Data Protection Policy

AquAid Lifeline Fund (UK) Data Protection Policy

This document was approved by the Trustees on 2020-07-23

1. Introduction

1.1.   Purpose

This document defines the policy of the AquAid Lifeline Fund (LLF) regarding actions taken by Trustees or Volunteers acting on behalf of LLF to meet the requirements of the General Data Protection Regulations (GDPR).

Trustees and Volunteers are informed of their duties and obligations through this policy.  This document does not attempt to summarize the extensive Law on the topic, but to highlight the subset of obligations and rights that are relevant to the operation of LLF.

1.1.1.                        Intended Audience

The policy is public.  Anybody may read it.  When somebody with a role identified in Section 3 first enters that role they will be provided with a data-protection notice related to that role.  That notice references this policy.

2. Scope

This policy applies to actions taken by Trustees or Volunteers handling any of the data identified in Section 0 and acting on behalf of LLF.  The policy applies to data being processed (including storage and transmission) within the European Economic Area (EEA).

3. Roles and responsibilities

3.1.   Trustees

A Trustee is an individual appointed as a trustee of AquAid Lifeline Fund and registered as such with the Charity Commission.

A Trustee shall follow this policy.  Trustees approve this policy.

3.2.   Volunteers

A Volunteer is an individual (including representatives of a corporate entity) that acts on behalf of LLF, with the permission of the Trustees.   For example, those individuals that visit AquAid Lifeline Fund Malawi (LLF Malawi) sites with the cooperation of the Trustees.

A Volunteer has certain rights and obligations under this policy, as described in Section 5.

3.3.   Donors

A Donor is an individual or corporate entity that provides financial or other material support to the LLF.  A Donor has rights under this policy related to protection of their data, as described in Section 6.

3.4.   Contacts

A Contact is an individual that has been in contact with LLF (for example through the website “book a speaker” form) but doesn’t fit the Donor or Volunteer category.

A Contact has certain rights under this policy.

3.5.   LLF Malawi contacts

An LLF Malawi contact is an individual or corporate entity that LLF needs to communicate with in order to perform the objects of the charity.

Such contacts might include employees (potential, current, past), volunteers, residents and organizational (government or NGO) representatives.

An LLF Malawi contact has rights under this policy related to protection of their data, as described in Section 7.

3.6.   Data Protection Trustee

According to the Information Commissioner’s Office (ICO), and based on the types of data that are defined in the Register (Section 9) the LLF is not required to appoint a Data Protection Officer.

LLF will appoint a Data Protection Trustee with the following responsibilities:

  • To ensure that this policy is accurate and up-to-date, being reviewed at least every 3 years
  • To ensure that Trustees are familiar with the policy
  • To ensure that Trustees comply with the policy
  • To ensure that those interacting with Volunteers, Donors and LLF Malawi contacts provide them with the appropriate notices, as described in this policy.
  • To ensure that the website shows the Notice to Website visitors and this policy.
  • To assist the Malawi LLF trustees in their defining and operating a data protection policy

Note, this role is not the Data Protection Officer (DPO) role described by the ICO.

4. General principles

This Section describes the general principles under which this policy operates. The details of handling particular types of data are described in the Register (Section 0).

Where this policy defines a requirement (“ensure”, “shall”, “must”, “will”) on an LLF Trustee or Volunteer to take an action, the policy should be read as expecting the individual to make a reasonable attempt to satisfy the requirement.  Any statement of an action by LLF should be read as any agent of LLF taking the action on its behalf.

This policy covers an individual’s personal data held or processed by LLF in order to pursue its charitable objects.

Data may be held for a number of reasons, including:

  • LLF is required to hold the data by law (legal obligation)
  • An individual gave consent to hold the data (consent)
  • The data is required for the pursue its charitable objects (legitimate interests)

LLF will hold and process personal data only as described in the Register (Section 9).   LLF will purge from its records any data that is outside its retention period.

LLF will not hold or process “Special categories of personal data”, which includes data that relates to an individual’s health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership.

LLF will protect the privacy of personal data it holds.  Personal data will be shared between the Trustees to the minimum extent required for the charity to meet its charitable objects.

LLF will only provide personal data to third parties as required by law or permitted by law and necessary for the charity to meet its charitable objects.  An individual’s personal data (such as contact details for Malawi LLF staff) may be shared with Volunteers only with the consent of the individual concerned.

LLF will protect the integrity of personal data it holds such that no one Trustee or Volunteer holds data that is necessary for the charity to meet its charitable objects.

Where consent is the lawful basis of holding an individual’s personal data:

  • evidence of such consent shall be kept with the personal data
  • the data shall be deleted on request by the individual

A Trustee that receives personal information from a (potential) donor, volunteer or Malawi LLF contact shall in the first instance after the approval of this policy provide them a copy of the relevant notice, as shown below in this policy (Sections 5, 6 and 7).  This is also a good time to seek and document any consent to sharing the data with Volunteers.

LLF will provide a copy of personal data held on an individual on request by that individual and allow for factual errors to be corrected.

LLF will provide training to Trustees about their obligations under this policy.  Such training might take place in the form of a review of this policy by all trustees on its adoption and similar review by new Trustees.

