Data Protection Policy

Change history

Version number	Date of release	Policy owner	Authorised by
5.0	01/09//2023	Naomi da Silva, Head of Business Assurance	Board of Trustees

Policy statement

Central YMCA (‘the Charity’) fully understands its obligations to ensure that personal data is treated fairly, lawfully and correctly, and it is committed to achieving compliance with relevant Data Protection legislation.

The Charity needs to collect and process personal data about people, including staff and individuals with whom it deals with, to operate its daily business and for the organisation to operate effectively.

The Data Protection Act 2018 (‘the Act’) and the UK General Data Protection Regulation) (‘UK GDPR’), as amended from time to time, sets out the rules about how personal data and sensitive personal data about living individuals must be processed.

Most businesses hold personal data on their customers, employees and partners. The explosion in the use of the Internet, electronic communication and computerisation of business data has led to an increase in the importance of privacy. Breaches of computerised data security have prompted the introduction of legislation on a national and European level. These include:

Human Rights Act 1998;
Freedom of Information Act 2000;
Privacy and Electronic Communications Regulations 2003;
Regulation of Investigatory Powers Act 2000;
Telecommunications (Lawful Business Practice) Interception of Communications Regulations 2000;
The Act;
Computer Misuse Act 1990; and
UK GDPR.

The purpose of UK GDPR is to protect the “rights and freedoms” of living individuals, and to ensure that personal data is processed fairly, lawfully and transparently.

The Charity aims to ensure that information held about employees, ex-employees, volunteers and service users is relevant and accurate; stored safely and available to individuals within reasonable timescales.

The Charity is committed to ensuring that staff are appropriately trained and supported to achieve compliance with the Data Protection Act and other relevant legislation. This is regarded by the Charity as vital in maintaining the confidence between Central YMCA and with those whose personal data they hold.

The Charity fully endorses and adheres to the Data Protection Principles listed below:

personal data shall be processed fairly and lawfully;
personal data shall be obtained only for specified and lawful purposes, and shall not be processed in any manner incompatible with those purposes;
personal data shall be adequate, relevant and not excessive in relation to the purposes for which it is processed;
personal data shall be accurate and, where necessary, kept up to date;
personal data shall be kept for no longer than is necessary for the purposes for which it is processed;
personal data shall be processed in accordance with the rights of Data Subjects in line with the UK GDPR;
personal data shall be subject to appropriate technical and organisational measures to protect against unauthorised or unlawful processing and accidental loss, destruction or damage;
personal data shall not be transferred to a country or territory outside the UK unless that country or territory ensures an adequate level of data protection or appropriate technical and organisational measures are put in place such as the EU Standard Contractual Clauses with the UK Addendum.

Trustees and the Executive Team are strongly committed to the rights of individuals (the ‘Data Subjects’) whose data they collect and process and will comply with laws related to personal data in line with the UK GDPR. These include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and sorted to meet the company’s data protection standards and to comply with the law.

Scope

This policy applies to all personal data and special category personal data collected and processed by the Charity in the conduct of its business, in electronic medium and within structured filing systems.

This policy applies to all Charity staff, whether permanent, temporary, contractors, consultants, Trustees and volunteers.

The Central Young Men’s Christian Association (Central YMCA) is the Controller and is registered with the Information Commissioner’s Office (‘ICO’) for collecting and using personal data for the following activities:

to provide services to our students, customers, and partners as well as administer membership records for the Charity;
to enable us to provide a voluntary service for the benefit of the public;
to fundraise and promote the interests of the charity;
to manage our employees and volunteers.

This policy ensures that Central YMCA:

complies with data protection laws and follows good practice;
protects the rights of staff, customers and partners;
is open about how it stores and processes individuals’ data; and
protects itself and data subjects from the risks of a data breach.

Responsibilities

Board of Trustees
Overall responsibility for the policies and procedures that govern the work at Central YMCA.

Chief Executive
Overall responsibility for ensuring Central YMCA’s resources are used effectively and appropriately.

