Data Protection Policy

The New Well is committed to protecting all information that we handle about people we work with, and to respecting people’s rights around how their information is handled. This policy explains our responsibilities and how we will meet them.

The New Well holds and processes personal data about individuals for the purpose of administration, communication and evaluation.

As an organisation, we are committed to complying with data protection law (the General Data Protection Regulation, GDPR) and the rights of individuals under it. We recognise this relates to all personal data, whether it is held on paper, on computer or other media.

All of The New Well trustees, staff members and volunteers who obtain, handle, process or store personal data for The New Well must adhere to these principles.

The New Well is committed to processing data in accordance with its responsibilities under the GDPR.

Article 5 of the GDPR requires that personal data shall be: 

  • processed lawfully, fairly and in a transparent manner in relation to individuals
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Use of Personal Information 

The New Well is committed to protecting personal data and respecting the rights of our data subjects (the people whose personal data we collect and use). We value the personal information entrusted to us and we respect that trust by complying with all relevant laws and adopting good practice. This information is collected to help us:

  • maintain our list of volunteers, supporters, partners and regular attenders
  • provide services to the community  
  • recruit, support and manage staff and volunteers 
  • maintain our financial accounts and records 
  • promote our services 
  • respond effectively to enquirers and handle any complaints  
  • evaluate our work 

All personal information which is held by The New Well (other than that for evaluation purposes) will be treated as private and confidential and not disclosed to a third party other than The New Well trustees, staff and volunteers in order to facilitate the administration and day-to-day running of The New Well.

Personal Data will only be disclosed to a third party for one of the following reasons: 

  • For administrative or banking purposes with our service providers, who each have their own privacy policy & data protection statement 
  • We are legally compelled to do so 
  • There is a public duty to disclose 
  • Disclosure is required to protect the interests of the individual concerned 
  • The individual concerned has requested (or given their consent to) the data being disclosed 

Applying the Principles 

All staff and volunteers will be required to undergo GDPR Training and will have this policy included in their staff handbook.

  • The trustees are the Data Protection Controller. All questions and concerns in relation to this policy should be addressed to them. They shall take responsibility for The New Well’s ongoing compliance with this policy.
  • This policy will be reviewed annually. 
  • The New Well shall register with the Information Commissioner’s Office as an organisation that processes personal data. 

When personal information is collected for use by The New Well we will ensure that: 

  • This information is adequate, relevant and limited to what is necessary for our purposes
  • The information is not kept for longer than is needed 
  • Those people supplying the information are aware of this policy and how they can obtain a copy 
  • Personal information (including photographs) of individuals will not be published on our website without obtaining explicit and informed consent from the individuals concerned (or their parents if under 16). We will never publish the names of children or young people alongside their photographs.
  • All personal information held by staff and volunteers on behalf of The New Well will be held and processed in a sufficiently secure manner (whether in paper or electronic form) to prevent unauthorised access. This means we will:
     1. Store paper-based information in secure, lockable containers
     2. Use password protection on all electronic devices, mobiles and laptops and encryption of particularly sensitive electronic documents
     3. Restrict access to both paper and electronic personal data to those who need to process it for one of the above uses
     4. Ensure that personal information is transmitted securely in a way that cannot be intercepted by unintended recipients.

Accuracy 

  • The New Well shall take reasonable steps to ensure personal data is accurate.
  • Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.

Archiving/removal 

To ensure that personal data is kept for no longer than necessary, The New Well will usually retain data on the following basis:

Type of data | Retention period
Volunteer information | 36 months after the last contact
Contact details for adults | 24 months after the last contact
Gift aid documentation | 6 years after the calendar year to which it relates
Photographs of individuals and photographs and videos of events where consent has been given | Indefinitely
Personal data relating to specific events | Disposed of immediately after the event
Safeguarding matters | Indefinitely or until advised otherwise by authorities
Accident books | 3 years from the date of the last entry (or, if the accident involves a child, until the child reaches the age of 21)
Complaints (non-safeguarding) | 3 years after resolution of complaint
Minutes of meetings | Indefinitely
Employee records | 6 years after the date of termination of employment

Security 

  • The New Well shall ensure that personal data is stored securely using modern software that is kept up-to-date.
  • Access to personal data shall be limited to personnel who need access with appropriate security in place to avoid unauthorised sharing of information.
  • When personal data is deleted this should be done safely such that the data is irrecoverable.
  • Appropriate back-up and disaster recovery solutions shall be in place. 

Personal data rights

Rights | What this means in practice
The right to be informed | This is the right to be provided with clear, transparent and easily understandable information about how personal data is processed.
The right of access | This is the right of an individual to request a copy of the personal data held about them.
The right to rectification | This is the right to have personal data corrected if it is either inaccurate or incomplete.
The right to erasure | This is known as the right to be forgotten and enables an individual to request the deletion or removal of information about them.
The right to restrict processing | This is the right to block or restrict use of personal data. When processing is restricted, it can still be held, but not used.
The right to lodge a complaint | This is the right of the individual to lodge a complaint about the way data is handled or processed.
The right to withdraw consent | This is the right to withdraw consent regarding what personal data is held or processed.

Any person who wishes to exercise their personal rights should make the request in writing to The New Well office. We will aim to comply with such requests as quickly as possible and will ensure that this is done in a timely manner following receipt of the written request, unless there is a good reason for delay. In such cases, the reason for delay will be explained in writing to the individual making the request.

Breach 

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, The New Well shall promptly assess the risk to people’s rights and freedoms and, if appropriate, report this breach to the ICO.