The Compass GDPR & Data Protection Policy

1. Data Protection Policy statement

The Compass holds and processes personal data about people (data subjects) to enable the charity to meet its charitable objects and to carry out its administration and communication.

The Compass is committed to protecting personal data and respecting the rights of our data subjects: the people whose personal data we collect and use. We value the personal information entrusted to us, and we respect that trust by complying with all relevant laws and adopting good practice.

We process personal data to help us:

a) maintain our lists of staff and volunteers so that we can communicate with them effectively

b) provide signposting and/or direct intervention to individuals or families who have been referred or have self-referred

c) safeguard children, young people and adults at risk

d) recruit, support and manage staff and volunteers

e) maintain our accounts and records

f) promote our services

g) respond effectively to enquirers and handle any complaints

The Charity Trustees are responsible for ensuring that we comply with our legal obligations.

2. Why this policy is important

This policy sets out the measures we are committed to taking as an organisation to protect, keep safe and ensure accuracy of personal data and what each of us should do to ensure we comply with the relevant legislation.

We will make sure that all personal data is processed in line with the Data Protection Principles which in summary form state that personal data shall be:

a) processed lawfully, fairly and in a transparent manner

b) processed for specified, explicit and legitimate purposes and not in a manner that is incompatible with those purposes

c) adequate, relevant and limited to what is necessary for the purposes for which it is being processed

d) accurate and, where necessary, up to date

e) not kept longer than necessary for the purposes for which it is being processed

f) processed in a secure manner, by using appropriate technical and organisational means

g) processed in keeping with the rights of data subjects regarding their personal data

3. How this policy applies to different roles in the charity & what you need to know

3.1 As an employee, trustee or volunteer processing personal information

As an employee, trustee or volunteer processing personal information on behalf of the charity, you are required to comply with this policy. If you think that you have accidentally breached the policy it is important that you contact our Data Protection Trustee (Mark Adams) immediately so that we can take swift action to try and limit the impact of the breach.

Anyone who breaches the Data Protection Policy and Practice may be subject to disciplinary action, and where that individual has breached the policy intentionally, recklessly, or for personal benefit they may also be liable to prosecution or to regulatory action.

Before you collect or handle any personal data as part of your work (paid or otherwise) for the charity, it is important that you take the time to read this policy and practice carefully and understand what is required of you, as well as the organisation’s responsibilities when we process data.

If you are unsure about whether anything you plan to do, or are currently doing, might breach this policy and practice, you must first speak to the Data Protection Trustee.

3.2 As a co-ordinator of a group

As a co-ordinator of a group you are required to make sure that any procedures that involve personal data, that you are responsible for in your group, follow the rules set out in this Data Protection Policy and Practice.

3.3 As the Data Protection Trustee

Our Data Protection Trustee (Mark Adams) is responsible for advising the charity and its staff and members about their legal obligations under data protection law, monitoring compliance with data protection law, dealing with data security breaches and with the development of this policy and practice.

4. Training and guidance

We will provide training as required for all people processing personal information on behalf of the charity to raise awareness of their obligations and our responsibilities.

5. What personal information do we process?

There are two categories of information that the charity processes.

5.1 Personal data

Personal data is information relating to a living individual who can be identified from that data. Personal data can be factual, such as name, address or date of birth, or it can be opinion, such as a performance appraisal. It includes images of individuals provided the image is clear enough for particular individuals to be identified.

5.2 Sensitive Personal Data

Sensitive personal data includes information about a person’s: racial or ethnic origin; political opinions; religious or similar (e.g. philosophical) beliefs; trade union membership; health (including physical and mental health, and the provision of health care services); genetic data; biometric data; sexual life and sexual orientation.

6. How we follow the data protection principles

6.1 Personal data is processed lawfully, fairly and in a transparent manner

Processing of personal data must meet a legal condition and must be performed transparently i.e. we provide people with an explanation of how and why we process their personal data at the point we collect data from them, as well as when we collect data about them from other sources.

Processing of personal data is only lawful if at least one of these legal conditions is met:

a) the processing is necessary for a contract with the data subject;

b) the processing is necessary for us to comply with a legal obligation;

c) the processing is necessary to protect someone’s life (this is called “vital interests”);

d) the processing is necessary for us to perform a task in the public interest, and the task has a clear basis in law;

e) the processing is necessary for the legitimate interests pursued by the charity, unless these are overridden by the interests, rights and freedoms of the data subject;

f) if none of the other legal conditions apply, the processing will only be lawful if the data subject has given their clear consent.

