GDPR Policy

INTRODUCTION

Sight Loss Shropshire (SLS) is a registered charity no. 215137 in England & Wales. Our registered office is at: The Lantern, Meadow Farm Drive, Shrewsbury, Shropshire, SY1 4NG.

SLS is registered with the Information Commissioner’s Office as a Data Controller, registration number ZB388753.

SLS is committed to protecting your personal information and being clear about what information we hold and what we use it for. SLS needs to collect and use certain types of Data in order to carry out our work. This personal information must be collected and dealt with appropriately. The General Data Protection Regulation (GDPR) governs the use of information about people (personal data). Personal data can be held on computer or in a manual file, and includes email, minutes of meetings, and photographs. Swantje Staar-Slogrove will remain the Data Controller for the information held.

SLS staff and volunteers will be personally responsible for processing and using personal information in accordance with the GDPR. Trustees and volunteers running SLS who have access to personal information, will be expected to read and comply with this policy. SLS is committed to a policy of protecting the rights and privacy of individuals.

Personal data is information that can be used to help identify an individual, such as name, address, phone number or email address. Some categories of data, such as health information, are more sensitive, and are known as personal sensitive data.

Type of Information Processed

Some examples of Personal Data:

• Name
• Date of Birth
• Family Name
• Current and Previous Address
• Evening/Daytime/Mobile telephone numbers
• E-mail Address
• Family Relationships

Some examples of Sensitive Personal data:

• Gender
• Ethnic Origin
• Disability
• Marital Status

SLS processes the following personal information (information that allows a person to be identified):

• Volunteer and donor name, address, email and contact number.
• Referrer name, email address and contact number.
• Client name, full address but NOT sex and age of children, ethnicity. If possible, email and phone numbers are also obtained for the purposes set out above.

Personal information is emailed to a secure email address by the referrer, volunteer or donor and is then uploaded to the client database. If paper requests of referrals or volunteer applications are received, they are uploaded to the client database upon which the paper copy is destroyed. Staff data including personal and financial records are only available to the trustees and staff members. Groups of people within the organisation who will process personal information are:

• Trustees, staff, specific contractors, treasurers, delivery volunteers

You may provide us with personal data when you use our website, social media pages, or services (including phone, and email). We will collect and use your information in the way(s) set out in this policy. If you do not agree with this policy, please do not use our website, social media pages or services.

 

PURPOSE

The purpose of this policy is to explain clearly how we collect and use the personal information you provide to us and what rights you have.

SLS regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal with. We want to collect limited personal information of clients in order to fulfil a referral request. We want to use personal data to contact individuals to invite them to return as volunteers and/or to work as ambassadors. We want to collect personal information from our referral partners and volunteers in order for our service to ensure good communication. We want to maintain accurate records of clients in order to anonymise data to use in funding applications and publicity. We want to use the limited personal data we collect and store for 5 years before anonymising for long term use in order to assess the impact of our services. We want to maintain a list of people who have explicitly told us that they don’t want to be contacted by us again. We want to maintain contact information for anyone who has volunteered for SLS so we can contact them about future volunteering opportunities. We want to keep our volunteer, client and referrer database information up to date.

This policy applies to all personal data processed by SLS.

 

The GDPR

In line with the GDPR principles (Article 5), SLS will ensure that personal data will:

• Be obtained fairly and lawfully and shall not be processed unless certain conditions are met.
• Be obtained for a specific and lawful purpose.
• Be adequate, relevant but not excessive.
• Be accurate and kept up to date.
• Not be held longer than necessary.
• Be processed in accordance with the rights of data subjects.
• Be subject to appropriate security measures.
• Not to be transferred outside the European Economic Area (EEA).

Where collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.

The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes paper based personal data as well as that kept on computer.

The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. The organisation will seek to abide by this code in relation to all the personal data it processes, i.e.

