
POINT - GDPR & Data Protection Policy - V6 - October 2020

Published by POINT, 2020-10-28 20:57:21


GDPR, Data Protection & Data Retention Policy

VERSION CONTROL
Version No: 6
Version Date: October 2020
Next Scheduled Review: October 2021

POINT is a Registered Charity: 1161596

From October 2020, POINT will summarise key policy amendments in the form of the revision
table below. This acts as a reference guide to any updates made to policies including legislative
changes.

Version Number: 6
Date of approval: 28.10.2020
Summary of key policy changes from previous version:

• Stripe online payment supplier added to provider table in section 3.

• Section 7: This is now limited to the process for requesting deletion
of information with the process for requesting the deletion of
information (Right to Erasure) now detailed separately.

• Section 8: This section has been added to detail process for
requesting the deletion of information (Right to Erasure).


POINT respects your privacy and realises how important it is to you that your personal
information remains secure. We hope that this policy statement will answer the questions that
you may have about how we manage and protect your details, but if you have any questions
which are not answered by this statement, please contact us on 0161 503 1547.

Your personal data is protected by UK legislation, specifically the General Data Protection
Regulation (GDPR) as it applies in the UK, tailored by the Data Protection Act 2018 and the
Privacy and Electronic Communications (EC Directive) 2003. We aim to exceed our legal
obligations by following best practice and reviewing our procedures regularly.

This means that POINT is a ‘data controller’. We recognise that in the running of our business, we
collect and process personal data from a variety of sources. This personal information is collated
in several different formats including letters, emails, legal documents, employment records,
operations records, images and statements. The personal data is held in both hard copy and
electronic form.

1. What information will POINT collect about me, what is it used for, and how
is it obtained?

Personal information is collected directly from you when you complete and return forms as part
of communicating with POINT (for example, completing a membership form, consultation or
feedback questionnaire), or when you provide information directly to a POINT representative (for
example, during a telephone conversation or in person at one of our events).

We collect this information in order to:

1) Keep in touch with you and supply you with information relating to POINT’s work. This includes
keeping you informed about issues that might potentially be of interest to you.

2) Identify key issues and themes which are then shared with partners to improve services.

3) Evaluate POINT’s work, through data monitoring and contract management processes.

The information which we collect in this way will typically include personal details provided by
you, which may include your name, postal and email addresses and support needs. We will also
sometimes obtain contact information indirectly from third parties.

In some cases, we may collect information that the Data Protection Act considers to be ‘sensitive’
(this could include details of ethnicity or religious beliefs or disability). Such information will only
be collected and retained with your specific consent.

2. Will you ever share or sell my information?

We will not sell your information to third party organisations, and we do not share your personal
information with third parties for their benefit without your prior consent.


3. How secure is the information which I give to you?

POINT takes the care of your data seriously and undertakes to protect your personal information
in a range of ways.

POINT use a range of systems to deliver our services effectively. These include a database, email
mailing system and survey system. These systems are provided by third party providers whose
data servers are based in the UK or European Economic Area (EEA).

Our current list of providers is shown in the table below. This details what the system is used for,
the likely data contained within the system and a direct link to their own data protection and data
processing policies for your information.

Name of provider: CharityLog
What is the system used for: Database of service user files used to store personal details
collected by POINT to deliver services effectively.
Supplier data protection and processing policy: https://www.charitylog.co.uk/privacy

Name of provider: SmartSurvey
What is the system used for:
• Consultations
• Surveys
• Service User Feedback & Evaluation
• Online Data Collection Forums
Supplier data protection and processing policy: https://www.smartsurvey.co.uk/privacy-policy

Name of provider: BreatheHR
What is the system used for: Storage of Team HR data including employee personal data.
Supplier data protection and processing policy: https://www.breathehr.com/hr-software/security-reliability/

Name of provider: Xero
What is the system used for: Used for financial management including supplier, donor and
partner information. This may include personal and business contact details.
Supplier data protection and processing policy: https://www.xero.com/uk/about/privacy/

Name of provider: Mailchimp
What is the system used for: Used for email marketing to service users, donors and
partners. Data held is consent based and contains email addresses only.
Supplier data protection and processing policy: https://mailchimp.com/legal/privacy/

Name of provider: Microsoft 365
What is the system used for: Used for business administrative purposes including Word, Excel,
PowerPoint and POINT email functionality.
Supplier data protection and processing policy: https://privacy.microsoft.com/en-US/privacystatement

Name of provider: OneDrive Cloud
What is the system used for: Provides POINT data back-up via a cloud-based system.
Back-up data may include business and personal information of service users,
donors and partner organisations.
Supplier data protection and processing policy: https://www.microsoft.com/en-us/trust-center/privacy/gdpr-overview

Name of provider: Stripe
What is the system used for: The secure payment platform used within our website for
online order and donations.
Supplier data protection and processing policy: https://stripe.com/en-gb/privacy

POINT ensures that all personal information is held securely whether manual or electronic and
protects data against unauthorised or illegal use and against accidental loss, destruction or
damage.

