Data Protection and Security Policy
At Breaking Barriers we are committed to being transparent about how we collect and use the personal data of our colleagues and how we meet our data protection obligations. This statement explains how Breaking Barriers (“we” and “our”) handles and uses data we collect about our past, current, and future clients, supporters, donors referral partners, employees, and volunteers (“you” and “your”). In broad terms, we use your data to tailor our support to our clients and inform current and future delivery practice. In addition, we use data to update you on our activities and developments, and to identify ways in which you can support us through donations and/or other forms of financial and non-financial support. Breaking Barriers acts as both a Data Controller, as well as a Data Processor.
At Breaking Barriers, we process HR-related personal data in accordance with the following data protection principles:
- We process personal data lawfully, fairly and in a transparent manner.
- We collect personal data only for specified, explicit and legitimate purposes.
- We process personal data only where it is relevant, and we limit the data to what is necessary for the purposes of processing.
- We keep accurate personal data and take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
- We keep personal data only for the period necessary for processing.
- We adopt appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.
- We explain the reasons for processing your personal data, how we use such data and the legal basis for processing in our privacy notices. We do not process personal data of individuals for other reasons.
- We will update personal data promptly if you advise us that your information has changed or is inaccurate.
- All staff members and volunteers sign a confidentiality agreement when they start working or volunteering for Breaking Barriers.
- We keep a record of our processing activities in respect of personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).
1: Programme data
Throughout this policy we categorise the individuals whose data is held by Breaking Barriers as clients, contacts, or non-enrolled clients. Below is a definition of these terms:
- Clients: the beneficiaries of Breaking Barriers’ programmes
- Contacts: Non-service users who have an involvement in Breaking Barriers’ activities in another respect. This includes:
- Trust and Foundations
- Corporate Partners
- Referral Partners
- Newsletter Recipients
- Non-enrolled clients: potential clients whose names and contact details are held by Breaking Barriers prior to their initial appointment
The basis for holding programme data
- Consent: We will operate under this basis where explicit consent is given by the individual.
- Contract: We will operate under this basis where there is an explicit contract.
- Legitimate interest: For clients enrolled before 25th May 2018 and clients that have yet to be enrolled, whose data is stored and used by Breaking Barriers on the basis of having a legitimate interest.
How Breaking Barriers collects, shares and stores data
Due to the varied ways in which Breaking Barriers uses data to implement our delivery and conduct outreach, for both clients and other types of contacts, it is often stored across a variety of platforms.
- We collect data about you using two online platforms – Kobo Toolbox and Zoho Forms. Both platforms are password protected and have committed to complying with the GDPR. In addition, we collect data on paper forms when it is appropriate. Data from these forms is transferred to a Google Sheet, and the hard copies are kept in the Breaking Barriers office, which is only accessible to Breaking Barriers staff members with a key card.
- Before collecting and storing data through any means, we ask you for your consent either verbally (for contact details), or as a question within the enrolment questionnaire.
- We store data about you on the Kobo Toolbox server, Zoho, Dropbox, Sharepoint, work computers and Google docs. All these platforms are password protected and have committed to being GDPR compliant. We also may store a limited amount of information about you in hard copies, which are kept in our offices and only available to BB staff members with key cards.
- Your contact details are shared via email and phone with Breaking Barriers staff, Breaking Barriers volunteers, corporate partners and referral partners when a client wishes to access their services.
- You have the option to consent to share your contact details, personal information, education and employment history upon enrolment with Breaking Barriers staff and volunteers, as well as progress update reports to the organisation that referred you to Breaking Barriers’ services. In addition, at this stage you can provide consent for your CV and other relevant documentation to be shared with Breaking Barriers’ corporate partners for access to placements and workshops.
- Data will be stored by Breaking Barriers for 10 years from the point of enrolment. If it is in the interest of Breaking Barriers’ programming, data may be stored longer than this period. Data stored beyond 10 years will be anonymised.
- Volunteers’, referral partners’, donors’ , and business supporters’ details are stored on Breaking Barriers’ Gmail, Dropbox, MailChimp, GoogleDocs, and Zoho accounts.
- All storage platforms are password controlled and GDPR compliant.
- Contact details are only stored on MailChimp with your permission, which was provided by you upon signing up to the newsletter.
- No contact details are shared without your permission.
- Data will be stored for a maximum of 5 years.
- Data is provided to us by referral partners. Referral partners are responsible for getting the consent of the client to share their data with Breaking Barriers.
