Data Protection Policy
Protecting Confidential or Sensitive Information
Corsham Connections recognises it needs to keep and process sensitive and personal information about both employees and the public to achieve its aims. It has therefore adopted this policy not only to meet its legal obligations but to ensure high standards. The General Data Protection Regulation (GDPR), which became law on 25 May 2018, like the Data Protection Act 1998 before it, seeks to strike a balance between the rights of individuals and the sometimes legitimate reasons for using personal information.
The policy is based on the premise that personal data must be:
- Processed fairly, lawfully and in a transparent manner in relation to the data subject.
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Accurate and, where necessary, kept up to date.
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
- Processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Data Protection Terminology
Data subject – means the person whose personal data is being processed. That may be a Trustee, an employee, prospective employee, a volunteer, associate or prospective associate of Corsham Connections or someone transacting with it in some way, or an employee, member or volunteer with one of our customers, or persons transacting or contracting with one of our clients when we process data for them.
Personal data – means any information relating to a natural person or data subject that can be used directly or indirectly to identify the person. It can be anything from a name, a photo, an address, date of birth, an email address, bank details, and posts on social networking sites or a computer IP address.
Sensitive personal data – includes information about racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, medical information, sexual orientation, genetic and biometric data or information related to offences or alleged offences where it is used to uniquely identify an individual.
Data controller – means a person who (either alone or jointly or in common with other persons) (e.g. Town Council, employer, other council) determines the purposes for which, and the manner in which, any personal data is to be processed.
Data processor – in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Processing information or data – means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
- organising, adapting or altering it.
- retrieving, consulting or using the information or data.
- disclosing the information or data by transmission, dissemination or otherwise making it available.
- aligning, combining, blocking, erasing or destroying the information or data, regardless of the technology used.
Corsham Connections processes personal data in order to:
- Volunteer and maintaining information required by law.
- Pursue the legitimate interests of its business, by fulfilling contractual terms with other organisations, and maintaining information required by law.
- Monitor its activities including the equality and diversity of its activities.
- Assist regulatory, health and law enforcement agencies.
- Process information including the recording and updating of details about its Trustees, employees, partners and volunteers.
- Process information including the recording and updating of details about individuals and services who contact it for information, or to access a service or make a complaint.
- Undertake surveys, censuses and questionnaires to fulfil the objectives and purposes of the Connections and occasional funding sources.
- Undertake research, audit and quality improvement work to fulfil its objects and purposes.
- Carry out essential administration.
Where appropriate and governed by necessary safeguards, we will carry out the above processing jointly with other appropriate bodies from time to time.
The Trustees will ensure that at least one of the following conditions is met for personal information to be considered fairly processed:
- The individual has consented to the processing.
- Processing is necessary for the performance of a contract or agreement with the individual.
- Processing is required under a legal obligation.
- Processing is necessary to protect the vital interests of the individual.
- Processing is necessary in order to pursue the legitimate interests of the data controller or third parties.
Particular attention is paid to the processing of any sensitive personal information and the Trustees will ensure that at least one of the following conditions is met:
- Explicit consent of the individual.
- Required by law to process the data for employment purposes.
- A requirement in order to protect the vital interests of the individual or another person.
Who is responsible for protecting a person’s personal data?
The Trustees of Corsham Connections have ultimate responsibility for ensuring compliance with the Data Protection legislation. This is delegated on a day-to-day basis to the Chair.
Phone: 07725 749883
Correspondence: Caroline J Baker, Corsham Connections, 32 Hastings Road, Corsham, SN13 9HQ