• Accountability: those handling personal data follow publicised data principles to help gain public trust and safeguard personal data.
• Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.
• Consent: The collection and use of personal data must be fair and lawful. Personal data should only be used for the purposes agreed by the data subject. If personal data is to be shared with a third party or used for another purpose, the data subject’s consent should be explicitly obtained.
• Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data.
• Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span.

Data collection

Before personal information is collected, we will consider:

• What information we need in order to deliver our service efficiently.
• What information we need in order to show the impact of our service.
• How long we will keep the information on record:
• We will keep data on clients for a maximum of 5 years from the client’s last use of our service.
• We will keep volunteer data for 1 year after their last contact with us, then it will be deleted. This will increase to 6 years where volunteers are providing advice.
• We will keep data on Gift Aid declarations for 6 years, in accordance with HMRC regulations.
• Anonymised data and aggregate totals will be maintained beyond the destruction of individual records so we can assess the impact of our services.
• Application forms, interview records (including notes taken at interview) and references for unsuccessful internal or external candidates for paid employment will be kept for a period of 12 months following application, after which they should be confidentially shredded.
• 6 years after employees have left, all information other than their name, job title, department and period of employment should be deleted.
• Data relating to disciplinary and grievance records of current employees are removed from personnel files once they become spent in accordance with SLS disciplinary procedure; and deleted three years from the date issued. Where disciplinary or grievance cases have involved concerns of sufficient severity or gravity, data will be deleted five years from the date issued.

We will inform people whose information is gathered about the following:

• That we need key information in order to deliver our service.
• That their information will be recorded in our Client Database, which is only accessed by trustees and staff and is password protected.
• That by ticking the box on the referral and/or volunteer form, they consent to SLS using their anonymised data.
• That by ticking the box on the referral and/or volunteer form, we will add them to the mailing list to inform them aboutabout future events, etc. There is an Opt Out option at the footer of each newsletter.
• That by ticking the box on the referral form, they consent to being contacted in order for us to complete our service (such as feedback calls).
• That staff will have relevant financial and personal information kept in the HR files in order to enable SLS to meet legal and contractual obligations.

Data Security

Once received, all correspondence containing ‘personal’ or ‘sensitive personal’ data must immediately be either securely processed, stored, or destroyed; or immediately passed on to another member of staff or a volunteer for secure processing, storing or destruction.

 

No visible, unattended Data

All staff and volunteers must adopt a ‘clear desk policy’ when it comes to data. This means that all versions of any ‘personal’ or ‘sensitive personal’ data must be handled in a timely and secure fashion and at no time left unattended, particularly outside hours of business e.g. not left on desks overnight.

Electronic Copies

Electronic copies should at no time left open and unattended on a computer monitor, and never should be unnecessarily distributed. Computer screens should be locked if they are left unattended for any time.

All electronic correspondence containing ‘personal’ or ‘sensitive personal’ data should be deleted, and then deleted from any electronic ‘trash’ bin, once it has been processed.

COLLECTION OF INFORMATION

SLS will collect information about you when you:

• • • Contact us for advice and information – this may include details of a personal nature, such as information about your eye condition or other health issues
    • Sign up to attend a course or other event
    • Apply for a financial grant
    • Make a donation
    • Take part in surveys, questionnaires or get involved with our campaigns
    • Volunteer with us
    • Apply to work with us
    • Contact us or become involved with us in any other way not listed above.
    • We may also receive information about you from third parties if you have given them permission to share this information
    • We want to contact individuals who have received our support to inform them about changes to our service or events which might be of interest to them.

We ask you to provide this information so that we can deliver the services you request, such as sending you information or a ticket to an event.

We may ask you for information about your health, for example, what type of eye condition you have, so that we can provide you with relevant information or signpost you to other relevant services.

Applying the GDPR within SLS

Whilst access to personal information is limited to the staff, trustees and volunteers at SLS, volunteers at SLS may undertake additional tasks which involve the collection of personal details from members of the public. In such circumstances we will let people know why we are collecting their data and it is our responsibility to ensure the data is only used for this purpose.