Policy Owner and Senior Information Risk Owner (SIRO)

Responsible for understanding how the strategic business goals of the organisation may be impacted by any information risks, and for taking steps to mitigate them. The SIRO is accountable and responsible for information risk across the Charity. Responsible for ensuring guidelines are in place and that policies and procedures reflect our charitable ethos and commitment to equality and diversity.

Data Protection Officer (DPO)

Accountable to the SIRO and responsible for the management of personal data within Central YMCA and for ensuring that compliance with data protection legislation and good practice can be demonstrated. This accountability includes the development and implementation of the data protection policy and security and risk management to ensure compliance.

Policy Owner

Responsible for ensuring guidelines are in place and that policies and procedures reflect our charitable ethos and commitment to equality and diversity.

All Line Managers
Responsible for ensuring all employees are aware of and follow this policy.

All Employees and Volunteers
To follow policies and procedures, promoting best practice throughout the organisation.

Everyone who works for or with Central YMCA has the responsibility for ensuring data is collected, stored and handled appropriately.
Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
All third parties who require access to personal data will be required to sign a confidentiality agreement before access is permitted. This agreement will ensure that the third party has the same legal obligations as the Charity. This will also include an agreement that the Charity can audit compliance with the agreement.
Any breach of the UK GDPR or this Policy, could also be considered as a breach of the disciplinary policy and could also be considered a criminal offence, potentially resulting in prosecution.

Company Responsibilities

Central YMCA is both a Controller and Processor as defined under the UK GDPR.
Senior Management and all those in managerial or supervisory roles throughout the Charity are responsible for developing and encouraging good information handling practices within the organisation.
The Charity has appointed a suitably qualified and experienced DPO who is responsible for day to day compliance with this policy. The DPO is responsible for ensuring that Central YMCA complies with the UK GDPR in relation to all aspects of data processing. The DPO has direct responsibility for giving advice on policy and procedures, including any Data Subject Access Requests. The DPO is also the person to whom all staff should seek guidance regarding UK GDPR compliance.
It should be noted that compliance with UK GDPR requirements remains the responsibility of all staff who process or control personal data for Central YMCA. All members of staff employed by the Charity are also responsible for ensuring that any personal data that is about them that is supplied by them to the Charity is accurate and up-to-date.
The Charity is responsible for ensuring that staff have regular suitable training in order to undertake their data protection responsibilities.

Policy

The objectives of this policy are to ensure that:

Proper procedures are in place for the processing and management of personal data;
There is documentation within the organisation to provide knowledge about data protection compliance;
All staff understand their responsibilities when processing personal data, and that methods of handling that information are clearly understood;
Individuals are assured that their personal data is processed in accordance with the data protection principles, that their data is secure and safe from unauthorised access, alteration, use or loss;
Other organisations with whom the Charity needs to share or transfer data, meet compliance requirements;
Prior to entering into a contract with a new supplier/third party service provider, who has access to personal data, a Vendor Risk Assessment is carried out, along with a Data Protection Impact Assessment, where needed.

1. Fair Collecting and Processing

2. Security

3. Data Protection Impact Assessments

4. Data Sharing

5. Access, Data Subject Access Requests and other Data Subject Rights

Members of staff will have access to personal data only where it is required as part of their functional remit.

All individuals who are the subject of personal data held by the Charity are entitled to:

Ask what information the company holds about them and why;
Ask how to gain access to it;
Be informed how to keep it up to date; and
Be informed how the company is meeting its data protection obligations.

If an individual contacts the Charity requesting this information, this is called a Data Subject Access Request. Data Subject Access Requests from individuals could be made by any means or addressed to the Charity. Data Subject Access Requests must be responded to within 30 calendar days of receipt and are free of charge, unless there are excessive requests coming from a certain individual.

The Charity’s Privacy Notice will include a contact address for Data Subjects to use should they wish to submit a Data Subject Access Request, make a comment or complaint about how the Charity is processing their data, or about the Charity’s handling of their request for information.

The Charity’s Head of Business Assurance and Data Protection Officer must be informed of any Data Subject Access Requests and the Charity’s internal procedure for responding to such requests must be followed.

