
Data Protection & GDPR Policy

Version 1

Approved by Board of Trustees 14 May 2024
Review Period 2 years
Review Date May 2026

Area 43 needs to keep certain information about employees, volunteers, clients and other users to allow it to monitor performance, achievements and health and safety, for example. It is also necessary to process information so that staff can be recruited and paid, courses organised and obligations to funding bodies, the Charity Commission and the Welsh Government complied with. To comply with the law, information must be used fairly, stored safely and not disclosed to any other person unlawfully. To do this, Area 43 must comply with the six data protection principles set out in Article 5 of the General Data Protection Regulation (GDPR), which applied from 25 May 2018, is retained in UK law as the UK GDPR and is supplemented by the Data Protection Act 2018 (which replaced the Data Protection Act 1998).

Any member of staff, volunteer, trustee or client who considers that the Policy has not been followed in respect of personal data about themselves should raise the matter with the Data Protection Officer initially. If the matter is not resolved it should be raised as a formal grievance. Individuals also have the right to complain directly to the Information Commissioner's Office (ICO).

Article 5 of the GDPR requires that personal data shall be:
● Processed lawfully, fairly and in a transparent manner in relation to individuals;
● Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
● Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
● Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
● Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
● Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Area 43 and all staff or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, Area 43 has developed this Data Protection Policy.

All staff, volunteers, trustees, clients and other users are entitled to:-
● Know what information Area 43 holds and processes about them and why.
● Know how to gain access to it.
● Know how to keep it up to date.
● Know what Area 43 is doing to comply with its obligations under GDPR.

All staff are responsible for ensuring that:
● Any personal data which they hold is kept securely.
● Personal information is not disclosed, orally or in writing, accidentally or otherwise, to any unauthorised third party.

Staff should note that unauthorised disclosure will usually be a disciplinary matter and may be considered gross misconduct in some cases.

Personal information should be:
● Kept in a locked filing cabinet; or
● If it is kept electronically, encrypted and password protected.

Area 43 uses Google Workspace (formerly G Suite) as its email host, under Google's data processing terms. Google servers may be located outside the UK and the EU. The EU-US Privacy Shield Framework, which formerly covered transfers of data between the EU and the US, was declared invalid by the Court of Justice of the European Union in July 2020 (the Schrems II judgment) and can no longer be relied on. International transfers from Google Workspace now rest on the safeguards in Google's Data Processing Addendum, namely Standard Contractual Clauses and, for transfers to the US, the EU-US Data Privacy Framework and its UK extension. When confirming the transfer mechanism, staff should check Google's current data processing terms rather than the former Privacy Shield site (https://www.privacyshield.gov/welcome).

Staff, volunteers, trustees, clients and other users of Area 43's services have the right to access any personal data that are being kept about them, whether held on computer or in paper filing systems. A request made in any form is valid, but any person who wishes to exercise this right is asked to make their request in writing to the Data Protection Officer so that it can be logged and handled promptly.

Area 43 does not charge a fee for an access request. A reasonable fee based on administrative costs may be charged only where a request is manifestly unfounded or excessive, or for further copies of information already provided.

Area 43 aims to comply with requests for access to personal information as quickly as possible and will ensure a response is provided within one month of receipt. Where a request is complex or several requests are received from the same person, this period may be extended by up to a further two months, in which case the person will be told of the extension and the reason for it within the first month.

Making information public does not take it outside data protection law, but Area 43 has a legitimate interest in being transparent about who runs and works for the organisation. It is Area 43's policy to make as much information public as possible, and in particular the following information will be available to the public for inspection:
● Names of Area 43 Trustees and senior staff with significant financial responsibilities (for inspection during office hours only)
● List of key staff
● Photographs of key staff

Any individual who has good reason for wishing details in these lists or categories to remain confidential should contact the Data Protection Officer.

Area 43 will process personal data only where it has a lawful basis under Article 6 of the GDPR. Consent is one such basis; where Area 43 relies on it, consent can be withdrawn at any time by notifying the Data Protection Officer. For staff, volunteers and trustees, however, most processing is carried out because it is necessary for the employment or placement relationship, to meet a legal obligation, or for Area 43's legitimate interests, rather than on the basis of consent, since consent that is made a condition of employment or placement is not freely given. Agreement to Area 43 processing some specified classes of personal data is therefore a condition of acceptance of volunteer placements, induction of trustees and employment for staff. This includes information about previous criminal convictions, which is processed only where a condition set out in the Data Protection Act 2018 applies.

Area 43 will also ask for information about particular health needs, such as allergies to particular forms of medication, or conditions such as asthma or diabetes. Health information is special category data under Article 9 of the GDPR. Area 43 will use it only for the protection of the health and safety of the individual, on the basis of the individual's explicit consent or, in a medical emergency where consent cannot be obtained, to protect the individual's vital interests.

Area 43 is the Data Controller under the UK GDPR and the Data Protection Act 2018 and is registered with the Information Commissioner's Office (ICO) under the registration number Z5483358; the board of trustees is therefore ultimately responsible for implementation. However, there is a designated Data Protection Officer dealing with day-to-day matters. The first point of contact for enquiries is Rachael Eagles, who may either deal with the enquiry herself or refer it to another designated data protection officer.

Area 43 will keep some forms of information for longer than others. No information will be kept longer than necessary.

When personal data is no longer required, or has passed its retention date, paper records will be disposed of securely (for example by shredding). Electronic records must be permanently deleted, including any copies held in email, shared drives and backups, with particular care taken that the data cannot be recovered.

Compliance with the Data Protection Act 2018 and the UK GDPR is the responsibility of all members of Area 43. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, or access to Area 43 facilities being withdrawn, or even a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the designated Data Protection Officer.

May 2024
