Goodwill Children's Homes

Privacy & Cookies

If you have any questions in the meantime, don't hesitate to get in touch: call 0117 3250 550 or email admin@goodwillhomes.org.uk.

Aims of this Policy

Goodwill Children's Homes needs to keep certain information on its employees, volunteers, service users and trustees to carry out its day to day operations, to meet its objectives and to comply with legal obligations.

The organisation is committed to ensuring any personal data will be dealt with in line with the GDPR. To comply with this regulation, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.

The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within the organisation.

This policy covers employed staff, trustees, volunteers and anyone connected with Goodwill.

Definitions

In line with the new General Data Protection Regulation (GDPR) principles, Goodwill Children's Homes will ensure that personal data will:

▪ Be obtained fairly and lawfully and shall not be processed unless certain conditions are met

▪ Be obtained for a specific and lawful purpose

▪ Be adequate, relevant but not excessive

▪ Be accurate and kept up to date

▪ Not be held longer than necessary

▪ Be processed in accordance with the rights of data subjects

▪ Be subject to appropriate security measures

The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper-based personal data as well as that kept on computer.

The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. The organisation will seek to abide by this code in relation to all the personal data it processes, i.e.

▪ Accountability: those handling personal data follow publicised data principles to help gain public trust and safeguard personal data.

▪ Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.

▪ Consent: The collection and use of personal data must be fair and lawful. Personal data should only be used for the purposes agreed by the data subject. If personal data is to be used for another purpose, the data subject’s consent should be explicitly obtained.

▪ Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data.

▪ Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data lifespan.

Type of information processed

Goodwill Children's Homes processes the following personal information:

▪ In the UK: Supporters’ and Volunteers’ contact details; Trustees’ contact details

▪ From India: Indian committee and staff contact details; Profiles of children available for sponsorship

▪ From France: French supporters’ contact details

▪ Personal information is kept in the following forms: paper-based, on laptop and desktop PC including cloud-based CRM system and an external hard drive (back-ups).

▪ Groups of people within the organisation who will process personal information are: employed staff and trustees

▪ Goodwill does not ask for any Sensitive Personal Data

We may share certain information we hold about you, such as your email address or information relating to your previous enquiries or interactions with Goodwill Homes, with carefully selected third parties. This helps us provide you with more relevant and helpful online marketing. For example, we may securely share your information with platforms like Google or Facebook to help them recognise you as someone who has previously shown interest in Goodwill Children's Homes services, and in turn, show you more relevant content or updates when you're browsing those sites.

Responsibilities

Under the Data Protection Guardianship Code, overall responsibility for personal data in a voluntary organisation rests with the governing body. In the case of Goodwill Children's Homes, this is the Trustees.

The governing body delegates tasks to the Administrator. The Administrator is responsible for:

▪ understanding and communicating obligations under the GDPR

▪ identifying potential problem areas or risks

▪ producing clear and effective procedures

▪ All employed staff who process personal information must ensure they not only understand but also act in line with this policy and the GDPR principles.

▪ Breach of this policy will result in disciplinary proceedings.

Policy Implementation

To meet our responsibilities staff, volunteers and trustees will:

▪ Ensure any personal data is collected in a fair and lawful way;

▪ Explain why it is needed at the start;

▪ Ensure that only the minimum amount of information needed is collected and used;

▪ Ensure the information used is up to date and accurate;

▪ Review the length of time information is held;

▪ Ensure it is kept safely;

▪ Ensure the rights people have in relation to their personal data can be exercised

We will ensure that:

▪ Everyone managing and handling personal information is trained to do so.

▪ Anyone wanting to make enquiries about handling personal information, whether a member of staff, volunteer or service user, knows what to do.

▪ Any disclosure of personal data will be in line with our procedures.

▪ Queries about handling personal information will be dealt with swiftly and politely.

Training

Training and awareness raising about the GDPR and how it is followed in this organisation will take the following forms:

On induction, staff will be provided with information on the Privacy Policy. The Administrator is responsible for keeping the Privacy Policy current in the Administrator’s Handbook (part of the Risk Register). From May 25, 2018, the new GDPR regulations procedure will be:

▪ The Goodwill office will keep and maintain a Policy file in the office (electronic & hard copy)

▪ The Policy file will contain a list of all relevant Policies and Guidelines

▪ Trustees should be made aware of changes in legislation and updated as and when required via email or at Trustees’ meetings

▪ Supporters should be notified or reminded that we do have a GDPR policy via the bi-annual newsletter, on the website and as a footnote in email messages from the Administrator

▪ Staff should receive training on important government legislation to fully understand the importance, complexity and implications for the charity.

Gathering and checking information

Before personal information is collected, we will consider:

▪ Including a privacy policy/note in email messages, all correspondence, newsletters and on the website, having a message in the footer of letters.

