Our contact details:
The Lewy Body Society
Unity House, Westwood Park, Wigan, WN3 4HE
Date of Policy: May 2022 | Review Date: May 2024
The Lewy Body Society is committed to protecting the personal data of our stakeholders and fulfilling our obligations under UK data protection legislation. This policy sets out the charity's commitment to data protection and how we comply with key legislation.
This policy applies to all individuals whose personal data is processed by The Lewy Body Society, including:
Legislation and guidance
This policy meets the requirements of the UK General Data Protection Regulation (UK-GDPR), the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR). In addition, guidance published by the Information Commissioner's Office (ICO) has been taken into account.
Personal data
Any information relating to an identified or identifiable individual. Examples include a name or a unique reference number.
It may also include factors specific to the individual's physical, physiological, genetic, mental, economic, cultural or social identity.
Special categories of personal data
Personal data which is more sensitive in nature and therefore needs more protection. This can typically be categorised into information about an individual’s:
– Racial or ethnic origin
– Political opinions
– Religious or philosophical beliefs
– Trade union membership
– Biometrics (such as fingerprints, retina and iris patterns), where used for identification purposes
– Health – physical or mental
– Sex life or sexual orientation & gender
Processing
The lifecycle of personal data, i.e. what an organisation does with that data, including:
– Adapting / Altering
– Erasing / Destroying
Processing can be automated or manual.
Data subject
The identified or identifiable individual whose personal data is being processed.
Data controller
A person or organisation that determines the purposes and means of processing personal data.
Data processor
A third party that processes personal data on behalf of the data controller. Examples include contractors and suppliers of services.
Personal data breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
The Lewy Body Society is the Data Controller for all personal data processed by the charity, which means we are ultimately responsible for how that data is processed and make the decisions relating to it. As a charity, we are not currently obliged to register with the ICO or pay the annual fee; this is reviewed annually using the ICO's registration self-assessment tool available here: https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/
The Board of Trustees holds overall responsibility for data protection compliance within the charity and makes any key decisions regarding the processing of personal data.
The charity is not currently required to register an official Data Protection Officer with the ICO; however, we have appointed an individual responsible for data protection within our organisation. Jacqueline Cannon is the data protection representative (DPR) for the charity and is responsible for the day-to-day implementation of policies and procedures. The DPR is the charity's first point of contact for any questions related to this policy or data protection and can be contacted using the following details:
T: 01942 914 000 | E: email@example.com
All staff, contractors and volunteers working on behalf of our charity have a responsibility to comply with this policy when processing personal data. We also ask that individuals inform us of any changes to their own personal data, such as a change of address, to ensure our records are accurate.
In addition, we ask that all individuals working on our behalf notify the charity without undue delay if one or more of the following circumstances occur:
The Lewy Body Society ensures that all individuals working with the charity understand their obligations and the charity's commitment to keeping data secure. Staff who do not comply with this policy may face disciplinary action.
Data protection principles
The UK-GDPR outlines six key principles that all organisations must comply with. Below we have outlined our commitments:
The charity does not currently process special categories of personal data. Should this change, this policy will be updated to incorporate the additional conditions that we need to meet from the UK-GDPR and DPA.
Where consent is applicable, all individuals are informed of their right to withdraw consent and provided with instructions on how to do so.
Please note that the principles are numbered for reference purposes only; all principles are equal, and no one principle is more important than another.
The UK-GDPR sets 'accountability' as the overarching principle that binds together the six key principles outlined above. Organisations should be able to effectively demonstrate compliance with the key principles of the UK-GDPR. The charity complies with the accountability principle by maintaining up-to-date records of data protection compliance, including details of decisions made, logs of consent, information requests and data breaches, and by implementing key policies and procedures.
How we comply with the key principles of the UK-GDPR and demonstrate accountability
The Lewy Body Society has compiled a 'Record of Processing Activities' containing an inventory of the personal data that we process. This forms the basis of our data protection strategy and outlines the following information:
This document is reviewed on an annual basis, or sooner should the charity engage in a new processing activity, or an amendment is required.
Privacy Notices have been formulated to inform data subjects how and why we process their personal data; these are issued prior to any processing taking place and stored in accessible locations. They are reviewed on an annual basis. Personal data will not be processed for any new purpose unless the individual has been informed and consent sought where applicable.
Staff, Contractors & Volunteers are provided with a privacy notice and agree that only personal data necessary to perform their role is processed. Access to personal data is only granted if it is necessary for the performance of their role.
Any data shared with third parties will be clearly highlighted in the relevant privacy notice; compliance checks will be performed where necessary on Data Processors to ensure they maintain the high levels of compliance and security expected by The Lewy Body Society.
