The Lambourn Almshouses: Data Protection Policy
1. Introduction
The Lambourn Almshouses, based in Lambourn, West Berkshire, is committed to safeguarding the privacy and personal data of all residents, staff, trustees, and other stakeholders. This policy outlines the principles and practices that the charity follows to ensure compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Purpose
This policy establishes guidelines for the collection, use, storage, and protection of personal data processed by The Lambourn Almshouses. It aims to ensure that personal data is handled lawfully, fairly, and transparently, while respecting the privacy of individuals and protecting their rights.
3. Scope
This policy applies to all personal data processed by The Lambourn Almshouses, including data relating to residents, staff, trustees, volunteers, donors, and other individuals with whom the charity interacts. It applies to all data held electronically or in paper form.
4. Data Protection Principles
In compliance with the UK GDPR, The Lambourn Almshouses commits to processing personal data in accordance with the following principles:
- Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and in a transparent manner.
- Purpose Limitation: Personal data will be collected for specified, explicit, and legitimate purposes and will not be processed in any manner incompatible with those purposes.
- Data Minimisation: Personal data collected will be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
- Accuracy: Personal data will be accurate and, where necessary, kept up to date. Inaccurate data will be rectified or erased without delay.
- Storage Limitation: Personal data will not be kept for longer than is necessary for the purposes for which it is processed.
- Integrity and Confidentiality: Personal data will be processed securely, ensuring protection against unauthorised or unlawful processing and accidental loss, destruction, or damage.
- Accountability: The charity will be responsible for ensuring compliance with these principles and will be able to demonstrate that compliance.
5. Legal Bases for Processing
The Lambourn Almshouses will only process personal data when there is a lawful basis to do so under the UK GDPR. These legal bases include:
- Consent: When the individual has given clear consent for the processing of their personal data for a specific purpose.
- Contract: When processing is necessary for the performance of a contract with the individual, or to take steps prior to entering into a contract.
- Legal Obligation: When processing is necessary for compliance with a legal obligation.
- Vital Interests: When processing is necessary to protect someone’s life.
- Public Task: When processing is necessary to perform a task in the public interest or for official functions.
- Legitimate Interests: When processing is necessary for the legitimate interests of the charity, provided those interests are not overridden by the individual’s rights.
6. Data Subject Rights
Individuals have the following rights regarding their personal data under the UK GDPR:
- Right to Access: Individuals have the right to access their personal data and obtain information about how it is being processed.
- Right to Rectification: Individuals have the right to request the correction of inaccurate or incomplete personal data.
- Right to Erasure (Right to be Forgotten): Individuals have the right to request the deletion of their personal data in certain circumstances.
- Right to Restrict Processing: Individuals have the right to request that the processing of their personal data be restricted in certain situations.
- Right to Data Portability: Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to request the transfer of their data to another organisation.
- Right to Object: Individuals have the right to object to the processing of their personal data in certain circumstances.
- Right Not to Be Subject to Automated Decision-Making: Individuals have the right not to be subject to decisions based solely on automated processing.
Requests relating to these rights will be handled within one month, in compliance with UK GDPR guidelines.
7. Data Security
The Lambourn Almshouses takes appropriate technical and organisational measures to ensure the security of personal data. These measures include:
- Secure storage of physical and electronic records.
- Limiting access to personal data to authorised personnel only.
- Encryption of sensitive data where applicable.
- Regular review of data security practices to ensure they remain effective.
In the event of a data breach, The Lambourn Almshouses will take immediate steps to contain the breach and will report significant breaches to the Information Commissioner’s Office (ICO) within 72 hours, where required.
8. Data Sharing and Disclosure
The Lambourn Almshouses will not share personal data with third parties without the individual’s consent, unless required by law or where necessary to fulfil the charity’s obligations (e.g., sharing data with service providers, regulators, or legal authorities).
Any third-party service providers that process data on behalf of the charity will be required to adhere to the same data protection standards as outlined in this policy.
9. Data Retention
Personal data will only be retained for as long as necessary to fulfil the purposes for which it was collected or as required by law. Once the retention period has expired, personal data will be securely deleted or anonymised.
10. Responsibilities
- Trustees: The trustees of The Lambourn Almshouses are ultimately responsible for ensuring compliance with data protection laws and this policy.
- Clerk: The Clerk will manage day-to-day data protection practices, maintain records of processing activities, and act as the first point of contact for data protection queries.
- All Staff and Volunteers: Staff and volunteers are responsible for ensuring they understand and comply with this policy, particularly when handling personal data.
11. Training and Awareness
All staff, trustees, and volunteers will receive training on data protection and this policy to ensure they understand their responsibilities and the importance of protecting personal data.
12. Contact Information
For questions or concerns regarding this policy or data protection practices, individuals can contact:
The Clerk, The Lambourn Almshouses, 20 Oxford Street, Lambourn, West Berkshire
13. Approval
This policy has been approved by the Board of Trustees of The Lambourn Almshouses:
Signature:
Name: Christian Noll
Position: Chair of Trustees
Date: 1 November 2024