Privacy Policy

Wiltshire Scrapstore and Resource Centre
Unit 5 Griffin Farm, Bowden Hill, Lacock, Chippenham,
Wiltshire SN15 2PP
Charity No. 1077193 Company No. 3748418

Privacy/Data Protection Policy

Policy statement
It is Wiltshire Scrapstore and Resource Centre (WSRC) policy that all information which identifies an individual living person including employees, parents, carers and children is respected as confidential information. The law in the UK requires us to manage personal information in accordance with data protection principles. This notice tells you what personal information we collect, how we use it, who we may share it with, steps we take to protect and secure it, your rights under data protection law and finally, how you can contact us with questions or concerns.

We are committed to the privacy of the personal information that is entrusted to us and we want to ensure you can exercise your privacy rights.

What personal information we may hold about you
We use a wide range of personal information about you that we have put into the following categories:
* Contact – Information we can use to make contact with you and where you live.
* Transactional – Information relating to payments, credit and debit payments.
* Consents – Information relating to permissions, consents and contact preferences.
* Disclosure & Baring Service (DBS) Checks – Information relating to checks completed on individuals within the church who work with children and vulnerable adults.
* Conference and Event Management – Information relating to your attendance at conferences, courses or special events you or your children attend including those run by third parties.
* Giving / Gift Aid – Information relating to the money you give to church and where relevant our engagement with the HMRC to claim back tax via the gift aid process.

Where we collect personal information from
We may collect personal information about you from the following sources:
* In application forms you complete, from emails and letters you send us, when registering for events, conferences and special events and when using our website.
* The Disclosure & Baring Service (DBS) when you ask to work with children or vulnerable adults.
What we use your personal information for
We will use your personal information for the following purposes:
* Managing our relationship with you, including administering membership records;
* Responding to your enquiries and complaints;
* Providing you with services and notifying you about either important changes or developments to the features and operation of those services;
* Updating, consolidating, and improving the accuracy of our records;
* Informing you of news, events and activities;
* Booking you or your children into events and workshops
* Ensuring we comply with the law for example when responding to court orders, or legal processes; to establish or exercise our legal rights or, defend against legal claims;
* To investigate, prevent or detect crime or illegal activities and situations involving potential threats to the safety of any person;
* HM Revenue & Customs or other authorities require it; and
* Testing new systems and checking upgrades to existing systems.
WSRC staff, volunteers and trustees accept their responsibilities to comply with the Data Protection Principles outlined in the General Data Protection Regulations 25th May 2018 and Data Protection Act 1998 which are that data, either manual or computerised, which identifies an individual living person must:
* be processed fairly
* only be used for specified purposes
* be adequate, relevant and not excessive
* be accurate and up to date
* not be kept longer than necessary
* only be processed in accordance with the rights of data subjects
* be held securely
* only be contacted if specifically given consent to do so

The Director, with the support of the Assistant Director, will oversee compliance with current data protection regulations. All staff and volunteers who process this data will be made aware of and comply with this Data Protection Policy.

Parents and Carers Personal Information
When a parent or carer contacts WSRC they often provide personal details. Additionally there are professional staff working with WSRC who may be providing personal information relating to parents, carers or children. This information is judged as confidential information and maintaining confidentiality is very important to the parent, carer or child.

Parents and Carers – Exceptions where you can disclose information
There are only a few exceptions to when you can disclose information to others, regardless of whether the parent or carer has consented or not. These exceptions include:
* if there is an indication of abuse of a child
* where there are indications of self-harm by a child
* if a child’s health and well-being are at risk generally
* if the parent’s health and well-being are at risk
* if other people may be in danger because of threatening behaviour
* where it is required by law
* where it is in the public interest to do so

Should you have to breach a parent’s or carer’s confidentiality for one of the special reasons above, you must inform him or her that you have done so at the earliest possible moment. You must be honest if you breach confidentiality.

However if you have to disclose information about a possible crime that has been committed or there is a suspicion of child abuse for example, then in these cases you should not inform him or her that you are going to breach their confidence. Instead you should seek support from the designated staff member of the scrapstore. In each circumstance you will need to document the breach of confidentiality.

Parents and Carers – believed ‘right to know’
There are people who believe they have a ‘right to know’ confidential information about a child. These people may be estranged parents, partners or other relatives. We might be working with the mother of a child separated from the father or partner for example and we should not share confidential information with the father or partner without the mother’s approval.

They may think that they have a right to know, however without the consent of the parent or carer information must not be passed on. This can lead to very difficult situations for you as a representative of WSRC. If the other relative asks you for information about the child you need to be quite clear and assertive, and explain to them that you are unable to disclose any information except with the parent’s or carer’s permission. You can advise them to talk to your manager or supervisor if they wish to discuss it further.

Passing on confidential information where needed
There are three ways of passing on information:
* verbally
* in writing through letters and notes
* electronically through email or file sharing

It is very important that you take great care in case you breach confidentiality. When talking on the phone or with your colleagues in WSRC think about who is around you who may be able to overhear what you say. This is one of the commonest ways of breaching confidentiality. We all feel the need to talk to friends about our day work however make sure you do not use names or any other personal information when you do this.

Processing of Personal Information
1. Fair Processing
WSRC will ensure that the data subject will:
* not be deceived or misled
* know the purpose for which the data is intended
* know when WSRC is the Data Controller
* know the identity of the Data Controller when WSRC is the Data
Processor
* know when the data is likely to be passed to a third party.