- Data is sent to us by the client upon enquiring about Breaking Barriers services.
- Data will be stored for a maximum of 2 months.
What data is held by Breaking Barriers
- Full names, contact details and addresses.
- Unique personal identifiers (including date of birth, country of origin, gender, religion, sexual orientation, length of asylum process, education and employment history, and organisation providing employment).
- Psychological information, such as levels of confidence, stress, health, and motivation to achieve goals.
- Name and contact details.
- Volunteers – CV or short bio, and whether they are actively volunteering, hours and location of volunteering, and availability to volunteer.
- Organisation providing employment.
- Referral partner.
- Short bio if it has been provided by either themselves or the referral partner including information such as, but not limited to, level of English, date of birth, nationality, and interests.
- Email address and/or phone number.
We will retain your data for 10 years if you are an enrolled client, 5 years if you are a contact, and 2 months if you are a non-enrolled client, or until you request us to do otherwise.
How Breaking Barriers uses your data
- Identifying suitable opportunities for you.
- Recording the support you have received from Breaking Barriers and the suggested next steps.
- Recording the outcomes you have achieved since working with Breaking Barriers.
- Submission as programme evidence to donors and consortium managers.
- If applicable, providing updates to the organisation that referred you.
- Briefing volunteers about the client they will be working with and updating them on the progress of clients.
- Data analysis to inform our future programming, providing performance reports to be shared both internally and externally.
- Briefing corporate partners on the clients that will be attending workshops, through sending CVs or bios.
- Distribution of our e-newsletter.
- Promotion of events.
- Promotion of opportunities.
- Appeals and requests for donations.
- Donor stewardship.
- To inform clients of the services we provide, and book their first appointment with them.
Communications to you may be sent by post, telephone or electronic means.
If you have concerns or queries about any of these purposes, or how we communicate with you, please contact us at firstname.lastname@example.org.
When Breaking Barriers shares your data with others
Breaking Barriers will never share your data with any third party without seeking your explicit consent either upon enrolment or at a later date. Clients provide consent for us to share their information with our donors, volunteers, corporate partners, and referral partners upon enrolment.
We will not sell your personal data to third parties under any circumstances.
2: Human Resources Data
This section explains how Breaking Barriers (“we” and “our”) handles and uses HR-related data and sets out our commitment to data protection and to your individual rights in relation to your personal data.
This policy applies to the personal data of job applicants and all those who work with us, including employees, workers, contractors, interns and students, and former employees. This is referred to as HR-related personal data. This policy does not apply to the personal data of clients, supporters, donors, referral partners or to other personal data processed to undertake the work of Breaking Barriers.
Where we process special categories of personal data or criminal records data to perform obligations or to exercise rights in employment law, this is done in accordance with our policy below on special categories of data and criminal records data.
Matthew Powell, the CEO, is the person with responsibility for HR-related data protection compliance within the Charity. He can be contacted at email@example.com. Questions about this policy, or requests for further information, should be directed to him.
Certain definitions are used in this policy:
- Personal Data: is any information that relates to an individual who can be identified, either directly or indirectly, from that information. It could be a name or some other identifier, such as an employee number or other online identifier.
- Processing: is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.
- Controlling: determination of the purposes for which and the manner in which any personal data are, or are to be, processed.
- Special Categories of Personal Data: means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.
- Criminal Records Data: means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.
How Breaking Barriers uses your data
We process your data to enter into an employment contract with you and to meet our obligations to you under your employment contract. For example, we need to process your data to provide you with an employment contract, to pay you in accordance with your contract and to administer benefits.
We also need to process data to ensure that we comply with our legal obligations. For example, we are required to check your entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable you to take the holiday leave to which you are entitled.
In other cases, we have legitimate business interests for processing personal data before, during, and after the end of our employment relationship with you. Processing employee data allows us to:
- run recruitment processes.
- offer contracts to successful candidates.
- maintain accurate and up-to-date employment records and contact details (including details of whom to contact in the event of an emergency).
- keep records of your contractual and statutory rights.
- operate and keep a record of disciplinary and grievance processes, to ensure safety and acceptable conduct at work.
- operate and keep a record of employee performance and related processes, to plan for career development and to identify training needs.
- operate and keep a record of absence and absence management procedures, to allow effective management and to ensure that you are receiving the pay or other benefits to which you are entitled.
