Data Protection Policy

Our contact details:

The Lewy Body Society

Unity House, Westwood Park, Wigan, WN3 4HE

T: 01942 914 000 | E: info@lewybody.org | W: www.lewybody.org

Date of Policy: May 2022 | Review Date: May 2024

Introduction

The Lewy Body Society is committed to protecting the personal data of our stakeholders and to fulfilling our obligations under UK data protection legislation. This policy sets out the charity's commitment to data protection and how we comply with the key legislation.

This policy applies to all individuals whose personal data is processed by The Lewy Body Society, including:

  • Our trustees
  • Our staff, contractors, and volunteers
  • Our donors and fundraisers
  • Individuals using our services
  • Visitors to our website

This policy applies to all personal data held in a filing system by The Lewy Body Society, whether in paper or electronic format.

Legislation and guidance

This policy meets the requirements of the UK General Data Protection Regulation (UK-GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR). Guidance published by the Information Commissioner's Office (ICO) has also been taken into account.

Key definitions

Personal data

Any information relating to an identified or identifiable individual. Examples include a name or a unique reference number. It may also include factors specific to the individual's physical, physiological, genetic, mental, economic, cultural or social identity.

Special categories of personal data

Personal data that is more sensitive in nature and therefore needs more protection. It covers information about an individual's:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetics
  • Biometrics (such as fingerprints, retina and iris patterns), where used for identification purposes
  • Health, physical or mental
  • Sex life or sexual orientation

Processing

Anything an organisation does with personal data across its lifecycle, including:

  • Collection
  • Recording
  • Organising
  • Storing
  • Adapting or altering
  • Retrieving
  • Using
  • Erasing or destroying

Processing can be automated or manual.

Data subject

The identified or identifiable individual whose personal data is being processed.

Data controller

A person or organisation that determines the purposes and means of processing personal data.

Data processor

A third party that processes personal data on behalf of the data controller. Examples include contractors and suppliers of services.

Personal data breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data.

Data Controller

The Lewy Body Society is the Data Controller for all personal data processed by the charity, which means we are ultimately responsible for how that data is processed and make the decisions relating to it. As a charity, we are not currently obliged to register with the ICO or pay the annual data protection fee; whether this exemption still applies is reviewed annually using the ICO's self-assessment tool: https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/

Responsibilities

The Board of Trustees holds overall responsibility for data protection compliance within the charity and makes any key decisions regarding the processing of personal data.

The charity is not currently required to appoint a statutory Data Protection Officer; however, we have appointed an individual responsible for data protection within our organisation. Jacqueline Cannon is the data protection representative (DPR) for the charity and is responsible for the day-to-day implementation of policies and procedures. The DPR is the first point of contact for any questions about this policy or data protection and can be reached using the following details:

T: 01942 914 000 | E: info@lewybody.org

All staff, contractors and volunteers working on behalf of the charity have a responsibility to comply with this policy when processing personal data. We also ask that individuals inform us of any changes to their own personal data, such as a change of address, so that our records remain accurate.

In addition, we ask that all individuals working on our behalf notify the charity without undue delay if any of the following occur:

  • They are concerned that this policy is not being followed
  • They are unsure whether they have a lawful basis to process personal data in a particular way, or whether consent needs to be sought
  • They receive a request relating to the rights of individuals under the UK-GDPR
  • They wish to transfer personal data outside of the United Kingdom
  • There has been, or may have been, a personal data breach

The Lewy Body Society ensures that all individuals working with the charity understand their obligations and the charity's commitment to keeping data secure. Staff who do not comply with this policy may face disciplinary action.

Data protection principles

The UK-GDPR sets out six key principles that all organisations must comply with. Our commitments against each are outlined below:

  1. Personal data will be processed lawfully, fairly and in a transparent manner: the charity will only process personal data where we have one of the six lawful bases to do so under data protection law. We currently rely upon one of the following:
  • The processing is necessary so that the charity can fulfil a contract with the individual
  • The processing is necessary so that the charity can comply with a legal obligation
  • The processing is necessary to protect the vital interests of the individual, e.g. to protect someone's life
  • The processing is necessary for the legitimate interests of the charity or a third party (provided the individual's rights and freedoms are not overridden)
  • The individual has freely given clear consent

The charity does not currently process special categories of personal data. Should this change, this policy will be updated to incorporate the additional conditions that we need to meet under the UK-GDPR and DPA.

Where consent is the lawful basis, all individuals are informed of their right to withdraw consent and given instructions on how to do so.

