HANDSWORTH ASSOCIATION OF SCHOOLS

Data protection legislation covers everyone about whom HAOS keeps personal data. This includes employees, volunteers, service users, members, supporters and donors.

The General Data Protection Regulation (GDPR) took effect on 25 May 2018. 

The legislation requires organisations to register if they keep records (unless they are exempt and this includes many charities and clubs). 

The legislation: 

• governs the processing of personal data including 'personal sensitive data'
• requires organisations to comply with its seven key principles
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability
• allows employees, service users and other contacts to request to see the personal data held on them.

Every organisation should have a written policy and procedure that is specific to their context about how they handle personal data and enact privacy principles.

HAOS  keeps certain data in order to maintain an effective service to its partners, and service users and to protect the organisation,  its staff, volunteers and service users against risks. 

HAOS reviews data annually to ensure it is kept accurate. Any data that is no longer required for will be deleted. Data must be deleted prior to the sale or disposal of computers, laptops and other digital equipment.  

This policy applies to personal data about trustees, staff, volunteers and service users.  

The Manager is responsible to maintain the data protection policy and the administrator is responsible for processing the data?   

All staff and trustees must keep personal data safe. Files containing personal data must be kept in a secure place in both paper and electronic files with limited access. All documents containing personal data should not be kept on desks or filing trays when not being used or updated. Failure to maintain the data protection policy is a serious matter that can result in disciplinary action being taken..  

Data is stored and backed up on a limited access database only available to the manager and administrator. 

When an individual asks to see their data by a Subject Access Request, HAOS will respond within 28 days. HAOS reserves the right to turn down a Subject Access Request.  

HAOS will disclose data when formally requested via a Service Access Request (SAR) where the request for information is reasonable and proportionate. HAOS will use national guidance on GDPR to determine whether a request is reasonable or proportionate. 

HAOS keeps individuals informed about data it holds.  

The HAOS Manager is responsible for reporting any breaches to the ICO and Charity Commission.

Further guidance for charities on how to comply with GDPR is made available by ICO. Charity Finance Group have also produced GDPR: A guide for charities

The main data risks faced by HAOS

Personal Data Breach

The Information Commissioner's Office (ICO), describes a personal data breach as “a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.  This means that a breach is more than just losing personal data.” 

All trustees, staff and volunteers need to be robust regarding breach detection, investigation and internal reporting procedures in place.  

If HAOS suffers a personal data breach, then you should follow HAOS Data Breach Policy. 

The steps to follow 

You must notify the Manager. The manager will determine if the breach requires a higher level of notification, both internally and externally , i.e. to the ICO or Charity Commission. HAOS will use the ICO guidance on  the requirement to notify both Regulator/Supervisory Authority and Data Subject.

HAOS will use the following guidance from ICO regarding the reporting of a personal data breach. 

"If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report. You do not need to report every breach to the ICO".

Other data risks

The ICO guidance refers to a number of other potential risks. These other risks are unlikely to occur within the work of HAOS. However, it is the manager's responsibility to check whether any potential data breach should be reported by reference to the ICO guidance relating to small charities. If there is a need to report a data breach it should be reported promptly and the chair of trustees must also be informed promptly.