- obtain medical or occupational health advice, to ensure that we comply with duties in relation to those with disabilities and to meet our obligations under health and safety law.
- operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective management and to ensure that we comply with duties in relation to leave, pay and benefits entitlement.
- ensure effective general HR and business administration.
- provide references on request for current or former employees.
- respond to and defend against legal claims.
- maintain and promote equality in the workplace.
How Breaking Barriers collects, shares and stores data
Data from you may be collected in a variety of ways, for example, through application forms, CVs or resumes; from your passport or other identity documents such as your driving license; from forms completed by you at the start of or during employment; from correspondence with you; or through interviews, meetings or other assessments.
Personal data gathered during the employment, worker, contractor or volunteer relationship, or studentship or internship is held in the following locations:
- on online platforms – DropBox, Sharepoint, and Zoho.
- on our drives which form part of Google’s cloud-based system.
- in digital personnel files on the Charity’s servers and computers, located in London;
- on laptop computers or other mobile devices provided by the Charity or owned by Trustees or employees and used for work purposes.
- on third party computers and servers, such as our payroll, pensions and benefits providers and our accountants and auditors.
- on hard copy records located with our payroll, pensions and benefits providers and our accountants.
- hard copy in the personnel files, located in London.
- hard copy in the accident book kept in the Breaking Barriers office.
We aim to be transparent about our data retention policies and procedures. In our Register of HR-Related Personal Data we identify the legal basis for retaining each category of personal data. We have a policy on retention periods for particular types of HR personal data, based on the purpose of the data and the needs of the business. There are also legal obligations on us to keep certain records for specific periods of time.
- Records relating to recruitment are kept for six months after the completion of the recruitment exercise to defend against legal claims;
- Records relating to employees are retained for the duration of the employment;
- Most records relating to ex-employees are retained for 12 months after the end of their employment to defend against legal claims;
- Records relating to the right to work in the UK are retained for two years post employment as this is a statutory requirement;
- Information relating to the payment of salary, bonuses and commission is kept for seven years following the end of employment;
- Health and safety incidents are kept for five years to meet statutory requirements and defend against legal claims.
What data is held by Breaking Barriers
We collect and process a range of information about you. This includes:
- your name, address and contact details, including work and private email addresses and telephone number, date of birth and gender;
- the terms and conditions of your employment;
- details of your qualifications, skills, experience, training and employment history, including start and end dates with previous employers and with Breaking Barriers;
- information about your remuneration, including entitlement to any benefits such as pensions;
- details of any salary sacrifice arrangements, such as pension schemes;
- details of your bank account and national insurance number;
- information about your marital status, next of kin, dependents, and emergency contacts;
- information related to maternity, paternity, adoption, shared parental leave and parental leave entitlements;
- information about your nationality and entitlement to work in the UK;
- information about your criminal record;
- details of your working pattern (days of work and working hours) and attendance at work;
- details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;
- details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
- assessments of your performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence;
- information about training you have completed while at Breaking Barriers;
- information about medical or health conditions, including whether or not you have a disability for which we need to make reasonable adjustments;
- information about expenses claimed by you;
- equal opportunities monitoring information, including information about your age, ethnic origin, sexual orientation, health and religion or belief.
When Breaking Barriers shares your data with others
We share your data with some third parties for legal reasons, or to meet our obligations to you under your contract. The third parties who may have access to your data are:
- HMRC and other government bodies
- Our payroll provider
- Our accountants
- Our auditors
- Our pension provider
Special Categories of Personal Data and Criminal Records Data
We only process and retain special categories of personal data where this is necessary for the purposes of performing or exercising employment law obligations or rights. For example, we may retain information about a disability for the purpose of making reasonable adjustments.
Where we want to use sensitive personal data for equality monitoring purposes we will ask for consent.
Your individual responsibilities
You are responsible for helping us keep your personal data up to date. You should let us know if data you have provided changes, for example if you move house or change your bank details.