Correcting data

Individuals have a right to have data corrected if it is wrong, to prevent use which is causing them damage or distress or to stop marketing information being sent to them.

Responsibilities

Swantje Staar-Slogrove is the Data Controller under the GDPR, and is legally responsible for complying with the GDPR, which means that it determines what purposes personal information held will be used for. The Board of trustees will take into account legal requirements and ensure that it is properly implemented, and will through appropriate management, strict application of criteria and controls:

• • • Observe fully conditions regarding the fair collection and use of information.
    • Meet its legal obligations to specify the purposes for which information is used.
    • Collect and process appropriate information, and only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements.
    • Ensure the quality of information used.
    • Ensure that the rights of people about whom information is held, can be fully exercised

Under the GDPR. These include:

• • • The right to be informed that processing is being undertaken
    • The right of access to one’s personal information.
    • The right to prevent processing in certain circumstances.
    • The right to correct, rectify, block or erase information which is regarded as wrong information.
    • Take appropriate technical and organisational security measures to safeguard personal information.
    • Ensure that personal information is not transferred abroad without suitable safeguards.
    • Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information.
    • Set out clear procedures for responding to requests for information.

USING YOUR INFORMATION

SLS will use the information you share with us to:

• • • provide you with information or services you request
    • administer your participation in an event, which may include sharing your details with a third party event organiser
    • administer a donation
    • process a job or volunteering application
    • refer you to another organisation – this will only be where you have specifically consented to your information being shared
    • keep you up-to-date with our work and the impact of your support

We record contact we have with you, to give us a clear understanding of how you have supported us or have been supported by us in the past. We may also collect and retain your information if you send us feedback about our services, give us a compliment or make a complaint.

After you have used one of our services or taken part in an event, we may get in touch to ask you about your experience. You do not have to take part, but your feedback will help us to improve our services in the future.

PROCESSING YOUR INFORMATION

The principles defined in the Data Protection Act 2018 and the General Data Protection Regulation (GDPR), requires that SLS processes your personal data in ways that are:

• • • Lawful, fair and transparent
    • Collected for specific explicit and legitimate purposes
    • Adequate, relevant and limited
    • Accurate and up-to-date
    • Not kept for longer than necessary
    • Secure

Under the General Data Protection Regulation (GDPR), SLS must have a valid lawful reason to process personal data. At least one of the following bases must apply whenever we process your information.

• • • Consent – in the majority of cases, we will obtain your consent to our use of your personal information (e.g. to send you information, or to refer you to a statutory service). You may withdraw your consent at any time by contacting us using the details at the end of this document.
    • Contract – if you agree to work or volunteer for us, we need to be able to process your information for the purpose of meeting our contractual obligations.
    • Legal Obligation – we may need to process your personal information to comply with the law (e.g. where we are ordered by a court or regulatory authority or we are legally required to hold donor transaction details for Gift Aid).
    • Public Task – we may need to process your personal information to comply with our official functions (e.g. to carry out a task that we have been commissioned to provide by a statutory body).
    • Vital interest – in the event of a risk to life (e.g. a medical emergency) where you are unable to provide consent we may need to share or process your personal information to protect the life of yourself or another person.
    • Legitimate interests – this means our interest in running SLS as a charity with the aim of improving the quality of life of visually impaired people living in Shropshire, Telford & Wrekin. For example:
      • Providing information about local support and services, and eye conditions
      • Administering events
      • Sharing information about forthcoming events and other news of interest to people with sight loss
      • Processing donations
      • Staff recruitment, taking applications for volunteers and contacting volunteers about their role

When we process your personal information in this way, we have to balance our interests against your interests, rights and freedoms.

If you have provided us with your postal or email address, we may send you information about our work and the support we offer, and forthcoming events that may be of interest. As a charity, these activities are fundamental to how we work so we can use the ‘legitimate interest’ as the lawful basis to contact you.

