
POINT - GDPR & Data Protection Policy - V8 - September 2023

Published by POINT, 2024-05-22 05:25:16


GDPR, Data Protection & Data Retention Policy

VERSION CONTROL
Version No: 8
Version Date: September 2023
Next Scheduled Review: September 2025

POINT is a Registered Charity: 1161596


From October 2020, POINT will summarise key policy amendments in the form of the revision table below. This acts as a reference guide to any updates made to policies including legislative changes.

| Version Number | Date of approval | Summary of key policy changes from previous version |
|---|---|---|
| 6 | 28.10.2020 | • Stripe online payment supplier added to provider table in section 3. • Section 7: This is now limited to the process for requesting deletion of information with the process for requesting the deletion of information (Right to Erasure) now detailed separately. • Section 8: This section has been added to detail process for requesting the deletion of information (Right to Erasure). |
| 7 | 15.10.2021 | • Policy review timeframe extended to biannually. Reviews will be brought forward where legislative changes are introduced. |
| 8 | 28.09.2023 | • No amendments made at policy review |


POINT respects your privacy and realises how important it is to you that your personal information remains secure. We hope that this policy statement will answer the questions that you may have about how we manage and protect your details, but if you have any questions which are not answered by this statement, please contact us on 0161 503 1547.

Your personal data is protected by UK legislation, specifically the General Data Protection Regulation (GDPR) as it applies in the UK, tailored by the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) 2003. We aim to exceed our legal obligations by following best practice and reviewing our procedures regularly. This means that POINT is a ‘data controller’.

We recognise that in the running of our business, we collect and process personal data from a variety of sources. This personal information is collated in several different formats including letters, emails, legal documents, employment records, operations records, images and statements. The personal data is held in both hard copy and electronic form.

1. What information will POINT collect about me, what is it used for, and how is it obtained?

Personal information is collected directly from you when you complete and return forms as part of communicating with POINT (for example: completing a membership form, consultation or feedback questionnaire), or when you provide information directly to a POINT representative (for example: during a telephone conversation or in person at one of our events).

We collect this information in order to:

1) Keep in touch with you and supply you with information relating to POINT’s work. This includes keeping you informed about issues that might potentially be of interest to you.
2) Identify key issues and themes which are then shared with partners to improve services.
3) To evaluate POINT’s work, through data monitoring and contract management processes.
The information which we collect in this way will typically include personal details provided by you, which may include your name, postal and email addresses and support needs. We will also sometimes obtain contact information indirectly from third parties.

In some cases, we may collect information that the Data Protection Act considers to be ‘sensitive’ (this could include details of ethnicity or religious beliefs or disability). Such information will only be collected and retained with your specific consent.

2. Will you ever share or sell my information?

We will not sell your information to third party organisations, and we do not share your personal information with third parties for their benefit without your prior consent.


3. How secure is the information which I give to you?

POINT takes the care of your data seriously and undertakes to protect your personal information in a range of ways.

POINT use a range of systems to deliver our services effectively. These include a database, email mailing system and survey system. These systems are provided by third party providers whose data servers are based in the UK or European Economic Area (EEA).

Our current list of providers is shown in the table below. This details what the system is used for, the likely data contained within the system and a direct link to their own data protection and data processing policies for your information.

| Name of provider | What is the system used for | Supplier data protection and processing policy |
|---|---|---|
| CharityLog | Database of service user files used to store personal details collected by POINT to deliver services effectively | https://www.charitylog.co.uk/privacy |
| SmartSurvey | • Consultations • Surveys • Service User Feedback & Evaluation • Online Data Collection Forums | https://www.smartsurvey.co.uk/privacypolicy |
| BreatheHR | Storage of Team HR data including employee personal data | https://www.breathehr.com/hrsoftware/security-reliability/ |
| Xero | Used for financial management including supplier, donor and partner information. This may include personal and business contact details | https://www.xero.com/uk/about/privacy/ |
| Mailchimp | Used for email marketing to service users, donors and partners. Data held is consent based and contains email addresses only | https://mailchimp.com/legal/privacy/ |
| Microsoft 365 | Used for business administrative purposes including Word, Excel, PowerPoint and POINT email functionality. | https://privacy.microsoft.com/enUS/privacystatement |
| OneDrive Cloud | Provides POINT data back-up via a cloud-based system. Back-up data may include business and personal information of service users, donors and partner organisations. | https://www.microsoft.com/en-us/trustcenter/privacy/gdpr-overview |
| Stripe | The secure payment platform used within our website for online order and donations | https://stripe.com/en-gb/privacy |

POINT ensures that all personal information is held securely whether manual or electronic and protects data against unauthorised or illegal use and against accidental loss, destruction or damage.

