General Data Protection Regulation and Data Security Policy

Statement and purpose of policy

South Bedfordshire Dyslexia Association (SBDA) is committed to ensuring that all personal information handled by us will be processed according to legal compliant standards of data protection and data security.

The purpose of this policy is to help us achieve our data protection and data security aims by:

  1. Setting out how SBDA uses and protects any personal information that we may hold about individuals
  2. Ensuring our volunteers understand our rules and the legal standards for handling personal information relating to staff and others
  3. Clarifying the responsibilities and duties of volunteers in respect of data protection and data security.

We may amend this policy at any time, at our discretion.

Responsibility for data protection and data security

Maintaining appropriate standards of data protection and data security is a collective task shared between SBDA and the volunteers. This policy and the rules contained in it apply to all volunteers of SBDA, irrespective of seniority, tenure and working hours, including all officers, trainees, and any volunteers.

Denise Taylor is appointed as the Data Protection Officer and has overall responsibility for ensuring that all personal information is handled in compliance with the law.

All volunteers have personal responsibility to ensure compliance with this policy, to handle all personal information consistently with the principles set out here and to ensure that measures are taken to protect data security. The chairman has special responsibility for leading by example and for monitoring and enforcing compliance.

Any breach of this policy will be taken seriously and may result in disciplinary action.

Personal information and activities covered by this policy

This policy covers personal information:

  1. Which relates to a living individual who can be identified either from that information in isolation or by reading it together with other information we possess
  2. Is stored electronically or on paper in a filing system
  3. In the form of statements of opinion as well as facts
  4. Which relates to volunteers (present, past or future) or to any other individual whose personal information we handle or control
  5. Which we obtain, hold or store, organise, disclose or transfer, amend, retrieve, use, handle, process, transport or destroy.

Data protection principles

Volunteers whose work involves using personal data must comply with this policy and with the legal data protection principles which require that personal information is:

  1. Processed fairly and lawfully. We must always have a lawful basis to process personal information. In most (but not all) cases, the person to whom the information relates (the Subject) must have given consent. The Subject must be told who controls the information (us), the purpose(s) for which we are processing the information and to whom it may be disclosed.
  2. Collected for specified, explicit and legitimate purposes. Personal information must not be collected for one purpose and then used for another. If we want to change the way we use personal information, we must first tell the Subject.
  3. Adequate, relevant and limited to what is necessary.
  4. Accurate and kept up to date. Regular checks must be made to correct or destroy inaccurate information.
  5. Kept for no longer than is necessary. Information must be destroyed or deleted when we no longer need it. For guidance on how long particular information should be kept, contact the Data Protection Officer.
  6. Processed in a manner that ensures appropriate security. See section on data security below.

Data subjects’ rights

SBDA will process personal data in line with data subjects’ rights. Data subjects have the right to:

  1. Be informed. About the identity and contact details of the controller/processor, the purpose and/or legal basis for processing the data, how the data is to be processed, how long the data will be kept, which parties are involved in the processing of data and the privacy policy of the controller/processor.
  2. Access. There must be a Subject Access Request process so that Subjects may request a copy of their data.
  3. Rectify incorrect personal information. Subjects must have a facility to request that incorrect information is corrected.
  4. Be forgotten. Subjects may withdraw consent and ask for personal information to be erased.
  5. Object. Subjects must be allowed to object to their personal information being processed. They must be able to opt-out if their personal information is being processed based on legitimate interests, the public interest, exercise of official authority, for direct marketing and for purposes of scientific/historical research and statistics.
  6. Restrict processing of their data. When processing is restricted, storage of the data is permitted, but further processing is not.
  7. Not have their data used for automated decision making and profiling. Such processing must have specific consent, be necessary for the performance of a contract or must be authorised by law.

Data security

We must all protect personal information in our possession from being accessed, lost, deleted or damaged unlawfully or without proper authorisation, through the use of data security measures.

Maintaining data security means making sure that:

  1. Only people who are authorised to use the information can access it
  2. Information is accurate and suitable for the purpose for which it is processed
  3. Authorised persons can access information if they need it for authorised purposes.

By law, we must use procedures and technology to secure personal information throughout the period that we hold or control it, from obtaining to destroying the information.

Personal information must not be transferred to any person to process (e.g. while performing services for us or on our behalf) unless that person has either agreed to comply with our data security procedures, or we are satisfied that other adequate measures exist.

Security procedures include:

  1. Physically securing information. Any desk or cupboard containing confidential information must be kept locked. Computers should be locked with a password or shut down when left unattended and discretion should be used when viewing personal information on a monitor to ensure that it is not visible to others.
  2. Controlling access to premises. Volunteers should report any person they do not recognise in an entry-controlled area.

Particular care must be taken by Staff who deal with telephone enquiries to avoid inappropriate disclosures. In particular:

  1. The identity of any telephone caller must be verified before any personal information is disclosed
  2. If the caller’s identity cannot be verified satisfactorily, then they should be asked to put their enquiry in writing
  3. Do not allow callers to bully you into disclosing information. In case of any problems or uncertainty, contact the Data Protection Officer.

