Data Protection and Retention Policy
Purpose of the policy
The Childhood Trust (thereafter referred to as ‘TCT’, also ‘We’, ‘us’, ‘our’) relies heavily on the information it collects and holds to fulfil its aims, objectives, and obligations. Information relating directly to people (personal data) is an essential asset which must be properly managed in order to deliver efficient and effective services, ensure legal compliance, and to protect TCT’s reputation as a responsible organisation.
TCT is committed to complying with privacy and data protection laws including:
(a) The UK General Data Protection Regulation (“the UK GDPR”) and any related legislation which applies in the UK, including, without limitation, any legislation derived from the Data Protection Act 2018;
(b) the Privacy and Electronic Communications Regulations (2003) and any successor or related legislation, including without limitation, E-Privacy Regulation 2017/0003; and
(c) all other applicable laws and regulations relating to the processing of personal data and privacy, including statutory instruments and, where applicable, the guidance and codes of practice issued by the Information Commissioner’s Office (“ICO”) or any other supervisory authority.
(together “the Legislation”)
This policy has been updated to reflect changes to Data Protection law following the UK’s withdrawal from the EU and makes reference to the UK GDPR (derived from the Data Protection Act 2018) which replaces the EU GDPR in UK law. The DPA 2018 sets out the framework for data protection law in the UK.
It updates and replaces the Data Protection Act 1998 and came into effect on 25 May 2018. It was amended on 01 January 2021 by regulations under the European Union (Withdrawal) Act 2018, to reflect the UK’s status outside the EU.
This policy sets out what we do to protect individuals’ personal data. Anyone who handles personal data in any way on behalf of TCT must ensure that we comply with this policy. Section 3 of this policy describes what comes within the definition of “personal data”. Any breach of this policy will be taken seriously and may result in disciplinary action or more serious sanctions.
This policy may be amended from time to time to reflect any changes in legislation, regulatory guidance or internal policy decisions.
About this policy
The types of personal data that we may handle include details of: Donors, grant applicants, trustees, staff, supporters, volunteers, community programme beneficiaries, and other stakeholders.
The Head of Operations is the Data Manager at TCT and is responsible for overseeing compliance with the UK GDPR and with this policy. Any questions or concerns about this policy should be referred in the first instance to the Data Manager who can be contacted via TCT’s office.
Policy Implementation
The policy will be implemented by and monitored by the Chief Executive. In implementing the policy, the aim will be to ensure that:
- There is appropriate training for all staff whose duties include the management of personal data
- Staff managing personal information receive adequate supervision
- Personal data collection methods are adequately managed and regularly assessed/evaluated
- Overall TCT data protection standards are regularly assessed and evaluated
Any member of staff, Board, Grant Applicant or other stakeholder who considers that this policy has not been followed in respect of personal data about him/herself, should raise the matter with the Data Manager. If the matter is not resolved it should be raised as a formal grievance, following TCT’s Complaints Policy.
In meeting its objectives, this policy is supported by other TCT policies. All policies are approved by the Board of Trustees with the aim of securing compliance with one or more of the eight data protection principles contained in the Act.
Definitions of data protections terms
The following terms will be used in this policy and are defined below:
Data Subjects include all living individuals about whom we hold personal data, for instance an employee or a supporter. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.
Personal Data means any information relating to a living person who can be identified directly or indirectly from that information (or from that information and other information in our possession). Personal data can be factual (such as a name, address or date of birth) or it can be an opinion (such as a performance appraisal). It can also include an identifier such as an identification number, location data, an online identifier specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Data Controllers are the people who, or organisations which, decide the purposes and the means for which, any personal data is processed. They have a responsibility to process personal data in compliance with the Legislation. TCT is the data controller of all personal data that we manage in connection with our work and activities.
Data Processors include any person who processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition but it could include other organisations such as website hosts, fulfilment houses or other service providers which handle personal data on our behalf.
European Economic Area (EEA) includes all countries in the European Union as well as Norway, Iceland and Liechtenstein.
ICO means the Information Commissioner’s Office (the authority which oversees data protection regulation in the UK). TCT is registered with the ICO as a data controller.
