Data Protection Policy

The New Well is committed to protecting all information that we handle about people we  work with, and to respecting people’s rights around how their information is handled. This  policy explains our responsibilities and how we will meet them. 

The New Well holds and processes personal data about individuals for the purpose of  administration, communication and evaluation. 

As an organisation, we are committed to complying with data protection law (General Data  Protection Regulations-GDPR) and the rights of the individuals under it. We recognise this  relates to all personal data, whether it is held on paper, on computer or other media.  

All of The New Well trustees, staff members and volunteers who obtain, handle, process or  store personal data for The New Well must adhere to these principles.  

The New Well is committed to processing data in accordance with its responsibilities under  the GDPR.  

Article 5 of the GDPR requires that personal data shall be: 

  • processed lawfully, fairly and in a transparent manner in relation to individuals • collected for specified, explicit and legitimate purposes and not further processed in  a manner that is incompatible with those purposes; further processing for archiving  purposes in the public interest, scientific or historical research purposes or statistical  purposes shall not be considered to be incompatible with the initial purposes • adequate, relevant and limited to what is necessary in relation to the purposes for  which they are processed 
  • accurate and, where necessary, kept up to date; every reasonable step must be  taken to ensure that personal data that are inaccurate, having regard to the  purposes for which they are processed, are erased or rectified without delay 
  • kept in a form which permits identification of data subjects for no longer than is  necessary for the purposes for which the personal data are processed; personal data  may be stored for longer periods insofar as the personal data will be processed  solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate  technical and organisational measures required by the GDPR in order to safeguard  the rights and freedoms of individuals
  • processed in a manner that ensures appropriate security of the personal data,  including protection against unauthorised or unlawful processing and against  accidental loss, destruction or damage, using appropriate technical or organisational  measures.

Use of Personal Information 

The New Well is committed to protecting personal data and respecting the rights of our data  subjects (the people whose personal data we collect and use). We value the personal  information entrusted to us and we respect that trust, by complying with all relevant laws,  and adopting good practice. This information is collected to help us: 

  • maintain our list of volunteers, supporters, partners and regular attenders
  • provide services to the community  
  • recruit, support and manage staff and volunteers 
  • maintain our financial accounts and records 
  • promote our services 
  • respond effectively to enquirers and handle any complaints  
  • evaluate our work 

All personal information which is held by The New Well (other than that for evaluation  purposes) will be treated as private and confidential and not disclosed to a third party other  than The New Well trustees, staff and volunteers in order to facilitate the administration  and day-to-day running of The New Well. 

Personal Data will only be disclosed to a third party for one of the following reasons: 

  • For administrative or banking purposes with our service providers, who each have their own privacy policy & data protection statement 
  • We are legally compelled to do so 
  • There is a public duty to disclose 
  • Disclosure is required to protect the interests of the individual concerned 
  • The individual concerned has requested (or given their consent to) the data being disclosed 

Applying the Principles 

All staff and volunteers will be required to undergo GDPR Training and will have this policy  included in their staff handbook. 

  • The trustees are the Data Protection Controller. All questions and concerns in relation to this policy should be addressed to them. They shall take responsibility for The New Well’s ongoing compliance with this policy.
  • This policy will be reviewed annually. 
  • The New Well shall register with the Information Commissioner’s Office as an organisation that processes personal data. 

When personal information is collected for use by The New Well we will ensure that: 

  • This information is adequate, relevant and limited to what is necessary for our  purposes 
  • The information is not kept for longer than is needed 
  • Those people supplying the information are aware of this policy and how they can obtain a copy 
  • Personal Information (including photographs), of individuals will not be published on  our website without obtaining explicit and informed consent from the individuals  concerned (or their parents if under 16). We will never publish the names of children or young people alongside their photographs. 
  • All personal information held by staff and volunteers on behalf of The New Well will  be held and processed in a sufficiently secure manner (whether in paper or electronic  form) to prevent unauthorised access. This means we will: 
  1. Store paper based information in secure, lockable containers 
  2. Use password protection on all electronic devices, mobiles and laptops and  encryption of particularly sensitive electronic documents 
  3. Restrict access to both paper and electronic personal data to those who need to process for one of the above uses 
  4. Ensure that personal information is transmitted securely in a way that cannot be intercepted by unintended recipients. 


  • The New Well shall take reasonable steps to ensure personal data is accurate.
  • Where necessary for the lawful basis on which data is processed, steps shall be put in  place to ensure that personal data is kept up to date. 


To ensure that personal data is kept for no longer than necessary, The New Well will usually  retain data on the following basis:

Type of data Retention period
Volunteer information 36 months after the last contact
Contact details for adults 24 months after the last contact
Gift aid documentation 6 years after the calendar year to which it relates
Photographs of individuals and  


photographs and videos of events where  consent has been given

Personal data relating to specific events Disposed of immediately after the event
Safeguarding matters Indefinitely or until advised otherwise by  authorities
Accident books3 years from the date of the last entry (or, if the  accident involves a child, until the child reaches  the age of 21)
Complaints (non-safeguarding) 3 years after resolution of complaint
Minutes of meetings Indefinitely
Employee records 6 years after the date of termination of  employment


  • The New Well shall ensure that personal data is stored securely using modern  software that is kept up-to-date. 
  • Access to personal data shall be limited to personnel who need access with  appropriate security in place to avoid unauthorised sharing of information. When personal data is deleted this should be done safely such that the data is  irrecoverable. 
  • Appropriate back-up and disaster recovery solutions shall be in place. 

Personal data rights

Rights What this means in practice
The right to be informed This is the right to be provided with clear,  transparent and easily understandable information about how personal data is  processed.
The right of access This is the right of an individual to request a copy  of the personal data held about them.
The right to rectification This is the right to have personal data corrected it  is either inaccurate or incomplete.
The right to erasureThis is known as the right to be forgotten and  enables an individual to request the deletion or  removal of information about them.
The right to restrict processingThis is the right to block or restrict use of personal  data. When processing is restricted, it can still be  held, but not used.
The right to lodge a complaintThis is the right of the individual to lodge a  complaint about the way data is handled or  processed.
The right to withdraw consent This is the right to withdraw consent regarding  what personal data is held or processed

Any person who wishes to exercise their personal rights should make the request in writing  to The New Well office. We will aim to comply with such request as quickly as possible but  will ensure that it is provided in a timely manner of receipt of a written request, unless there  is a good reason for delay. In such cases, the reason for delay will be explained in writing to  the individual making the request.  


In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, The New Well shall  promptly assess the risk to people’s rights and freedoms and if appropriate report this breach  to the ICO.