Data Protection Policy
Young Ones Clubs is committed to protecting personal data and this policy details how we implement that commitment with regard to the collection and use of personal data.
The use of all personal data by Young Ones Clubs is governed by:
• The General Data Protection Regulation (GDPR)
• The UK Data Protection Act 2018 (DPA)
• The Privacy and Electronic Communications Regulations (PECR)
Every member of staff has a responsibility to adhere to the Data Protection Principles outlined in the GDPR, and to this Data Protection Policy. If you have a question about this Data Protection Policy or an area of concern about data protection matters, please contact our Data Protection Officer (DPO). The DPO is Leah Jenkins-Trask.
To meet our commitment to data protection, the Club will:
• Notify the Information Commissioner’s Office that we hold personal data, unless exempt.
• https://ico.org.uk/registration/new (Accessed 27.10.16)
• Meet our legal obligations as laid down by the Data Protection Act 1998.
• Ensure that data is collected and used fairly and lawfully.
• Process personal data only in order to meet our operational needs or fulfil legal requirements.
• Take steps to ensure that personal data is up to date and accurate by requesting parents/carers to update the child details form when there are any changes and at least [enter time period e.g. annually].
• Establish appropriate retention periods for personal data.
• Provide adequate security measures to protect personal data.
Data Protection Principles
There are six Data Protection Principles defined in Article 5 of the GDPR. These require that all personal data be:
• processed in a lawful, fair and transparent manner
• collected only for specific, explicit and limited purposes (‘purpose limitation’)
• adequate, relevant and not excessive (‘data minimisation’)
• accurate and kept up-to-date where necessary
• kept for no longer than necessary (‘retention’).
• handled with appropriate security and confidentiality, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.
We are committed to upholding the Data Protection Principles. All personal data under our control must be processed in accordance with these principles.
1. All processing of personal data must meet one of the six lawful bases defined in Article 6(2) of the GDPR:
• Where we have the consent of the data subject
• Where it is in our legitimate interests and this is not overridden by the rights and freedoms of the data subject.
• Where necessary to meet a legal obligation.
• Where necessary to fulfil a contract, or pre-contractual obligations.
• Where we are protecting someone’s vital interests.
• Where we are fulfilling a public task, or acting under official authority.
• Nominate a designated person who is responsible for data protection compliance and is the point of contact for all data protection issues.
• Provide adequate training for all staff responsible for personal data.
• Operate a confidentiality policy.
• Ensure that everyone handling personal data knows where to find further guidance.
What sort of information is held?
Typically, (Name of Club) holds the following information to allow it to conduct its business:
1. Children and Parents
• Children’s personal details
• Parents/Carers personal details
• Records of any medicine administered.
• Personal identifiers e.g. payroll number, name, address, current marriage or partnership status, immigration status, public offices held, complaint, incident and/or accident details, academic record, qualifications and skills, membership of professional bodies, disabilities, racial and ethnic origin.
3. Daily records of attendance of staff and children.
4. Compliments and complaints
5. Records of accidents, serious illnesses and other significant events.
6. Records of people who visit the Club.
7. Payment records such as invoices, accounts, receipts, pay slips.
8. Minutes of meetings held (staff and committee); insurance details, constitution/articles of memorandum.
Who else is the information shared with or obtained from?
The Club is legally obliged to share certain information with:
• Social Services
• Care Inspectorate Wales (CIW), with personal and other information in accordance with The Child Minding and Day Care (Wales) Regulations 2010 (Regulation 31 and Schedule 4) and the National Minimum Standards for Regulated Childcare (Standard 21: ‘Notification of significant events’), and in order to comply with other regulations such as health and safety law.
Where appropriate, information may be gathered from and shared, on legitimate request, with the following:
• Employers – past, present and prospective.
• Home Office.
• Local Authorities and Health Authorities.
• The Courts.
• Clybiau Plant Cymru Kids’ Clubs’ legal representatives in the case of grant funding.
• Trade unions e.g. to confirm membership.
• Awarding Organisations
• Records kept about children who attend our Club are kept completely confidential and will be retained for 3 years after the last date on which the child attends the Club.