Processing is any activity that involves use of personal data, whether or not by automated means. It includes but is not limited to:
collecting; recording; organising; structuring; storing; adapting or altering; retrieving; disclosing by transmission; disseminating or otherwise making available; alignment or combination; restricting; erasing; or destruction of personal data.
Sensitive Personal Data (which is defined as “special categories of personal data” under the UK GDPR) includes information about a person’s:
a) racial or ethnic origin;
b) political opinions;
c) religious, philosophical or similar beliefs;
d) trade union membership;
e) physical or mental health or condition;
f) sexual life or orientation;
g) genetic data;
h) biometric data; and
Such other categories of personal data as may be designated categories or personal data under the legislation categorized as ‘special’.
Data protection principles
Anyone processing personal data must comply with the six data protection principles set out in the UK GDPR. TCT is required to comply with these principles (summarised below), and show that we comply, in respect of any personal data that we deal with as a data controller.
Personal data should be:
a) processed fairly, lawfully and transparently;
b) collected for specified, explicit and legitimate purposes and not further processed in a way which is incompatible with those purposes;
c) adequate, relevant and limited to what is necessary for the purpose for which it is held;
d) accurate and, where necessary, kept up to date;
e) not kept longer than necessary; and
f) processed in a manner that ensures appropriate security of the personal data.
Processing data fairly and lawfully
The first data protection principle requires that personal data is obtained fairly and lawfully and processed for purposes that the data subject has been told about. Processing will only take place under one of the legal basis’ set out in the legislation.
To comply with this principle, every time we receive personal data about a person directly from that individual, which we intend to keep, we will provide them with our Privacy Policy. Our Privacy Policy is designed to be clear, digestible and easily accessible.
When we receive personal data we state the following, via the Privacy Policy or supplementary information:
a) the type of information we collect;
b) how we hold information;
c) why we are collecting their information and what we intend to do with it;
d) that we have considered the legal basis for collecting their information;
e) the period for which their personal data will be stored;
f) whether their personal data will be shared with third parties; and
g) a list of their rights as data subjects
They also will be told whether the provision of their personal data is part of a statutory or contractual obligation and details of the consequences of the data subject not providing that data.
Where we obtain personal data about a person from a source other than the person his or herself, we must provide that individual with the following information in addition to that listed under 5.2 above:
a) the categories of personal data that we hold; and
b) the source of the personal data and whether this is a public source.
Processing data for the original purpose
The second data protection principle requires that personal data is only processed for the specific, explicit and legitimate purposes that the individual was told about when we first obtained their information.
This means that we should not collect personal data for one purpose and then use it for another. If it becomes necessary to process a person’s information for a new purpose, the individual should be informed of the new purpose beforehand. For example, if we collect personal data such as a contact number or email address, in order to update a person about our activities it should not then be used for any new purpose, for example to share it with other organisations for marketing purposes, without first getting the individual’s consent.
Personal data should be adequate and accurate
The third and fourth data protection principles require that personal data that we keep should be accurate, adequate and relevant. Data should be limited to what is necessary in relation to the purposes for which it is processed. Inaccurate or out-of-date data should be destroyed securely. Staff members take personal responsibility to update any data they find to be inaccurate or will report it to the salesforce administrator for action.
Not retaining data longer than necessary
The fifth data protection principle requires that we should not keep personal data for longer than we need to, for the purpose it was collected for. This means that the personal data we hold should be destroyed or erased from our systems when it is no longer needed.
The below table sets out our types of data and their retention period.
