Slough Foodbank is registered with the Information Commissioner as a controller (ZA076032) and is governed by the Data Protection Act 2018, the EU General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations 2003 (PECR).
Who this policy applies to
Slough Foodbank employees and volunteers are required to adhere to this policy which is designed to protect the personal data of Slough Foodbank data subjects – our supporters, volunteers, employees and trustees.
Written Data Protection Guidance is provided to help staff and volunteers comply with this policy and relevant data protection legislation.
Data protection law applies to how we process people’s personal information. The key terms that we need to understand are:
Controller – Slough Foodbank is a controller as it collects and decides how personal information will be used.
Principles – These are the rules that we must follow when processing personal information
Processing – This is what we do with personal information. It includes how we collect, record, store, share and use personal information
Personal information – This includes personal data and special category personal data
Personal data – This is information about people that is held in computer systems, mobile devices including laptops, tablets and telephones, or in manual records such as paper files and notebooks. For example, name, address, date of birth, bank account details, interests
It also includes opinions about a person. For example, notes on how you think someone has behaved, performed or appears
Special category personal data – this is information about a person’s health, religion, political opinion, trade union membership, race or ethnic origin, sexuality
A data subject – this is the person whose personal information is being processed. For example, a supporter, employee, volunteer, trustee
Data processor – this is an organisation that we use to process personal information on behalf of the Trust. For example, a print and mailing house
Information Commissioner’s Office (ICO) – this is the government body responsible for enforcing data protection law in the UK
Data protection principles
All staff and volunteers are responsible for complying with the principles of data protection legislation which states that personal information must be:
- Collected and processed in a fair, lawful and transparent way
- Used only for the reasons it was collected
- Relevant and not excessive
- Kept accurate and up to date, and corrected or deleted if there are mistakes
- Kept for no longer than it is needed
- Kept safe to protect it from being lost, stolen or used inappropriately
- Processed in accordance with people’s rights
In addition, the GDPR provides rules relating to the transfer of personal data to countries outside of the European Economic Area.
See Slough Foodbank’s ‘Data Protection Guidance’ for Slough Foodbank’s data protection working practices.
Slough Foodbank’s data subjects include supporters, employees, volunteers, trustees and beneficiaries.
Data processing purposes
Slough Foodbank needs to process personal information about our different data subjects to:
- Process donations and gift aid claims
- Process legacies and pledges
- Enable supporters to fundraise for us
- Enable supporters to participate in events
- Manage relationships with our supporters
- Provide supporters with information about us and the work that we do
- Manage marketing and communication preferences of our supporters
- Provide support to people who need to use the food bank
- Develop case studies and stories about our beneficiaries to promote and report on the work that we do
- Recruit and employ members of staff
- Recruit and manage volunteers
- Fulfil our legal and governance obligations as a registered charity and company
Legal basis for processing personal information
Slough Foodbank’s legal basis for processing personal information is documented in detail in our ‘Record of Processing Activity’. Personal information is processed with consent where appropriate, in order to meet our legal obligations as an employer and registered charity, and for our legitimate interests.
Slough Foodbank may process some personal information based upon our legitimate interests. This is where the processing is required to fulfil our organisational objectives, is not to the detriment of our data subjects, and will not cause them damage or distress. We undertake legitimate interest assessments to balance the rights and interests of our data subjects with those of Slough Foodbank in order to make a judgement as to whether the legitimate interest condition applies to our processing.
Responsibilities of staff and volunteers
Slough Foodbank’s Data Protection Lead, who is also Foodbank Manager, is required to:
- Provide compliance advice to staff
- Ensure that staff receive appropriate data protection training and guidance
- Ensure that Slough Foodbank’s data protection policies and documents are appropriate and up to date
- Be the focal point for the administration of any subject access requests
- Deal with data subject rights in relation to erasure, objection, restriction and rectification that staff feel unable to manage themselves
- Log and assess all personal data breaches at Slough Foodbank
- Refer data breach assessments to the board of Trustees for a final decision on whether they should be reported to the ICO
- Renew and ensure that Slough Foodbank’s notification with the ICO is accurate
- Keep a central register of all organisations that Slough Foodbank shares personal information with
- Advise staff on the interpretation of this policy and guidelines and to monitor compliance with the policy.
All staff and volunteers are responsible for:
- Working in compliance with the data protection principles as set out in this policy and Slough Foodbank’s ‘Data Protection Guidance’
- Ensuring that any personal information that they provide to Slough Foodbank in connection with their employment, volunteering or other contractual agreement is accurate
- Informing Slough Foodbank of any changes to any personal information which they have provided, e.g. changes of address
- Responding to requests to check the accuracy of the personal information held on them and processed by Slough Foodbank.
Data subject rights
Slough Foodbank respects the rights of its data subjects, including the right to:
- Be informed – we do this by including appropriate privacy notice information when collecting personal information
- Subject access – the right to view their personal information which we hold
- Object and / or withdraw consent – where the processing of personal data could cause them significant damage or distress.
- Rectification – we must correct any inaccurate or incomplete personal information when asked
- Erasure – deletion or the removal of their personal information where there is no compelling reason for its continued processing
See Slough Foodbank’s ‘Data Protection Guidance’ for information on how to respond to data subject rights.
It is the responsibility of all staff and volunteers authorised to access personal data processed by Slough Foodbank to ensure that data, whether held electronically or manually, is kept securely and not disclosed unlawfully, in accordance with this Policy. Unauthorised disclosure will usually be treated as a disciplinary matter and could be considered as constituting gross misconduct in some cases.
Data protection awareness will be included as part of induction. Changes to the data protection policy or guidance will be circulated to all staff and volunteers. All staff and volunteers are expected to be familiar with and comply with the policy at all times.
Anyone who considers that this policy has not been followed in respect of personal data about themselves should raise the matter with the Data Protection Lead.
Status of this policy
This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by Slough Foodbank from time to time.
Compliance is the responsibility of all staff and volunteers. Any breach of this policy may lead to disciplinary action being taken, or even a criminal prosecution.
Any questions or concerns about the interpretation or operation of this policy should be taken up with the Data Protection Lead.