Fareshare Midlands collects and uses information about people with whom it communicates. This personal information must be dealt with properly and securely however it is collected, recorded and used – whether on paper, in a computer, or recorded on other material – and there are safeguards to ensure this in the Data Protection Act 1998.
Fareshare Midlands regards the lawful and correct treatment of personal information as very important to the successful and efficient performance of its functions, and to maintain confidence between those with whom it deals. To this end Fareshare Midlands fully endorses and adheres to the Principles of Data Protection, as set out in the Data Protection Act 1998 and the General Data Protection Regulations (GDPR).
The purpose of this policy is to ensure that the staff, volunteers and trustees, members and all other and service users of Fareshare Midlands are clear about the purpose and principles of Data Protection and to ensure that it has guidelines and procedures in place which are consistently followed.
Failure to adhere to the Data Protection Act 1998 and GDPR is unlawful and could result in legal action being taken against Fareshare Midlands or its staff, volunteers or trustees.
The Data Protection Act 1998 regulates the processing of information relating to living and identifiable individuals (data subjects). This includes the obtaining, holding, using or disclosing of such information, and covers computerised records as well as manual filing systems and card indexes.
Data users must comply with the data protection principles of good practice which underpin the Act. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
To do this Fareshare Midlands follows the eight Data Protection Principles outlined in the Data Protection Act 1998, which are summarised below:
- Personal data will be processed fairly and lawfully
- Data will only be collected and used for specified purposes
III. Data will be adequate, relevant and not excessive
- Data will be accurate and up to date
- Data will not be held any longer than necessary
- Data subject’s rights will be respected
VII. Data will be kept safe from unauthorised access, accidental loss or damage
VIII Data will not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
The principles apply to “personal data” which is information held on computer or in manual filing systems from which they are identifiable. Fareshare Midlands’s employees, volunteers and trustees who process or use any personal information in the course of their duties will ensure that these principles are followed at all times.
The following procedures have been developed in order to ensure that Fareshare Midlands meets its responsibilities in terms of Data Protection. For the purposes of these procedures data collected, stored and used by Fareshare Midlands falls into 2 broad categories:-
- Fareshare Midlands internal data records; Staff, volunteers and trustees, donors and supporters
- Fareshare Midlands external data records; Members, customers, clients.
Fareshare Midlands as a body is a DATA CONTROLLER under the Act, and the Executive Committee is ultimately responsible for the policy’s implementation.
Internal data records
Fareshare Midlands obtains personal data (names, addresses, phone numbers, email addresses), application forms, and references and in some cases other documents from staff, volunteers and trustees. These data are stored and processed for the following purposes:
- Equal Opportunities monitoring
- Volunteering opportunities
- To distribute relevant organisational material e.g. meeting papers
The contact details of staff, volunteers and trustees will only made available to other staff, volunteers and trustees on an officially verified request/ “in the line of duty” basis. Any other information supplied on application will be kept in a secure Electronic Folders or filing cabinet and is not accessed during the day to day running of the organisation, except as needed for recruitment or operational purposes.
Contact details of staff, volunteers and trustees will not be passed on to anyone outside the organisation without their explicit consent and where officially verified as necessary by the Director and/or Senior Management Team in the Director’s absence. HR Advice will be sought incase of any issues of doubt and/or concern.
Staff, volunteers and trustees will be supplied with a copy of their personal data held by the organisation if a request is made. A separate HR data Privacy Notice is in place for the required procedure.
All confidential post must be opened by the addressee only.
Fareshare Midlands will take reasonable steps to keep personal data up to date and accurate. Personal data will be stored for 6 years after an employee, volunteer or trustee has worked for the organisation and brief details for longer.
Personal data are kept in paper-based systems and on a password-protected computer system. Paper-based data are stored in organised and secure systems.
Fareshare Midlands operates a clear desk policy at all times.
Use of Photographs
Where practicable, Fareshare Midlands will seek consent from individuals before displaying photographs in which they appear. If this is not possible (for example, a large group photo), the organisation will remove any photograph if a complaint is received. This policy also applies to photographs published on the organisations website or in the Newsletter.
External data records
Fareshare Midlands obtains personal data (such as names, addresses, and phone numbers) from Members and clients. These data are obtained, stored and processed solely to assist staff and volunteers in the efficient running of services. Personal details supplied are only used to send material that is potentially useful. Most of this information is stored on the organisation’s database.
