Introduction
Cambridge Student Community Action (SCA) holds personal data about our staff, volunteers, clients,
trustees, suppliers and other individuals for the business purposes defined below.
This policy:
● Outlines how we seek to protect personal data.
● Ensures staff understand the rules governing the use of personal data.
● Ensures staff treat sensitively and appropriately the data to which they have access and are
required to process as part of their role.
● Requires staff to ensure that the Data Protection Officer (DPO) is consulted to address any
relevant compliance issues before significant new data processing activity begins.
Definitions
Business Purposes
For a more detailed report on the specific data we collect for each of our
activities, please refer to our Privacy Notice located in Appendix I of this
document.
Legitimate business purposes for which we may use your personal data
include, but are not limited to:
● Facilitating volunteering opportunities
● Day-to-day operations of the charity
● Marketing our business
● Improving services
● Checking references
● Ensuring safe working practices
● Recording transactions
● Training and quality control
● Ensuring the confidentiality of commercially sensitive information
● Safeguarding vetting
● Monitoring and managing staff access to systems and facilities
● Monitoring and managing staff absences, administration and
assessments
● Monitoring staff conduct and disciplinary matters
● Compliance with our legal, regulatory, corporate and charitable
governance obligations and good practice
● Gathering information as part of investigations by regulatory bodies
or in connection with legal proceedings or requests
● Ensuring business policies are adhered to
Personal Data
Information relating to identifiable individuals. SCA holds personal data
about clients, volunteers, trustees, job applicants, as well as current and
former employees and suppliers.
Student Community Action Data Protection Policy
To achieve our legitimate business purposes, we will collect, process and
store personal data. Personal data we gather may include, but is not limited
to:
● Contact details
● Age and gender identity
● Educational and/or employment history
● Additional needs statements
Sensitive Personal Data
Sensitive personal data that is collected by us may include, but is not limited
to:
● Racial or ethnic origin
● Family circumstances
● Physical or mental health conditions
● Criminal offences or related proceedings.
Any use of sensitive personal data should be strictly controlled in
accordance with this policy and stored securely in a locked cupboard or
encrypted spreadsheet.
Scope
This policy is applicable to all SCA staff and volunteers. You must be familiar with this policy and
comply with its terms.
This policy supplements SCA’s Confidentiality Policy and SCA’s Internet and Email Policy Statement.
SCA may supplement or amend this policy with additional policies and guidelines. Any new or
modified policy will be circulated to staff and ratified by the Executive Committee before coming into
effect.
Who is responsible for this policy?
SCA’s Data Protection Officer (DPO) is Nicola (Nicky) Massey.
The Data Protection Officer has overall responsibility for the day-to-day implementation of this
policy. You can contact the DPO with queries or concerns in the following ways:
Email: mail@cambridgesca.org.uk
Telephone: 01223 92 6101
In writing or in person: Student Services, Benet Street, New Museum Site, Cambridge CB2 3PT
Fair and Lawful Processing
Cambridge SCA must process personal data fairly and lawfully in accordance with an individual’s
rights as outlined in the General Data Protection Regulation.
Responsibilities of the Data Protection Officer
The Data Protection Officer is required to:
● Keep the Executive Committee updated regarding data protection responsibilities, risks and
issues.
● Review all data protection procedures and policies on a regular basis.
● Arrange data protection training and advice for all staff members and individuals highlighted
in this policy.
● Answer questions on data protection from staff, the Executive Committee, and other
stakeholders.
● Respond to requests from those who wish to know which personal data SCA holds on them.
● Check and approve contracts and/or agreements regarding data processing with any third
parties that handle Cambridge SCA’s data.
● Ensure all systems, services, software and equipment meet acceptable security standards.
● Check and scan security hardware and software regularly to ensure functionality.
● Research any third-party services Cambridge SCA would like to use to store or process
personal data.
Responsibilities of the Volunteers and Projects Officer
The Volunteers and Projects Officer is required to:
● Approve data protection statements used in emails and marketing materials.
● Address data protection queries from clients, target audiences or media outlets.
● Coordinate with the DPO to ensure all marketing initiatives adhere to data protection laws
and Cambridge SCA’s Data Protection Policy.
Data Processing
The processing of all data must be necessary to deliver our services. We will not collect, process or
store unnecessary data.
In most cases, this provision will apply to routine business data processing activities. A list of our
business processes can be found in Appendix I of this document.
