Disclaimer

INTRODUCTION

Josimah Baby Bank is committed to a policy of protecting the rights and privacy of individuals. Josimah Baby Bank needs to collect and use certain types of Data in order to carry out our work. This personal information must be collected and dealt with appropriately. The General Data Protection Regulation (GDPR) governs the use of information about people (personal data). Personal data can be held on computer or in a manual file, and includes email, minutes of meetings, and photographs. Josimah Baby Bank will remain the Data Controller for the information held. Josimah Baby Bank and volunteers will be personally responsible for processing and using personal information in accordance with the GDPR.

Trustees and volunteers running Josimah Baby Bank who have access to personal information, will be expected to read and comply with this policy.

PURPOSE

The purpose of this policy is to set out Josimah Baby Bank commitment and procedures for protecting personal data. Josimah Baby Bank regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal with.

  1. We want to collect limited personal information of clients in order to fulfil a referral request.
  2. We want to use (1) to contact individuals about deliveries, product safety recalls or other information critical to completing our referral service.
  3. We want to use (1) to contact individuals who have received our support to inform them about changes to our service or events which might be of interest to them.
  4. We want to use (1) to contact individuals to invite them to return as volunteers and/or to work as ambassadors.
  5. We want to collect personal information from our referral partners and volunteers in order for our service to ensure good communication.
  6. We want to maintain a list of people who have donated to us before, so that we can contact them to ask them to do so again.
  7. We want to claim gift aid on a person’s donations.
  8. We want to use (3) to research the donors’ financial background using public sources to work out what kind of approach to make to them.
  9. We want to maintain accurate records of clients in order to anonymise data to use in funding applications and publicity.
  10. We want to use the limited personal data we collect and store for 5 years before anonymising for long term use in order to assess the impact of our services.
  11. We want to maintain a list of people who have explicitly told us that they don’t want to be contacted by us again.
  12. We want to maintain contact information for anyone who has volunteered for Josimah Baby Bank so we can contact them about future volunteering opportunities.
  13. We want to keep our volunteer, client and referrer database information up to date.

THE GDPR

In line with the GDPR principles (Article 5), Josimah Baby Bank will ensure that personal data will:

  • Be obtained fairly and lawfully and shall not be processed unless certain conditions are met.
  • Be obtained for a specific and lawful purpose.
  • Be adequate, relevant but not excessive.
  • Be accurate and kept up to date.
  • Not be held longer than necessary.
  • Be processed in accordance with the rights of data subjects.
  • Be subject to appropriate security measures.
  • Not to be transferred outside the European Economic Area (EEA).

Where collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes paper based personal data as well as that kept on computer.

The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. The organisation will seek to abide by this code in relation to all the personal data it processes, i.e.

  • Accountability: those handling personal data follow publicised data principles to help gain public trust and safeguard personal data.
  • Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.
  • Consent: The collection and use of personal data must be fair and lawful. Personal data should only be used for the purposes agreed by the data subject. If personal data is to be shared with a third party or used for another purpose, the data subject’s consent should be explicitly obtained.
  • Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data.
  • Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span.

Type of Information Processed

Some examples of Personal Data:

  • Name
  • Date of Birth
  • Family Name
  • Current and Previous Address
  • Evening/Daytime/Mobile telephone numbers
  • E-mail Address
  • Family Relationships

Some examples of Sensitive Personal data:

  • Gender
  • Ethnic Origin
  • Disability
  • Marital Status

Josimah Baby Bank processes the following personal information (information that allows a person to be identified):

  • Volunteer and donor name, address, email and contact number.
  • Referrer name, email address and contact number
  • Client name, postcode but NOT full address unless specifically given by client for delivery purposes, in which case it is destroyed once delivery is complete, sex and age of children, ethnicity. If possible, email and phone numbers are also obtained for the purposes set out in 2, 3 &4 above.
  • Information required by HMRC in relation to financial donations subject to Gift Aid.

Personal information is emailed to a secure email address by the referrer, volunteer or donor and is then uploaded to the client database. If paper requests of referrals or volunteer applications are received they are uploaded to the client database upon which the paper copy is destroyed.

Staff data including personal and financial records are only available to the Trustees.

Groups of people within the organisation who will process personal information are:

  • Trustees, staff, specific contractors, treasurers, front desk volunteers, delivery volunteers.

Applying the GDPR within Josimah Baby Bank

Whilst access to personal information is limited to the aforementioned staff and volunteers at Josimah Baby Bank, volunteers at Josimah Baby Bank may undertake additional tasks which involve the collection of personal details from members of the public.

