STATEMENT
Your Chapter Ltd. (‘we’, ‘us’, and ‘our’) is committed to respecting and protecting the privacy of individuals and to fully complying with all the requirements of Data Protection Legislation.
We have appointed a Data Protection Officer (DPO) who can be contacted via dpo@yourchapter.co.uk
SCOPE
This policy applies to all our staff.
This policy, which is part of our suite of data protection related policies, must be followed in conjunction with those other policies.
This policy applies to all of our services that involve the processing of personal data.
DEFINITIONS
Data Protection Legislation means the UK General Data Protection Regulation (‘UK GDPR’), the Privacy and Electronic Communications Regulations (‘PECR’) and (where applicable) the EU General Data Protection Regulation (‘EU GDPR’).
Personal data (aka Personal Information and Personally Identifiable Information or PII) means any information relating to an identified or identifiable person (‘Data Subject’).
Personal data breach means a security incident that has affected the confidentiality, integrity, or availability of personal data (whether accidental or deliberate).
Examples of personal data typically processed by us are:
- First and last names
- Postal, email and IP addresses
- Telephone numbers
- Identity documents (e.g., passports & driving licences)
- Identity numbers (e.g., National Insurance and bank account numbers)
- Career & educational documents (e.g., CVs & qualifications)
- Any contact information
- Case files relating to children and young people in our homes and schools
Special Category data (aka Sensitive Data) means personal data revealing racial or ethnic origin, political opinions, religious (including religious-related dietary preferences) or philosophical beliefs, or trade-union membership; genetic data; biometric data processed for the purpose of uniquely identifying a living individual; health-related data (including allergies, intolerances, hospitalisations, and adverse reactions to products or substances); and data concerning a person’s sex life or sexual orientation.
Examples of special category personal data typically processed by us are:
- Health & medical information (including whether a person has a disability)
- Personal data of vulnerable individuals
- Information about ethnic origin & race
- Staff sickness records
Data subject means any individual whose personal data is processed by us.
Examples of our data subjects are:
- Children and young people in our homes and schools
- Staff and their next of kin
- Job applicants
- Suppliers of goods/services
- Business contacts
Processing means any use of personal data such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, erasure and destruction. (This means that virtually anything we do with personal data will be ‘processing’).
Data controller means the organisation which decides the purposes and means of the processing of personal data. We are the data controller for the purposes of this policy.
Data processor means an individual or organisation that processes personal data on behalf of a data controller (on our behalf/on our instructions).
Examples of our data processors are:
- External payroll
- External IT support
Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.
Staff means anyone working at or for us including:
- Directors
- Permanent, interim, and temporary employees
- Consultants
- Contractors
PURPOSES
- To ensure all personal data is processed in accordance with Data Protection Legislation
- To respect the privacy of individuals
- To ensure personal data is processed by us in a consistent manner
- To reduce the risk of a personal data breach
- To provide guidance to staff about how to comply with Data Protection Legislation
- To clarify responsibilities and roles for implementing this policy and monitoring compliance with it.
- To set out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.
- To set out the rules on data protection and the legal conditions that must be satisfied when we obtain, handle, process, transfer and store personal data.
PRINCIPLES OF DATA PROTECTION
The principles of data protection are that personal data shall be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’)
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
- Accurate and, where necessary, kept up to date (‘accuracy’)
- Kept for no longer than is necessary (‘storage limitation’)
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)
ROLES AND RESPONSIBILITIES
Our Senior Management team have ultimate responsibility for ensuring compliance with Data Protection Legislation and this policy.
The Data Protection Officer (DPO) has responsibility to:
- Remind the Senior Management team of their responsibility for ensuring our compliance with Data Protection Legislation and this policy; and
- Advise the Senior Management team how to exercise their responsibility for ensuring our compliance with Data Protection Legislation and this policy; and
- Monitor our compliance with Data Protection Legislation and this policy
Our Data Protection Group (see Appendix) has responsibility to liaise with the DPO to help ensure we comply with the Data Protection Legislation and this policy.
All staff have a responsibility to comply with Data Protection Legislation and this policy when carrying out their duties.
Line managers are responsible for ensuring their staff’s adherence to this policy.
Failure to comply with this policy may result in legal and/or disciplinary action.
RIGHTS
Data subjects have the right to:
- Be informed about the collection and use of their personal data.