  2. Personal data will be collected for specified, explicit and legitimate purposes only.
  3. The charity processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
  4. All personal data processed will be kept accurate and up to date; individuals have a right to have any incorrect personal data rectified.
  5. Personal data is kept only for as long as necessary to fulfil the purpose it was collected for; a process is in place to review and dispose of any personal data that is no longer required.
  6. The charity adopts appropriate measures to make sure that personal data is secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Please note that the principles are numbered for reference purposes only; all principles carry equal weight and none is more important than another.

Accountability

The UK-GDPR sets ‘accountability’ as the overarching principle that binds together the six key principles outlined above: organisations must be able to demonstrate their compliance with them. The charity meets the accountability principle by maintaining up-to-date records of data protection compliance, including details of the decisions made and logs of consent, information requests and data breaches, and by implementing key policies and procedures.

How we comply with the key principles of the UK-GDPR and demonstrate accountability

The Lewy Body Society has compiled a ‘Record of Processing Activities’ containing an inventory of the personal data that we process. This forms the basis of our data protection strategy and records the following information:

  • The categories of personal data that we process
  • The data subjects concerned
  • The purpose for processing
  • The lawful bases for processing
  • Third party data processors if applicable & details of international transfers
  • Technical security measures in place to protect that data
  • Retention period of each category of data

This document is reviewed annually, or sooner if the charity begins a new processing activity or an amendment is required.

Privacy Notices have been formulated to inform data subjects how and why we process their personal data. They are issued before any processing takes place, stored in accessible locations and reviewed annually. Personal data will not be processed for any new purpose unless the individual has been informed and, where applicable, consent has been sought.

Staff, Contractors & Volunteers are provided with a privacy notice and agree that only personal data necessary to perform their role is processed. Access to personal data is only granted if it is necessary for the performance of their role.

Any data shared with third parties will be clearly set out in the relevant privacy notice; compliance checks will be performed where necessary on Data Processors to ensure they maintain the levels of compliance and security expected by The Lewy Body Society.

The charity will update personal data promptly if an individual advises that their information has changed or is inaccurate. In addition, the email marketing system used for newsletters notifies the charity if any correspondence is undeliverable or if an individual has unsubscribed; the affected contact data is then securely and automatically deleted.

An annual check is performed on all personal data held within filing systems to ensure it is not kept for longer than necessary. Paper records are securely shredded and electronic records securely deleted, in line with the charity's retention schedule.

Procedures are in place to cover the rights of individuals set out in the UK-GDPR, and a log is kept of all information requests. Similarly, the charity has a documented procedure setting out the steps to take in the event of a data breach, along with a log in which all breaches are recorded. Both logs are reviewed annually to identify areas for improvement.

The charity reviews its security and confidentiality measures on a regular basis. Key measures include limiting access to personal information to those staff, contractors and volunteers who need it to perform their role. All electronic systems are password protected and regular backups are performed, while paper documentation is kept in a locked cupboard within a locked room with restricted access. Paper documentation is converted to electronic form where possible.

Rights of Individuals

Individuals have several rights in relation to their personal data under the UK-GDPR. These are outlined below, along with the process the charity will follow to meet them:

Right of Access

Commonly referred to as a ‘Subject Access Request’ (SAR), this is the right of individuals to gain access to the personal data that an organisation processes about them. Individuals have a right to ask for the following:

  • Confirmation that the charity processes their personal data
  • The categories of personal data processed
  • The purpose of the processing
  • Whether it is shared with any third parties
  • The source of the data (if not the individual)
  • How long the data will be stored, or the criteria used to determine this period
  • Access to a copy of their personal data
  • Whether any automated decision-making is being applied to their data, and what the significance and consequences of this might be for the individual

The Lewy Body Society asks that all SARs be submitted in writing, either by letter or email, to the charity's representative for data protection. Requests should include:

  • Name of individual
  • Correspondence address
  • Contact number and email address
  • Details of the information requested

Any individual working for the charity in any capacity who receives a request for personal information, whatever the method or format, should forward it immediately to the charity's representative for data protection.

The charity reserves the right to verify the identity of the individual making the request before responding.

Unless specified otherwise, copy data will be provided in electronic format and sent by email in a password-protected file. We ask that proof of receipt be provided for our records.