Any personal data we control or process may be held in the following systems and locations, and we are satisfied that there are adequate data protection and data security measures in place:

  1. Chairman’s home at 29 Brandreth Avenue, Dunstable, Beds LU5 4JP
  2. British Dyslexia Association database
  3. Online banking — Lloyds Bank
  4. Electronic files held by the two Assessors, Chairman or Treasurer

Copies of personal information, whether on paper or on any physical storage device, must be physically destroyed when they are no longer needed. Paper documents should be shredded and CDs or memory sticks or similar must be rendered permanently unreadable.

Personal data breaches

A personal data breach is defined as a security incident that has affected the confidentiality, integrity or availability of personal data. There will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.

If a personal data breach has occurred, SBDA will take immediate steps to contain it and assess the risk of potential adverse consequences for individuals. If there is a risk to people’s rights and freedoms it will be reported to the ICO within 72 hours of becoming aware of the breach. If there is a high risk to those concerned, they will be informed directly and without undue delay. If the breach is unlikely to result in a risk to rights and freedoms, the breach will be investigated, recorded and steps taken to avoid a future recurrence.

Personal information we process and what we do with it

Volunteers

We collect personal information about Volunteers which:

  1. You provide, or we gather, before or during your engagement with us
  2. Is provided by third parties, such as references or information from suppliers or another party that we do business with
  3. Is in the public domain

The types of personal information that we may collect, store and use about Volunteers include records relating to:

  1. Home address and contact details.
  2. Recruitment (including your application form or CV, any references received and details of your qualifications)

We will use information to carry out our business, to administer your engagement and to deal with any problems or concerns you may have.

We confirm that SBDA is a Data Controller of the personal information in connection with your engagement. This means that we determine the purposes for which, and the manner in which, your personal information is processed.

We will take reasonable steps to ensure that your personal information is kept secure, as described in this policy, and in general we will not disclose your personal information to others outside SBDA. However, we may need to disclose personal information about Volunteers:

  1. To comply with our legal obligations or assist in a criminal investigation or to seek legal or professional advice in relation to engagement issues.
  2. To other parties which provide products or services to us.

Clients (Adults and Parents)

We collect personal information about clients which you provide, or we gather, before or during your engagement with us.

The types of personal information that we may collect, store and use about clients include records relating to:

  1. Name
  2. Contact information including address, telephone number and email address
  3. Information about your children (e.g. name, date of birth, special educational needs information)

We will use information to carry out our business in order to provide you with learning support and assessments. We will not collect any personal data from you we do not need in order to provide and administer this service to you.

We will take reasonable steps to ensure that your personal information is kept secure, as described in this policy, and in general we will not disclose your personal information to others outside SBDA unless we have your permission or we are required by law to do so.

By providing your personal information to us, you consent to the use of your personal information in accordance with this policy.

Suppliers

We collect personal information about suppliers which:

  1. You provide, or we gather, before or during your engagement with us
  2. Is provided by third parties, such as information from other suppliers or another party that we do business with
  3. Is in the public domain

The types of personal information that we may collect, store and use about suppliers include records relating to:

  1. Name and job title
  2. Contact information including address, telephone number and email address
  3. Bank account details, sort code and account number

We will use information to carry out our business with you/your business such as contacting you to discuss your products and services, place orders with you and pay your invoices. We will not collect any personal data from you we do not need in order to carry out these transactions.

We will take reasonable steps to ensure that your personal information is kept secure, as described in this policy, and in general we will not disclose your personal information to others outside SBDA unless we have your permission or we are required by law to do so.

By providing your personal information to us, you consent to the use of your personal information in accordance with this policy.

Other third parties (e.g. prospective clients, business contacts, networking associates)

We collect personal information about other third parties which:

  1. You provide, or we gather from you
  2. Is provided by third parties, such as information from other parties that we do business with
  3. Is in the public domain

The types of personal information that we may collect, store and use about other third parties include records relating to:

  1. Name and job title
  2. Contact information including address, telephone number and email address

We will use information to carry out business with you/your business such as contacting you to discuss your products and services. We will not collect any personal data from you if we do not need to do so.

We will take reasonable steps to ensure that your personal information is kept secure, as described in this policy, and in general we will not disclose your personal information to others outside SBDA unless we have your permission or we are required by law to do so.

By providing your personal information to us, you consent to the use of your personal information in accordance with this policy.

Subject access requests

By law, any Subject (including Volunteers) may make a formal request for information that we hold about them, by completing a Subject Access Request (SAR). If you would like a copy of the information we hold on you please write to us at 29 Brandreth Avenue, Dunstable, Beds LU5 4JP.

If you believe that any information we are holding on you is incorrect or incomplete, or if you wish to have it deleted, please write to us at 29 Brandreth Avenue, Dunstable, Beds LU5 4JP. We will correct any information found to be incorrect or delete it if requested.

In the case of Volunteers we will only delete the information once the engagement has ceased and it is no longer required to comply with our legal obligations, assist in a criminal investigation or for legal and regulatory authorities, such as HM Revenue and Customs.

Any Volunteer who receives such a request from a third party should forward it to the Data Protection Officer immediately.

Complaints

If any Subject wishes to raise a complaint on how we have handled their personal data, they can contact our Data Protection Officer who will investigate the matter. If they are not satisfied with the response or believe we are not processing their personal data in accordance with the law they can complain to the Information Commissioner's Office (ICO). Our Data Protection Officer is Denise Taylor who can be contacted at 29 Brandreth Avenue, Dunstable, Beds LU5 4JP.

Date of last Review — 05/08/2018