Data Protection and General Data Protection Regulation Policy

(GDPR)

Introduction

1.1 The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA) constitute the legal framework for data protection in the United Kingdom. These laws protect personal privacy and uphold individuals’ rights regarding their personal data. They apply to all organisations that handle personal data, including charities. This policy is designed to ensure that personal information is processed properly and securely, in compliance with these laws. It covers all personal data, irrespective of how it is processed, recorded or stored, and applies to both paper files and electronic data.

1.2 The UK GDPR is derived from the EU GDPR (Regulation (EU) 2016/679) but has been adapted to fit the UK context following Brexit. It aims to protect the data privacy of individuals in the UK and to reshape the way organisations across the UK approach data privacy. The Data Protection Act 2018 supplements the UK GDPR, detailing how data is to be protected and providing exemptions in certain cases. Together, they provide a comprehensive framework for data protection in the UK, enhancing individuals’ rights over their personal data and streamlining the data protection landscape for organisations within the UK.

1.3 These regulations encompass both manual (written) and electronic (computerised) personal data. They guarantee individuals’ rights to access and review personal data held about them, ensuring transparency and accountability in data processing activities.

1.4 It is important to note that the Regulations also cover records relating to staff, volunteers and work placements.

1.5 All Here4horses volunteers are required to follow this policy at all times.

1.6 The Chair of Trustees is the Volunteer Data Protection Officer and has overall responsibility for data protection within Here4horses, but each individual processing data is acting on the controller’s behalf and therefore has a legal obligation to adhere to the Regulations.

Definitions

2.1 Processing of information – any operation performed on personal data, including collecting, recording, storing, using, sharing and erasing it.

2.2 Information Commissioner – formerly known as the Data Protection Commissioner.

2.3 Notification – formerly known as Registration. The separate notification regime has been replaced by the requirement to pay the Information Commissioner’s data protection fee unless an exemption applies.

2.4 Data Subject – used to denote an individual about whom data is held.

2.5 Data Controller – used to denote the entity with overall responsibility for data collection and management.  Here4horses is the Data Controller for the purposes of the Act.

2.6 Data Processor – a separate organisation or person that processes personal data on behalf of, and on the instructions of, the Data Controller (for example an IT support or fundraising platform provider). Volunteers handling data for Here4horses act under the Controller’s authority and are not processors in this sense.

2.7 Personal data – any information relating to a living individual who can be identified from it, either directly or in combination with other information.

2.8 Special categories of personal data – information which the Regulations allow to be processed only where an additional condition is met; under this policy that condition is the individual’s explicit consent for it to be held by the Charity.

Data Protection Principles

As data controller, Here4horses is required to comply with the principles of good information handling.

3.1 These principles require the Data Controller to:

• Process personal data fairly, lawfully and in a transparent manner.

• Obtain personal data only for one or more specified and lawful purposes and to ensure that such data is not processed in a manner that is incompatible with the purpose or purposes for which it was obtained.

• Ensure that personal data is adequate, relevant and not excessive for the purpose or purposes for which it is held.

• Ensure that personal data is accurate and, where necessary, kept up-to-date.

• Ensure that personal data is not kept for any longer than is necessary for the purpose for which it was obtained.

• Ensure that personal data is kept secure.

• Be able to demonstrate compliance with these principles (accountability).

Consent Management

This section of the policy outlines the procedures for obtaining, recording, managing, and withdrawing consent at Here4horses. 

4.1 Prior to obtaining consent, Here4horses staff and volunteers are to ensure that all individuals are fully informed about the purposes for which their data will be used, how it will be managed, and their rights regarding their data. This information will be presented in clear, straightforward language accessible to all.

4.2 Consent at Here4horses is always provided freely and without any undue incentives. Individuals are informed that they have the right to withhold or withdraw consent at any time.

4.3 For special categories of personal data, Here4horses requires explicit consent, and this consent is recorded.

4.4 Here4horses maintains detailed records of all consents obtained, documenting the individual’s name, date of consent, method through which consent was obtained, and a copy of the information provided at the time of consent.

4.5 Consent records are stored securely in compliance with GDPR requirements, ensuring protection against unauthorised access and data breaches.

4.6 Here4horses will periodically review consents to ensure they remain valid and reflect current data processing activities. This includes checking for changes in the purpose or scope of data use, necessitating renewed consent.

4.7 Here4horses provides a straightforward process for individuals to withdraw their consent at any time, detailed on our website and within our data privacy notices. 

4.8 Here4horses must record members’ explicit consent to storing certain information (known as ‘personal data’ or ‘special categories of personal data’) on file. Where consent is given online, it is recorded in Peoples Fundraising.

4.9 For the purposes of the Regulations, personal data and special categories of personal data held about members, volunteers, donors and other individuals cover information such as the following.

Personal data (a lawful basis is required; consent is not always needed, see 4.10):

• Name, address and contact details

• Online identifiers such as an IP address

Special categories of personal data (explicit consent is required under this policy):

• Racial or ethnic origin

• Religious or philosophical beliefs, political opinions and trade union membership

• Physical or mental health or condition

• Sex life or sexual orientation

• Genetic and/or biometric data which can be used to identify an individual

Criminal offence data (handled with the same safeguards as special categories):

• The commission or alleged commission by a member of any offence, and any related proceedings

4.10 Consent is not required to hold personal data that is not special category data, provided that only accurate data necessary for a service to be provided is recorded; such processing relies on a lawful basis other than consent (for example, that it is necessary to provide the service).

4.11 As a general rule, Here4horses will always seek consent where personal or special categories of personal information are to be held.

4.12 Consent obtained for one purpose cannot automatically be applied to all uses e.g. where consent has been obtained from a Donor in relation to information needed for the provision of tickets for an event, separate consent would be required if, for example, direct marketing of products were to be undertaken.

4.13 Written consent is preferred. Verbal consent is acceptable as a minimum only where it is recorded at the time (who gave it, when, to whom and for what purpose), since Here4horses must be able to demonstrate that consent was given.

4.14 Specific consent for use of any photographs and/or videos taken should be obtained ideally in writing.  Such media could be used for, but not limited to, publicity material, press releases, social media, and website.  Consent should also indicate whether agreement has been given to their name being published in any associated publicity.  If the subject is less than 18 years of age then parental/guardian consent should be sought.

4.15 Individuals have a right to withdraw consent at any time.  

Ensuring the Security of Information

5.1 Under the Data Protection Act 2018 it is a criminal offence to knowingly or recklessly obtain or disclose personal data without the consent of the Data Controller.

5.2 Individuals may also consent for us to share personal or special categories of personal information with other helping agencies on a need to know basis.

5.3 An individual’s consent to share information should always be checked before disclosing personal information to another agency.

5.4 Where such consent does not exist information may only be disclosed if it is in connection with criminal proceedings or in order to prevent substantial risk to the individual concerned. In either case permission of the Chief Executive or Data Protection Officer should first be sought.

5.5 Personal information should only be communicated within Here4horses’s volunteer team on a strict need to know basis. Care should be taken that conversations containing personal or special categories of personal information may not be overheard by people who should not have access to such information.

Physical Paperwork, Files including Disposal

6.1 In order to prevent unauthorised access, accidental loss or damage to personal information, care must be taken to protect personal data. Paper records should be kept in locked cabinets/drawers overnight, and personal and special categories of personal information should not be left unattended and in clear view during the working day.

6.2 If your work involves you having personal and/or special categories of personal data at home or in your car, the same care needs to be taken.

6.3 Be aware that names/addresses/phone numbers and other information written on scrap paper are also considered to be confidential.  Please do not keep or use any scrap paper that contains personal information but ensure that it is placed into confidential waste. If you are transferring papers from your home, or an individual’s home, to the office for shredding this should be done as soon as possible and not left in a car for a period of time. When transporting documents, they should be carried out of sight in the boot of your car.

Devices

7.1 Where computers are networked, access to personal and special categories of personal information is restricted by password to authorised personnel only.  

7.2 Computer monitors in the reception area, or other public areas, should be positioned in such a way so that passers-by cannot see what is being displayed.  

7.3 Computers must be locked whenever they are left unattended.

7.4 Firewalls and anti-virus protection are to be employed at all times, and software kept up to date, to reduce the possibility of attackers accessing our systems and thereby obtaining access to confidential records.

7.5 Multi-Factor Authentication (MFA). MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber attack.

7.6 MFA is to be used on all Here4horses devices and when accessing work-related documents or emails on personal devices. A record of such devices and their operating systems is to be held by Here4horses’s Data Protection volunteer.

7.7 Documents should only be stored on the server or cloud-based systems and not on individual computers.  

7.8 Where computers or other mobile devices are taken for use off the premises, the device must be protected by a password or PIN and its storage encrypted, so that the data cannot be read if the device is lost or stolen (a lock-screen password alone does not protect data on an unencrypted disk).

Direct Marketing

8.1 Direct Marketing is a communication that seeks to obtain a measurable fundraising response (such as a donation, a visit to a website, sign up to Gift Aid, etc.).  The communication may be in any of a variety of formats including mail, telemarketing and email.  The responses should be recorded to inform the next communication.  Here4horses will not share or sell its database(s) with outside organisations.  

8.2 Here4horses holds information on our volunteers, sponsors, donors and other stakeholders, to whom we will from time to time send copies of our newsletters, events and details of other activities that may be of interest to them. Specific consent to contact will be sought first, including which formats they prefer (e.g. mail, email, phone), before any communications are made.

8.3 We recognise that supporters, volunteers and stakeholders for whom we hold records have the right to unsubscribe from our mailing lists.  This will be recorded and they will be excluded from future contacts.

Privacy Statements

9.1 Any documentation which gathers personal and/or special categories of personal data should contain the following Privacy Statement information:

• Explain who we are

• What we will do with their data

• Who we will share it with

• Consent for marketing notice

• How long we will keep it for

• That their data will be treated securely

• How to opt out

• Where they can find a copy of the full notice

9.2 The full Privacy Statement will be published on our website.

Personnel Records

10.1 The Regulations apply equally to volunteer and staff records. Here4horses may at times record special categories of personal data with the volunteer’s consent or where required under a staff member’s contract of employment.

10.2 For staff and volunteers who are regularly involved with vulnerable adults, it is necessary for Here4horses to apply to the Disclosure & Barring Service (DBS) to request a disclosure of spent and unspent convictions, as well as cautions, reprimands, and final warnings held on the police national computer. This sensitive information is handled in strict accordance with the DBS Code of Practice.

Access Control:

10.3 System Access: Only the Trustee leadership team will be authorised to access the DBS system and view reports generated within. These reports are comprehensive and facilitate initial assessments regarding the suitability of personnel for their respective roles.

10.4 Certificate Access: Direct access to DBS certificates, which contain detailed personal data, is restricted to members of the Trustee Leadership Team. This access is not available through the DBS system but managed directly to ensure heightened security and compliance with GDPR guidelines.

10.5 Exclusions: The Volunteer Team do not have access to the physical DBS certificates or detailed data therein, which ensures a higher level of data protection and integrity by limiting exposure to sensitive information.

10.6 These measures are designed to uphold the security and confidentiality of personal data as required under the GDPR and to ensure that only appropriately authorised personnel have access to specific types of sensitive information.

Confidentiality

11.1 To protect personal data under GDPR, volunteers must follow these security measures when accessing sensitive information, especially on unsecured networks:

11.1.1 Always use a Virtual Private Network (VPN) to establish an encrypted connection when accessing sensitive data from outside secure networks. A VPN protects data in transit; it does not protect a device that is already compromised or left unlocked.

11.1.2 Only connect to websites and services over HTTPS, which runs HTTP over TLS so that data is encrypted and its integrity checked between the user’s computer and the site. Check for the padlock or https:// in the address bar before entering any personal data, and never click through a certificate warning to reach a site that handles personal data.

11.1.3 Minimise Public WiFi Use: Avoid using public WiFi for handling sensitive data. If necessary, ensure a VPN is active.

11.2 When sending emails to outside organisations, remove identifying data and use codes (e.g. initials) instead. Confidential and/or special categories of personal information should be written in a separate document which is password protected (encrypted) before sending; send the password by a separate channel, such as a phone call or text message, and never in the same email as the document. Wherever possible, the document should be watermarked ‘confidential’.

11.3 Any paperwork kept away from the office should be treated as confidential and kept securely as if it were held in the office.  Documents should not be kept in open view but kept in a file in a drawer or filing cabinet as examples, the optimum being a locked cabinet but safely out of sight is a minimum requirement.

Retention of Records

12.1 Paper records should be retained for the following periods, at the end of which they should be shredded; electronic copies of the same records should be deleted at the same time:

12.1.1 Staff records – 7 years after ceasing to be a member of staff.

12.1.2 Unsuccessful staff application forms – 3 months after vacancy closing date.

12.1.3 Volunteer records – 7 years after ceasing to be a volunteer.

12.1.4 Financial documents are retained for the following periods:

• Timesheets: 7 years.

• Invoices and Receipts: 10 years.

• Bank Statements and Transaction Records: 10 years.

• Annual Financial Statements and Audit Reports: Permanently.

• Grant Applications and Agreements: Retain for 7 years after the conclusion of the grant period.

Data Monitoring and Reporting

13.1 Here4horses’s IT provider and Trustees are responsible for monitoring access to all systems on which users have an account. A formalised starters and leavers process supports this, so that accounts are created on joining and removed promptly on leaving.

13.2 Reports of data security and protection breaches are monitored by Here4horses’s IT provider and by anti-virus software. In the event of a data breach, follow the IT provider’s or platform’s guidance together with the steps in section 18 of this policy.

Strategy for Systems

14.1 Here4horses uses cloud-based systems which apply periodic updates automatically. Here4horses’s IT support provider completes regular maintenance updates for users and administrators.

Software Installation and Use

15.1 Only authorised consultants are allowed to install or update software on organisational devices. 

Authentication and Access Control

16.1 Multi-Factor Authentication (MFA) is required for accessing any organisational systems and data, using one of the following authenticator apps:

16.1.1 Google Authenticator: generates a time-based one-time passcode (TOTP), a six-digit code derived from a secret shared at enrolment and the current 30-second time window, which users must enter in addition to their password to gain access to systems. The app works offline. Because every code is derived from the enrolment secret, the QR code or key shown at setup must be treated as a credential and not kept in email or screenshots.

16.1.2 Microsoft Authenticator: offers the same time-based passcodes and can also send a push notification to approve a sign-in. Approve a push prompt only for a sign-in you have just started yourself; an unexpected prompt should be denied and reported, since an attacker holding a stolen password relies on users approving prompts they did not initiate.

16.2 As part of the onboarding process, new volunteers who require IT access must set up MFA before access is granted.

16.3 During setup, a lead volunteer can provide instructions on downloading and configuring the Authenticator app of their choice (Google or Microsoft) on their mobile device.

16.4 A test authentication will be performed to ensure the setup is successful and the volunteer understands how to use it.

16.5 Authentication factors may need to be revoked in various scenarios such as volunteer departure, loss of a device, or suspected compromise of authentication credentials.

16.6 The need to revoke an authentication factor must be communicated and agreed upon with the Data Protection Officer.

16.7 The revocation process must be carried out by the Data Protection Officer or consultant required to ensure that access is securely terminated.

16.8 A record of all revocations, including the reason and the date of revocation, will be maintained for audit and security purposes.

In the event of a security breach or loss of a device, volunteers are required to report the incident immediately to the Chair of Trustees (Data Protection Officer). The relevant authentication factors will be revoked and reissued as necessary to prevent unauthorised access.
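The following is an added example, not code from Here4horses or from the authenticator vendors named above. It shows what a time-based one-time passcode actually is (RFC 6238 TOTP, the scheme both Google Authenticator and Microsoft Authenticator use, built on RFC 4226 HOTP with HMAC-SHA1, a 30-second step and 6 digits) and how the service side enforces the revocation and replay rules described in 16.5 to 16.8. The record structure `EnrolledFactor`, the `enrol`/`verify`/`revoke` functions and the volunteer address are hypothetical names chosen for the example; the only external dependency is the Python standard library.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# RFC 6238 defaults, which are also what Google/Microsoft Authenticator use for
# TOTP enrolments: HMAC-SHA1, a 30-second time step and 6-digit codes.
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step (Unix time // step)."""
    return hotp(secret, int(for_time) // step, digits)


@dataclass
class EnrolledFactor:
    """Hypothetical record of one authenticator enrolment for one volunteer: the
    information the Data Protection Officer needs in order to revoke the factor."""
    user: str
    secret: bytes
    revoked: bool = False
    revocation_log: List[Tuple[str, str]] = field(default_factory=list)  # (date, reason), per 16.8
    last_step_used: int = -1  # highest time step already accepted, so a code cannot be replayed


def enrol(user: str) -> Tuple[EnrolledFactor, str]:
    """Generate a fresh 160-bit secret; the base32 form is what the app's QR code carries."""
    secret = os.urandom(20)
    return EnrolledFactor(user, secret), base64.b32encode(secret).decode()


def verify(factor: EnrolledFactor, code: str, now: Optional[float] = None, window: int = 1) -> bool:
    """Accept a code for the current step or `window` steps either side (clock drift),
    refuse a revoked factor, and refuse any time step that has already been consumed."""
    if factor.revoked:
        return False
    step = int(now if now is not None else time.time()) // STEP_SECONDS
    for candidate in range(step - window, step + window + 1):
        if candidate <= factor.last_step_used:
            continue  # this step (or an earlier one) was already used: treat as replay
        if hmac.compare_digest(hotp(factor.secret, candidate), code):
            factor.last_step_used = candidate
            return True
    return False


def revoke(factor: EnrolledFactor, reason: str, when: Optional[str] = None) -> None:
    """Revoke the factor (volunteer departure, lost device, suspected compromise) and log why."""
    factor.revoked = True
    factor.revocation_log.append((when or time.strftime("%Y-%m-%d"), reason))


if __name__ == "__main__":
    # Hypothetical enrolment: the volunteer would scan this secret into their app.
    factor, provisioning_secret = enrol("volunteer@example.org")
    print("Base32 secret for the authenticator app:", provisioning_secret)
    print("Code the app would show right now:", totp(factor.secret, time.time()))
```

The verifier accepts one step either side of the current time to tolerate clock drift on the phone, but records the step it accepted so that a code captured over someone’s shoulder cannot be reused within that same window; after `revoke` every code is rejected regardless of correctness, which is the property 16.7 relies on when a device is lost.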

16.9 All relevant volunteers will receive training on the importance of MFA and how to manage their authentication factors securely. This training will be part of the initial security training during onboarding and included in annual security refreshers.

What is a Data Breach?

Data breaches can occur in various forms and affect different types of data. Here are some common examples:

• Hacking or Cyberattacks: Cybercriminals gain unauthorised access to a system or network to steal sensitive data. This could be through methods like phishing, malware, ransomware, or exploiting security vulnerabilities.

• Insider Threats: Staff, volunteers or contractors misuse their access to steal, alter, or destroy data. This can be intentional (malicious insiders) or accidental (due to carelessness or lack of training).

• Lost or Stolen Devices: Devices such as laptops, smartphones, or external hard drives containing sensitive information are lost or stolen, potentially exposing the data they contain.

• Accidental Exposure: Sensitive data is accidentally exposed due to human error, such as sending an email containing personal data to the wrong recipient or misconfiguring databases so they are accessible online.

• Physical Theft or Loss: Physical theft of documents, hard drives, or other media containing personal data from an office, car, or home.

• Third-Party Vendors: Data breaches occurring at third-party service providers or vendors that have access to Here4horses’s data. This can be due to their own security failures.

• Unauthorised Access: Unauthorised individuals gain access to sensitive data due to weak authentication processes or compromised credentials.

• Improper Disposal: Sensitive data is not properly destroyed or disposed of, such as failing to shred confidential documents or securely erase data from decommissioned computers.

• Social Engineering Attacks: Attackers use deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

• Software Flaws: Exploiting software vulnerabilities that haven’t been patched or updated can lead to unauthorised access and data leakage.

• Credential Stuffing: Using stolen account credentials (obtained from a different breach) to gain unauthorised access to user accounts on other platforms.

What to Do If There Is a Breach

18.1 The Data Protection Officer should be informed of the breach, action taken and outcomes to determine whether it needs to be reported to the Information Commissioner and also for reporting to the Board of Trustees. There is a time limit for reporting breaches to the ICO, so the Data Protection Officer should be informed without delay. The Data Protection Officer will complete the following steps:

• As soon as a data breach is discovered, it’s crucial to act immediately. This involves stopping the breach from continuing or spreading, which might include isolating affected systems, revoking access, or taking compromised systems offline.

• Conduct a thorough investigation to understand the nature and extent of the breach. This involves identifying what data was involved, how the breach occurred, and which systems or data sets were affected.

• UK GDPR requires that a personal data breach likely to result in a risk to the rights and freedoms of individuals be reported to the ICO within 72 hours of becoming aware of it (the clock runs from awareness, not from when the breach occurred). If the breach poses a high risk to individuals’ rights and freedoms, the affected individuals must also be informed without undue delay. Clear, concise, and honest communication is key.

• The data breach, including the facts surrounding the breach, its effects, and the remedial actions taken must be kept on file. This is important for compliance purposes and for learning from the incident.

18.2 Steps should be taken to secure systems and prevent further unauthorised access. This might involve working with cybersecurity experts, updating software, changing passwords, or implementing new security measures.

18.3 Evaluation of how the breach occurred and why the existing measures didn’t prevent it. This should involve a thorough review of this policy and security measures as well as any Business Continuity Plan.

18.4 Here4horses Data lead to regularly review Trustee and Volunteer training to ensure GDPR training has been completed, understood and implemented. 

18.5 Implement ongoing monitoring to detect future breaches more quickly. This can involve regular audits, updating software and systems, and staying informed about new cybersecurity threats. This is to be conducted by our IT Consultant and Website provider. 

18.6 Keep all relevant parties informed throughout the process. This includes internal teams, external partners, and potentially supporters or donors.

18.7 Any deliberate or reckless breach of this policy by a volunteer may result in action and could therefore result in dismissal from the Charity.

The Rights of an Individual

19.1 Under the Regulations an individual has the following rights with regard to those who are processing data:

19.1.1 Personal data cannot be processed without a lawful basis, and special categories of personal data cannot be held without the individual’s explicit consent (see 4.3 and 4.10).

19.1.2 Data cannot be used for the purposes of direct marketing of any goods or services if the Data Subject has declined their consent to do so.

19.1.3 Individuals have a right to have their data erased and to prevent processing in specific circumstances:

• Where data is no longer necessary in relation to the purpose for which it was originally collected

• When an individual withdraws consent

• Personal data was unlawfully processed.

19.1.4 An individual has a right to restrict processing – where processing is restricted, Here4horses is permitted to store the personal data but not further process it.  Here4horses can retain just enough information about the individual to ensure that the restriction is respected in the future.

19.2 Here4horses will not undertake direct telephone marketing activities under any circumstances.

19.3 Data Subjects can ask, in writing to the Data Protection Officer, to see all personal data held on them, including e-mails and computer or paper files. As Data Controller, Here4horses must respond to such a request without undue delay and at the latest within one month of receipt; this may be extended by up to two further months for complex or numerous requests, provided the individual is told of the extension within the first month.

Powers of the Information Commissioner

20.1 The following are criminal offences, which could give rise to a fine and/or prison sentence:

• The unlawful obtaining of personal data.

• The unlawful selling of personal data.

• The unlawful disclosure of personal data to unauthorised persons.

Details of the Information Commissioner

21.1 The Information Commissioner’s office is at:Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

21.2 Data Protection Helpline: 0303 123 1113

21.3 Email: use the contact details published on the ICO website (the former mail@ico.gsi.gov.uk address is no longer in use)

21.4 Further information is available at www.ico.org.uk

Annex One – Here4horses Data Sharing Procedure

Objective

This procedure outlines the steps for secure data sharing across all partnerships and projects managed by Here4horses, ensuring compliance with GDPR and robust data management practices, including the use of secure technology and privacy procedures.

Partners are required to password-protect any sensitive documents before sharing them via email or other file-sharing methods.

Passwords for accessing these documents will be transmitted through a separate, secure channel, never in the same message as the document itself.

General Data Sharing Guidelines

Consent must be obtained from participants for the collection and sharing of their data, clearly explaining the purpose of the processing.

Adherence to data retention policies ensures data is kept only as long as necessary for its intended use.

Here4horses will cooperate with any audit of our data sharing practices to maintain compliance with GDPR and other relevant data protection laws.

Integration of Here4horses’s Privacy Statement

In conjunction with the data sharing procedure, Here4horses’s Privacy Statement provides a detailed overview of our commitment to data privacy, outlining how personal data is collected, used, protected, and the rights of individuals in relation to their data.

This statement reinforces our dedication to transparency, security, and compliance in all data handling processes. 

Responsibilities of Project Leads

To prioritise the security and confidentiality of all data we hold. Restricted access controls are in place to ensure that only Volunteers who are directly involved with funded projects have access to the data for reporting purposes. These measures are designed to prevent unauthorised access and ensure that our handling of personal and sensitive information is in compliance with GDPR and other relevant data protection laws. 

Our Volunteers are trained on data protection principles and practices, reinforcing our commitment to safeguarding the privacy and rights of the individuals whose data we manage. 

To maintain a robust framework of policies and procedures to manage and monitor access, ensuring that data is not only secure but also handled in a manner that respects the privacy and confidentiality of the information entrusted to Here4horses. 

Enhanced Data Security Processes include:  

Incident Response Plan

Here4horses has established a comprehensive Incident Response Plan. Should any breach of personal data occur, it will be reported in accordance with our GDPR policy and relevant regulatory requirements. This includes notifying the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, as well as communicating with affected individuals without undue delay if the breach poses a high risk to their rights and freedoms.

Data Deletion Protocols

Personal data collected as part of funded projects will be securely deleted 5 years from the project completion date, unless otherwise stated in the funding terms and conditions. This timeframe allows us to fulfil any project reporting requirements while ensuring that we do not retain personal information longer than necessary. Our procedure uses deletion methods that render the data unrecoverable: for data held in cloud systems this means removing it from the platform, including copies in shared folders and exports, and allowing for the provider’s own backup retention period; for local devices and media it means secure erasure or physical destruction rather than ordinary deletion, which only removes the reference to the file.

Acknowledgment

By participating in any partnership or project with Here4horses, partners agree to adhere to data sharing protocols and the principles outlined in the Here4horses’s Privacy Statement, ensuring a cooperative effort in protecting the privacy and security of all individuals involved in the project.

Annex Two – Data Privacy Statement

Data Privacy Statement 

Here4horses is committed to protecting the privacy and security of personal information. This statement outlines how we collect, use, and safeguard the personal data of participants involved in Here4horses activities, in compliance with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).

Data Controller

Here4horses is the Data Controller, responsible for deciding how personal data is processed; the Chair of Trustees, as Data Protection Officer, is the point of contact for data protection matters. This privacy notice applies before, during, and after your involvement in Here4horses activities and funded projects.

Purpose of Data Collection

The data collected is essential for delivering our services and managing our duties effectively. It also aids in reporting outcomes to our core funders, ensuring accountability and transparency in our operations.

Types of Data Processed

Identifying Information: This includes your name, address, contact details (telephone numbers and email address). This information will not be shared with our core funder without your explicit consent.

Sharing and Processing of Data

Personal data collected through Here4horses will be processed primarily for administrative, analytical purposes, and to fulfil our obligations to you. 

Third-Party Sharing

Your personal data may be shared with third-party providers involved in the Charity’s activities, including but not limited to:

• Other Welfare Organisations

• Governmental bodies like HMRC regarding Gift Aid 

All third-party providers are obligated to take appropriate security measures to protect your data and comply with our data protection policies.

Data Retention

Your personal data will be retained for as long as necessary to fulfil the purposes it was collected for, as outlined in this policy.

Your Rights

Under the GDPR, you have rights regarding your personal data, including access, correction, removal, and the right to object to processing. You can withdraw consent at any time by contacting us in writing.

Consent

Participation in the Charity’s activities or projects does not by itself amount to consent. Where Here4horses relies on consent to process your personal data, it will ask for that consent expressly and record it, and it will always seek explicit consent for special categories of personal data. Other processing described in this statement is carried out because it is necessary to deliver the activities and services described above.

Updates to the Privacy Statement

We reserve the right to update this privacy statement at any time. Significant changes will be communicated to you directly.