Steps we take to protect the personal data we hold include:

• GDPR/Data Protection training for all staff / volunteers and trustees.
• Locked filing cabinets.
• Password protected devices / cloud storage.
• Anti-virus software on all devices.
• Secure email encryption.
• Secure business premises; and
• Securely locked storage for paper records.

4. How long will you keep my information for?

We will retain your information for as long as you have an active relationship with POINT. If you
cease to have an active relationship with us or request to receive no further contact, your data will
be marked inactive and no further communications will be undertaken.

POINT will however retain your casefile within our database for 7 years from the date that the
relationship ends. Your information is kept solely for audit and compliance purposes.


5. Will my information ever go outside the UK?

Your data may be stored on data servers outside of the UK. Every care is taken to ensure that we
only use data systems outside the UK if they are compliant with UK and European Economic Area
data protection regulations.

In all instances, POINT adhere to all of the guiding principles relating to UK data protection
legislation and are registered with the Information Commissioner's Office (ICO). The ICO guiding
principles can be found in the following link for information:

https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/

6. What if I want to limit or stop receiving messages from POINT?

You may opt out of receiving specific information and types of messages from us at any time and
your request will be actioned immediately. You can do so by notifying us in writing using the
contact details shown at the end of this policy.

7. How can I check or amend the information you hold about me?

You may contact us to correct inaccuracies you find in the data which we hold about you, or if
you wish to receive no further information from us, at any point in time. This can be done using
the contact details shown at the end of this policy.

It will help us to update your information quickly if you include your full name and address
together with details of the correction to be made.

8. How can I request the deletion of the information you hold about me?

You have the right to request the deletion of information that POINT hold about you at any time.
Under data protection legislation this is known as the Right to Erasure.

In some instances, there may be a lawful reason for us to retain some information about you,
however in all instances POINT will act upon any requests made for deletion of your data and will
respond promptly and in accordance with the standards set out by the Information
Commissioner's Office.

For further information on your right to erasure, please visit the following link:
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-law-enforcement-processing/individual-rights/the-right-to-erasure-and-the-right-to-restriction/

You can request the deletion of your data either verbally or in writing and you will find our
contact details at the end of this policy.


9. How do I request an information access report?

To request an information access report which details information we hold about you, please
send your request in writing to the address shown at the end of this policy.

We aim to issue an initial response to all enquiries within five working days, and will offer a full
response to all information access requests within forty working days of receipt. POINT has
waived its legal right to levy a fee for this service.

Points 9-11 apply specifically to POINT’s UK websites and Social Media
Platforms.

10. What types of information do you collect through the website?

POINT collects both personal and statistical data relating to the use of the website.

11. How is this information collected?

POINT compiles data concerning the way in which the website is used through automated
logging: this information does not identify how individuals are using the site. The information
collected will include details of the IP address of your machine, the type of browser you are using,
the operating system you are using, the time of your visit, the pages viewed, and any search
queries you may make.

All other personal information is collected on a voluntary basis by means of any HTML forms
which website visitors complete during their visit. Information submitted in this way is
automatically entered onto our computer system. The website privacy policy can be found in the
following link for information:
https://www.point-send.co.uk/privacy-policy

12. What about links to other websites?

The POINT website includes links to websites that are outside POINT’s control, and whose content
is not the responsibility of POINT. Please note that when you click on links to other websites, we
encourage you to read their privacy policies because their standards may differ from ours.

Any alterations to our policy on the collection or use of data will be posted on this website.


POINT is registered with the Information Commissioner's Office.
Our unique registration number is ZA034658.
Our contact details for all correspondence relating to data protection are as
follows:
Data Controller
POINT
Chadderton Court
451 Middleton Road
Chadderton
Oldham
OL9 9LB