Steps we take to protect the personal data we hold include:

• GDPR/Data Protection training for all staff / volunteers and trustees.
• Locked filing cabinets.
• Password protected devices / cloud storage.
• Anti-virus software on all devices.
• Secure email encryption.
• Secure business premises; and
• Securely locked storage for paper records.

4. How long will you keep my information for?

We will retain your information for as long as you have an active relationship with POINT. If you cease to have an active relationship with us or request to receive no further contact, your data will be marked inactive and no further communications will be undertaken. POINT will however retain your casefile within our database for 7 years from the date that the relationship ends. Your information is kept solely for audit and compliance purposes.


5. Will my information ever go outside the UK?

Your data may be stored on data servers outside of the UK. Every care is taken to ensure that we only use data systems outside the UK if they are compliant with UK and European Economic Area data protection regulations.

In all instances, POINT adhere to all of the guiding principles relating to UK data protection legislation and are registered with the Information Commissioner's Office (ICO). The ICO guiding principles can be found in the following link for information: https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/

6. What if I want to limit or stop receiving messages from POINT?

You may opt out of receiving specific information and types of messages from us at any time and your request will be actioned immediately. You can do so by notifying us in writing using the contact details shown at the end of this policy.

7. How can I check or amend the information you hold about me?

You may contact us to correct inaccuracies you find in the data which we hold about you, or if you wish to receive no further information from us, at any point in time. This can be done using the contact details shown at the end of this policy. It will help us to update your information quickly if you include your full name and address together with details of the correction to be made.

8. How can I request the deletion of the information you hold about me?

You have the right to request the deletion of information that POINT hold about you at any time. Under data protection legislation this is known as the Right to Erasure. In some instances, there may be a lawful reason for us to retain some information about you, however in all instances POINT will act upon any requests made for deletion of your data and will respond promptly and in accordance with the standards set out by the Information Commissioner's Office.
For further information on your right to erasure, please visit the following link: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-law-enforcementprocessing/individual-rights/the-right-to-erasure-and-the-right-to-restriction/

You can request the deletion of your data either verbally or in writing and you will find our contact details at the end of this policy.


9. How do I request an information access report?

To request an information access report which details information we hold about you, please send your request in writing to the address shown at the end of this policy. We aim to issue an initial response to all enquiries within five working days, and will offer a full response to all information access requests within forty working days of receipt. POINT has waived its legal right to levy a fee for this service.

Points 9-11 apply specifically to POINT’s UK websites and Social Media Platforms.

10. What types of information do you collect through the website?

POINT collects both personal and statistical data relating to the use of the website.

11. How is this information collected?

POINT compiles data concerning the way in which the website is used through automated logging: this information does not identify how individuals are using the site. The information collected will include details of the IP address of your machine, the type of browser you are using, the operating system you are using, the time of your visit, the pages viewed, and any search queries you may make.

All other personal information is collected on a voluntary basis by means of any HTML forms which website visitors complete during their visit. Information submitted in this way is automatically entered onto our computer system.

The website privacy policy can be found in the following link for information: https://www.point-send.co.uk/privacy-policy

12. What about links to other websites?

The POINT website includes links to websites that are outside POINT’s control, and whose content is not the responsibility of POINT. Please note that when you click on links to other websites, we encourage you to read their privacy policies because their standards may differ from ours.

Any alterations to our policy on the collection or use of data will be posted on this website.


POINT is registered with the Information Commissioner's Office. Our unique registration number is ZA034658.

Our contact details for all correspondence relating to data protection are as follows:

Data Controller
POINT
Chadderton Court
451 Middleton Road
Chadderton
Oldham
OL9 9LB

