Data Protection Policy  




The purpose of this policy is to enable KCAH to: 

  • comply with the law in respect of the data it holds about individuals 
  • follow good practice 
  • protect KCAH’s clients, staff, volunteers and other individuals 
  •  protect the organisation from the consequences of a breach of its responsibilities 


This policy sets out how KCAH processes the personal data of data subjects, including the personal data of job applicants and the personal data of our current and former directors, employees, workers, agency workers, apprentices, interns, volunteers, contractors, consultants, clients, customers, suppliers and other third parties. It applies to all personal data that we process, regardless of the media on which those personal data are stored, e.g. electronically, on paper or on other materials. KCAH is committed to being clear and transparent about how we collect and use personal data and to complying with our data protection obligations. Protecting the confidentiality, security and integrity of the personal data that we process is also of paramount importance to our operations. KCAH will process personal data relating to data subjects in accordance with this policy, the data protection legislation and the latest privacy notice which is available on request. 

This policy applies to all members of staff and volunteers. It is non-contractual and does not form part of any employment contract, agreement or any other contract for services. 



In this policy, the following words and phrases have the following meanings: 

“Consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify their agreement to the processing of personal data relating to them. 

“Criminal records personal data” means personal data relating to criminal convictions and offences and personal data relating to criminal allegations and proceedings. 

“Data protection legislation” means the EU General Data Protection Regulation (GDPR), the Data Protection Act 2018 and any other applicable primary or secondary legislation as may be in force in the UK from time to time. 

“Data subject” means a living identified or identifiable individual about whom KCAH holds personal data. 

“Member of staff” is any director, employee, worker, agency worker, apprentice, intern, volunteer, contractor and consultant employed or engaged by KCAH. 

“Personal data” is any information relating to a data subject who can be identified (directly or indirectly) either from those data alone or by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that data subject. It excludes anonymised data, i.e. where all identifying particulars have been removed. 

“Processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, disclosing, disseminating, restricting, erasing or destroying. It also includes transmitting or transferring personal data to third parties. 

“Special categories of personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data, data concerning the physical or mental health of a data subject or data concerning a data subject’s sex life or sexual orientation. 


Brief introduction to the data protection principles 


Data protection legislation gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly. 


The Act works in two ways. Firstly, it states that anyone who processes personal information must comply with six principles, which make sure that personal information is: 


  • Fairly and lawfully processed and in a transparent manner 
  • Processed for limited purposes (specified, explicit and legitimate) 
  • Adequate, relevant and limited (data minimisation) 
  • Accurate and, where necessary, up to date with every reasonable step to keep accurate 
  • Not kept for longer than is necessary (storage limitation) 
  • Secure, ensuring integrity and confidentiality of all processing activities 


The second area provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records. 


Policy statement 


KCAH will:  

  • comply with both the law and good practice 
  • respect individuals’ rights 
  • be open and honest with individuals whose data is held 
  • provide training and support for staff and volunteers who handle personal data, so that they can act confidently and consistently 


KCAH recognises that its first priority under the Data Protection Act is to avoid causing harm to individuals.  Information about staff, volunteers and clients will be used fairly, securely and not disclosed to any person unlawfully. 


Secondly, KCAH aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account.  In addition to being open and transparent, KCAH will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used. 


KCAH as an organisation is the Data Controller and is registered with the ICO (Information Commissioner’s Office). All processing of personal data will be undertaken in accordance with the data protection principles. 




The Data Subject is the individual whose personal data is being processed. Examples include:  


  • employees – current and past 
  • volunteers, including trustees
  • job applicants 
  • donors 
  • users 
  • suppliers 


Processing means the use made of personal data including:  


  • obtaining and retrieving 
  • holding and storing 
  • making available within or outside the organisation 
  • printing, sorting, matching, comparing, destroying 


The Data Controller is the legal ‘person’, or organisation, that decides why and how personal data is to be processed. The data controller is responsible for complying with the Data Protection Act. 


The Data Processor - the data controller may get another organisation to be their data processor, in other words to process the data on their behalf. Data processors are not subject to the Data Protection Act. The responsibility of ‘what’ is processed and ‘how’ remains with the data controller. There should be a written contract with the data processor who must have appropriate security. 


As a small charity, KCAH does not have a Data Protection OfficerHowever, KCAH is still accountable for how it handles the information of data subjectsMatt Hatton, KCAH’s CEO, is the central point of contact for all data compliance issues.   