Fareshare Midlands obtains personal data and information from clients and members in order to provide services. These data are stored and processed only for the purposes outlined in the agreement and service specification signed by the client/ member.
Personal data are collected over the phone and using other methods such as e-mail. During this initial contact, the data owner is given an explanation of how this information will be used. Written consent is not requested as it is assumed that the consent has been granted when an individual freely gives their own details.
Personal data will not be passed on to anyone outside the organisation without explicit consent from the data owner unless there is a legal duty of disclosure under other legislation, in which case the Project Manager will discuss and agree disclosure with the Chair of Trustees. Contact details held on the organisation’s database may be made available to groups/ individuals outside of the organisation. Individuals are made aware of when their details are being collected for the database and their verbal or written consent is requested.
Only the organisation’s relevant staff, volunteers and trustees will normally have access to personal data. All staff, volunteers and trustees are made aware of the Data Protection
Policy and General Data Protection Regulation (GDPR) and their obligation not to disclose personal data to anyone who is not supposed to have it. Information supplied is kept in a secure filing, paper and electronic system and is only accessed by those individuals involved in the delivery of the service. Information will not be passed on to anyone outside the organisation without their explicit consent, excluding statutory bodies e.g. the Inland Revenue. Individuals will be supplied with a copy of any of their personal data held by the organisation if a request is made. All confidential post must be opened by the addressee only.
Fareshare Midlands continues to take reasonable steps to keep personal data up to date and accurate.
Personal data will be stored for as long as the data owner/ client/ member uses our services and normally longer. Where an individual ceases to use our services and it is not deemed appropriate to keep their records, their records will be destroyed. However, unless we are specifically asked by an individual to destroy their details, we will normally keep them on file for future reference. If a request is received from an organisation/ individual to destroy their records, we will remove their details from the database and request that all staff holding paper or electronic details for the organisation destroy them. This work will be carried out by the Information Officer.
This procedure applies if Fareshare Midlands is informed that an organisation ceases to exist.
Personal data may be kept in paper-based systems and on a password-protected computer system. Paper-based data are stored in organised and secure systems.
Fareshare Midlands operates a clear desk policy at all times.
Use of Photographs
Where practicable, Fareshare Midlands will seek consent of members/ individuals before displaying photographs in which they appear. If this is not possible (for example, a large group photo), the organisation will remove any photograph if a complaint is received. This policy also applies to photographs published on the organisation’s website or in the Newsletter.
Disclosure and Barring Service
Fareshare Midlands will act in accordance with the DBS code of practice. Only Certificate numbers of any DBS checks will be held by FSM on the HR Breathe Database, in line with the timelines in the HR Data Privacy Notice and Retention of Records schedule.
Responsibilities of staff, volunteers and trustees
During the course of their duties with Fareshare Midlands, staff, volunteers and trustees will be dealing with information such as names/addresses/phone numbers/e-mail addresses of members/clients/volunteers i.e. for legitimate business purpose only. They may be told or
overhear sensitive information while working for Fareshare Midlands. The Data Protection Act (1988) gives specific guidance on how this information should be dealt with.
In short to comply with the law, personal information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. Staff, paid or unpaid must abide by this policy.
To help staff, volunteers, trustees meet the terms of the Data Protection Act; staff, volunteers and trustees are asked to confirm that they have understood their responsibilities as part of the employment contract, induction programme and sign on their volunteer agreement that have understood their responsibilities. The HR Data Privacy Notice is issued with the recruitment paperwork.
Compliance with the Act is the responsibility of all staff, paid or unpaid. Fareshare Midlands will regard any unlawful breach of any provision of the Act by any staff, paid or unpaid, as a serious matter which will result in disciplinary action. Any employee who breaches this policy statement will be dealt with under the disciplinary procedure which may result in dismissal for gross misconduct. Any such breach could also lead to criminal prosecution.
Any questions or concerns about the interpretation or operation of this policy statement should in the first instance be referred to the team Senior Manager, in the first instance.
Breach of data Security
If FSM discovers that there has been a breach of HR-related personal data that poses a risk to the rights and freedoms of an individual(s), it will report it to the Information Commissioner within 72 hours of discovery. FSM will record all data breaches regardless of their effect.
If the breach is likely to result in a high risk to the rights and freedoms of an individual(s), it will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.
Retention of Data
No documents will be stored for longer than is necessary.
All documents containing personal data will be disposed of securely in accordance with the Data Protection principles.
Questions about this Policy or requests for further information, should be directed to firstname.lastname@example.org
Date last reviewed - July 2021