General Data Protection Regulation (GDPR) Policy
Document Owner: You’re Cherished Charity
Date Policy Signed Off: 7th March 2024
Owner Signature: R Hardy
Review Date: 7th March 2025
What is this policy for?
You’re Cherished are a registered charity who work with young people both in primary and secondary school and also in group settings outside of school. We provide a safe space for them and support them in various capacities of our services, including 1:1 mentoring, group work and bespoke workshops. Our registered charity number is: 1201663. We are committed to data protection, and this policy sets out your individual rights and obligations in relation to personal data. We are also committed to being transparent about how we collect and use the personal data we hold within our organisation in order to meet data protection obligations.
Who is this policy for?
This policy applies to the personal data of job applicants, employees, contractors, volunteers, children and young people we support, interns and former employees, referred to as HR-related personal data. This policy does not apply to the personal data of clients or other personal data processed for business purposes.
General Data Protection Regulation (GDPR)
We have appointed Hannah Simnett as the person with responsibility for data protection compliance. They can be contacted at hannah@www.cherisheduk.org. Questions about this policy, or requests for further information, should be directed to them.
What Information do we Collect?
Personal data – this is any information that relates to a living individual who can be identified from that basic information (name, email address, postal address, mobile or telephone number and date of birth; financial details (bank details); photos, videos or audio recordings that are used as part of our work with you, and only if permission has been given by the relevant individual). Processing is any use that is made of data, including collecting, storing, amending, disclosing, or destroying it.
Special categories of personal data – means information about an individual’s racial or ethnic origin, religious or philosophical beliefs, health, sexual orientation, biometric data, and needs around mental and physical health. We won’t use this without a justified reason.
Criminal records data – means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.
Data Protection Principles & how we use the data provided
We process HR-related personal data in accordance with the following data protection principles:
- We process personal data lawfully, fairly and in a transparent manner.
- We collect personal data only for specified, explicit and legitimate purposes.
- We process personal data only where it is adequate, relevant, and limited to what is necessary for the purposes of processing.
- We keep accurate personal data and take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
- We keep personal data only for the period necessary for processing.
- We adopt appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction, or damage.
We will tell you about the reasons for processing your personal data, how we use such data and the legal basis for processing the data in our privacy notices. We will not process your personal data for other reasons. Where we rely on our legitimate interests as the basis for processing data, we will carry out an assessment to ensure that those interests are not overridden by your rights and freedoms.
We use personal data provided to us by our referral agents in order to assess the needs of the individuals referred to You’re Cherished to enable us to provide them with the relevant services. We will also use this information to safeguard the children we work with if we deem it necessary.
We use the information provided by our referral agents to improve our fundraising and funding bids that we need to help provide our services to children and young people. This may be analysing data around demographics, or the number of children supported or the needs of the children and young people. This key information is needed to report on a project that has been funded by a funding provider.
We use the information from referral agents and volunteers to improve the services we offer and also to promote our activities; where it has been agreed, we may use photos and testimonials.
We use the information to check the suitability for a role at You’re Cherished as an employee or volunteer. This will be part of the application process.
Where we process special categories of personal data or criminal records data to perform obligations or to exercise rights in employment law, this is done in accordance with guidance on special categories of data and criminal records data.
We will update HR-related personal data promptly if you advise us that your information has changed or is inaccurate. Personal data gathered during your employment, worker, contractor or volunteer relationship, or apprenticeship or internship will be held on your personnel file. The periods for which we will hold HR-related personal data are contained in our privacy notices.
Should any personal data change for those young people we are supporting, we need to be informed accordingly so we can amend and make any relevant changes.
We will keep a record of our processing activities in respect of HR-related personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).
Data Security
We take the security of HR-related personal data seriously. We have internal policies and controls in place to protect personal data against loss, accidental destruction, misuse, or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of duties.
We store all confidential data on our secure IT equipment and all referrals of our young people are coded with an ID code to protect identity.
Where we engage with a third party to process personal data on our behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. All laptops that are You’re Cherished’s property are password protected via the Google Suite Workspace, where we have a two-step verification process.
How long will we keep your personal data?
The personal data for our employees and volunteers will not be kept by You’re Cherished for longer than is needed.
The personal data provided to us by our referral agents where one or more of our services supporting children and young people have been accessed will be kept on our system for six years.
International data transfers
We will not transfer HR-related personal data to countries outside the EEA.
Training
We will provide training to you about your data protection responsibilities as part of your induction process.