You may have access to the personal data of other individuals in the course of their employment or other engagement with the Breaking Barriers. Where this is the case, we rely on you to help us meet our data protection obligations by keeping data secure, for example by complying with rules on computer access, password protection, and secure file storage and destruction;
If you have access to personal data, you have certain responsibilities:
- Read the HR Data Protection and Security Policy and keep it to hand;
- Access only the data that you have authority to access and only for authorised purposes;
- Do not disclose data except to individuals (whether inside or outside the organisation) who have appropriate authorisation;
- Use a suitable computer password, in line with our strong password policy;
- Change your password regularly;
- Do not use a password that you have used on any home computer or system;
- Be mindful when working on personal data, ensuring that you are not overlooked and that computer screens or paperwork is not left unattended;
- Mark all emails that contain personal data ‘confidential’;
- Do not use fax for personal data;
- Ensure that the screen of your computer is always locked when you are away from your desk;
- Keep to the clean desk policy;
- Be mindful when making telephone calls, ensuring that you can not be overheard;
- Keep personal data in a locked drawer or filing cabinet;
- Make sure that you stand by the printer when printing out personal data;
- Do not remove personal data from the organisation’s premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device;
- Do not save copies of personal data or store personal data except on designated drives and servers;
- Ensure personal data is shredded and disposed of securely when no longer required;
- Be vigilant about data.
Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with under the disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing employee or customer data without authorisation or a legitimate reason to do so, may constitute Gross Misconduct and could lead to dismissal without notice.
3: Trust Fundraising
The below is based on a review of the Institute of Fundraising GDPR Spotlight on Trust Fundraising, which was agreed with the Information Commissioner’s Office.
Sources of personal data relevant to Trusts team’s work
- Email addresses with contact name
- Direct line phone numbers / mobile numbers
- Correspondent’s name / Trustee’s name
- Business dealings of Trustees / settlors
- Philanthropic activities and interests of Trustees / settlors
- Contacts with individuals for Trust fundraising purposes, stored on the database
The basis for Trust fundraising
- Consent: We will operate under this basis where explicit consent is given by the individual.
- Contract: We will operate under this basis where there is an explicit contract with a donor.
- Legitimate interest: The great majority of our work will be done on the basis of having a legitimate interest.
Basis of legitimate interest consideration
- When using legitimate interest as the basis for our work, we will only use post, phone calls, or emails to the funder’s stated email address.
- The principle legitimate interest we will rely on is our interest in funding the work of Breaking Barriers to enable us to fulfil our charitable objects. Connected to that, Breaking Barriers’ service users also have a legitimate interest in receiving Breaking Barriers’ services, which are funded through Trust fundraising activities.
- We have a legitimate interest in the kind of Trust funders that have funded our work. These funders are those with an interest in funding services and related research in the fields of: refugees, disadvantaged groups, employment support, education, relief of poverty, vulnerable persons groups; and those with very broad funding aims who fund charitable work in specific local areas (such as Community Foundations). We also have a legitimate interest in identifying funders that fall into the above category. Evidence that Trusts/Lottery funders do fund this work would not only include stated interests, it would include that they have funded charities delivering related work (e.g. refugee/employment support services).
This is the overall basis on which we will work. However, we will also review other legitimate interests regarding individual Trusts (recording alternative bases for legitimate interest against their database record).
Sources we will use
- We will use a full range of standard sources for Trust and Lottery fundraising, including: Trust databases, Trust directories, Trust websites, Charity Commission records and our existing records.
- In instances where the information provided is not clear enough to enable an effective approach, we may look more broadly again, undertaking an online search on the Trust and the philanthropic behaviour of the individuals connected to it and asking both people connected to us and other recipients of donations for further information.
- We may also make phone calls for research purposes prior to submitting applications. We will make sure the telephone number is not listed on the TPS.
Uses we will make of the sources
We will use these sources to identify:
- The interests of the Trust
- Potential size and timing of any gift
- The best way to engage and approach them
- Stewardship requirements including reporting requirements
Are the above sources and uses necessary?
The research needs listed are those that determine whether we will get funding now and in the future. To meet them, it is necessary to use the sources and techniques mentioned. Many Trusts are not skilled in communication and it can be necessary to research in depth in order to form an accurate enough picture to make good use of the potential funding opportunity. We will do the above in a way that enables the efficient raising of money from Trusts.
Balancing of Breaking Barriers’ and Trust’s interests
The interests of the individuals covered by the data include:
- Right not to be pestered/ receive “excessive” communication
- Right to a level of privacy
- Right to keep control of their personal information
Our usages will meet our legitimate interests without unduly infringing their rights:
Right not to be pestered / receive “excessive” communication
- Individuals at the Trust have legal obligations to fund charitable activities. The staff act through the delegation of authority by the Trustees. The Charity Commission states that Trustees “must act responsibly, reasonably and honestly. This is sometimes called the duty of prudence. Prudence is about exercising sound judgement.” It further states that Trustees “must use reasonable care… taking appropriate advice when necessary.”