- Access their personal data (for more about this see ‘Subject Access Requests’, below).
- Rectification of inaccurate personal data.
- Erasure (deletion) of their personal data – also known as the ‘right to be forgotten’ *
- Restrict processing of their personal data.
- Data portability – to easily move, copy or transfer their personal data.
- Object to our processing of their personal data.
- Not be subject to solely automated decision-making (including profiling) that has legal or similarly significant effects on them, except in limited circumstances.
*This is not an absolute right and only applies in certain circumstances
LAWFUL BASES
We must always have a valid lawful basis in order to process personal data.
There are six available lawful bases for processing. No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on our purpose and our relationship with the data subject.
The lawful bases for processing are:
- Consent: the data subject has given clear consent for us to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract we have with the data subject, or because they have asked us to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for us to comply with the law.
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for us to perform a task in the public interest or to exercise official authority, and the task or authority has a clear basis in law.
- Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
SUBJECT ACCESS REQUESTS
Any data subject may make a Subject Access Request (‘SAR’). Any member of staff in receipt of a SAR must pass it on to our Data Protection Group as a matter of urgency, because the statutory time limit for responding (normally one calendar month) runs from the day we receive the request, not from the day it reaches the Data Protection Group.
SECURITY
All staff are responsible for ensuring that any personal data which we are responsible for is kept securely.
Examples of keeping personal data secure are:
- Paper files/records should be kept in locked cabinets when not in use
- Monitors/computer screens should be visible only to those who need to see them, and computers should be locked when left unattended
- Paper files/records should not be removed from our business premises without appropriate authorisation
- Desks should be cleared when not in use
- Personal data no longer required for day-to-day use should be sent to secure archiving
SHARING (DISCLOSURE)
Personal data must not be shared unless the recipient is authorised to have access to that personal data and then only in accordance with Data Protection Legislation.
This includes the sharing of personal data by Staff with
- our other employees; and
- third parties (other organisations and individuals – including our data processors)
Examples of unauthorised recipients are:
- Family members
- Friends
- Local Authorities and other public bodies
Staff should exercise great caution when asked to share personal data and if in doubt should seek advice from our Data Protection Group before doing so.
RETENTION
Personal data must not be kept for any longer than is necessary and only in accordance with our Retention Policy.
DELETION (DISPOSAL)
When it is no longer necessary to keep it, personal data must be disposed of securely.
This means that:
- Paper will be shredded on site, or disposed of externally as confidential waste
- Computer equipment and storage media will be disposed of securely by specialist contractors, so that the personal data held on them cannot be recovered
TRANSFER OUTSIDE THE UK
The UK GDPR restricts the transfer (sending) of personal data outside the UK. This means that personal data cannot be freely transferred outside the UK, except to the EEA and a limited number of other countries covered by UK adequacy regulations, or where appropriate safeguards are in place.
You should not agree to transfer personal data outside the UK unless you are authorised to do so. If in doubt, contact our Data Protection Group.
DATA PROTECTION IMPACT ASSESSMENTS
A data protection impact assessment (DPIA) is a process to help identify and minimise the data protection risks of a project.
We must do a DPIA for processing that is likely to result in a high risk to individuals, including the types of processing for which the ICO specifies that a DPIA is mandatory. It is also good practice to do a DPIA for any other new project which requires the processing of personal data.
Processing in any circumstances where a DPIA may be required must not be started without the approval of our Data Protection Group.
MARKETING
The PECR (see the definition of ‘Data Protection Legislation’ above) give people specific privacy rights in relation to electronic communications. There are specific rules on:
- marketing calls, emails and texts
- cookies (and similar technologies)
These rules mean that:
- We must not send marketing messages/materials to ‘consumers’ unless we are sure that they have previously agreed (consented) to receive them and do not object to hearing from us, and that by contacting them we are not being a nuisance to them.
- We must tell people if we set cookies on our website and clearly explain what the cookies do and why. We must also (usually) get the user’s consent before setting cookies.
Appendix
At the time this policy was last updated, the members of our Data Protection Group were:
- Ian Oatley, Finance Director, Oatley@yourchapter.co.uk.
- Pria Griffiths-Sen, Quality and Performance Manager, GriffithsSen@yourchapter.co.uk
This policy was last updated on 14/04/2023