If your role requires regular access to personal data, or if you are responsible for implementing this policy or responding to subject access requests under this policy, you will receive additional training to help you understand your duties and how to comply with them.
Your responsibilities
You are responsible for helping us to keep your personal data up to date. You should let us know as soon as possible if any data that you have provided to us changes, for example if you move to a new house or you change your bank details. Also ensure that you are using a safe device with regular security updates and virus protection when sending sensitive information.
You may have access to the personal data of your colleagues in the course of your employment. Where this is the case, we rely on you to help us meet our data protection obligations to our employees.
If you have access to personal data, you are required:
- To access only data that you have authority to access and only for authorised purposes.
- Not to disclose data except to individuals (whether internal or external) who have appropriate authorisation.
- To keep data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction).
- Not to remove personal data, or devices containing or that can be used to access personal data, from our premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device.
- Not to store personal data on local drives or on personal devices that are used for work purposes, and,
- To report data breaches of which you become aware to Hannah Simnett immediately.
Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with under our Disciplinary Policy. Significant or deliberate breaches of this policy, such as accessing your colleagues’ data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.
If you are a referral agent, you are responsible for helping us to keep the personal information of those referred to us or those young people accessing any of our services up to date. You need to advise us as soon as possible if any data related to the young person we are supporting changes, in terms of address, referral needs or any other relevant information.
Your rights
As a data subject, you have a number of rights in relation to your own personal data. You have the right to make a Subject Access Request (SAR), and if you do make such a request, we will tell you:
- Whether or not your data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from you directly.
- To whom your data is or may be disclosed.
- For how long your personal data is stored (or how that period is decided).
- Your rights to rectification or erasure of data, or to restrict or object to processing.
- Your right to complain to the Information Commissioner if you think that we have failed to comply with your data protection rights, and,
- Whether or not we carry out automated decision-making and the logic involved in any such decision-making.
To make a Subject Access Request, you should send your request to Hannah@www.cherisheduk.org. In some cases, we may need to ask for proof of identification before your request can be processed. We will inform you if we do need to verify your identity and the documents we will require.
We will normally respond to your request within a period of one month from the date it is received. In some cases, such as where we process large amounts of your data, we may respond within three months of the date your request is received. We will write to you within one month of receiving your original request to tell you if this is the case.
If a subject access request is manifestly unfounded or excessive, we are not obliged to comply with it. Alternatively, we can agree to respond but we may charge a fee, which will be based on the administrative cost of responding to your request (it is likely to be manifestly unfounded or excessive where it repeats a request to which we have already responded). If you submit a request that is unfounded or excessive, we will notify you that this is the case and whether or not we will respond to it.
We will also provide you with a copy of the personal data undergoing processing. This will normally be in electronic form if you have made a request electronically unless you agree otherwise.
If you want additional copies, we may charge a fee, which will be based on the administrative cost of providing the additional copies.
You can require us to:
- Rectify inaccurate data.
- Stop processing or erase data that is no longer necessary for the purposes of processing.
- Stop processing or erase data if your interests override our legitimate grounds for processing data (where we rely on our legitimate interests as a reason for processing data).
- Stop processing or erase data if processing is unlawful, and,
- Stop processing data for a period if data is inaccurate or if there is a dispute about whether or not your interests override our legitimate grounds for processing data.
To ask us to take any of these steps, you should send a request to hannah@www.cherisheduk.org.
Data Breaches
A data breach is defined as any incident that has affected the confidentiality, integrity, or availability of personal data. Any breach that is likely to have an adverse effect on an individual’s rights or freedoms must be reported. If you become aware of a data breach, you must contact Hannah Simnett immediately, who will provide advice on further action, and whether the breach needs to be reported to the ICO.
Where a report to the ICO must be made, it should be done without undue delay or within 72 hours of the breach being identified. The report must contain the following information:
- Our details.
- Details of the data breach.
- What personal data has been placed at risk.
- What actions have been taken to contain the breach and recover the data.
- What training and guidance has been provided.
- Any previous contact with the ICO.
- Any miscellaneous support information.
We will notify you of any breach that affects your personal data without undue delay. You will be notified to afford you the opportunity to take the necessary steps in order to protect yourself from the effects of the breach. In any such event, we will provide you with the following information:
- The circumstances surrounding the breach.
- The details of who will be managing the breach.
- Any actions we have taken to contain and manage the breach.
- Any other pertinent information that can support you.