In such circumstances we will let people know why we are collecting their data and it is our responsibility to ensure the data is only used for this purpose.

Correcting data

Individuals have a right to have data corrected if it is wrong, to prevent use which is causing them damage or distress or to stop marketing information being sent to them.

Responsibilities

Josimah Baby Bank is the Data Controller under the GDPR, and is legally responsible for complying with the GDPR, which means that it determines what purposes personal information held will be used for.

The Board of Trustees will take into account legal requirements and ensure that it is properly implemented, and will through appropriate management, strict application of criteria and controls:

  • Observe fully conditions regarding the fair collection and use of information.
  • Meet its legal obligations to specify the purposes for which information is used.
  • Collect and process appropriate information, and only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements.
  • Ensure the quality of information used.
  • Ensure that the rights of people about whom information is held, can be fully exercised under the GDPR. These include:
    • The right to be informed that processing is being undertaken.
    • The right of access to one’s personal information.
    • The right to prevent processing in certain circumstances.
    • The right to correct, rectify, block or erase information which is regarded as wrong information.
  • Take appropriate technical and organisational security measures to safeguard personal information.
  • Ensure that personal information is not transferred abroad without suitable safeguards.
  • Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information.
  • Set out clear procedures for responding to requests for information.

The Data Protection Officer on the Board of Trustees is: Wura Adeyinka

The Data Protection Officer(s) will be responsible for ensuring that the policy is implemented and will have overall responsibility for:

  • Everyone processing personal information understands that they are contractually responsible for following good data protection practice.
  • Everyone processing personal information is appropriately trained to do so.
  • Everyone processing personal information is appropriately supervised
  • Anybody wanting to make enquiries about handling personal information knows what to do.
  • Dealing promptly and courteously with any enquiries about handling personal information.
  • Describe clearly how Little Village handles personal information
  • Will regularly review and audit the ways Little Village holds, manages and uses personal information.
  • Will regularly assess and evaluate Little Village’s methods and performance in relation to handling personal information.
  • All staff and volunteers are aware that a breach of the rules and procedures identified in this policy may lead to action being taken against them.

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the GDPR.

In case of any queries or questions in relation to this policy please contact the Data Protection Officer.

Training

Training and awareness raising about the GDPR and how it is followed in this organisation will take the following forms:

On induction: all volunteers are given a copy of our data protection policy and asked to sign the Volunteers’ Agreement to show they have read and understood it. Specific induction is given regarding volunteer roles that deal with personal data. Only trustees have access to passwords and locked files.

Further training is available to trustees and staff through outside agencies where necessary and a training log is kept of those who have attended.

Data collection

Before personal information is collected, we will consider:

  • What information we need in order to deliver our service efficiently.
  • What information we need in order to show the impact of our service.
  • How long we will keep the information on record:
    • We will keep data on clients for a maximum of 5 years from the client’s last use of our service.
    • We will keep volunteer data for 1 year after their last contact with us, then it will be deleted.
    • We will keep data on Gift Aid declarations for 6 years, in accordance with HMRC regulations.
    • Anonymised data and aggregate totals will be maintained beyond the destruction of individual records so we can assess the impact of our services.
  • Application forms, interview records (including notes taken at interview) and references for unsuccessful internal or external candidates for paid employment will be kept for a period of 12 months following application, after which they should be confidentially shredded.
  • 6 years after employees have left, all information other than their name, job title, department and period of employment should be deleted.
  • Data relating to disciplinary and grievance records of current employees are removed from personnel files once they become spent in accordance with Little Village’s disciplinary procedure; and deleted three years from the date issued. Where disciplinary or grievance cases have involved concerns of sufficient severity or gravity, data will be deleted five years from the date issued.

We will inform people whose information is gathered about the following:

  • That we need key information in order to deliver our service.
  • That their information will be recorded in our Client Database, which is only accessed by trustees and is password protected.
  • That by ticking the box on the referral and/or volunteer form, they consent to Josimah Baby Bank using their anonymised data.
  • That by ticking the box on the referral and/or volunteer form, they can opt in to our communications about future events, etc.
  • That by ticking the box on the referral form, they consent to being contacted in order for us to complete our service (such as delivery, product recall, out of stock items).
  • That donors who donate will need to explicitly opt in to our communications, requests for further donations etc.
  • That staff will have relevant financial and personal information kept in the HR files in order to enable Josimah Baby Bank to meet legal and contractual obligations.