▪ Keeping personal information for as long as there is a legitimate interest in the charity

▪ Keeping financial data and gift aid declarations for at least 6 years as required by HMRC

We will inform people whose information is gathered about the following:

▪ Personal data will be treated ‘fairly’

▪ Relevant Personal data will be shared with India in the event of being a sponsor and for the purpose of receiving communication from India

▪ Preferences regarding the way we communicate with them can change and they can let us know how they would like to hear from us

▪ They have a choice to ‘opt-out’ by contacting the Administrator

▪ Update your privacy notice to explain clearly what information you collect and how you use it.

We will take the following measures to ensure that personal information kept is accurate:

▪ Donor information must not be kept longer than is necessary. This means that data that is being processed for a particular purpose must not be kept unless it is still required for that purpose.

▪ Recommend good practice technique - sending out reminders to people asking them to check their details or when speaking on the phone, ask them to verify details.

▪ Deceased supporters: hard copies are removed from file and kept externally in safe storage for as long as necessary. Time: up to 6 years

▪ Data kept on CRM system are archived. Records and details are removed after a period of 6 years.

▪ Personal sensitive information will not be used apart from the exact purpose for which permission was given.

Retention periods

Goodwill Children's Homes will ensure that information is kept according to the following retention period guidelines:

▪ Personnel files - 6 years after employment/volunteering ceases, (slimmed down format after 2 years). This file may include:

1) Application forms and interview notes (unsuccessful candidates) - 1 year

2) Letters of reference - 6 years from the end of employment

3) Redundancy details - 6 years from the date of redundancy

4) Parental leave - 5 years from birth/adoption or 18 if the child receives a disability allowance

5) Accident books, accident records/reports - 3 years

6) Assessments under health & safety regulations - Permanently

7) Income tax, NI returns, income tax records and correspondence with IR - At least 3 years after the end of the financial year to which they relate

8) Statutory maternity pay records and calculations - At least 3 years after the end of the financial year to which they relate

9) Statutory sick pay records and calculations - At least 3 years after the end of the financial year to which they relate

10) Wages and salary records - 6 years

11) Employee joining/new starter form - 6 years after employment ceases

▪ Financial records: Required by law to keep records for a minimum six years after the end of the tax period in which the last donation was made. However, it is advisable to keep them for as long as you are able in case of problems in a later audit.

▪ Gift Aid Declarations: Required by law to keep declarations and store all records of Gift Aid transactions for at least 6 years in case of an audit.

Data Security

The Charity will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:

▪ Using lockable cupboards (restricted access to keys). Office filing cabinet keys are kept by the Administrator and taken off-site every day. Archived files are kept in safe off-site storage with a secure lock with code; the code is only known to the Administrator.

▪ Setting up computer systems to allow restricted access to certain areas

▪ Personal data should not be taken off-site except by means of the encrypted back-up system. If it is taken off-site in hard copy format, appropriate security measures should be taken and the data should be returned to the office as soon as possible.

▪ Back-up of data on computers (onto a server/the cloud off-site). This is managed by external IT support and backed up daily to the secure Microsoft cloud. Data on the CRM system is backed up daily to the secure Microsoft Azure cloud.

▪ Any unauthorised disclosure of personal data to a third party by an employee may result in disciplinary proceedings.

The Trustees are accountable for compliance with this policy. A trustee could be personally liable for any penalty arising from a breach that they have made. Any unauthorised disclosure made by a volunteer may result in the termination of the volunteering agreement.

Procedure in case of a breach

When a breach of data protection occurs, consideration will be given to reviewing practices. In addition, Goodwill Children's Homes will consider whether the breach should be reported to the Information Commissioner.

Subject Access Requests

Anyone whose personal information we process has the right to know:

▪ What information we hold and process about them

▪ How to gain access to this information

▪ How to keep it up to date

▪ What we are doing to comply with the Regulation.

They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.

Individuals have a right under the Regulation to access certain personal data being kept about them on the computer and certain files. Any person wishing to exercise this right should apply in writing to the Chair of Trustees, Dr David Neill, via the Goodwill Children's Homes office (Tel: 0117 3250 550).

The following information will be required before access is granted:

▪ Full name and contact details of the person making the request

▪ Their relationship with the organisation (former/current member of staff, trustee or other volunteer, service user)

▪ Any other relevant information- e.g. timescales involved

▪ Type of identification required before releasing any information (e.g. passport, birth certificate, etc.)

We may also require proof of identity before access is granted.

Queries about handling personal information will be dealt with swiftly and politely. We will aim to comply with requests for access to personal information as soon as possible but will ensure it is provided within the 40 days required from receiving the written request.

Review

This policy will be reviewed at intervals of 1 year, at the Autumn meeting, to ensure it remains up to date and compliant with the law. (On 25 May 2018 the new General Data Protection Regulation (GDPR) came into effect, replacing the current Data Protection Act 1998.)