• Parents/carers are able to view the records kept on their children on request, except where a child’s welfare is deemed to be at risk in line with our confidentiality policy.
• Records are also kept on each member of staff working or volunteering at the Club. These are kept confidential and will be kept on record for a minimum of 3 years after the last day of employment.
• Minutes, accounts, invoices, receipts, assets list, accident and incident book etc. are kept safely for 7 years.
• Other obligations and organisations, such as grant terms and conditions, CIW, the Health and Safety Executive, insurers and safeguarding agencies, may also define how long certain records are kept.
• The Employer’s Liability insurance certificate must be retained for 40 years.
The Club protects personal data from unauthorised and unlawful use by:
• Storing data in a lockable cupboard/storage with restricted access.
• Ensuring all staff, management, volunteers/students sign that they have read, accepted and implemented the confidentiality policy. Any breach of confidentiality is investigated immediately and the issue dealt with in accordance with the disciplinary procedure.
• Minimising data sharing on a need-to-know basis.
• Restricting access to electronic records held on the computer by implementing technical security such as a password system.
• Ensuring safe storage of any laptop/computer used for storing data.
• Destroying obsolete paper records securely by shredding or using a confidential waste service which provides certificates of destruction.
• Securely and permanently erasing electronic records.
• Ensuring there is no data remaining before disposing of or recycling any computers. Securely and permanently erasing data stored on other media such as memory sticks, CD-ROM, audio tape, video tape, etc.
Rights of Data Subjects
Under data protection laws, data subjects have certain rights:
• Right to be informed. The right to be told how their personal data is used in clear and transparent language.
• Right of access. The right to know and have access to the personal data we hold about them. Any request in respect of these rights should preferably be made in writing to [email protected] but we will also accept verbal requests.
• Right to data portability. The right to receive their data in a common and machine-readable electronic format.
• Right to be forgotten. The right to have their personal data erased.
• Right to rectification. The right to have their personal data corrected where it is inaccurate or incomplete.
• Right to object. The right to complain and to object to processing.
• Right to purpose limitation. The right to limit the extent of the processing of their personal data.
• Rights related to automated decision-making and profiling. The right not to be subject to decisions without human involvement.
We will uphold individuals’ rights under data protection laws and allow them to exercise their rights over the personal data we hold about them. Privacy information will acknowledge these rights and explain how individuals can exercise them. Most rights are not absolute, and the individual will be able to exercise them depending on the circumstances, and exemptions may apply in some cases.
We will respond to the request within one month from the date of request or being able to identify the person, unless it is particularly complex (in which case we will respond in no longer than 90 days). Information may be withheld under the following circumstances:
• for the prevention, detection or investigation of a crime
• national security or the armed forces
• the assessment or collection of tax
• judicial or ministerial appointments
Under current regulations, Young Ones Clubs is not obliged to say why we are withholding this information.
There is no fee for facilitating a request, unless it is ‘manifestly unfounded or excessive’, in which case administrative costs can be recovered. Requests that are ‘manifestly unfounded or excessive’ can be refused.
We will take reasonable measures to require individuals to prove their identity where it is not obvious that they are the data subject.
The DPO will ensure that required actions are taken and that the appropriate response is facilitated within the deadline.
The DPO will draw up procedures for responding to requests where necessary, for example, for facilitating Subject Access Requests.
Reporting of Breaches
1. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach could include:
• loss or theft of devices or data, including information stored on USB drives or on paper
• hacking or other forms of unauthorised access to a device, email account, or the network
• disclosing personal data to the wrong person, through wrongly addressed emails, or bulk emails that inappropriately reveal all recipients’ email addresses
• alteration or destruction of personal data without permission
3. Where a member of staff discovers or suspects a personal data breach, this should be reported to the DPO as soon as possible.
4. Where there is a likely risk to individuals’ rights and freedoms, the DPO will report the personal data breach to the ICO within 72 hours of the organisation being aware of the breach.
5. Where there is also a likely high risk to individuals’ rights and freedoms, Young Ones Clubs will inform those individuals without undue delay.
6. The DPO will keep a record of all personal data breaches reported, and follow up with appropriate measures and improvements to reduce the risk of recurrence.