The Board of Trustees recognises its overall responsibility for ensuring that KCAH complies with its legal obligations. 


Matt Hatton, the CEO, has the following responsibilities: 


  • Briefing the board on Data Protection responsibilities 
  • Reviewing Data Protection and related policies 
  • Advising other staff on Data Protection issues 
  • Ensuring that Data Protection induction and training takes place 
  • Handling subject access requests 
  • Approving unusual or controversial disclosures of personal data 
  •  Ensuring contracts with Data Processors have appropriate data protection clauses 
  •  Electronic security 
  •  Approving data protection-related statements on publicity materials and letters 


Each member of staff and volunteer at KCAH who handles personal data will comply with the organisation’s operational procedures for handling personal data (including induction and training) to ensure that good Data Protection practice is established and followed.  


All staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.  They must contact the CEO if they have any questions about the operation of this policy, need further information about the data protection legislation or have any concerns that this policy is not being or has not been followed. 


Staff and volunteers must liaise with the CEO to seek further advice in the following circumstances: 


  • if you are in any doubt about what you can or cannot disclose and to whom 
  • if you are unsure about the lawful basis you are relying on to process personal data 
  • if you need to rely on consent to process personal data 
  • if you need to obtain or issue privacy notices 
  • if you are not clear about the retention period for the personal data being processed 
  • if you are unsure about what appropriate security measures you need to implement to protect personal data 
  • if you need assistance in dealing with any rights invoked by a data subject 
  • if you suspect there has been a personal data breach 
  • where you propose to use personal data for purposes other than that for which they were collected 
  • where you intend to engage in a significant new or amended data processing activity 
  • where you plan to undertake any activities involving automated decision-making, including profiling 
  • if you need assistance with, or approval of, contracts in relation to sharing personal data with third-party service providers 
  • if you believe personal data are not being kept or deleted securely or are being accessed without the proper authorisation 
  • if you suspect there has been any other breach of this policy or any breach of the data protection principles 


Significant breaches of this policy will be handled under KCAH’s disciplinary procedures. 




Because confidentiality applies to a much wider range of information than Data Protection, KCAH has a separate Confidentiality Policy. This Data Protection Policy should be read in conjunction with KCAH’s Confidentiality Policy. 


KCAH has a privacy statement, setting out how individuals’ information will be used. This is available on request. 


Staff, volunteers and sessional workers are required to sign a short statement indicating that they have been made aware of their confidentiality responsibilities.  (See Confidentiality Policy and Statement.) 


In order to provide some services, KCAH will need to share client’s personal data with other agencies (Third Parties). Verbal or written agreement will always be sought from the client before data is shared.  


Where anyone within KCAH feels that it would be appropriate to disclose information in a way contrary to the confidentiality policy, or where an official disclosure request is received, this will only be done after discussions with a line manager or the Operational Director.  All such disclosures will be documented. 




This section of the policy only addresses security issues relating to personal data.  It does not cover security of the building, business continuity or any other aspect of security. 


Any recorded information on clients, volunteers and staff will be: 

  • Kept in locked cabinets 
  • Protected by the use of passwords if kept on computer 
  • Destroyed confidentially if it is no longer needed 


Access to information on the main database is controlled by a password and only those needing access are given the password. Staff and volunteers should be careful about information that is displayed on their computer screen and make efforts to ensure that no unauthorised person can view the data when it is on display.  


Notes regarding personal data of clients should be shredded or destroyed.  



Data Recording and storage 


KCAH has a single database holding basic information about all clients and volunteers with a back-up hard drive.  KCAH also keeps a file on each client which are kept in locked cabinets. 


KCAH will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular: 

  • The database system is reviewed and re-designed, where necessary, to encourage and facilitate the entry of accurate data 
  • Data on any individual will be held in as few places as necessary, and all staff and volunteers will be discouraged from establishing unnecessary additional data sets. 
  • Effective procedures are in place so that all relevant systems are updated when information about any individual changes 
  •  Staff and volunteers who keep more detailed information about individuals will be given additional guidance on accuracy in record keeping 
  •  Data will be corrected if shown to be inaccurate 


KCAH stores archived paper records of clients and volunteers securely in the office.  


Access to data 


All clients and customers have the right to request access to all information stored about them. Any subject access requests will be handled by the CEO within the required time limit. 


Subject access requests must be in writing.  All staff and volunteers are required to pass on anything which might be a subject access request to the CEO without delay.  