Our Privacy Notice, which you can find in Appendix I of this document, details the data processes for
individual data subjects (staff, volunteers, clients etc.) and individual projects.
The Privacy Notice highlights:
● The purposes for which we hold personal data on individual data subjects.
● The fact that our work may require us to share information with third parties such as expert
witnesses and other professional advisers.
● That clients have a right of access to the personal data we hold on them.
● That Client Referral Forms contain a link to our full Privacy Notice to clients on data
protection.
Sensitive Personal Data
In the processing of sensitive personal data, Cambridge SCA will require the data subject’s explicit
consent, except in exceptional circumstances or where Cambridge SCA is required to do this by law,
for example to comply with legal obligations to ensure health and safety at work.
Any such consent will need to clearly identify:
● What sensitive personal data is being collected?
● Why is this data being processed?
● To whom will this data be disclosed?
Our Privacy Notice (in Appendix I) details our data processes for individual projects and data
subjects.
Accuracy and Relevance
Cambridge SCA will ensure that any personal data we process and/or store is:
● Accurate
● Adequate
● Relevant
● Not excessive
● Used for the purpose it was obtained.
We will not process personal data obtained for one purpose for another business process unless the
individual concerned has consented to this or would reasonably expect this.
Individuals may ask that we correct inaccurate personal data stored by Cambridge SCA. If you believe
that any information stored by Cambridge SCA is inaccurate, you should:
● Record the fact that the accuracy of the information has been disputed
● Inform the Data Protection Officer Nicola (Nicky) Massey:
Email: mail@cambridgesca.org.uk
Telephone: 01223 92 6101
In writing or in person: Student Services, Benet Street, New Museum Site, Cambridge CB2 3PT
Your Personal Data
You must take reasonable steps to ensure that personal data Cambridge SCA holds about you is
accurate and updated as required.
If your personal circumstances change, please inform us by one of the following channels to update
your records:
Email: mail@cambridgesca.org.uk
Telephone: 01223 92 6101
In writing or in person: Student Services, Benet Street, New Museum Site, Cambridge CB2 3PT
Storing Data Securely
At Cambridge SCA we take the security of data extremely seriously and employ the following
guidelines:
● Where data is stored in hard copy, it should be kept in a secure location within the
Cambridge SCA main office where only authorised personnel can access it.
● Data stored in hard copy should be shredded when no longer needed. Our retention period
for data is clearly laid out in our Privacy Notice (Appendix I).
● Data stored electronically should be protected by strong passwords that are regularly
updated. We require all staff to encrypt all documents containing personal data.
● Data stored on CDs or memory sticks must be securely locked away when not in use.
● The Executive Committee must approve any cloud storage, having considered the relevant
security risks.
● Servers containing personal data must be kept in a secure location, separate from the
general office space.
● General data should be regularly backed up in line with Cambridge SCA’s backup procedures.
This backup is stored on a password-protected Dropbox account to which current SCA staff
have access.
● Backups of financial and personal data are stored securely in password-protected folders.
Copies of backup data should also be shared with trustees to store on Google Drive with
restricted access.
● Data should never be saved directly to personal devices such as laptops, personal computers,
mobile phones or tablets. This includes forwarding emails containing personal data to
personal email accounts.
● All servers containing sensitive data must be approved and protected by security software
and a strong firewall.
● Passwords must not be shared via email or stored insecurely.
Data Retention
We do not retain data for longer than is set out in our Retention of Data Policy. You may find this
information in our Privacy Notice in Appendix I.
Transferring Data Nationally and Internationally
There are restrictions on international transfers of personal data. You must not transfer personal data
anywhere outside the UK without first consulting the Data Protection Officer.
Any documents containing personal data transferred within the UK should be encrypted and only
shared if it is necessary for our business processes, consent has been given by the data subject or we
are legally required to do so.
Subject Access Requests
Under the General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018
individuals are entitled to request access to information held about them, subject to certain
exceptions.
If you receive a subject access request, you should refer the request immediately to the Data
Protection Officer. We may ask you to help us comply with those requests.
There are restrictions on the information to which you are entitled under applicable law. If you would
like to correct or request the information that we hold about you, please contact the Data Protection
Officer:
Email: mail@cambridgesca.org.uk
Telephone: 01223 92 6101
In writing or in person: Student Services, Benet Street, New Museum Site, Cambridge CB2 3PT
Processing Data in Accordance with the Individual’s Rights
You should abide by any request from an individual not to use their personal data for direct
marketing purposes and notify the Data Protection Officer about any such request.
