Data Protection Policy (GDPR)
1. INTRODUCTION
According to the terms of the UK Government Data Protection Act of 2018, “personal data”
refers to the information that can be used to identify an individual, such as name, address, or
credit card number. A "data subject" refers to any living individual whose personal data is
collected, stored, or processed by an organisation.
The controller of personal data at Resettlement CIC is Oliver Welzen-James, contactable at
2. RETENTION OF PERSONAL DATA
To volunteer with us, we will need to collect and store certain personal information, including:
● Name
● Email address
● Phone number
● Address
● Date of Birth
● DBS Certificate
Please note that this list is not exhaustive, and we may collect additional information as
needed to support your role as a volunteer. However, we do not store any sensitive data
about our volunteers.
We are committed to protecting your personal information. We regularly review the data we
store to ensure it remains accurate, relevant, and secure. Our data protection practices are
designed to keep your information safe and to comply with all applicable privacy laws and
regulations.
3. USAGE OF HELD PERSONAL DATA
The data we collect will be used solely for the purpose it was provided. We will never sell
client or supplier data to third parties.
4. DISPOSAL OF PERSONAL DATA
On an annual basis, an exercise will be undertaken to ensure that personal data which is no
longer necessary for our legitimate core activities is removed. A record shall be kept that
this exercise has taken place and of what data has been disposed of.
5. SHARING OF PERSONAL DATA
Personal data will be kept strictly confidential and will only be shared with Resettlement CIC
staff and volunteers for activities directly related to the organisation. For example, data may
be shared when a volunteer needs to be in contact with the team, or with individuals they are
supporting through a Resettlement CIC project.
We will only share data with third parties outside the charity under the following
circumstances:
● With the individual's consent
● If legally required, such as during a police investigation
● In accordance with our safeguarding policy
6. DATA PROTECTION PRINCIPLES
Your personal data will be collected and processed according to the following principles:
a) Data should be processed in a legal, fair, and transparent way, ensuring individuals
understand how their data is being used.
b) Data should be collected for clear, specific, and legitimate reasons, and not used in ways
that are incompatible with those reasons. Exceptions apply if the data is used for public
interest archiving, research, or statistical purposes.
c) The data collected should be adequate, relevant, and limited to what is necessary for its
intended purpose.
d) Data should be accurate and updated as needed. Steps must be taken to correct or
delete any inaccurate data promptly.
e) Data should only be kept in a form that allows identification of individuals for as long as it
is necessary for its intended purpose. Data may be stored longer if used solely for archiving,
research, or statistical purposes, provided that appropriate safeguards are in place.
f) Data must be processed with appropriate security measures to protect it from
unauthorised access, unlawful use, and accidental loss, destruction, or damage.
7. THE RIGHTS OF THE DATA SUBJECT
The following outlines the legal responsibilities of Resettlement CIC and the rights of data
subjects under the GDPR, ensuring transparency and protection of personal data. Under the
UK Government Data Protection Act of 2018, the “data subject” is entitled to:
(A) The Right to Be Informed
Organisations must inform individuals about what personal data is being collected,
how it will be used, the duration of its retention, and whether it will be shared with
third parties. This information must be provided clearly and in straightforward
language.
(B) The Right of Access
Individuals have the right to submit a subject access request, requiring organisations
to provide a copy of the personal data they hold about them. Organisations have one
month to comply, with certain exceptions for requests that are unfounded, repetitive,
or excessive.
(C) The Right to Rectification
If an individual identifies inaccuracies or incompleteness in the personal data held by
an organisation, they can request corrections. The organisation has one month to
make the necessary changes, subject to the same exceptions as the right of access.
(D) The Right to Erasure
Also known as "the right to be forgotten", this right allows individuals to request the
deletion of their data under specific circumstances, such as when the data is no
longer necessary, was processed unlawfully, or the individual withdraws consent.
(E) The Right to Restrict Processing
Individuals can request that an organisation limit how it processes their personal
data. This may be an alternative to erasure when, for example, the accuracy of the
data is disputed or when the data is no longer needed for its original purpose but is
required for legal claims.
(F) The Right to Data Portability
This right allows individuals to obtain and reuse their personal data across different
services. It applies only to data provided to a controller based on consent or a
contract.
(G) The Right to Object
Individuals can object to the processing of their personal data when it is collected for
legitimate interests or public tasks. Organisations must cease processing unless they
can demonstrate compelling legitimate grounds that override the individual’s
interests, rights, and freedoms or if the processing is required for legal claims.
(H) Rights Related to Automated Decision-Making and Profiling
The GDPR regulates decisions made without human intervention, such as profiling
based on personal data. Individuals have the right to challenge and request a review
of automated processing if they believe the rules are not being followed.
8. RECTIFICATION OF DATA
Individuals have the right to request the correction of inaccurate personal data or the
completion of incomplete data. This request can be made either in writing or verbally. Upon
receiving such a request, Resettlement CIC will rectify the information without delay, and no
later than one calendar month. This period may be extended by up to two additional months
if the request is complex or if multiple requests have been made.
However, if the request is clearly unfounded or excessive, particularly if it is repetitive,
Resettlement CIC reserves the right to refuse the request.
We will verify the identity of the individual making the request through reasonable methods.
If incorrect data has been shared with other organisations, we will notify them of the
correction where possible.
9. RIGHT OF ERASURE
You can request the deletion of your personal data, known as the "right to be forgotten",
either verbally or in writing. Resettlement CIC will delete the data within one month, or within
up to two additional months for complex requests. We will verify your identity using
reasonable means.
You also have the right to ask Resettlement CIC to stop processing your data if it is causing
or is likely to cause significant damage or distress. Notify any team member with details of your
concern, and we will respond within one month, explaining our decision and actions.
Requests for erasure may be refused in cases where it is necessary to:
● Uphold freedom of expression and information
● Comply with legal obligations
● Establish, exercise, or defend legal claims
10. BREACH
In the rare event of a personal data breach, Resettlement CIC will notify the Information
Commissioner’s Office (ICO) within 72 hours of discovering the breach. A personal data
breach refers to a security incident leading to the accidental or unlawful destruction, loss,
alteration, unauthorised disclosure of, or access to, personal data. If the breach is likely to
impact an individual’s rights or freedoms, we will also inform the affected individuals.
Resettlement CIC will maintain a record of all personal data breaches.
Examples of breaches include:
● Improper disposal of equipment or documents
● Lost or stolen unprotected equipment or documents
● Ineffective access controls, including physical security
● Poor data governance, such as improper filing or outdated data
● Inadequate defence against cyber threats, including viruses and phishing
● Unprotected data transmissions, such as via email or video conferences
● Lack of policies, procedures, or controls
● Equipment failure
● Negligence or malicious actions by poorly trained employees
11. FURTHER INFORMATION
Further information regarding your rights can be found on the Information Commissioner's
Office website: https://ico.org.uk/.
Last reviewed: 25/09/24