If you wish to opt-out of receiving marketing communications please contact us using the details at the end of this document.

If you have indicated you do not wish to be contacted by us for marketing purposes, we will retain your details on a ‘do not contact’ list to help ensure that we do not contact you accidentally. However, we may still need to contact you if you carry on dealing with us, including (but not limited to):

• • • Sending you information you have requested
    • Providing you with information you need in order to participate in an activity, event or campaign for which you have registered
    • Sharing information about forthcoming events and other news of interest to people with sight loss
    • Processing a donation
    • Responding to a complaint

STORING YOUR INFORMATION

When you provide us with information, you agree to us recording your details. We hold your personal information for as long as required to provide you with the information or services you have requested, to comply with the law or to ensure we do not communicate with people who no longer wish to hear from us.

The criteria used to determine retention periods is based on:

• • • various legal requirements
    • the purpose for which we hold data
    • whether there is a legitimate reason for continuing to store it (e.g. in order to deal with any future legal disputes)
    • guidance issued by relevant regulatory authorities including, but not limited to, the Information Commissioner’s Office (ICO).

Personal information that we no longer need is securely disposed of and/or anonymised so you can no longer be identified from it. Some personal information may be retained by us in archives for statistical or historical research purposes. This will be done in a way that complies with applicable data protection law.

We continually review the personal information and records we hold and delete what is no longer required. Access to both paper and electronic records is restricted to personnel who need access. Paper records are held in locked cabinets in our office. Electronic records are held on TEAMS and a secure data base.

Paper Copies

Paper copies should exist in only one of three states; being securely processed, being securely stored, or being securely destroyed. The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:

• • • All referrals are emailed to an email address which only SLS staff and trustees have access to.
    • Clients are only requested to give their full address if they require our delivery service, the information of which is held on a secure password protected spreadsheet on a password protected device and destroyed once delivery is completed.
    • Volunteers are sometimes required to collect the above data from clients and record on a paper referral form. All volunteers are specifically told in their induction and reminded at each session briefing that all paper copies of referral documents should be given to a staff member or trustee.
    • All volunteer and donor information are contained on separate, password protected spreadsheets or a password protected CRM.
    • Any paper copies of volunteer agreements are kept in a secure filing cabinet.
    • SLS will use our best efforts to ensure that any outside agencies or contractors used to process data (such as payroll, fundraising etc.) also comply to the law and will adhere to the GDPR regulations.

Existing Records

SLS intends to use the “legitimate interest” principle of the GDPR in relation to information about volunteers and donors which was collected and stored before the date of this policy.

SLS will only share your information if you have given specific consent for it to be shared (e.g. so that we can refer you to another service) or if we are required to by law, i.e. with the police or a regulatory body. At all times we remain legally responsible for your data.

 

DATA RETENTION

SLS complies with the requirements of data protection legislation by:

• • • Supporting the organised creation, retrieval, appropriate storage and preservation of SLS’s essential records
    • Supporting the appropriate disposal of documents that have no continuing business, legal or historical significance
    • Enabling SLS to manage and track documents and assisting in providing openness and transparency to the public

The actual period for records to be kept will depend on several factors, including:

• • • Legal requirements
    • SLS’s need to access the document
    • Historical value
    • Storage costs

 

PURPOSE

This policy applies to both manual and electronic records held by SLS. The timescales for retention and destruction of manual and electronic records are the same.

The General Data Protection Regulation (GDPR) requires that:

• • • records shall be processed lawfully for specified, explicit and legitimate purposes,
    • be adequate, relevant and not excessive for the purpose/s for which they are held;
    • be accurate and where necessary kept up to date
    • not kept for longer than is necessary for its purpose/s.

These principles require SLS to have procedures in place which cover the review of information held by them in relation to the retention and destruction of records. SLS employees must follow this procedure to ensure we fulfil our legal obligations in relation to these principles.