The charity will keep a log of all SARs including:

  • Name & correspondence details of the requester
  • Whether identity needed to be verified
  • Date of request
  • Details requested
  • Whether the request was met in full, part or not at all
  • Date the request was fulfilled
  • Proof of receipt

Other data protection rights of individuals

Individuals have the right to:

  • Withdraw their consent to the processing of personal data where consent is the lawful basis for processing.
  • Ask us to rectify inaccurate data.
  • Ask us to restrict processing or erase data that is no longer necessary for the purposes of processing.
  • Ask us to restrict processing or erase data if the individual's interests override the charity's legitimate grounds for processing it (where the charity relies on its legitimate interests as the lawful basis for processing).
  • Be notified of a data breach in certain circumstances.
  • Request a copy of the agreements under which their personal data is transferred outside of the United Kingdom.
  • Object to decisions based solely on automated decision-making or profiling (decisions taken without human involvement that may have legal or similarly significant effects on them).
  • Ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format (in certain circumstances).

Individuals that wish to exercise any of these rights should do so in writing or contact us using the following details:

The Lewy Body Society

Unity House, Westwood Park, Wigan, WN3 4HE

T: 01942 914 000 | E: info@lewybody.org | W: www.lewybody.org

A response to all requests will be provided within one calendar month, unless the request is complex or numerous, in which case the period may be extended by up to two further months. The charity will inform the individual of any extension, and the reasons for it, within one calendar month of receiving the request.

All responses will include a cover letter outlining whether the charity has been able to fulfil the request in full, part or not at all. Explanations will be provided if the charity is unable to meet any part of a request.

The Lewy Body Society will not charge a fee unless the request is manifestly unfounded or excessive, in which case a reasonable administrative fee may apply. Manifestly unfounded or excessive requests may be refused.

If an individual is unhappy with how the charity has dealt with a request, we ask that they contact us in the first instance so that we can help resolve their complaint. Individuals also have a right to complain to the ICO using the following details: https://ico.org.uk/make-a-complaint/data-protection-complaints/

Images

As part of our fundraising activities, The Lewy Body Society uses images of individuals with their consent; images include photographs and videos.

The charity will obtain written consent for the use of all images and will clearly set out how and why the image(s) will be used, and whether they will be shared on any third-party platforms, including social media, the charity's or partners' websites, or printed publications.

Images will only be accompanied by an individual's name if consent has been provided.

Consent can be refused or withdrawn at any time. If consent is withdrawn, we will delete the image and not distribute it further. Consent can be withdrawn by contacting the charity directly or by unsubscribing from our emails.

Data protection by design and default

We will put measures in place to show that we have integrated data protection into all of our data processing activities, including:

  • Appointing a suitably qualified individual to implement data protection policies and procedures and ensuring they have the necessary resources to fulfil their duties and maintain their expert knowledge through training.
  • Only processing personal data that is necessary for each specific purpose of processing, and always in line with the data protection principles set out in relevant data protection law.
  • Integrating data protection into internal documents including this policy, any related policies and privacy notices.
  • Regularly briefing those who work on behalf of the charity on data protection law, security measures and procedures.
  • Regularly conducting reviews and audits to test our privacy measures and make sure we are compliant.
  • Maintaining records of our processing activities.

Data security and storage of records

We will protect personal data and keep it safe from unauthorised or unlawful access, alteration, processing, or disclosure, and against accidental or unlawful loss, destruction or damage.

In particular:

  • Paper-based records and portable electronic devices, such as laptops and external hard drives, that contain personal data are locked away when not in use and protected with secure passwords where applicable. Documents and devices should not be left unattended.
  • Passwords should be at least 8 characters long and contain a mix of letters and numbers. Passwords should be changed at regular intervals.
  • Personal data held on USB sticks or other removable storage devices should be password protected.
  • Individuals using personal devices to work on behalf of the charity should maintain the same security standards expected by the charity.
  • Where we need to share personal data with a third party, we carry out due diligence and take reasonable steps to ensure it is stored securely and adequately protected.

Disposal of records

Personal data that is no longer needed will be disposed of securely. Personal data that has become inaccurate or out of date will also be disposed of securely, where we cannot or do not need to rectify or update it. Paper records will be shredded whilst electronic records will be overwritten or securely deleted.

Personal Data Breaches

The Lewy Body Society will make all reasonable endeavours to ensure that no personal data breaches occur. In the unlikely event of a suspected data breach, we ask that individuals report it to the DPR without undue delay so that the breach can be assessed. Reporting breaches as soon as possible helps the charity to contain them and mitigate any potential impact.

Data breaches that are assessed as reportable to the ICO will be reported within 72 hours of the charity becoming aware of them, and affected data subjects will be informed where necessary. The charity will report to the ICO using the following link: https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/

Records of all data breaches will be kept as a point of reference and method of improving practices.

Monitoring arrangements

The DPR is responsible for monitoring and reviewing this policy. The policy will be reviewed every two years, or sooner if there is a fundamental change in legislation, and the reviewed policy will be shared with the full Board of Trustees.