The Data Protection legislation
The legislation that underpins Data Protection is The Data Protection Act 2018 and GDPR 2018 - which requires that personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to individuals;
b. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible
with those purposes; further processing for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data
that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without
e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for
which the personal data are processed; personal data may be stored for longer periods insofar as the personal data
will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or
statistical purposes subject to implementation of the appropriate technical and organisational measures required
by the GDPR in order to safeguard the rights and freedoms of individuals; and
f. processed in a manner that ensures appropriate security of the personal data, including protection against
unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate
technical or organisational measures.”
What information does HemingfordHub hold ?
HemingfordHub needs to hold Information relating to its volunteers and the people we help (our residents), to enable the Hub to offer appropriate services to our residents
We need to keep data relevant to our residents’ needs which may include age, gender, ethnicity, disability, as well as name and contact details
In addition we need to hold this data for the purposes of monitoring our equal opportunities policy and for measuring performance
Your Rights to your data
The Hub has processes in place to ensure that it can facilitate any request made by an individual to exercise their rights under data protection law. All volunteers are aware of the rights of data subjects. All volunteers can identify such a request and know who to send it to.
All requests, which should be in writing, will be considered without undue delay and within one month of receipt as far as possible.
All volunteers and residents shall be informed that we need to hold information about them on a computer database and that they have the right to be provided with a printout of the data stored about them if they request it.
Access to data:
Volunteers and residents have the right to request information about how personal data is being processed, including whether personal data is being processed and the right to be allowed access to that data and to be provided with a copy of that data along with the right to obtain the following information:
the purpose of the processing
the categories of personal data
the recipients to whom data has been disclosed or which will be disclosed
the retention period
the right to lodge a complaint with the Information Commissioner’s Office (ICO)
the source of the information if not collected direct from the subject, and
the existence of any automated decision making
Rectification: the right to allow a data subject to rectify inaccurate personal data concerning them.
Erasure: the right to have data erased and to have confirmation of erasure, but only where:
the data is no longer necessary in relation to the purpose for which it was collected, or
where consent is withdrawn, or
where there is no legal basis for the processing, or
there is a legal obligation to delete data
Restriction of processing: the right to ask for certain processing to be restricted in the following circumstances:
if the accuracy of the personal data is being contested, or
if our processing is unlawful but the data subject does not want it erased, or
if the data is no longer needed for the purpose of the processing but it is required by the data subject for the establishment, exercise or defence of legal claims, or
if the data subject has objected to the processing, pending verification of that objection
Data portability: the right to receive a copy of personal data which has been provided by the data subject and which is processed by automated means in a format which will allow the individual to transfer the data to another data controller. This would only apply if HemingfordHub was processing the data using consent or on the basis of a contract.
Object to processing: the right to object to the processing of personal data relying on the legitimate interests processing condition unless HemingfordHub can demonstrate compelling legitimate grounds for the processing which override the interests of the data subject or for the establishment, exercise or defence of legal claims.
How we store and restrict access to information
We store data relating to volunteers and residents on the HH database. This information can only be accessed by the Trustees and our IT Support person. We store the database on the Cloud with restricted access on password-protected computers.
The Hub will hold all confidential data electronically - confidential data on paper shall be at a minimum. Any committee member holding paper copies of confidential data will destroy the information as soon as it is no longer required to deliver the Hub services to our residents.
We will retain data on the following:
Accident records/reports - 3 years
Trustee information - 7 years
DBS Disclosures - up to 6 months
Resident related information – PARTICULARLY IMPORTANT FOR Volunteers
We will only discuss information that will identify a resident or a resident’s affairs when necessary for the efficient delivery of Hub services.
At no time will we discuss resident information with other residents, volunteers, friends or family without the resident’s permission (See GDPR Permission Form). General gossip should be avoided at all times.
The Hub Trustees may share information with each other and a Designated Safeguarding Person in order to discuss issues and seek advice. No GDPR Permission Form is required for this.
Where the Hub has a legal duty to disclose information (for example, where abuse is suspected), the individual will be informed that disclosure has or will be made. No GDPR Permission Form is required for this.
Any personal data held about a resident who stops receiving support permanently from the Hub will be deleted when all support finishes.
Volunteer Related Information
If the HemingfordHub Trustees use other members of the Hub to interview potential volunteers, these representatives will have access to Volunteer Application Forms at the time of the interview. Following these interviews any Volunteer Application forms will be forwarded to the Trustees and not held by the interviewer.
The Hub will keep a record of the following information relating to a volunteer:
References if person not known to the Hub Trustees
Confidentiality and data protection agreement
Completion of Safeguarding training certificate
Where required, DBS date of issue, name of the subject, unique reference number of the Disclosure
Photograph for ID card
Confirmation of reading Hub Handbook and all attached policies
Only the Hub Trustees will have access to volunteer related data including DBS information (In accordance with section 124 of the Police Act 1977). Disclosure information shall only be used for the specific purpose for which it was requested and for which an applicant’s full consent has been given.
We will delete all data relating to volunteers who have permanently resigned from the Hub. If a Trustee resigns they will no longer have access to Dropbox, the database and other Hub Committee papers. They should return all sensitive paperwork to the Trustee group. Where applicable, removed as a bank signatory and the Charity Commission website.
Duty to disclose information
The Hub has a legal duty to disclose Abuse of Adults to the Social Services Department following any notification of abuse (see HH Safeguarding Adults Policy).
Breach of confidentiality and Data Protection policy
HemingfordHub requires every volunteer to sign a Confidentiality and Data Protection Agreement indicating that they understand this Confidentiality and Data Protection Policy. In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Hub shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO (more information on the ICO website). Any committee member or volunteer who breaches any of the conditions within this policy will be dismissed from HemingfordHub.
The HemingfordHub Trustees will review this policy and related good practice annually.
Adopted by the HemingfordHub Trustees on: 16/08/2023 Latest Review Date: August 2024
Please sign and photograph/scan this page showing your signature, and return to
I agree to uphold the HemingfordHub Confidentiality and Data Protection policies and confirm that I have read the Volunteer Handbook
Signature Print name Date