 

SCOPE

This policy covers:

• • • records created by or on behalf of SLS
    • records received by any member of SLS’ staff, trustees or volunteers
    • hard copy and electronic records including internet sites, databases, emails, pictures and videos

 

DATA PROTECTION

This policy will ensure that SLS is complying with the relevant data protection legislation, which requires that personal data is not retained for longer than is necessary.

To comply with the principles of data protection legislation, SLS must:

• • • only keep information for as long as there is a business need
    • keep records secure, whether electronic or paper
    • ensure records are retrievable and easily traced
    • allow a person access to information held about them, should they request it

To maintain compliance, SLS must:

• • • destroy papers and electronic data for which there is no continuing business need
    • keep data secure while it remains in the office
    • keep track of where information is stored
    • continuously apply these good practices to avoid stockpiling papers in the future

All records created by, or on behalf of, SLS belong to SLS. All records received on behalf of SLS as part of its business will be its property, which may be disposed of or released as SLS sees fit or as required by law. Originators’ and owners’ rights will be fully respected in accordance with legislation.

The SLS Chief Officer AJ will be responsible for ensuring that complete and accurate records are retained in line with legislative requirements and agreed best practice.

The SLS Manager will be responsible for managing and tracking records and will determine whether a file is no longer required for current business usage.

The SLS Chief Officer AJ will be responsible for depositing and disposing of archive records. The Chief Officer may choose to retain records for longer than the indicative periods given in the retention schedule, for example, if they consider records to be of significant historical value or if the issue they are concerned remains ‘live’.

 

YOUR RIGHTS

UK data protection law provides the following rights for individuals:

• • • The right to be informed – this policy is intended to provide you with clear and concise information about how we use your personal data.
    • The right of access – you have a right to obtain a copy of your personal data.

Data Subject Access Requests

Anyone whose personal information we process has the right to know:

• • • What information we hold and process on them
    • How to gain access to this information
    • How to keep it up to date
    • What we are doing to comply with the Act.

They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.
Individuals have a right under the Act to access certain personal data being kept about them on computer and certain files. Any person wishing to exercise this right should apply in writing to SLS either via email (admin@sightlossshropshire.org.uk) or post:

Sight Loss Shropshire,
The Lantern,
Meadow Farm Drive,
Shrewsbury,
Shropshire,
SY1 4NG

The following information will be required before access is granted:

• • • Full name and contact details of the person making the request
    • Relationship with the organisation and applicable timescales

We may also require proof of identity before access is granted. The following forms of ID may be required: passport, birth certificate.

Queries about handling personal information will be dealt with swiftly and politely.

We will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within the 28 days required by the GDPR from receiving the written request.

• • • The right to rectification – if the information we hold about you is inaccurate you have the right to have it corrected. You may also be able to have incomplete personal data completed. If you believe the information we hold about you is inaccurate or incomplete, please provide us with details and we will investigate.
    • The right to erasure – you have the right to have some or all of your personal data erased in certain circumstances.
    • The right to restrict processing – you have the right to restrict processing of your personal data in certain circumstances.
    • The right to data portability – you have the right to receive personal data you have provided in a structured, commonly used and machine readable format.
    • The right to object – you have the right to object to the processing of some or all of your personal data. This right only applies in certain circumstances.
    • Rights in relation to automated decision making and profiling. SLS does not undertake automated decision making or profiling.

If you want to exercise any of the above rights, please contact us using the details at the end of this document. We may ask for further information and/or evidence of identity. You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please note that exceptions apply to a number of these rights, and not all rights will be applicable in all circumstances. For more details we recommend you consult the guidance published by the Information Commissioner’s Office in their ‘Your Data Matters ‘ guidance for individuals.

SLS is committed to keeping your data accurate. If your contact details or circumstances change, please let us know by contacting our office using the details at the end of the document.

If you decide that you do not want to hear from us, or want to change the way we contact you, please contact our office.

Disclosure

SLS may need to share data with other agencies such as the local authority, funding bodies and other voluntary agencies.

