Privacy policy
We have reviewed how we store information and how we use it in line with the introduction of General Data Protection Regulations 2018.
General Data Protection Regulation Policy
1. Introduction
The GDPR applies to personal information about individuals which is held on a device or in a manual filing system, or which is recorded with the intention that it will be part of such systems.
The GDPR is concerned with the right of the individual (the Data Subject) to know what information is being held about them, for what reason and how the information will be used. It also provides ways that the information can be accessed, rectified, erased and objected to. The GDPR outlines principles to ensure that:
- Individuals have the right to be informed about the collection and use of their personal data
- Individuals have the right to understand retention periods of personal data and who it will be shared with (called privacy information) The CPCT must provide privacy information to individuals at the time of collection
- The information provided to individuals is concise, transparent, intelligible, easily accessible, and presented using clear and plain language.
- Individuals have the right to access their personal data
- Individuals have the right to rectify/adjust their data
- Individuals have the right to be deleted. Any requests made either verbally or in writing must be actioned within one month
- Individuals have the right to restrict the use of their personal data – any requests must be responded to in one month
Individuals have the right to object to processing including the use of their personal data for statistics, research & direct marketing (including profiling) At the CPCT we collect personal data and ensure that it is:
- obtained only for specified purposes
- relevant to the purposes for which it is processed
- accurate and kept up-to-date
- not kept for longer than is necessary – in most cases two years but some governance documents for six
- processed according to the rights of the Data Subject under the GDPR
- protected against unauthorised processing, accidental loss or damage
- not transferred to areas outside of the European Union (including via websites)
- not shared with third parties without the consent of the data subject, in which case the consent will be recorded
Crystal Palace Community Trust holds personal information on volunteers, staff, and service users. The designated data protection officer is the Trust Manager, Ben Harding. In her absence, all requests should be made to Elaine Harrison, Trust Development Manager.
2. Scope of the policy
- Personal records will be stored at the CPCT in accordance with its procedures
- CPCT staff and volunteers, other than designated persons in the course of their duty, do not have access to the personal information of other staff or volunteers
- When staff and volunteers leave the organisation, all personnel documents will be kept in accordance with CPCT procedures
- Staff and volunteers have the right to access the information held by CPCT. Requests should be in writing to the Trust Manager and the CPCT will provide a copy of the information within two weeks of receiving the request. No charge is made
- Information about individuals will not be disclosed to any third party outside of CPCT without the permission of the individual
- Where photographs of staff or service users are used to publicise or promote the organisation, permission will be sought from individuals and the photographs will be held and consequently used for no more than two years
This policy will be used in conjunction with other policies if applicable including the:
- Confidentiality Policy
- CCTV Policy
- DBS data storage Policy
- Photographic Permissions Policy