A definition of key terms is attached to this document. Your attention is also drawn to the Trust’s Privacy policy.

Data Protection Act 2018 and UK General Data Protection Regulation

The Data Protection Act 2018 (DPA), incorporating the UK General Data Protection Regulation, is the current UK legislative regime that replaced the previous EU General Data Protection Regulations when the UK left the EU. The DPA places responsibilities on those who control and process personal data and gives rights to individuals (data subjects). The Information Commissioner’s Office (ICO) oversees compliance with the DPA.

The Chartered Secretaries’ Charitable Trust

The Chartered Secretaries’ Charitable Trust (‘the Trust’) is registered with the ICO as a data controller (registration number ZA050205). The Trustees have assessed the scale of our data processing and decided that the quantity of data being processed does not justify appointing a Data Protection Officer. Responsibility is delegated to the Charities Officer, who is responsible for reporting any data breaches to the ICO within 72 hours of our becoming aware of the breach and to the Charity Commission as a significant incident.

Personal data processed by the Trust

The Trust will always respect our data subjects’ rights, which are stated in our Privacy policy. The Trust will only process personal data where it has a lawful basis to do so, for example where we have obtained consent, where it is determined the Trust has a legitimate interest to carry out our charitable objectives, or where it is necessary to fulfil contractual obligations to provide services, products, or information. Where we rely on a legitimate interest, we will always ensure that it is done in a way that respects the rights of our data subjects.

The collection, processing and storage of personal information by the Trust are regularly reviewed to check that the personal data we hold is accurate, adequate, relevant, secure and limited to that which is necessary. Data protection and security controls are recorded in the Trust’s risk register, which is regularly reviewed. Training is provided for staff, trustees, Support and Grants Committee members and volunteers on data protection matters both on appointment and at least biannually thereafter.

The Trust informs individuals about the data we require from them, and sets out how it will be used in our Privacy policy statement. Additional information for applicants is attached to our Application for assistance form.

The information we receive from individuals will not be shared with any other organisation, unless express permission has been obtained, or the Trust is required to do so by law. For example, the Trust will share information with HMRC to claim Gift Aid on eligible donations, and it may seek permission from an individual to share their information with a trusted third party partner where it is identified they would benefit from receiving a bespoke service. If the Trust partners with a third party organisation, we will always review their data protection practices and ensure they have a published Privacy policy, entering into, where required, an Information Sharing Agreement.

The Trust obtains personal data from individuals who are seeking financial assistance, our volunteer visitors and supporters, trustees and Support and Grants Committee members and from third parties. The data is required to ensure that its charitable objectives are carried out effectively, fairly and in compliance with legislation.

Liaison with The Chartered Governance Institute UK & Ireland

In order to confirm applicants’ relationship to The Chartered Governance Institute UK & Ireland, the Trust has access to the Institute’s database of members’ records. This access also allows the Trust to record donations received from the Institute’s members, and assists with the administration of Gift Aid claims and with the facilitation of the awards of bursaries and prizes to students. The Trust also seeks liaison with the Institute to confirm and make payment of the Institute’s membership subscriptions as appropriate, and to raise awareness of the opportunity of support available from the Trust. The Institute services the Trust’s administration, support and IT systems, and staff must also comply with the Institute’s own Data Protection Policy.

Beneficiaries

Information on applications made to the Trust is only accessible by the Trust and all personal data is held on a separate database to the Institute’s database of members’ records and on a separate password-protected server. All details are kept confidential and are securely stored or used only to assist with the administration of the individual’s request to the Trust and provision of any subsequent benefit. All applications considered by the Trust’s Support and Grants Committee are anonymised. Names and addresses are only available to the administration, and only disclosed where a visitor is appointed to support the individual. For example, each applicant is allocated a reference number.

The information held on applicants is updated annually, on the receipt of completed application forms and authorisation from the applicant. Where an individual has not received any services from the Trust for a period of six clear years, which supports the Trust in complying with accounting and audit requirements, the Trust will write to the individual and if no further services are required, or no response is received, the personal information held will be securely destroyed. Should former applicants exercise their right to erasure of all details either within this six-year period or at any time, the request will be considered and a response given. In the event that the Trust is unable to comply with the request at that time, the individual will be given a clear reason and provided with information on how they may escalate the matter with the Information Commissioner’s Office (ICO).

Visitors

All visitors are required to sign a non-disclosure agreement to confirm that they will maintain confidentiality in line with the Trust’s policies and will report to the Trust any breach or loss of personal data of beneficiaries within 24 hours of being aware of the breach or the loss.

Contributors

Paper and electronic records are also securely held on any individual who makes a donation to the Trust, with or without a supporting Gift Aid declaration. These details include full names and addresses, amounts of donations and when and how these donations have been paid. Copies of the Gift Aid declaration are scanned in an electronic format and records held only for the purpose of facilitating Gift Aid claims in accordance with HMRC requirements.

Recipients of Bursaries and Prizes

Paper and electronic records are securely held on recipients of bursaries and prize-winners. These details include full names, examination centres and the Institute’s membership numbers. These records are held only for the purpose of facilitating awards and to publicly record achievement in the Annual report, where permission to do so is granted by the individual. The Trust might contact recipients to obtain comment on the value of the bursary or prize, in order to monitor the impact of the award and would seek permission prior to using these comments for marketing and/or publicity purposes.

Trustees will continue to monitor this policy and ensure that appropriate operational procedures are in place to safeguard information held.

Definition of key terms:

Personal data: information about an individual, who they are, where they live, what they do etc. It’s any and all information that identifies the individual as a “data subject”. This may include names, addresses, photographs, customer reference numbers, health and financial information. In addition, there is a category of ‘special category personal data’ which includes genetic, biometric and medical data; racial and ethnic identity; religious and political beliefs; and sexual orientation.

Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.

Data processor: a natural or legal person, public authority, agency or other body which is responsible for processing personal data on behalf of the controller.

Data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data subject: the individual to whom the personal data belongs. This could be an applicant, beneficiary, donor, trustee, visitor, contractor, or any other individual whose personal data are held by us.

Consent: means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
