LOWESTOFT SHOPMOBILITY DATA PROTECTION AND GDPR POLICY

---

INTRODUCTION

1. Lowestoft Shopmobility, hereinafter referred to as the Organisation, needs to keep certain information about its employees, trustees, volunteers, members, clients and other members of the public to enable it to monitor performance and achievements.  It is also necessary to process information so that staff can be recruited and paid, activities organised and legal obligations to funding bodies and government fulfilled. 

We collect information in order to assist customers with the hire of mobility scooters, powered wheelchairs, manual wheelchairs and other mobility items. It is used only for that purpose and never shared with third parties. This information is stored on computer and on paper hire forms kept in a secure manner. Computer held records are deleted and paper hire forms are shredded, when they are no longer needed.

2. All personal data collected by us is held and safeguarded in compliance with the General Data Protection Regulation legislation 2018, and with the Data Protection Principles which state that data must be:

i. obtained and processed fairly and lawfully;

ii. obtained for a specified and lawful purpose and not processed in any manner incompatible with that purpose;

iii. adequate, relevant and not excessive for that purpose;

iv. accurate and kept up to date;

v. not be kept for longer than is necessary;

vi. not be passed on to any third-party organisations;

vii. processed in accordance with the data subject's rights;

viii. kept safe from unauthorised access, accidental loss or destruction;

ix. not be transferred to any other country unless that country has equivalent levels of protection for personal data.

3. All the Organisation’s staff and volunteers who process or use any Personal Information must ensure that they follow these principles at all times. In order to ensure that this happens, the Organisation has adopted this Data Protection Policy.

4. Any member of staff, trustee or volunteer, who considers that this policy has not been followed in respect of personal data about him/herself, should raise the matter with the Designated Data Controller initially. If the matter is not resolved it should be raised as a formal grievance.

NOTIFICATION OF DATA HELD AND PROCESSED

5. All employees, trustees, volunteers, members, clients and other members of the public have the right to:

· know what information the Organisation holds and processes about them and why;

· know how to gain access to it;

· know how to keep it up to date;

· know what the Organisation is doing to comply with its obligations under the Act.

THE DATA CONTROLLER AND THE DESIGNATED DATA CONTROLLERS

6. The Organisation as a Charity is the Data Controller under the Act, and the organisation is therefore ultimately responsible for implementation. However, Designated Data Controllers will deal with day to day matters.

7. The Organisation has one Designated Data Controller who is the Coordinator.

INFORMATION HELD

8. Personal Information is defined as any details relating to a living, identifiable individual. Within the Organisation this applies to employees, trustees, volunteers, members, clients and other members of the public such as job applicants and visitors. We need to ensure that information relating to all these people is treated correctly and with the appropriate degree of confidentiality.

9. The Organisation holds Personal Information in respect of its employees, trustees, volunteers, members, clients and other members of the public. The information held may include an individual’s name, postal, e-mail and other addresses, telephone and mobile phone numbers, subscription details, organisational roles and membership status.

10. Personal Information is kept in order to enable the Organisation to understand the history and activities of individuals or organisations within the voluntary and community sector and to effectively deliver services to its members and clients.

11. Some Personal Information is defined as Sensitive Data and needs to be handled with special care.

PROCESSING OF PERSONAL INFORMATION

12. All staff and volunteers who process or use any Personal Information are responsible for ensuring that:

· Any Personal Information which they hold is kept securely; and

· Personal Information is not disclosed either orally or in writing or otherwise to any unauthorised third party.

13. Staff and volunteers should note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases.

14. Personal information should be:

· kept in a locked filing cabinet; or

· in a locked drawer; or

· if it is computerised, be password protected.

COLLECTING INFORMATION

15. Whenever information is collected about people, they should be informed why the information is being collected, who will be able to access it and to what purposes it will be put. The individual concerned must agree that he or she understands and gives permission for the declared processing to take place, or it must be necessary for the legitimate business of the Organisation.

PUBLICATION AND USE OF THE ORGANISATION’S INFORMATION

16. The Organisation aims to make as much information public as is legally possible. In particular information about the Organisation staff, trustees and members will be used in the following circumstances:

· The Organisation may obtain, hold, process, use and disclose information in connection with the administration, management and business activities of the Organisation, including making and keeping lists of members and other relevant organisations.

· The Organisation may publish information about the Organisation by means of newsletters or other publications.

· Names of staff will be published and on the website.

· Photographs of staff may be displayed at the Organisation or placed on the website with their consent.

 · The Organisation’s staff and trustee contact list will not be a public document and information such as mobile telephone numbers or home contact details will not be given out, unless prior agreement has been secured with the person in question.

17. Any individual who has good reason for wishing details in these lists or categories to remain confidential should contact the Designated Data Controller.

RETENTION OF DATA

18. The Organisation will keep some forms of information for longer than others. In general, information about clients will be kept for a maximum of 7 years after they use the service.

19. The Organisation will also need to retain information about staff. In general, all information will be kept for six years after a member of staff leaves the Organisation.