SYEP (Sprowston Youth Engagement Project) Data Protection Policy
SYEP is required to process relevant personal data regarding young people, their parents, volunteers, sessional workers, committee members and trustees, as part of its operation and shall take all reasonable steps to do so in accordance with this Policy.
SYEP shall so far as is reasonably practicable comply with the Data Protection Principles contained in the General Data Protection Regulation (GDPR) from 25 May 2018 to ensure all data is:-
- Fairly and lawfully processed • Processed for a lawful purpose • Adequate, relevant and not excessive • Accurate and up to date • Not kept for longer than necessary • Processed in accordance with the data subject’s rights • Secure • Not transferred to other countries without adequate protection.
Data Protection Policy
Personal data covers both facts and opinions about an individual where that data identifies an individual. For example, it includes information necessary for employment such as the member of staff’s name and address and details for payment of salary. Personal data may also include sensitive personal data as defined in the Act.
Processing of Personal Data
Consent will be required for the processing of personal data, unless processing is necessary for the performance of the contract of employment. Any information which falls under the definition of personal data and is not otherwise exempt, will remain confidential and will only be disclosed to third parties with appropriate consent.
If a member wishes to revoke or change consent they must agree a specific agreement on how their data is to be processed with the data processor.
SYEP processes some personal data for advertising, making parents aware of activities and for fund-raising purposes. Data subjects have the right to request an opt-out to these activities, which must be respected.
Sensitive Personal Data
SYEP may, from time to time, be required to process sensitive personal data. Sensitive personal data includes data relating to medical information, gender, religion, race, sexual orientation, trade union membership and criminal records and proceedings. (Data Protection Act 1998)
Rights of Access to Information
Data subjects have the right of access to information held by the SYEP, subject to the provisions of the Data Protection Act 1998 and the Freedom of Information Act 2000. Any data subject wishing to access their personal data should put their request in writing to SYEP. The information will be imparted to the data subject as soon as is reasonably possible after it has come to SYEP’s attention in compliance with the Data Protection Policy 2017.
Certain data is exempted from the provisions of the Data Protection Act which includes the following:-
- National security and the prevention or detection of crime
- The assessment of any tax or duty
- Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon SYEP, including Safeguarding.
Any further information on exemptions should be sought from the DPC.
SYEP will endeavour to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify the data processor of any changes to information held about them. Data subjects have the right in some circumstances to request that inaccurate information about them is erased.
If an individual believes that SYEP has not complied with this Policy or acted otherwise than in accordance with the Data Protection Act, the member or member of staff should contact the administrator in the first instance. If not satisfied with the response or if in need of any advice the Information Commissioner’s Office (ICO) should be contacted.
SYEP will take appropriate technical and organisational steps to ensure the security of personal data.
All sessional workers, trustees and volunteers will be made aware of this policy and their duties under the Act.
SYEP, Sessional Workers, trustees and volunteers are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to all personal data.
An appropriate level of data security must be deployed for the type of data and the data processing being performed. In most cases, personal data must be stored in appropriate systems and be encrypted when transported offsite.
SYEP must ensure that data processed by external processors, for example, service providers, Cloud services including storage, web sites etc. are compliant with this policy and the relevant legislation.
When data held in accordance with this policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction.
Retention of Data
SYEP will only create and retain personal data where absolutely necessary. Regular reviews of files will be held and unnecessary or obsolete data will be systematically destroyed.
Data may be retained for differing periods of time for different purposes as required by statute or best practices. Other statutory obligations, legal processes and enquiries may also necessitate the retention of certain data.
SYEP may store some data such as registers, photographs, books and records etc. indefinitely in its archive.