The Data Subject will be made aware in most circumstances how and with whom their information will be shared. There are circumstances where the law allows SLS to disclose data (including sensitive data) without the data subject’s consent.

These are:

• • 1. Carrying out a legal duty or as authorised by the Secretary of State.
    2. Protecting vital interests of a Data Subject or other person.
    3. The Data Subject has already made the information public.
    4. Conducting any legal proceedings, obtaining legal advice or defending any legal rights.
    5. Monitoring for equal opportunities purposes – i.e. race, disability or religion.
    6. Providing a confidential service where the Data Subject’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g. a safeguarding concern for the welfare of the child or adult.

SLS regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.

Data Breach

Any unauthorised disclosure of personal data to a third party by an employee may result in disciplinary action being taken. The trustees are accountable for compliance of this policy. A trustee could be personally liable for any penalty arising from a breach that they have made. Any unauthorised disclosure made by a volunteer may result in the termination of the volunteering agreement. If a volunteer or member of staff is made aware of a data breach they should notify the trustees. Any serious data breaches or data loss will be reported to the Information Commissioners Office and the Charity Commission. This includes:

• • • Charity data that has been accessed by an unknown person and/or deleted.
    • A charity device, containing personal details of beneficiaries or staff, has been stolen or gone missing and it’s been reported to the police;
    • Charity funds lost due to an online or telephone ‘phishing scam’, where trustees were conned into giving out bank account details;
    • A Data Protection Act breach has occurred and been reported to the ICO

Risk Management

The consequences of breaching Data Protection can cause harm or distress to service users if their information is released to inappropriate people, or they could be denied a service to which they are entitled. Volunteers should be aware that they can be personally liable if they use clients’ personal data inappropriately. This policy is designed to minimise the risks and to ensure that the reputation of SLS is not damaged through inappropriate or unauthorised access and sharing.

Training

Training and awareness raising about the GDPR and how it is followed in this organisation will take the following forms:

On induction: all volunteers are given a copy of our data protection policy. Specific induction is given regarding volunteer roles that deal with personal data. Only staff members, volunteers and trustees have access to passwords and locked files.

Further training is available to trustees and staff through outside agencies where necessary and a training log is kept of those who have attended.

The Data Protection Officer will be responsible for ensuring that the policy is implemented and will have overall responsibility for:

• • • Everyone processing personal information understands that they are contractually responsible for following good data protection practice.
    • Everyone processing personal information is appropriately trained to do so.
    • Everyone processing personal information is appropriately supervised
    • Anybody wanting to make enquiries about handling personal information knows what to do.
    • Dealing promptly and courteously with any enquiries about handling personal information.
    • Describe clearly how SLS handles personal information
    • Will regularly review and audit the ways SLS holds, manages and uses personal information.
    • Will regularly assess and evaluate SLS methods and performance in relation to handling personal information.
    • All staff and volunteers are aware that a breach of the rules and procedures identified in this policy may lead to action being taken against them. This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the GDPR. In case of any queries or questions in relation to this policy please contact the Data Protection Officer.

WHAT TO DO IF YOU HAVE ANY CONCERNS

If, at any time, you are unhappy about the way we process and/or use your personal information, please contact us using the details at the end of this document.

If you are unhappy with the way your data is being processed, and we have been unable to satisfactorily resolve your concern, you have the right to complain to the Information Commissioner’s Office (ICO):

By post: Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: www.ico.org.uk

 

REVIEW

This policy is due for review annually unless an incident or new legislation or guidance suggests the need for an interim review. The SLS trustees are responsible for this review.

Next review date: October 2025

OUR CONTACT DETAILS

You can contact us:

By post at: Sight Loss Shropshire,
The Lantern,
Meadow Farm Drive,
Shrewsbury,
Shropshire,
SY1 4NG

By email at: admin@sightlossshropshire.org.uk

By telephone: 07778 956096

 

 

RETENTION SCHEDULE

APPENDIX A