All those making a subject access request will be asked to identify any other individuals who may also hold information about them, so that this data can be retrieved. 


Where the individual making a subject access request is not personally known to the CEO, their identity will be verified before handing over any information. 


The required information will be provided in permanent form unless the applicant makes a specific request to be given supervised access in person. 


KCAH will provide details of information to service users who request it unless the information may cause harm to another person.  


Staff have the right to access their file to ensure that information is being used fairly. If information held is inaccurate, the individual must notify the CEO so that this can be recorded on file.   




KCAH is committed to ensuring that in principle Data Subjects are aware that their data is being processed and 


  • for what purpose it is being processed; 
  • what types of disclosure are likely; and 
  •  how to exercise their rights in relation to the data. 


Data Subjects will generally be informed in the following ways: 


  • Staff: in the staff terms and conditions 
  • Volunteers: in the volunteer welcome/support pack  
  • Clients: when they request (on paper, on line or by phone) services 


Standard statements will be provided to staff for use on forms where data is collected. 




Consent will normally not be sought for most processing of information about staff.  Although staff details will only be disclosed for purposes unrelated to their work for KCAH (e.g. financial references) with their consent. 


Information about volunteers will be made public according to their role, and consent will be sought for (a) the means of contact they prefer to be made public, and (b) any publication of information which is not essential for their role. 


Information about clients will only be made public with their consent (this includes photographs). 


‘Sensitive’ data about clients (including health information) will be held only with the knowledge and consent of the individual. 


Consent should be given in writing, although for some services it is not always practicable to do so. In these cases verbal consent will always be sought to the storing and processing of data. In all cases it will be documented on the database that consent has been given.   


All Data Subjects will be given the opportunity to opt out of their data being used in particular ways, such as the right to opt out of direct marketing (see below). 


KCAH acknowledges that, once given, consent can be withdrawn, but not retrospectively.  There may be occasions where KCAH has no choice but to retain data for a certain length of time, even though consent for using it has been withdrawn. 


Storage limitation 


Personal data must not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data has been processed.  KCAH will only retain personal data for as long as is necessary to fulfil the legitimate purposes for which they were originally collected and processed.  KCAH staff must comply with the charity’s rules on data retention and destruction (read: Document Retention Policy).  This applies to retention of information relating to: job applicants, members of staff, other third parties including clients, supporters and suppliers. 


KCAH will generally hold personal data, including criminal records personal data, for the duration of a member of staff’s employment or engagement.  There will be exceptions relating to the recruitment process, where a DBS criminal record check is relevant to the ongoing working relationship or for disciplinary, grievance and capability or performance management records. 


Once a member of staff has left employment, their file of personal data may be “thinned” so that KCAH only continues to retain information for any period that is strictly necessary and also in line with insurance requirements. 


Direct marketing 


KCAH will treat the following unsolicited direct communication with individuals as marketing: 


  • seeking donations and other financial support; 
  • promoting any KCAH services; 
  • promoting KCAH events; 
  • promoting membership to supporters; 
  • promoting sponsored events and other fundraising exercises; 
  •  marketing on behalf of any other external company or voluntary organisation. 


Whenever data is first collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be given a clear opt out.  If it is not possible to give a range of options, any opt-out which is exercised will apply to all KCAH marketing. KCAH does not have a policy of sharing lists, obtaining external lists or carrying out joint or reciprocal mailings. 


KCAH will only carry out telephone marketing where consent has been given in advance, or the number being called has been checked against the Telephone Preference Service. 


Whenever e-mail addresses are collected, any future use for marketing will be identified, and the provision of the address made optional. 


Data subject rights to access personal data 


Under the data protection legislation, data subjects have the right, on request, to obtain a copy of the personal data that KCAH holds about them by making a written data subject access request (SAR).This allows the data subject to check that KCAH is lawfully processing their personal data. 


Please refer to KCAH’s ‘Access to Information’ Policy in respect to this. 



Staff obligations in relation to personal data 


KCAH is responsible for, and must be able to demonstrate compliance with, the data protection principles. This means that KCAH staff must implement appropriate and effective technical and organisational measures to ensure compliance.  The charity also requires staff to fully assist and co-operate in this regard. 


Staff and volunteers must comply with this policy and the data protection principles at all times in all personal data processing activities where they are acting on behalf of KCAH in the proper performance of their job duties and responsibilities. KCAH is reliant on staff and volunteers to help the charity meet its data protection obligations to data subjects. 