Data Subject Access Requests will be acknowledged to the Data Subject within three working days, with the final response and disclosure of information (subject to exemptions) being provided within 30 days from verification. In certain circumstances we may request an extension of two more months.

The Charity must always verify the identity of anyone making a Data Subject Access Request before handing over any information.

Information must be provided in a secure format and all responses must be logged and traceable.

In certain circumstances, the data protection legislation allows personal data to be disclosed to law enforcement agencies without the consent of the Data Subject. Only under such circumstances, will the Charity disclose requested data. However, the Data Protection Officer will ensure the request is legitimate, seeking assistance from the Charity’s legal advisers where necessary.

6. Data Breaches

7. Consent

8. Complaints

Appendix A: Data Controller Names for the Central YMCA Group

Data Controller: The Central Young Men’s Christian Association. Registration Number: Z670975X

Address:

112 Great Russell Street
London
WC1B 3BQ

Other Names:

CENTRAL SERVICES
CENTRAL YMCA
ONE KX
POSITIVE HEALTH
THE CLUB
YMCA AWARDS
YMCA FITNESS INDUSTRY TRAINING (YMCAFIT)
YMCA TRAINING

Appendix B: Data Protection Definition and Terms

Data
Information which is recorded in any format, whether stored electronically or in a structured paper-based filing system.

Personal Data
Any information that identifies a living individual. This includes any expression of opinion about the individual and any Intentions towards the individual.

Special Category Personal Data
Personal data relating to racial or ethnic origin, political opinion, religious beliefs, trade union membership, sexual life, physical or mental health, commission or alleged commission of any offence.

Processing
Any activity where the data is used, such as obtaining, recording, storing, viewing, copying, accessing, disclosing, erasing, destroying.

Data Subject
An individual who is the personal data relates to.

Data Controller
The organisation that determines how the personal data will be used and the way it will be processed.

Data Processor
An organisation that processes personal data on behalf of a Data Controller.

Subject Access Request
A request by a Data Subject, to the data controller, asking to see their personal data.

Third Party
This can either mean that the data is about someone else, or someone else is the source; i.e. any other person or organisation other than -the Data Subject;

the data controller;
a data processor.

Appendix C: Conditions for Processing Personal Data

The UK GDPR requires personal data to be processed fairly and lawfully, and, not to be processed unless one of the conditions (below) is met.

At least one of the following conditions must be met for personal data to be considered fairly processed:

the individual has consented to the processing
processing is necessary for the performance of a contract with the individual
processing is required under a legal obligation (other than one imposed by the contract)
processing is necessary to protect the vital interests of the individual
processing is necessary to carry out public functions, e.g. administration of justice
processing is necessary to pursue the legitimate interests of the data controller or third parties

Appendix D: Rights under the Act

There are eight rights under the Data Protection Bill:

1. The right to be informed
The right to be informed covers some of the key transparency requirements of the UK GDPR. It is about providing individuals with clear and concise information about what we do with their personal data..

2. The right of Access
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why we are using their data, and check we are doing it lawfully.

3. The right to rectification
Individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed – although this will depend on the purposes for the processing. This may involve providing a supplementary statement to the incomplete data.

4. The right to erasure
Individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.

5. The right to restrict processing
An individual has the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.

6. The right to data portability
The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine-readable format. It also gives them the right to request that a controller transmits this data directly to another controller.

7. The right to object
Individuals have the right to object to the processing of their personal data. This effectively allows individuals to ask us to stop processing their personal data. The right to object only applies in certain circumstances. Whether it applies depends on our purposes for processing and our lawful basis for processing.

8. Rights in relation to automated decision making and profiling
Individuals who are Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Appendix E: Privacy Electronic Communication Regulations 2003

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’) are derived from European law. They implement European Directive 2002/58/EC, also known as ‘the e-privacy Directive’.
PECR complements the general data protection regime and sets out more-specific privacy rights on electronic communications. It recognises that widespread public access to digital mobile networks and the internet opens up new possibilities for businesses and users, but also new risks to their privacy.
PECR have been amended seven times. The more recent changes were made in 2018, to ban cold-calling of claims management services and to introduce director liability for serious breaches of the marketing rules; and in 2019 to ban cold-calling of pension schemes in certain circumstances.
This guide covers the latest version of PECR, which came into effect on 9 January 2019, with some updates to cover changes made by the UK GDPR from 25 May 2018.
The EU is in the process of replacing the e-privacy Directive with a new e-privacy Regulation to sit alongside the EU GDPR. However, the new Regulation is not yet agreed but will not be implemented in the UK. PECR will continue to apply alongside the UK GDPR.