Data Security

Once received, all correspondence containing ‘personal’ or ‘sensitive personal’ data must immediately be either securely processed, stored, or destroyed; or immediately passed on to another member of staff or a volunteer for secure processing, storing or destruction.

No visible, unattended Data

All staff and volunteers must adopt a ‘clear desk policy’ when it comes to data. This means that all versions of any ‘personal’ or ‘sensitive personal’ data must be handled in a timely and secure fashion and at no time left unattended, particularly outside hours of business e.g. not left on desks overnight.

Electronic Copies

Electronic copies should at no time left open and unattended on a computer monitor, and never should be unnecessarily distributed.

Computer screens should be locked if they are left unattended for any time.

All electronic correspondence containing ‘personal’ or ‘sensitive personal’ data should be deleted, and then deleted from any electronic ‘trash’ bin, once it has been processed.

Paper Copies

Paper copies should exist in only one of three states; being securely processed, being securely stored, or being securely destroyed.

The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:

  • All referrals are emailed to a secure email address which only trustees have access to.
  • Once entered into the client database they are anonymised with a serial number and only first names. Clients are only requested to give their full address if they require our delivery service, the information of which is held on a secure password protected spreadsheet on a password protected device and destroyed once delivery is completed.
  • Volunteers are sometimes required to collect the above data from clients and record on a paper referral form. All volunteers are specifically told in their induction and reminded at each session briefing that all paper copies of referral documents should be given to the trustees at the end of each session.
  • All volunteer and donor information are contained on separate, password protected spreadsheets.
  • Any paper copies of volunteer agreements are kept in a secure filing cabinet.
  • Josimah Baby Bank will use our best efforts to ensure that any outside agencies or contractors used to process data (such as payroll, fundraising etc.) also comply to the law and will adhere to the GDPR regulations.

Existing Records

Josimah Baby Bank intends to use the “legitimate interest” principle of the GDPR in relation to information about volunteers and donors which was collected and stored before the date of this policy. Appendix 1 details the circumstances in which legitimate interest will be applied.

Data Breach

Any unauthorised disclosure of personal data to a third party by an employee may result in disciplinary action being taken.

The trustees are accountable for compliance of this policy. A trustee could be personally liable for any penalty arising from a breach that they have made.

Any unauthorised disclosure made by a volunteer may result in the termination of the volunteering agreement.

If a volunteer or member of staff is made aware of a data breach they should notify the trustees.

Any serious data breaches or data loss will be reported to the Information Commissioners Office and the Charity Commission. This includes:

  • Charity data that has been accessed by an unknown person and/or deleted.
  • A charity device, containing personal details of beneficiaries or staff, has been stolen or gone missing and it’s been reported to the police;
  • Charity funds lost due to an online or telephone ‘phishing scam’, where trustees were conned into giving out bank account details;
  • A Data Protection Act breach has occurred and been reported to the ICO.

Data Subject Access Requests

Anyone whose personal information we process has the right to know:

  • What information we hold and process on them
  • How to gain access to this information
  • How to keep it up to date
  • What we are doing to comply with the Act.

They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.

Individuals have a right under the Act to access certain personal data being kept about them on computer and certain files. Any person wishing to exercise this right should apply in writing to Leanne Simcoe ([email protected])

The following information will be required before access is granted:

  • Full name and contact details of the person making the request
  • Relationship with the organisation and applicable timescales

We may also require proof of identity before access is granted. The following forms of ID may be required: passport, birth certificate.

Queries about handling personal information will be dealt with swiftly and politely.

We will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within the 28 days required by the GDPR from receiving the written request.

Disclosure

Josimah Baby Bank may need to share data with other agencies such as the local authority, funding bodies and other voluntary agencies.

The Data Subject will be made aware in most circumstances how and with whom their information will be shared. There are circumstances where the law allows Josimah Baby Bank to disclose data (including sensitive data) without the data subject’s consent.

These are:

  1. Carrying out a legal duty or as authorised by the Secretary of State.
  2. Protecting vital interests of a Data Subject or other person.
  3. The Data Subject has already made the information public.
  4. Conducting any legal proceedings, obtaining legal advice or defending any legal rights.
  5. Monitoring for equal opportunities purposes – i.e. race, disability or religion.
  6. Providing a confidential service where the Data Subject’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g. a safeguarding concern for the welfare of the child or adult.

Josimah Baby Bank regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.

Risk Management

The consequences of breaching Data Protection can cause harm or distress to service users if their information is released to inappropriate people, or they could be denied a service to which they are entitled. Volunteers should be aware that they can be personally liable if they use clients’ personal data inappropriately. This policy is designed to minimise the risks and to ensure that the reputation of Josimah Baby Bank is not damaged through inappropriate or unauthorised access and sharing.

