Privacy Notice and Data Protection Policy – Wonderful Things Ltd.
The aim of this policy is to ensure that Wonderful Things Ltd complies with the General Data Protection Policy (GDPR - May 2018) and builds on the established principles of the Data Protection Act (1998). The GDPR and EU principles of data protection and privacy affect personal data. They protect personal privacy, regulate how personal and sensitive personal data are controlled and processed and uphold individuals’ rights.
This policy states that personal information is dealt with properly and securely and in accordance with the GDPR. This policy is designed to be a working document, overseen by the directors of Wonderful Things Ltd, and reviewed regularly.
At Wonderful Things the controllers and processors of personal data are the Project Managers. The Data Protection Officer is Julia Ansell, and Wonderful Things Ltd is registered with the Information Commissioner’s Office (ICO).
Please note that where our processing of your personal data relies on your consent and where you then withdraw that consent, we may not be able to provide all or some aspects of our services to you and/or it may affect the provision of those services.
Data Protection Act 1998
The main principles of the Data Protection Act established that personal data must be:
- Processed in a manner which is fair and lawful.
- Used only for the manner in which it was intended to be used.
- Processed in a manner which is adequate, relevant and not excessive.
- Accurate and kept up to date.
- Not kept for longer than its intended purpose.
- Processed in accordance with the rights of the people the data is about.
- Protected by technical and organisational security measures.
- Not transferred to third countries outside the EU which do not guarantee an adequate measure of data protection.
1. What data do we hold?
Personal information is any information that relates to a living individual who can be identified from the information. It also applies to personal data held visually in photographs or video clips or as sound recordings.
Wonderful Things collects personal data related to:
- Information from parents/carers about children booked on for its activity days.
- Contact details for its Youth Volunteers.
- Information from its facilitators to ensure our safeguarding requirements are met.
- Email addresses for direct marketing to families about future events.
2. Why do we hold that data?
- To ensure we have up to date contact details for parents/carers of children attending our activity sessions, including any particular individual children’s needs, so that the children’s safety and wellbeing is maintained.
- To ensure we have up to date contact details for Youth Volunteers who are volunteering for us during our activity sessions and for additional sessions run for the volunteers, including an annual residential trip.
- We hold a single central record with details of our facilitators and their staff to ensure that we have seen evidence that they meet our safeguarding requirements before they deliver activities for us.
- We hold email addresses for families who have attended our activity days so that we can update them with future activity days that may be of interest to them.
3. What personal data do we collect and store?
- Information actively provided by parents / carers about children booked on for its activity days:
  - Child’s full name, gender, date of birth, home address, home telephone number.
  - Parents’ / carers’ name, address, telephone numbers, relationship to the child.
  - Parents’ / carers’ email address.
  - Name of parent / carer authorised to collect the child, password and password reminder.
  - Medical, special educational needs, behaviour needs information about the child.
  - The name of the child’s Primary School.
  - Permission for photographs / video to be taken (active opt out or in).
  - How the parent / carer heard about Wonderful Things.
  - How they would like to be contacted in future (active opt out or in).
- Contact details for its Youth Volunteers:
  - Volunteer’s full name, date and place of birth, home address, home telephone number, email address, school attended, language spoken, signature.
  - Referee’s full name, home address, telephone number.
  - Details of previous volunteering, other commitments affecting volunteering time, hobbies, interests and skills.
  - Statement of why they wish to volunteer with Wonderful Things.
  - Emergency contact’s full name, home address, telephone number.
  - Parent / carer’s signature.
- Information from its facilitators to ensure safeguarding requirements are met:
  - Facilitator’s name, date of birth, public liability insurance evidence, enhanced DBS details, signed Childcare Act Declaration of Disqualification form, details of safeguarding and first aid training (if required).
- Email addresses for direct marketing to families about future events:
  - Email addresses provided on the activity booking form and Youth Volunteer application form are used for future marketing following an active opt-in at booking stage.
4. Where do we store personal data?
- Electronic booking notifications received by email from our online SSL protected website.
- Paper registers held by the Project Managers in advance of activity days.
- Paper registers (child’s name only) in the activity day file.
- Paper record of parent / carer contact details (controlled access) in the activity day file.
- Paper record of sensitive personal data (controlled access) in the activity day file.
- Paper record of Youth Volunteers’ name and contact telephone number in the activity day file.
- A summary paper record (anonymous) of number of children and volunteers for the lead staff at the activity day.
- A summary paper record (named) of sensitive personal data required by the lead staff at the activity day.
- Parent / carer / volunteers’ email addresses at hello@wonderfulthings.org.uk and Wonderful Things email accounts held by the Project Managers.
- Paper application forms from Youth Volunteers in a central file.
- A single central record for safeguarding information in a central file.
- Personal data is personally transported by Project Managers in the activity day file to activity day locations.
- Personal data is stored on the Project Managers’ mobile device and laptop so that it is quickly accessible when required before, during and immediately after activity days and Youth Volunteer sessions.
- No data is shared with any third party organisations.
5. What about photographs and video?
- Parents / carers actively opt in or out of allowing photographs and video to be taken of their child at Wonderful Things.
- Permission is renewed at each booking.
- Wonderful Things has a separate policy on mobile devices and permissions for their use at its sessions.
6. How long do we keep personal data?
- Electronic booking forms are deleted 3 weeks after the activity day they relate to is completed.
- Paper registers are deleted 3 weeks after the activity day they relate to is completed.
- Personal and sensitive personal data are deleted 3 weeks after the activity day they relate to is completed.
- Youth Volunteer application forms are deleted 1 year after the volunteer last attended.
- Facilitator’s details are updated bi-annually.
- Photographs and video are deleted 1 year after they were created unless embedded into online content which has been released with permission and can no longer be controlled by Wonderful Things.
- Email addresses will be deleted once a parent / carer chooses not to opt in to email contact.
- Opt in consent to email contact will be refreshed annually in September.
7. How is personal data deleted and who ensures it is deleted?
- The Project Managers are data controllers with responsibility for ensuring data is deleted and that deletion is verified.
- Electronic data is transferred from the server to a Project Manager’s laptop regularly.
- Personal data and sensitive personal data is shredded and disposed of through domestic recycling.
- Electronic data is deleted and removed from the laptop / mobile devices’ memory permanently.
8. How can you access the personal data we hold about you?
- You can make a Subject Access Request by contacting the Data Protection Officer at Wonderful Things at 62 Haworth Avenue, Rawtenstall, Lancashire, BB4 8SS.
- You can ask to view the personal data we hold about you.
- You can ask to rectify any incorrect personal data held about you.
- You can object to the way we use your data and ask for your data to be removed at any time.
- We will respond to a Subject Access Request within one month.
- If you are unhappy with our control and processing of personal data you have provided to us then you can contact the ICO: https://ico.org.uk/for-the-public/ Tel: 0303 123 1113.
9. How will we monitor our Data Protection procedures to ensure we comply with the GDPR?
- Any data breach will be documented and investigated by the Chairperson of Wonderful Things who will report to the board of Directors to ensure the data breach is reviewed.
- The Data Protection Officer will report to all Directors at board meetings.
- All Directors will ensure up to date information, advice and procedures are shared at board meetings.
- Membership of the ICO will be maintained and its online support will be used.
- The Data Protection Policy will be viewed as a working document, to be reviewed as required and not less than annually in September.