Data Protection Policy

snvb 
Data protection policy

SNVB Data Protection Policy 2025 In line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, our policy sets out how SNVB uses and looks after all personal data.

 1. What data SNVB keeps and why it keeps this data. 

SNVB holds personal data in order to provide the best possible service to the individuals and organisations who access our projects and services. Data includes personal information that is used to match potential volunteers with volunteering opportunities, information that helps us to identify the health & wellbeing requirements of local people, and organisational contact details. Where we process special category data we rely on explicit consent. This means that if we are asking you to give us information on your health, ethnic origin or other sensitive data then we will ask you to consent to us processing your data and we’ll tell you what we will be using it for. We won’t share your personal information with third parties unless you give us your permission, ask us to or expect us to as part of the service we’re giving you. Examples of when we might share your data are: when we’re helping you find a volunteering opportunity, or referring you on to another organisation for more support or another service. 

If we share your data with another organisation then we will always do our best to keep it secure. In exceptional circumstances we may share your personal information without your permission if we reasonably believe: 

  •  your health or safety is at risk
  •  if we believe you might be breaking the law, 
  • and where such a disclosure is allowed under the relevant laws, including data protection law. 

We often report to funders and other bodies on our performance of services. When we do this we will anonymise the data we provide unless you have given us explicit consent to share your information.

2. To what types of data the policy applies. 

This policy applies to the following personal data collected by SNVB which covers staff, volunteers and Trustees:

  •  Biographical information or current living situation, including dates of birth, National Insurance numbers, phone numbers and email addresses. 
  • Workplace data and information about education, including salary, tax information and student numbers (staff).
  • Private and subjective data, including religion 
  • Health, sickness and genetics, including medical history, genetic data (age, disabilities, ethnicity, gender) and information about sick leave. 

SNVB will keep this data for a period of 6 years after a staff member has left their employment, after which all personal data will be permanently destroyed in line with the Data Protection Act 2018. 

3. Responsible staff for processing data at SNVB 

SNVB, as a registered charity, is the Data Controller for the purposes of the UK GDPR and Data Protection Act 2018. The Board of Trustees holds ultimate accountability for ensuring compliance. Day-to-day responsibility for managing data protection is delegated to the CEO, supported by the General Manager for operational processes and the IT Manager for technical and security measures. A named Data Protection Lead will coordinate compliance activities and act as the main point of contact for individuals exercising their data protection rights. 

4. The main data risks to SNVB 

  •  lost by accidentally deleting or overwriting files 
  • lost or become corrupted by computer viruses
  • Cybercrime – either by an individual/group gaining unauthorised access to our servers or theft of hardware. 
  • Destroyed by natural disasters, acts of terrorism, or war 
  • deleted or altered by employees wishing to make money or take revenge on their employer 

5. Key precautions to keep data protected and backed up. 

  •  SNVB staff and volunteers will encrypt all confidential info. 
  •  All computers will be password protected and only authorised staff will be allowed to access sensitive data areas. 
  • Security software will be kept up to date and run on all computers. 
  • We will not allow unauthorised use of USB storage devices which could lead to data being lost from our organisation. 
  • The SNVB Disaster procedure covers a plan of action to follow if a severe data breach takes place. 
  • All SNVB staff and volunteers will receive training in data protection.
  • Where staff or volunteers are using Tablets or laptops outside the SNVB offices, data will be encrypted. 

6. How the organisation ensures data is kept accurate and when data will be deleted. 

In addition, SNVB operates a separate Document Retention Policy, which sets out the specific retention periods for different categories of records. This policy also details when and how records are reviewed on an annual basis, ensuring that personal data is not kept longer than necessary and that compliance checks are carried out regularly. 

  • SNVB will ensure that Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  • SNVB staff will securely delete information that is no longer needed for this purpose or these purposes 
  • SNVB staff will update, archive or securely delete information if it goes out of date. 
  •  

7. What to do if an individual asks to see their data

Where an individual requests access to data held about them by SNVB in writing or verbally, it should be responded to within 1 month of the request. The authenticity of the individual will need to be obtained first. If an individual informs SNVB that the data we hold on them isn’t correct, we will take steps to address this as soon as we can practically do so. 

8. Under what circumstances the organisation discloses data, and to whom?

SNVB will not share client information with anyone without the individuals consent unless required by law to do so. 

9. How SNVB keeps individuals informed about data it holds. 

The SNVB staff member responsible for processing data will inform the staff member, volunteer or individuals about the data to be held by SNVB at the point of processing. 

10. Responsibility for reporting any breaches to the ICO and Charity Commission. 

If there is a personal data breach which is defined as:- “a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.” 

The SNVB Manager should be informed immediately, or if not available then the SNVB Chair or another SNVB Trustee who will decide on what further action is necessary. If a breach is likely to result in a risk to the rights and freedoms of individuals then the breach must be reported to the ICO (the Information Commissioner‘s Office) within 72 hours. Please note that the 72-hour reporting deadline includes weekends and public holidays, so SNVB must ensure that any suspected breach is escalated immediately once identified. 

If a breach is likely to result in a high risk (e.g. criminal activity such as fraud, or published in the public domain) to the rights and freedoms of individuals then those concerned must be notified immediately as failure to notify a breach when there is a requirement to do so can result in a fine. A breach should be reported at www.ico.org.uk/for-organisations/ report-a-breach/ Along with reporting a data breach to the ICO, all charities must report a serious data breach incident to the Charity Commission. 

The Commission lists the below as a data breach that should be reported:

  • Charity’s data has been accessed by an unknown person; this data was accessed and deleted, including the charity’s email account, donor names and addresses; 
  • A charity laptop, containing personal details of beneficiaries or staff, has been stolen or gone missing and it’s been reported to the police; 
  • Charity funds lost due to an online or telephone ‘phishing scam’, where trustees were conned into giving out bank account details;

 

Information icon

We need your consent to load the translations

We use a third-party service to translate the website content that may collect data about your activity. Please review the details in the privacy policy and accept the service to view the translations.