data protection legislation which states that personal information must be:
1. Collected and processed in a fair, lawful and transparent way
2. Used only for the reasons it was collected
3. Relevant and not excessive
4. Kept accurate and up to date, and corrected or deleted if there are mistakes
5. Kept for no longer than it is needed
6. Kept safe to protect it from being lost, stolen or used inappropriately
7. Processed in accordance with people’s rights
In addition, the GDPR provides rules relating to the transfer of personal data to countries outside of the European Economic Area.
See Stroud District Foodbank’s Data Protection Guidance for Stroud District Foodbank’s data protection working practices.
Stroud District Foodbank’s data subjects include supporters, employees, volunteers, trustees and beneficiaries.
Data processing purposes
Stroud District Foodbank needs to process personal information about our different data subjects to:
• Process donations and gift aid claims
• Process legacies and pledges
• Enable supporters to fundraise for us
• Enable supporters to participate in events
• Manage relationships with our supporters
• Provide supporters with information about us and the work that we do
• Manage marketing and communication preferences of our supporters
• Provide support to people who need to use the food bank
• Develop case studies and stories about our beneficiaries to promote and report on the work that we do
• Recruit and employ members of staff
• Recruit and manage volunteers
• Fulfil our legal and governance obligations as a registered charity and company
Legal basis for processing personal information
Stroud District Foodbank’s legal basis for processing personal information is documented in detail in our ‘Record of Processing Activity’. Personal information is processed with consent where appropriate, in order to meet our legal obligations as an employer, registered charity and company, and for our legitimate interests.
Stroud District Foodbank may process some personal information based upon our legitimate interests. This is where the processing is required to fulfil our organisational objectives, is not to the detriment of our data subjects, and will not cause them damage or distress. We undertake legitimate interest assessments to balance the rights and interests of our data subjects with that of Stroud District Foodbank in order to make a judgement as to whether the legitimate interest condition applies to our processing.
Responsibilities of staff and volunteers
The Stroud District Foodbank Data Protection Lead, who is also Foodbank Manager is required to:
1. Provide compliance advice to staff
2. Ensure that staff receive appropriate data protection training and guidance
3. Ensure that Stroud District Foodbank’s data protection policies and documents are appropriate and up to date
4. Be the focal point for the administration of any subject access requests
5. Deal with data subject rights in relation to erasure, objection, restriction and rectification that staff feel unable to manage themselves
6. Log and assess all personal data breaches at Stroud District Foodbank.
7. Refer data breach assessments to the board of Trustees for a final decision on whether they should be reported to the ICO
8. Renew and ensure that Stroud District Foodbank’s notification with the ICO is accurate
9. Keep a central register of all organisations that Stroud District Foodbank shares personal information with
10. Advise staff on the interpretation of this policy and guidelines and to monitor compliance with the policy.
All staff and volunteers are responsible for:
1. Working in compliance with the data protection principles as set out in this policy and Stroud District Foodbank’s ‘Data Protection Guidance’
2. Ensuring that any personal information that they provide to Stroud District Foodbank in connection with their employment, volunteering or other contraction agreement is accurate
3. Informing Stroud District Foodbank of any changes to any personal information which they have provided, e.g. changes of address
4. Responding to requests to check the accuracy of the personal information held on them and processed by Stroud District Foodbank.
Data subject rights
Stroud District Foodbank respects the rights of its data subject including the right to:
• To be informed – we do this by including appropriate privacy notice information when collecting personal information
• Subject access - the right to view their personal information which we hold
• Object and / or withdraw consent - where the processing of personal data could cause them significant damage or distress.
• Rectification - we must correct any inaccurate or incomplete personal information when asked
• Erasure - deletion or the removal of their personal information where there is no compelling reason for its continued processing
See Stroud District Foodbank’s ‘Data Protection Guidance’ for information on how to respond to data subject rights.
It is the responsibility of all staff and volunteers authorised to access personal data processed by Stroud District Foodbank to ensure that data, whether held electronically or manually, is kept securely and not disclosed unlawfully, in accordance with this Policy. Unauthorised disclosure will usually be treated as a disciplinary matter and could be considered as constituting gross misconduct in some cases.
Data protection awareness will be included as part of induction. Changes to policy on data protection policy or guidance will be circulated to all staff and volunteers. All staff and volunteers are expected to be familiar with and comply with the policy at all times.
Anyone who considers that this policy has not been followed in respect of personal data about themselves should raise the matter with the Data Protection Lead.
Status of this policy
This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and polices made by Stroud District Foodbank from time to time.
Compliance is the responsibility of all staff and volunteers. Any breach of this policy may lead to disciplinary action being taken, or even a criminal prosecution.
Any questions or concerns about the interpretation or operation of this policy should be taken up with the Data Protection Lead.