Internal transfers

Personal data shall not be transferred to a country or territory outside the United Kingdom (UK), unless that country or territory ensures an adequate level of protection for the ‘rights and freedoms’ of Data Subjects in relation to the processing of personal data.
The transfer of personal data outside of the UK is prohibited unless one or more of the safeguards or exceptions specified below apply:

Binding corporate rules
Central YMCA may adopt approved Binding Corporate Rules for the transfer of data outside the UK.

EU Standard contract clauses
Central YMCA may adopt approved EU model contract clauses for the transfer of data outside of the UK. If Central YMCA adopts the model contract clauses it will also incorporate the UK Addendum. Alternatively, Central YMCA can rely on an International Data Transfer Agreement for any transfers of personal data out of the UK.

Ad Hoc contractual clauses
Central YMCA may adopt ad hoc contractual clauses that will have to be approved by the ICO. They allow the Central YMCA to individually tailor the transfer to its needs.

Exceptions
In the absence of the above, transfer of data shall only take place subject to the fulfilment of the following conditions:

the Data Subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the Data Subject due to the absence of an adequacy decision and appropriate safeguards;
the transfer is necessary for the performance of a contract between the Data Subject and the controller or the implementation of pre-contractual measures taken at the Data Subject’s request;
the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the controller and another natural or legal person;
the transfer is necessary for important reasons of public interest;
the transfer is necessary for the establishment, exercise or defence of legal claims;
the transfer is necessary to protect the vital interests of the Data Subject or of other persons, where the Data Subject is physically or legally incapable of giving consent;
the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case.

The Charity’s Data Protection Officer will assess the adequacy of the safeguards considering the following factors:

the nature of the information being transferred;
the country or territory of the origin, and destination, of the information;
how the information will be used and for how long;
the laws and practices of the country of the transferee, including relevant codes of practice and international obligations; and
the security measures that are to be taken about the data in the overseas location. (This is a UK-specific option.)

A list of countries that satisfy the adequacy requirements of the Commission are published in the Official Journal of the European Union and in the UK GDPR.

Appendix F: Data Storage and Management

Data storage

These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT Manager or Data Protection Officer.

Hard Copies

When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason. In such instances:
- When not required, the paper or files should be kept in a locked drawer or filing cabinet;
- Employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer;
- Data printouts should be shredded and disposed of securely when no longer required.

Soft Copies

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts
Data should be protected by strong passwords that are changed regularly and never shared between employees.
If data is stored on removable media (like a USB, CD or DVD), these should be kept locked away securely when not being used.
Data should only be stored on designated drives and servers, and should only be uploaded to an approved cloud computing services.
Servers containing personal data should be sited in a secure location, away from general office space.
Data should be backed up frequently. Those backups should be tested regularly, in line with the Charity’s standard back up procedures.
Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
All servers and computers containing data should be protected by approved security software and a firewall.

Data use

Personal data is of no value to the Charity unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft
When working with personal data, employees should ensure the screens of their computers are always locked when left unattended
Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure
Data must be encrypted before being transferred electronically
Personal data should never be transferred outside of the UK
Employees should not save copes of personal data to their own computers. Always access and update the central copy of any data.

Data accuracy

The data protection legislation requires the Charity to take reasonable steps to ensure data is kept accurate and up to date.
The more important it is that the personal data is accurate, the greater the effort the Charity should put into ensuring its accuracy.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date possible.
Data will be held in as few places as necessary and should not be duplicated wherever possible
Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
Central YMCA will make it easy for Data Subjects to update the information the Charity holds about them. Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
It is the marketing department’s responsibility to ensure marketing databases are checked against industry suppression files every six months.

**Some processes are for internal use only.