Under the data protection legislation, staff are personally accountable for their actions and can be held criminally liable. It is a criminal offence to knowingly or recklessly obtain or disclose personal data (or to procure their disclosure to a third party) without the consent of the charity. This would include, for example, taking clients’ or customers’ contact details or other personal data without KCAH’s consent on the termination of your employment, accessing another employee’s personal data without authority or otherwise misusing or stealing personal data held by the charity. It is also a criminal offence to knowingly or recklessly re-identify personal data that has been anonymised without the consent of KCAH where it has de-identified the personal data, and it is a criminal offence to alter, block, erase, destroy or conceal personal data with the intention of preventing their disclosure to a data subject following a data subject access request. Where unlawful activity is suspected, the charity will report the matter to the Information Commissioner’s Office for investigation into the alleged breach of the data protection legislation and this may result in criminal proceedings being instigated against the person concerned. KCAH may also need to report the alleged breach to a regulatory body eg The Charity Commission. This conduct would also amount to a gross misconduct offence under KCAH’s disciplinary procedure and could lead to a summary dismissal. 

Staff and volunteers must also comply with the following guidelines at all times: 

  • only access personal data that you have authority to access and only for authorised purposes, e.g. if you need them for the work you do for KCAH, and then only use the data for the specified lawful purpose for which they were obtained 
  • only allow other members of staff to access personal data if they have the appropriate authorisation and never share personal data informally 
  • do not disclose personal data to anyone except the data subject. In particular, they should not be given to someone from the same family, passed to any other unauthorised third party, placed on KCAH’s website or posted on the Internet in any form unless the data subject has given their explicit consent to this 
  • be aware that those seeking personal data sometimes use deception to gain access to them, so always verify the identity of the data subject and the legitimacy of the request 
  • where KCAH provides you with code words or passwords to be used before releasing personal data, you must strictly follow KCAH’s requirements in this regard 
  • only transmit personal data between locations by e-mail if a secure network is in place, e.g. encryption is used for e-mail 
  • if you receive a request for personal data about another member of staff or data subject, you should forward this to KCAH’s CEO 
  • ensure any personal data you hold are kept securely, either in a locked non-portable filing cabinet or drawer if in hard copy, or password protected or encrypted if in electronic format, and comply with KCAH rules on computer access and secure file storage. Archived files must be placed in the locked archive cupboard. 
  • do not access another member of staff’s personal data, e.g. their personnel records, without authority as this will be treated as gross misconduct and it is a criminal offence 
  • do not obtain or disclose personal data (or procure their disclosure to a third party) without authority or without the charity’s consent as this will be treated as gross misconduct and it is a criminal offence 
  • do not write down (in electronic or hard copy form) opinions or facts concerning a data subject which it would be inappropriate to share with that data subject 
  • do not remove personal data, or devices containing personal data, from the workplace with the intention of processing them elsewhere unless this is necessary to enable you to properly carry out your job duties and responsibilities, you have adopted appropriate security measures (such as password protection, encryption or pseudonymisation) to secure the data and the device and it has been authorised by your line manager 
  • ensure that, when working on personal data as part of your job duties and responsibilities when away from your workplace and with the authorisation of your line manager, you continue to observe the terms of this policy and the data protection legislation, in particular in matters of data security 
  • do not store personal data on local computer drives, your own personal computer or on other personal devices 
  • do not make unnecessary copies of personal data and keep and dispose of any copies securely, e.g. by cross-shredding hard copies 
  • ensure that you attend all mandatory data protection training 
  • refer any questions that you may have about the data protection legislation or compliance with this policy to KCAH’s CEO 

Remember that compliance with the data protection legislation and the terms of this policy is your personal responsibility. 


All staff who have access to any kind of personal data will be given copies of all relevant policies and procedures during their induction process, including the Data Protection Policy, Confidentiality policy and the operational procedures for handling personal data. All staff will be expected to adhere to all these policies and procedures. 


Data Protection will be included in the induction training for all volunteers. 


KCAH will provide opportunities for staff to explore Data Protection issues through training, team meetings, and supervisions. 


Policy Review 


The policy will be reviewed in March 2021 by the CEO and approved by the Board of Trustees. It will also be reviewed in response to changes in relevant legislation, contractual arrangements, good practice or in response to an identified failing in its effectiveness.