Further information

If members of the public/or stakeholders have specific questions about information security and data protection in relation to the Josimah Baby Bank please contact the Data Protection Officer.

The Information Commissioner’s website (www.ico.gov.uk) is another source of useful information.

Signed:

Dated: October 2021

Next Review Date: October 2022

Appendix 1: Josimah Baby Bank GDPR Approaches

Background and Definitions

CONSENT

Consent is not defined in the Data Protection Act. However, the European Data Protection Directive (to which the Act gives effect) defines an individual’s consent as:

…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

Under the GDRP, organisations using consent as the basis for contact or data processing, will need to actively collect and then maintain consents (opt-ins) from existing and new contacts in order to store information, or before any contact can be made (using personal data). The bar is set very high on the quality of this consent.

LEGITIMATE INTEREST

GDPR presents legitimate interest as a valid condition for processing as follows:

“where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Organisations using legitimate interest as the basis for processing data will need to be able to demonstrate that they have balanced the rights of the individual data subject with their own interests. They will need to record and explain the rationale for using legitimate interest and they need to be aware that the data subject can challenge.

Contacting all individuals who we already hold data on to collect permission could lead to a significant reduction in numbers of people on our databases. Not everyone will respond and of those that do, tick a consent box – even if they are actively in contact with Josimah Baby Bank. Harvesting and maintaining permissions could quickly become the major preoccupation of our volunteers and trustees.

Legitimate interest is a simpler approach and recent guidance from the Information Commissioner’s Office (ICO) suggests they now consider this route is likely to be chosen by charities in many cases. However, the charity needs to specify and record the grounds on which it believes legitimate interest applies in each case. Organisations can also not rely on consent and legitimate interest for the same set of data, i.e., if a group of individuals are contacted to request consent but consent is not given by some, we could not then retain their information under legitimate interest.

Proposed Approaches for Josimah Baby Bank

Our Data Protection Policy outlines the personal information we collect on various groups that come into contact with our charity, why this collected and how and why it is held. We have updated all of the forms we use to collect this information to contain a robust set of consents around storing data and opt-ins for future contact for relevant reasons depending on the group of people using the form. Given consents will be recorded and stored securely.

To judge which route should apply, and to enable us to articulate these to others, we set out to establish some principles.

  • We believe we have a legitimate interest to contact volunteers and referrers which enable us to operate.
  • We would balance the interests of volunteers and referrers with our need to operate.
  • Where we are using legitimate interest, we would ensure we are staying within the realms of what people might expect.
  • We would use legitimate interest as a basis to contact engaged volunteers and referrers with materials consistent with their current behaviour.
  • We would use legitimate interest to contact existing volunteers and referrers with newsletters and through this route invite further participation via consent.
  • We would use consent for all new contact service users, volunteers and referrers.

Fundraising

We do not currently have any financial donors on a regular giving scheme, and as such do not have a large financial donor database who we would contact about and future fundraising campaigns. If this is something we decide to pursue in the future, we should revisit this policy. Many other charities are relying on legitimate interest for contact relating to fundraising.

Group

Proposed Approach

Action Required

Confirmation Action Confirmed & Notes

Existing Volunteers

Legitimate interest to hold their information as charity needs to be able to contact them to operate. Not harming rights of individuals as contact is in line with reason individuals originally provided data. Inform individuals that they will be kept on our database and give them the option to opt-out.

New Volunteers

Collect consents (data retention and future contact) at point of contact and store securely.

Online contact form to be updated with new opt-in consents

Existing Service Users

Hold anonymised data in line with policy. Cannot contact without obtaining new set of consents. New consents to be obtained for any service user we have contact with and stored securely.

Site Directors and Referrals Managers to delete historic correspondence by which individuals could be identified.

New Service Users

Collect consents (data retention and future contact) at point of contact and store securely.

Paper and online contact form to be updated with new opt-in consents. Site Directors/Referral Managers to email consents to individuals contacting us not using standard new forms.

Existing Referrers

Legitimate interest to hold their information as charity needs to be able to contact them to operate. Not harming rights of individuals as contact is in line with reason individuals originally provided data. Inform individuals that they will be kept on our database and give them the option to opt-out.

Send local newsletters to existing data base (legitimate interest) including link to new policy and right to have data removed and no longer receive correspondence: Site Directors to include language from HQ in email sent May 2018

New Referrers

Collect consents (data retention and future contact) at point of contact and store securely.