Do not send direct marketing material electronically unless you have an existing professional
relationship with the individual in relation to the services being marketed.
Please contact the Data Protection Officer Nicola (Nicky) Massey for advice on direct marketing
before starting any new direct marketing activity.
Training
All staff will receive training on this policy.
New joiners will receive training as part of the induction process and further training will be provided
at least every two years or when a substantial change in the law or Cambridge SCA’s policy and
procedures occurs.
Training is provided via an in-house seminar, supported by completion of an online course. It covers:
● The law relating to data protection
● Cambridge SCA’s data protection and related policies and procedures.
Completion of training is compulsory.
GDPR Provisions
Where not specified previously in this policy, the following provisions will come into effect on or
before 25 May 2018.
Justification for Personal Data
Cambridge SCA will process personal data in compliance with all data protection principles.
● We will collect, store and process personal data only where we have a lawful basis to do so
and it is necessary for us to do so.
● We will document the lawful bases for which we are collecting, storing and processing
personal data.
● Our Privacy Notice will include our lawful basis for processing as well as the purposes of the
processing.
● We will document the additional justification for the processing of sensitive data and will
ensure any biometric and genetic data is considered sensitive.
Consent
For personal data that we collect and that is subject to active consent by the data subject, we will ensure
the data subject is aware they may revoke their consent at any time by contacting the Data
Protection Officer:
Email: mail@cambridgesca.org.uk
Telephone: 01223 92 6101
In writing or in person: Student Services, Benet Street, New Museum Site, Cambridge CB2 3PT
Criminal Record Checks
Any criminal record checks are justified by law and cannot be undertaken based solely on the
consent of the subject.
Cambridge SCA undertakes DBS (Disclosure and Barring Service) checks on all staff members, all
volunteers in one-to-one projects and group projects where work is with vulnerable children or
adults.
Data Portability
Upon request, a data subject should have the right to receive a copy of their data in a structured
format. These requests should be processed within one month, provided there is no undue burden
and it does not compromise the privacy of other individuals.
A data subject may also request that their data is transferred directly to another system. This must be
carried out free of charge.
Right to be Forgotten
A data subject may request that any information held on them is deleted or removed. Any third
parties who process or use that data must also comply with the request. An erasure request can only
be refused if an exemption applies.
Data Audit and Register
Yearly reviews of this data protection policy will be carried out by the Executive Committee from April
2019. Each review will cover what data is held, where it is stored, how it is used, who is responsible and any
further regulations or retention timescales that may be relevant.
Reporting Breaches
All members of staff, volunteers, clients and Executive Committee members have an obligation to
report actual or potential data protection compliance failures. This allows us to:
● Investigate the failure and take remedial steps if necessary
● Maintain a register of compliance failures
● Notify the Supervisory Authority (SA) of any compliance failures that are material either in
their own right or as part of a pattern of failures
To report a breach, you must contact the Data Protection Officer in writing:
Email: mail@cambridgesca.org.uk
Telephone: 01223 92 6101
In writing or in person: Student Services, Benet Street, New Museum Site, Cambridge CB2 3PT
The Data Protection Officer must report the breach immediately to the Executive Committee so they
can oversee the steps taken to remedy the issue. Any actual breaches of personal data must be
reported to the ICO within the required timeframe.
Monitoring
All those involved with Cambridge SCA must observe this policy. The Data Protection Officer has
overall responsibility for this policy and will regularly ensure that it is adhered to.
Consequences of Failing to Comply
Cambridge SCA takes compliance with this policy very seriously. Failure to comply puts you and the
organisation at risk. Therefore, failure to comply with any requirement of this policy may lead to
disciplinary action under our procedures and may result in dismissal.
If you have any questions or concerns regarding this policy, please contact the Data Protection Officer
Nicola (Nicky) Massey.
Email: mail@cambridgesca.org.uk
Telephone: 01223 92 6101
In writing or in person: Student Services, Benet Street, New Museum Site, Cambridge CB2 3PT
Privacy Notice (Appendix I)
Being transparent and providing accessible information to individuals about how we use their
personal data is important for Cambridge SCA. This privacy notice sets out clearly why and how we
use data you provide to us.