A Trustee or Volunteer that visits LLF Malawi sites might receive and handle personal data that is outside the scope of the Register (for example, employment records and CVs).  That individual shall not retain any of that data outside Malawi, except as permitted by the Register.

This policy shall be reviewed and approved by the LLF Trustees every 3 years.

The notice to website visitors (Section 8) shall be presented to website visitors at least when they first access the website.

This policy is public, and shall be publicly accessible via the LLF website.

5. Notice to Volunteers

AquAid Lifeline Fund (LLF) records and processes your personal data in compliance with its Data Protection Policy.  This data includes your name, address, email, phone number, and records of any visits to Malawi.

You have a right to see a complete copy this personal data, and a right to correct any factual errors.  When you supply these details to LLF, you are consenting to them being held.  You can ask LLF to delete records of your address, email and phone at any time.

If you are provided with contact details for AquAid Lifeline Fund Malawi (LLF Malawi) individuals (e.g. staff, volunteers or residents) you agree not to share these details with anyone else.

You can read the full LLF Data Protection Policy here:  <Insert URL>

6. Notice to Donors

AquAid Lifeline Fund (LLF) records and processes your personal data in compliance with its Data Protection Policy.

The records comprise your Name, Address, Email, Phone, plus records of your donations and gift-aid status.

You have a right to see a complete copy of this personal data, and a right to correct any factual errors.

We will retain this data only as required by UK law, which is 3 years (not gift-aided) or 6 years (gift-aided).

You can read the full LLF Data Protection Policy here:  <Insert URL>

7. Notice to LLF Malawi contacts

AquAid Lifeline Fund (LLF) records and processes your personal data in compliance with its Data Protection Policy.

LLF will record your Name, Address, Phone and Email address, your role in AquAid Lifeline Fund Malawi (LLF Malawi).  LLF might keep a copy of email exchanges with you.

You have a right to see a complete copy of this personal data, and a right to correct any factual errors.

We will retain this data while you are performing a role in LLF Malawi.

You can read the full LLF Data Protection Policy here:  <Insert URL>

8. Notice to Website visitors

This website can collect personal information from you in two circumstances:

  1. You donate using the PayPal donation button on the home page. In this case, information is recorded on your computer in the form of “cookies” to make any subsequent donations quicker.  AquAid Lifeline Fund staff have no access to this data.
  2. You provide your details using one of the contact forms, e.g., “Book a speaker”. In this case the details you provide are kept secure according to our data protection policy.  You have the right to review and correct this data.  You have the right to ask for the data to be deleted.

Also, the website might collect data from your browser to present statistics to AquAid Lifeline Fund staff.  This might include: Browser type and version; information about your visit, including the full Uniform Resource Locators (URL); information about what you viewed or searched for in order to locate the site; length of visits to certain pages.  No personally identifiable information is stored.

You can read the full LLF Data Protection Policy here:  <Insert URL>

 

9. Register of Data Types

 

Data Type Information held Information used for Basis under which held Retention
Trustee Email address, phone number Communicating amongst trustees Legitimate interest & Legal obligation During term as trustee
Donor Name, Address, Email, Phone, possibly bank account

 

Per donation: amount and date

 

Per tax year: any Gift Aid declaration

 

Copies of emails sent to or by the Donor to LLF related to donation.

Maintaining LLF financial records

 

Seeking Gift Aid tax recovery from Her Majesty’s Revenue and Customs (MHRC).

 

Provide donor with information related to their donation

Legal Obligation

 

 

 

 

 

 

Legitimate interest

If not gift-aided, 3 years.

 

If gift-aided, 6 years.

 

 

7 years

Volunteer Name, Address, Email, Phone

 

Types of work performed

 

Dates of any visits to Malawi

 

Trustee or LLF Malawi staff comments on any visits

Email exchanges with Volunteer

 

Outcome of any “Disclosure and Barring Service” (DBS) check

Communicating with Volunteers

 

 

 

 

 

Supporting or not supporting future visits.

Address, email and phone: consent.

 

The remainder: Legitimate interest

7 years or deleted on request

 

7 years

Other Contact Name, Address, Email, Phone Speaker bookings or other enquiries about the operation of LLF Consent 7 years or deleted on request
Malawi LLF Contact Name, Address, Email, Phone, role in LLF Malawi

 

Email exchanges with contact.

Managing donations to LLF Malawi

 

Managing Trustee and Volunteer visits to Malawi

Legitimate interest Removed when individual no longer performs role in LLF Malawi
Website News Articles

 

Social Media Postings

May include articles that identify day-care or boarder children or adult service users by Christian name only.

Other forms of identification should be avoided unless absolutely necessary.

 

May include photos of individual residents or groups of residents with the permission of LLF Malawi staff.

Communicating the work of LLF with potential supporters Legitimate interest Indefinitely
Website visitor statistics Whatever is collected by the statistics package installed on the website.  This might include: Browser type and version; information about your visit, including the full Uniform Resource Locators (URL); information about what you viewed or searched for; length of visits to certain pages Monitoring website usage Legitimate interest Indefinitely