Paper and online contact form to be updated with new opt-in consents. Site Directors/Referral Managers to email consents to individuals contacting us not using standard new forms.

Donors – equipment

We do not currently have an existing database of equipment donors. New consent will be obtained if we wish to establish this in the future.

Donors – financial

We retain the information we are required to relating to Gift Aid. This is in the legitimate interest of thecharity to allow us to comply with regulations. If we wanted to use this information to contact donors about future giving, we could use legitimate interest but we should revisit this at the time.

Reviewed by Leanne Simcoe, Founder – August 2020

WEBSITE TERMS OF USE

Please note, this policy covers the website only.

Welcome to our website. If you continue to browse and use this website [our ‘Site’] you are agreeing to comply with and be bound by the following terms and conditions of use.

The content of the pages of this website is for your general information and use only. It is subject to change without notice.

This website contains material which is owned by or licensed to us. This material includes, but is not limited to, the design, layout, look, appearance and graphics. Reproduction is prohibited other than in accordance with the copyright notice, which forms part of these terms and conditions.

Unauthorised use of this website may give rise to a claim for damages and be a criminal offence.

From time to time this website may also include links to other websites. These links are provided for your convenience to provide further information. They do not signify that we endorse the website. We have no responsibility for the content of the linked website(s).

Your use of this website and any dispute arising out of such use of the website is subject to the laws of England and Wales.

Information we may collect from you

We may collect and process the following data about you:

Information that you provide by filling in forms on our Site.

If you contact us, we may keep a record of that correspondence.

Details of your visits to our Site and the resources that you access.

IP addresses

We may collect information about your computer, including where available your IP address, operating system and browser type, for system administration. This is statistical data about our users’ browsing actions and patterns, and does not identify any individual.

Cookies

For the same reason, we may obtain information about your general internet usage by using a cookie file which is stored on your browser or the hard drive of your computer. Cookies contain information that is transferred to your computer hard drive. They help us to improve our Site and to deliver a better and more personalised service.

If you register with us or if you continue to use our Site, you agree to our use of cookies.

On 26 May 2012, new rules about cookies on websites came into force. The Site uses Google Analytics, a web analytics service provided by Google, Inc. (‘Google’). Google Analytics uses cookies to help us analyse how users use the Site. The information generated by the cookie about a user’s use of the Site (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating the user’s use of the Web Site, compiling reports on Site activity for web site operators and providing other services relating to web site activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate a user’s IP address with any other data held by Google. Users may refuse the use of cookies (as above). By using the Site, the User consents to the processing of data about that user by Google in the manner and for the purposes set out above.

Where we store your personal data

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our Site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

Website Privacy Policy

This Website Privacy Policy informs you of our commitment to privacy and explains the ways that Josimah Baby Bank collects, uses and discloses your personal and non-personal information when you visit this Website. By visiting this site, you consent to the collection, use and disclosure of your personal information as described in this Website Privacy Policy.

Josimah Baby Bank reserves the right to modify the terms and conditions of this Website Privacy Policy at any time without notice, and such modifications shall be effective immediately upon posting of the modified Website Privacy Policy on this website. You agree to review this Website Privacy Policy periodically to be aware of such modifications and your continued use of the website following the posting of any modified terms shall be deemed your conclusive acceptance of the modified Website Privacy Policy. If you do not agree with any modifications posted by Little Village, your sole and exclusive remedy is to discontinue use of this website.

Collecting and Using Information

We will not collect personal information about you when you visit our website, unless you choose to directly provide such information when contacting us via email and by completing online forms. We do not disclose any personal information, however obtained through this website, without explicit permission from the person to whom it relates.

We will use this personal information to process your request and when applicable, respond to you. By contacting us in this manner, you consent to the collection and use of your personal information for the purpose of responding to your request.

We do store information collected from visitors for statistical monitoring purposes and to help respond to comments made about the site.

Protecting Information

We strive to protect all personal information we receive online with appropriate safeguards and security measures. However, the Internet is not a secure medium and neither the privacy of your communications nor that of visitors to this website can be ensured. Accordingly, by visiting this website, you acknowledge and agree that Little Village does not guarantee the security of any information you transmit to us, and that you do so at your own risk.

Providing Access and Maintaining Accuracy

We will provide access to the personal information we collect and retain about you and use all reasonable efforts to maintain the accuracy of your personal information.

This Website Privacy Policy does not cover any links to third party sites.

If you have any questions or concerns about this Website Privacy Policy or wish to know how to access any of your personal information held at Josimah Baby Bank and its website, please email us at [email protected]

October 2021