One-to-One Volunteering Projects
Data Subject: Volunteers
What information do we collect? Personal contact details, referee details, DBS reference number, check in notes regarding ongoing visits and photos of volunteer with their client if permission has been given by the parent and volunteer.
Who collects it? Volunteers and Projects Officer and SCA Manager
How is it collected? Email, phone, paper copy, recorded on encrypted spreadsheet
Why is it being collected? To enable clients to receive support, to monitor progress, to gather information on volunteers, to monitor grants, to fulfil our safeguarding obligations to both client and volunteer
How will it be used? To facilitate our work and provide monitoring information to funders
Who will it be shared with? Client will be given a contact number for the volunteer, external organisations will have the info if there are safeguarding obligations. Statistical data is shared with Trustees and funders
Data controllers: V&P Officer – mail@cambridgesca.org.uk; Manager – Nicky Massey, Manager@cambridgesca.org.uk
Retention Period: 1 year after graduation or after last contact with client.
Data Subject: Clients
What information do we collect? Personal contact details, reason for referral, referring agent, request of need, check in notes regarding ongoing visits and distance travelled, photos of the client with their volunteer if permission has been given by the parent. Disability details, family situation and background if relevant
Who collects it? Volunteers and Projects Officer and SCA Manager
How is it collected? Email, phone, paper copy, recorded on encrypted spreadsheet
Why is it being collected? To enable clients to receive support, to monitor progress, to gather information to monitor grants, to fulfil our safeguarding obligations to both client and volunteer
How will it be used? To facilitate our work and provide monitoring information to funders
Who will it be shared with? Volunteer will be given a contact number for the client and will be aware of background if relevant to know. External organisations will have the info if there are safeguarding obligations. Statistical data is shared with Trustees and funders
Data controllers: V&P Officer – mail@cambridgesca.org.uk; Manager – Nicky Massey, Manager@cambridgesca.org.uk
Retention Period: 3 Years after last contact with family.
Data Subject: Referring Agents
What information do we collect? Professional contacts and job titles
Who collects it? Volunteers and Projects Officer and SCA Manager
How is it collected? Email or phone, recorded on encrypted spreadsheet
Why is it being collected? To enable us to liaise with other professional organisations working with the same client, to advertise our events and projects
How will it be used? Email marketing and communication
Who will it be shared with? Nobody
Data controllers: V&P Officer – mail@cambridgesca.org.uk; Office Manager – Nicky Massey, Manager@cambridgesca.org.uk
Retention Period: Until the email bounces or the person asks to be removed from the database.
Group Projects
Data Subject: Volunteers
What information do we collect? Personal contact details, referee details, DBS reference number, attendance register, personal details such as disability, likes and dislikes
Who collects it? Volunteers and Projects Officer and Project Leader
How is it collected? Volunteer application form, email and electronic database
Why is it being collected? To facilitate provision of the project
How will it be used? To facilitate our work and provide monitoring information to funders
Who will it be shared with? Volunteer Project Leader
Data controllers: V&P Officer – mail@cambridgesca.org.uk; Manager – Nicky Massey, Manager@cambridgesca.org.uk
Retention Period: 1 Year after graduation or the last time they volunteered.
Data Subject: Venues
What information do we collect? Contact details of the person we liaise with at the venue
Who collects it? Volunteers and Projects Officer and Project Leader
How is it collected? Email, phone, paper copy, recorded on encrypted spreadsheet, recorded on electronic database
Why is it being collected? To facilitate provision of the project
How will it be used? To facilitate our work and provide monitoring information to funders, to advertise our projects.
Who will it be shared with? Volunteer Project Leader
Data controllers: V&P Officer – mail@cambridgesca.org.uk; Volunteer Project Leader for individual projects
Retention Period: 1 Year after we last worked with the venue or as soon as they ask to be removed
Disclosure and Barring Service
Data Subject: DBS Registered Organisations
What information do we collect? Contact details of organisations who register with us to act as their umbrella DBS organisation
Who collects it? Manager – Nicky Massey, Manager@cambridgesca.org.uk
How is it collected? Paper form and recorded on encrypted spreadsheet
Why is it being collected? To facilitate the processing of DBS checks
How will it be used? To inform DBS clients of any changes, send invoices and chase up any missing information on DBS forms.
