Background
As a not-for-profit organisation which processes personal data for the purposes of giving support to individuals, the Edridge Fund is exempt from the requirement to register with the Information Commissioner. However, this exemption only applies to the processing of data (which includes storing, copying, sharing) which is for the purposes of administering activities for the beneficiaries. Moreover, the Edridge Fund is still under the same obligations as organisations which are not exempt to adhere to the principles of the General Data Protection Regulation, introduced in May 2018.
The Edridge Fund will adhere to the following principles:
-
Process data fairly and lawfully
-
Use data only for the lawful purpose for which it was obtained
-
Personal data obtained shall be relevant and not excessive for the purpose required
-
Personal data must be accurate and, where necessary, kept up to date
-
Personal data shall not be kept for any longer than is necessary for that purpose
-
Personal data shall be processed in accordance with the individual’s rights under the Data Protection Act
-
Appropriate measures shall be taken to safeguard the data held.
Data Sharing
-
Applications received are processed by the Administrator and/or Business Officer and then shared between Trustees.
-
Secure and anonymised emails considering the merits of an application usually to be between trustees only. Trustees to be responsible for deleting these emails.
-
The final decision of trustees regarding an application to be set out in a summarising anonymised email. Summary email to be shared with the Business Officer and Administrator in order for payment to be processed and decision letter issued.
Recording decisions
-
Where decisions are made following telephone conversations, the detail of the telephone conversation should be recorded in writing (e.g. anonymised summary email).
-
Full reasons should be ascertainable from the summary email/decision letter.
-
The Complaints Procedure is available in the event that an individual is dissatisfied with the decision of trustees.
Data Retention
-
Records of all applications and the outcome to be retained for the purpose of legal proceedings for six years from the date of the decision.
-
Applications within the previous two years to be reviewed for purposes of identifying repeat applicants and to check the validity of applications. Administrator and/or Business Officer to circulate applications received within the last two years when sending out new applications.
-
Records of 50/50 forms to be retained for a year from the date of the return to the local authority for that period.
-
Consent is sought from applicants and donors for the use of their data for future fundraising.
-
Consent is sought from Trustees and Staff to retain and use personal data for the purpose of administering the fund.
Adopted and revised April 2020