Processing of sensitive personal data is only lawful when, in addition to the conditions above, one of these extra conditions is met:

a) the processing is necessary for carrying out our obligations under employment and social security and social protection law;

b) the processing is necessary for safeguarding the vital interests (in emergency, life or death situations) of an individual and the data subject is incapable of giving consent;

c) the processing is carried out in the course of our legitimate activities and only relates to our members or persons we are in regular contact with in connection with our purposes;

d) the processing is necessary for pursuing legal claims;

e) if none of the other legal conditions apply, the processing will only be lawful if the data subject has given their explicit consent.

The advice we have been given about groups and others within the charity sharing contact details with each other is that communications within internal groups do not involve sharing information with the charity/Trustees as the Data Controller, so would not require privacy statements or consent.

When personal data is collected directly from an individual, we will inform them in writing about the reasons for processing and the legal bases (explaining the legitimate interests where relied on), the consequences, where relevant, of not providing data needed for a contract or statutory requirement, how long the data will be stored, and the data subject’s rights. This information is provided in a ‘Privacy Notice’ and will be given at the time when the personal data is collected.

If data is collected from another source, rather than directly from the data subject, we will provide the data subject with the information described above as well as the categories of the data concerned and the source of the data. It will be provided to the individual in writing no later than 1 month after we receive the data, unless a legal exemption under the GDPR applies. If we use the data to communicate with the data subject, we will give them this information at the latest at the time of the first communication.

6.2 Personal data shall be processed for specified purposes

We will only process personal data for the specific purposes explained in our privacy notices (as described above) or for other purposes specifically permitted by law. We will explain those other purposes to data subjects, unless there are lawful reasons for not doing so.

6.3 Personal data shall be adequate, relevant and not excessive

We will only collect and use personal data that is needed for the purposes described in Section 1 above. We will not collect more than is needed to achieve those purposes.

6.4 Personal data shall be accurate

We will make sure that personal data held is accurate and, where appropriate, kept up to date.

6.5 Personal data shall not be kept longer than necessary

We will not keep personal data longer than is necessary for the purposes that it was collected for. We will comply with official guidance about retention periods for specific records.

6.6 Personal data shall be processed in a secure manner

We will use appropriate measures to keep personal data secure at all points of the processing. Keeping data secure includes protecting it from unauthorised or unlawful processing, or from accidental loss, destruction or damage.

We will implement security measures which provide a level of security which is appropriate to the risks involved in the processing.

6.7 Personal data shall be processed in keeping with the rights of data subjects

We will process personal data in line with data subjects' rights, including their right to:

a) request access to any of their personal data held by us (known as a Subject Access Request)

b) ask to have inaccurate personal data changed

c) restrict processing, in certain circumstances

d) object to processing, in certain circumstances, including preventing the use of their data for direct marketing

e) data portability, which means to receive their data, or some of their data, in a format that can be easily used by another person (including the data subject themselves) or organisation

f) not be subject to automated decisions, in certain circumstances

g) withdraw consent when we are relying on consent to process their data.

7. Direct marketing

We will comply with the rules set out in the GDPR, the Privacy and Electronic Communications Regulations (PECR) and any laws which may amend or replace the regulations around direct marketing. This includes, but is not limited to, when we make contact with data subjects by post, email, text message, social media messaging, telephone (both live and recorded calls) and fax.

8. Sharing information with other organisations

We will only share personal data with other organisations or people when we have a legal basis to do so and if we have informed the data subject about the possibility of the data being shared (in a privacy notice), unless legal exemptions apply to informing data subjects about the sharing.

We will follow the ICO’s statutory Data Sharing Code of Practice (or any replacement code of practice) when sharing personal data with other data controllers. Legal advice will be sought as required.

9. Data processors

We don’t use external companies or organisations to process personal data on our behalf.

10. Transferring personal data outside the European Union (EU)

We don’t transfer personal data outside of the EU.

11. Registration with ICO

The information processing performed by the charity is within the exemption provided by the ICO for not-for-profit organisations and so the charity does not need to register with the ICO.