Who will it be shared with? Disclosure and Barring Service if requested
Data controllers: V&P Officer – mail@cambridgesca.org.uk; Manager – Nicky Massey, Manager@cambridgesca.org.uk
Retention Period: 3 Years after the last DBS form is processed for that organisation or when they ask to be removed
Data Subject: DBS Individual Applicants
What information do we collect? Applicant contact details, date of birth and form reference number. If offences are present on the form we are shown, we keep an unidentifiable risk assessment form.
Who collects it? Manager – Nicky Massey, Manager@cambridgesca.org.uk
How is it collected? Paper form and recorded on encrypted spreadsheet
Why is it being collected? To enable an individual to have a DBS check
How will it be used? To process a DBS disclosure for the applicant.
Who will it be shared with? Disclosure and Barring Service
Data controllers: V&P Officer – mail@cambridgesca.org.uk; Manager – Nicky Massey, Manager@cambridgesca.org.uk
Retention Period: We securely destroy the processing form 2 months after the applicant has been sent their disclosure. It stays on the encrypted spreadsheet for up to 5 years.
Personnel Data
Data Subject: Cambridge SCA Staff
What information do we collect? Employment application forms and interview notes, contact details, bank details, payroll information, supervision and appraisal notes, time sheets, sickness notes, disciplinary notes.
Who collects it? Manager – Nicky Massey, Manager@cambridgesca.org.uk
How is it collected? Job application form, staff starters form, P60
Why is it being collected? To facilitate fair employment of staff
How will it be used? To contact and pay staff, to record any development issues and training requirements
Who will it be shared with? Employment sub committee of the Executive committee
Data controllers: Manager – Nicky Massey, Manager@cambridgesca.org.uk; Chair of the Employment sub committee
Retention Period: 6 years after employment ceases for employed staff
Data Subject: Job Applicants
What information do we collect? Employment Application forms and interview notes
Who collects it? Manager – Nicky Massey, Manager@cambridgesca.org.uk
How is it collected? SCA staff application forms
Why is it being collected? To facilitate fair employment of staff
How will it be used? To facilitate fair employment of staff
Who will it be shared with? Employment sub-committee of the Executive committee
Data controllers: Manager – Nicky Massey, Manager@cambridgesca.org.uk; Chair of the Employment sub committee
Retention Period: 1 year after interview
Data Subject: Trustees
What information do we collect? Contact details, date of birth, employment history for new applicants
Who collects it? Manager – Nicky Massey, Manager@cambridgesca.org.uk; Chair of the Employment sub committee
How is it collected? Trustee Application form
Why is it being collected? To ensure fair recruitment of trustees
How will it be used? To ensure fair recruitment of trustees
Who will it be shared with? Representatives of the Executive committee of Student Community Action
Data controllers: Manager – Nicky Massey, Manager@cambridgesca.org.uk; Chair of the Employment sub committee
Retention Period: 3 months after the recruitment of Trustees if unsuccessful, otherwise 3 years after resigning from the board of trustees.
Data Subject: Steering Group Volunteers
What information do we collect? Contact details, date of birth, employment / volunteering history for applicants to the steering group
Who collects it? V&P Officer – mail@cambridgesca.org.uk
How is it collected? Application form
Why is it being collected? To ensure fair recruitment of steering group members
How will it be used? To ensure fair recruitment of steering group members
Who will it be shared with? SCA Manager and Executive committee
Data controllers: V&P Officer – mail@cambridgesca.org.uk; Manager – Nicky Massey, Manager@cambridgesca.org.uk
Retention Period: 1 Year after recruitment of the steering group
Financial Data
Data Subject: Financial documentation including financial information of volunteers, staff and donors
What information do we collect? Account records; Income tax and NI returns; tax records; correspondence with Inland Revenue; Wage/salary records; Statutory Sick Pay records; Statutory Maternity Pay records
Who collects it? Manager – Nicky Massey, Manager@cambridgesca.org.uk
How is it collected? NICKY TO COMPLETE
Why is it being collected? To ensure accurate financial and management records are kept
How will it be used? To ensure effective tracking of the charity’s financial and management business
Who will it be shared with? Board of Trustees
Data controllers: V&P Officer – mail@cambridgesca.org.uk; Manager – Nicky Massey, Manager@cambridgesca.org.uk
Retention Period: 6 years after the end of the financial year to which they relate