Once data has passed its retention period, we will ensure that it is securely deleted or anonymised where possible.
| Type of Data | Retention Period | Reason for Retention |
| Personal details of donors | 7 years from the last donation or interaction | To manage donations, fundraising campaigns, and maintain tax records. |
| Volunteer information | 5 years after the end of volunteer activity | To comply with safeguarding and employment law requirements. |
| Community Programme Beneficiary details and Safeguarding records | 10 years from the last interaction or case closure | To comply with child protection regulations and legal obligations. |
| General fundraising communications | 5 years after last engagement or opt-out | To ensure compliance with GDPR requirements regarding consent. |
| Employee records | 7 years after termination of employment | To meet legal and financial record-keeping obligations. |
| Board of Trustees meeting minutes | Permanent | To comply with charity governance and legal requirements. |
| Grant application records | 5 years from the date of the final grant payment | To comply with funding agreements and regulatory requirements. |
| Financial Information | 5 years from the date of final transaction | To comply with tax, financial auditing and reporting compliance |
| Marketing communications consent data | 5 years from the last engagement or until opt out |
To ensure compliance with GDPR requirements regarding consent.
|
In some cases, The Childhood Trust may retain data beyond the usual retention period if:
a) required by law;
b) Needed for historical purposes or programme monitoring (e.g. long-term impact studies); and
c) Explicit consent from the individual has been obtained to retain data for an extended period of time.
In other cases, the childhood trust may choose to shorten the retention period, and for those who are elderly or with life shortening conditions this would usually be less than 5 years.
Rights of individuals under UK GDPR
The UK GDPR gives people rights in relation to how organisations process their personal data. They include (but are not limited to) the right:
a) to request a copy of any personal data that TCT holds about them (as data controller), as well as a description of the type of information that we are processing, the uses that are being made of the information, details of anyone to whom their personal data has been disclosed, and how long the data will be stored (known as subject access rights);
b) to be told, where any information is not collected from the person directly, any available information as to the source of the information;
c) to be told of the existence of automated decision-making;
d) to object to the processing of data where the processing is based on either the conditions of public interest or legitimate interests;
e) to have all personal data erased (the right to be forgotten) unless certain limited conditions apply;
f) to restrict processing where the individual has objected to the processing;
g) to have inaccurate data amended or destroyed; and
h) to prevent processing that is likely to cause unwarranted substantial damage or distress to themselves or anyone else.
Data Security
The sixth data protection principle requires that TCT keeps personal data secure.
Refer to TCT’s IT Policy for information on:
a) how TCT holds digital data securely;
b) how staff process personal and sensitive data securely and responsibly;
c) how staff use data when away from the office premises;
d) how data breach risks are minimised;
e) how compromises of data, data misuse or data loss are reported;
f) backing-up data and recovering lost data
The Board of Trustees is responsible for the risk assessment of potential data breaches, considering the likelihood of the breach and the impact it would have on the reputation of TCT and the data subjects involved, in order for the staff team to implement mitigating action.
In the office, any cabinets, desks or other storage for hard copy personal data must be kept locked when not in use. Only staff with authorisation from the CE can access locked storage.
Transferring Data outside the UK and EEA
Currently TCT has no need to transfer data outside of the EEA. If this situation changes, we commit to complying to the relevant legislation.
Processing sensitive personal data
On some occasions we may collect information about individuals that is defined by the UK GDPR as ‘special categories of personal data’, and special rules will apply to the processing of this data. In this policy we refer to “special categories of personal data” as “sensitive personal data”. The categories of sensitive personal data are set out in the definition under section 4.
Purely financial information is not technically defined as sensitive personal data by the UK GDPR. However, particular care should be taken when processing such data, as the ICO will treat a breach relating to financial data very seriously.
In order to process sensitive personal data, we must obtain explicit consent from the individuals involved and provide them with the processing information.
TCT need to process sensitive personal data in order to administer grants to our charity partners. See TCT’s Grant Making Policy for details on how such grants are administered.
Gathering Consent
We have very clear consent guidelines at The Childhood Trust, and our consent standards are transparent and empathetic. This includes understanding on Enhanced Consent and the Capacity to Consent. To read these guidelines, you can contact our communications team.
Notification
We recognise that whilst there is no obligation for us to make an annual notification to the ICO under the UK GDPR, we will consult with the ICO where necessary when we are carrying out “high risk” processing.
We will report breaches (other than those which are unlikely to be a risk to individuals) to the ICO where necessary, within 72 hours. We will also notify affected individuals where the breach is likely to result in a high risk to the rights and freedoms of these individuals.
Review
The effectiveness of this policy will be reviewed every two years by the Head of Operations and approved by the Board of Trustees.