
Data protection policy

 

Introduction

Slough Foodbank is registered with the Information Commissioner as a controller
1153813 and is governed by the Data Protection Act 2018, the UK General Data
Protection Regulation (GDPR) and the Privacy and Electronic Communications
Regulations 2003 (PECR).

Who this policy applies to

Slough Foodbank employees, volunteers, trustees and contractors are required to
adhere to this policy which is designed to protect the personal data of data subjects
– our beneficiaries, supporters, volunteers, employees and trustees.
Written data protection guidance is provided to help staff and volunteers comply
with this policy and relevant data protection legislation in the document titled
“understanding-your-responsibilities-for-data-protection”.

Key definitions

Data protection law applies to how we process people’s personal information. The
key terms that we need to understand are:
Controller – Slough Foodbank is a controller as it collects and decides how personal
information will be used.
Principles – These are the rules that we must follow when processing personal
information
Processing – This is what we do with personal information. It includes how we
collect, record, store, share and use personal information
Personal information – This includes personal data and special category personal
data
Personal data – This is information that can be used to identify a person. It may be
held in computer systems, mobile devices, laptops, tablets, or in manual records such
as paper files and notebooks.
Personal data might include, but is not limited to: name, address, date of birth, bank
account details, interests.
It also includes opinions about a person. For example, notes on how you think
someone has behaved, performed or appears
Special category personal data – this is information about a person’s health,
religion, political opinion, trade union membership, race or ethnic origin, sexuality
A data subject – this is the person whose personal information is being processed.
For example, a supporter, employee, volunteer, trustee
A privacy notice – this is a short notice given when we collect personal information
from people, to inform them how their personal information will be used and to direct
them to our privacy policy for more detail
A privacy policy – this is how we inform people about how their personal
information will be used. Slough Foodbank’s privacy policy is provided on our
website https://slough.foodbank.org.uk/privacy-cookies-policy/
Data processor – this is an organisation that we use to process personal
information on behalf of the organisation. For example, an IT service provider.
Information Commissioner’s Office (ICO) – this is the government body
responsible for enforcing data protection law in the UK

Data protection principles

All staff and volunteers are responsible for complying with the principles of data
protection legislation which states that personal information must be:
1. Collected and processed in a fair, lawful and transparent way
2. Used only for the reasons it was collected
3. Relevant and not excessive
4. Kept accurate and up to date, and corrected or deleted if there are mistakes
5. Kept for no longer than it is needed
6. Kept safe to protect it from being lost, stolen or used inappropriately
7. Processed in accordance with people’s rights
In addition, the GDPR provides rules relating to the transfer of personal data to
countries outside of the UK.
See Slough Foodbank’s data protection guidance
(understanding-your-responsibilities-for-data-protection) for additional information
about our data protection working practices.

Data subjects

Slough Foodbank’s data subjects include: Supporters, employees, volunteers,
trustees and beneficiaries.
 

Data processing purposes

Slough Foodbank needs to process personal information about our different data
subjects to:

  • Process donations and gift aid claims
  • Process legacies and pledges
  • Enable supporters to fundraise for us
  • Enable supporters to participate in events
  • Manage relationships with our supporters
  • Provide supporters with information about us and the work that we do
  • Manage marketing and communication preferences of our supporters
  • Provide support to people who need to use the food bank
  • Develop case studies and stories about our beneficiaries to promote and
    report on the work that we do
  • Recruit and employ members of staff
  • Recruit and manage volunteers
  • Fulfil our legal and governance obligations

 

Legal basis for processing personal information

Slough Foodbank’s legal basis for processing personal information is documented in
detail in our ‘Record of Processing Activity’ which contains an inventory of all key
personal data processing activities.
Personal information is processed for our legitimate interests, where appropriate
with consent, and in order to meet our legal obligations.
Slough Foodbank may process some personal information based upon our legitimate
interests. This is where the processing is required to fulfil our organisational
objectives, is not to the detriment of our data subjects, and will not cause them
damage or distress. We undertake Legitimate Interest Assessments to balance the
rights and interests of our data subjects with that of Slough Foodbank in order to
make a judgement as to whether the legitimate interest condition applies to our
processing.

Responsibilities of staff and volunteers

Slough Foodbank’s Data Protection Lead, who is also Manager, is required to:
1. Provide compliance advice to staff
2. Ensure that staff receive appropriate data protection training and guidance
3. Ensure that Slough Foodbank’s data protection policies and documents are
appropriate and up to date
4. Be the focal point for the administration of any subject access requests
5. Deal with data subject rights in relation to erasure, objection, restriction and
rectification that staff feel unable to manage themselves
6. Log and assess all personal data breaches
7. Report applicable data breaches to the ICO within the statutory 72-hour time
limit
8. Renew Slough Foodbank’s controller registration with the ICO, and ensure
that it is accurate, annually.
9. Keep a central register of all organisations that Slough Foodbank shares
personal information with
10. Maintain and update the organisation’s Records of Processing Activity, Privacy
policy and notices and any associated data protection assessments (e.g.,
LIAs).
11. Advise staff on the interpretation of this policy and guidelines and to monitor
compliance with the policy.

All staff and volunteers are responsible for:
1. Working in compliance with the data protection principles as set out in this
policy and Slough Foodbank’s ‘Data Protection Guidance’ as set out in the
document titled ‘understanding-your-responsibilities-for-data-protection’
2. Ensuring that any personal information that they provide to Slough Foodbank
in connection with their employment, volunteering or other contractual
agreement is accurate
3. Informing Slough Foodbank of any personal data breach which they become
aware of immediately
4. Responding to any data subject requests to erase, access, correct or object to
the personal information held and processed by Slough Foodbank.

Data subject rights

Slough Foodbank respects the rights of its data subjects, including:

  • The right to be informed – we do this by including appropriate privacy notice
    information when collecting personal information
  • Subject access – the right to view their personal information which we hold
  • Object and / or withdraw consent – where the processing of personal data
    could cause them significant damage or distress.
  • Rectification – we must correct any inaccurate or incomplete personal
    information when asked
  • Erasure – deletion or the removal of their personal information where there is
    no compelling reason for its continued processing

See Slough Foodbank’s data protection guidance set out in
‘understanding-your-responsibilities-for-data-protection’ for information on how to
respond to data subject rights.

Data security

It is the responsibility of all staff, contractors and volunteers authorised to access
personal data processed by Slough Foodbank to ensure that data, whether held
electronically or manually, is kept securely and not disclosed unlawfully, in
accordance with this Policy and any associated policies. Unauthorised disclosure will
usually be treated as a disciplinary matter and could be considered as constituting
gross misconduct in some cases.

Policy awareness

Data protection awareness will be included as part of induction. Changes to
data protection policy or guidance will be circulated to all staff, contractors and
volunteers. All staff, contractors and volunteers are expected to be familiar with and
comply with the policy at all times.

Redress

Anyone who considers that this policy has not been followed in respect of personal
data about themselves should raise the matter with the Data Protection Lead.

Status of this policy

This policy does not form part of the formal contract of employment, but it is a
condition of employment that employees will abide by the rules and policies made by
Slough Foodbank from time to time.

Compliance is the responsibility of all staff and volunteers. Any breach of this policy
may lead to disciplinary action being taken, or even a criminal prosecution.

Any questions or concerns about the interpretation or operation of this policy should
be taken up with the Data Protection Lead.