The charity will update personal data promptly if an individual advises that their information has changed or is inaccurate. In addition, the email marketing system used for newsletters informs the charity if any correspondence is undeliverable or if an individual has unsubscribed; the relevant data is then securely deleted automatically.
An annual check is performed on all personal data held within filing systems to ensure it is not kept for longer than necessary. Paper records are securely shredded and electronic records securely deleted, in line with the charity's retention schedule.
Procedures have been put in place to cover the rights of individuals set out in the UK-GDPR; logs are also in place to record any information requests. Similarly, the charity has put measures in place outlining steps in the event of a data breach along with a log to record all breaches. Logs are reviewed on an annual basis to assess any areas for improvement.
The charity reviews its security and confidentiality measures on a regular basis; key steps include limiting access to personal information to only those staff and contractors who need it to perform their role. All electronic systems are password protected and regular backups are performed, whilst paper documentation is kept within a locked cupboard in a locked room with limited access. Paper documentation is converted to electronic form where possible.
Rights of Individuals
Individuals have several rights in relation to their personal data under the UK-GDPR which are outlined below along with the process the charity will follow to effectively meet those rights:
Right of Access
Commonly referred to as a ‘Subject Access Request’ (SAR); individuals have a right to gain access to the personal data that an organisation processes. Individuals have a right to ask the following:
The Lewy Body Society asks that all SARs are submitted in writing, either by letter or email, to the charity's representative for data protection. Requests should include:
Any individual employed in a working capacity for the charity who receives a request for personal information, no matter the method or format, should forward it immediately to the charity's representative for data protection.
The charity reserves the right to verify the identity of the individual making the request.
Unless specified otherwise, copy data will be provided in electronic format and sent via a password protected email. We ask that a proof of receipt is provided for our records.
The charity will keep a log of all SARs including:
Other data protection rights of individuals
Individuals have the right to:
Individuals that wish to exercise any of these rights should do so in writing or contact us using the following details:
The Lewy Body Society
Unity House, Westwood Park, Wigan, WN3 4HE
A response to all requests will be provided within one calendar month unless the request is deemed complex, in which case a two-calendar-month extension may apply. The charity will, however, inform individuals of any extension within one calendar month of the request.
All responses will include a cover letter outlining whether the charity has been able to fulfil the request in full, part or not at all. Explanations will be provided if the charity is unable to meet any part of a request.
The Lewy Body Society will not charge a fee unless the request is deemed manifestly unfounded or excessive, in which case an administrative fee may apply. Manifestly unfounded or excessive requests may be refused.
If an individual is unhappy with how the charity has dealt with a request, we ask that they contact us in the first instance so that we can help resolve their complaint. Individuals also have a right to complain to the ICO using the following details: https://ico.org.uk/make-a-complaint/data-protection-complaints/
As part of our fundraising activities, The Lewy Body Society uses images of individuals with their consent; images include photographs and videos.
The charity will gain written consent for the use of all images, and we will clearly outline how and why the image(s) will be used and if they will be shared on any third-party platforms including social media, the charity or partner websites or on printed publications.
Images will only be accompanied by an individual’s name if consent has been provided.
Consent can be refused or withdrawn at any time. If consent is withdrawn, we will delete the image and not distribute it further. Consent can be withdrawn by contacting the charity directly or by unsubscribing from our emails.
Data protection by design and default
We will put measures in place to show that we have integrated data protection into all of our data processing activities, including:
Data security and storage of records
We will protect personal data and keep it safe from unauthorised or unlawful access, alteration, processing, or disclosure, and against accidental or unlawful loss, destruction or damage.
Personal data that is no longer needed will be disposed of securely. Personal data that has become inaccurate or out of date will also be disposed of securely, where we cannot or do not need to rectify or update it. Paper records will be shredded whilst electronic records will be overwritten or securely deleted.
Personal Data Breaches
The Lewy Body Society will make all reasonable endeavours to ensure that there are no personal data breaches. In the unlikely event of a suspected data breach, we ask that individuals report it to the DPR without undue delay so that the breach can be assessed accordingly. Reporting breaches as soon as possible helps the charity to mitigate any potential impact.
Data breaches that are deemed reportable to the ICO will be reported within 72 hours, and Data Subjects will be informed where necessary. The charity will report to the ICO using the following link: https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/
Records of all data breaches will be kept as a point of reference and method of improving practices.
The DPR is responsible for monitoring and reviewing this policy. This policy will be reviewed every 2 years, or sooner if any fundamental change in legislation occurs. The reviewed policy will be shared with the full Trustee board.