2. Conditions for Processing Any Personal Data
WSRC will only process personal data when it meets at least one of the following conditions:
* the Data Subject has given his/her consent, including when the consent is implicit in the supplying of details, e.g.   for membership administration or when the Data Subject holds an official position
* the processing is necessary for the performance of a contract to which the Data Subject is a party, including the Employment Contract
* the processing is necessary for the taking of steps at the request of the Data Subject with a view to entering into a contract
* it is necessary to protect the vital interests of the Data Subject
* it is necessary for the compliance with any legal obligation
* it is necessary for the purposes of legitimate interests pursued by WSRC or by the third party or parties to whom the data is disclosed, except where it prejudices the rights or interests of the Data Subject.

3. Conditions for Processing Sensitive Personal Data
WSRC will only process sensitive personal data as defined by the Data Protection Act 1998 when it meets at least one of the following conditions:
* the Data Subject has given his/her explicit consent
* it is a legal requirement of the data subject’s employment
* it is necessary for legal proceedings
* it is used for monitoring equal opportunities

Sensitive personal data is defined as information relating to the Data Subject:
* Racial or ethnic origin
* Political opinions or beliefs
* Religious or other similar beliefs
* Membership of a trade union
* Physical or mental health condition
* Sexuality
* Commission or alleged commission of any offence
* Court proceedings

4. Rights of the Data Subject
WSRC accepts that the Data Subject will have the right to:
* have information.
* not have their data processed if they have been asked for consent and
refused
* opt out of direct marketing/fundraising initiatives
* apply for subject access

5. Subject Access
All requests for subject access must be made in writing and will require a fee of £10 to be paid to WSRC. All requests for access to personal data should be passed to the Company Secretary. When an individual makes a subject access request, WSRC will tell them whether personal data about them is being processed by, or on behalf of, WSRC. If it is, WSRC will give the Data Subject a description of:

* the personal data of which that individual is the Data Subject
* the purposes for which the data is being or is to be processed, and
* the recipients or classes of recipients to whom it is or may be disclosed.

WSRC will also inform the Data Subject about:
* the contents of the personal data, and
* any information available to WSRC as to the source of the data.

When a Data Subject makes a subject access request WSRC will ask for reasonable information in order to check the identity of the person making the request and locate the information the person seeks.

If WSRC cannot comply with the request without disclosing information relating to another individual who can be identified from that information, it will not comply unless:
* the other individual has consented to the disclosure, or
* it is reasonable in all the circumstances to comply with the request without
consent.

6. Opt In Clauses – Marketing and Electronic Commerce
* Data Protection Disclaimers
The following statements should appear on all documents (whether hard copy or electronic) with the appropriate wording being substituted for italics:

Data Protection
WSRC will use the information you provide (on your booking form, order form, membership form etc), and additional information you may provide in the future, for administering or delivering our services. (conferences and events, publications, orders, etc). We will not disclose this information to any other person or organisation except in connection with the above purpose.

The following opt in clause should also appear on the form/document:

We may send information about other WSRC events, publications or services that we think may be of interest to you. If you do wish to receive this information, please tick this box [ ].

7. E-Mails
E-mail accounts will be set up with a disclaimer clause to be inserted at the end of all outgoing e-mails stating that the information transmitted is confidential and intended for the recipient only. If the person receiving the e-mail is not the intended recipient it will ask them to delete it, not to use, review, distribute, disclose, alter, print, copy, transmit or rely on the e-mail and any file transmitted with it.

Disclosure and Barring Service
General Principles
As an organisation using the Disclosure and Barring Service to help access the suitability of applicants for positions of trust, WSRC complies fully with the DBS Code of Practice regarding the correct handling, use, storage, retention and disposal of Disclosures and Disclosure information. It also complies fully with its obligations under the Data Protection Act and other relevant legislation pertaining to the safe handling, use, storage, retention and disposal of Disclosure information and has a written policy on these matters, which is available to those who wish to see it on request.
Storage & Access
Disclosure information is never kept on an applicant’s personnel file and is always kept securely, in lockable, non-portable storage containers with access strictly controlled and limited to those who are entitled to see it as part of their duties.

Handling
In accordance with section 124 of the Police Act 1997, Disclosure information is only passed to those who are authorized to receive it in the course of their duties. We maintain a record of all those to whom Disclosure or Disclosure information has been revealed and we recognise that it is a criminal offence to pass this information to anyone who is not entitled to receive it.
Usage
Disclosure information is only used for the specific purpose for which it was requested and for which the applicant’s full consent has been given.
Retention
Once a recruitment (or other relevant) decision has been made, we do not keep Disclosure information for any longer than is absolutely necessary.
Disposal
Any Disclosure information is immediately suitably destroyed by secure means, i.e. by shredding, pulping or burning. While awaiting destruction, Disclosure information will not be kept in any insecure receptacle (e.g. waste bin or confidential waste sack). We will not keep any photocopy or other image of the Disclosure or any copy or representation of the contents of a Disclosure. However, notwithstanding the above, we may keep a record of the date of issue of a Disclosure, the name of the subject, the type of Disclosure requested, the position for which the Disclosure was requested, the unique reference number of the Disclosure and the details of the recruitment decision taken.

Reviewed 24/5/2018