- By understanding them better we can present the best projects and report well on these. This enables Trustees to perform their functions at the Trust better.
- We will make our approaches in good faith and as efficiently as possible. This will avoid any imposition on the individuals concerned, beyond what is required to fund the work and help them perform their duties. As such, the level of imposition will be very limited as compared to the financial benefit to Breaking Barriers and the benefit to service users receiving assistance that is funded by the Trust’s money: limited numbers of time on the phone or skimming a letter/email, as compared to hundreds, or many thousands, of pounds worth of funded work.
Right to keep control of their personal information
- That at any time they can change their contact preferences or see the information we have on them.
- That we will maintain a suppression list for individuals (including individuals at Trusts) that do not wish to be contacted – though we reserve the right to contact them for relevant administrative purposes.
The majority of the personal information we obtain is in the public domain.
Right to a level of privacy
This is covered by the same points given above.
Newly formed Trusts have less information available because they have not formed policies or submitted accounts.
We will need to provide them more information on our work to identify whether they would be suitable for an approach. Also, they will benefit from seeing projects and arguments in favour of their stated interests.
Deletion of old data
We do not foresee that we will need to delete in bulk the individual data regarding individuals who left Trusts. This is because the infringement of their rights is zero or negligible from any mistaken use of their data. The usages of such data might be:
- Approaching the Trust via those contact details – in which case that might be a matter for the Trust (which isn’t covered by GDPR) but of zero interest to the individual formerly involved.
- Considering the individual in the context of the history of the Trust (e.g., “perhaps the giving policy has changed because they have left”). Again, this would have negligible impact on the individual.
- Considering the circumstances / interests of the individual when considering an approach. In that case, the first thing we would do is to check whether the individual is still at the Trust.
The below outlines the aspects of Breaking Barriers’ Data Protection Policy that are relevant across forms of data.
Review of the team’s work under GDPR
The data protection policy will be reviewed in May of every year, following internal changes to data collection, storage or use methods, or prior to any changes in UK Data Protection Regulations. An updated policy will be added to our website, and any significant changes will be communicated to the affected parties at the earliest possible date.
Data security and Responsibilities
Breaking Barriers takes the security of HR-related personal data seriously. We have internal policies and controls in place to protect personal data against loss, accidental destruction, misuse, or disclosure, and to ensure that data is not accessed, except by employees or trained volunteers in the proper performance of their duties.
Everyone who works for or with Breaking Barriers has some responsibility for ensuring that data is collected, stored, and handled appropriately. In terms of personal data:
- The Board of Trustees is ultimately responsible for ensuring that Breaking Barriers meets its legal obligations;
- Matthew Powell, the CEO, is responsible for ensuring appropriate policies are in place; ensuring that hard-copy data is appropriately stored; arranging training on data protection procedures for personal data; dealing with questions and queries on personal data; and handling subject access requests;
- Mieke Dale Harris, the Data Protection Officer, is responsible for ensuring that all systems, services, and equipment used for storing electronic data meet acceptable security standards; performing regular checks and scans to ensure that security hardware and software is functioning properly; and ensuring that third party services, such as cloud computing services, are appropriately secure.
- The Finance Director is responsible for checking and approving any contracts or agreements with third parties that may handle personal data.
Technical Security Measures
- There is a strong password policy;
- There is an account sharing policy;
- There is restricted user access on systems containing personal data;
- Only server administrators can set up new IT services or electronic storage areas for personal data;
- Security is reviewed internally once every six months and improvements made as required;
- Servers are built and configured in accordance with standard server build instructions;
- Servers are updated monthly.
Organisational Security Measures
- The Data Security Policy which is regularly reviewed;
- Colleagues are alerted to the dangers of scam emails and attempts to gain access to our systems via team meetings;
- There is a clean desk policy;
- There is a shredding policy for documents that are no longer needed;
- There is a process for dealing with starters and leavers;
- All employees are asked to sign Confidentiality Agreements;
- All employees and other parties working with personal data are made aware of their responsibilities under the GDPR and this policy;
- There are processes in place to deal with issues that could lead to data being exposed, such as lost equipment, hacking, viruses or passwords becoming known;
- When we engage third parties to process personal data on our behalf, such parties do so on the basis of formal instructions or under an on-going contract, are under a duty of confidentiality, and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
Your individual rights
The legal basis for processing your personal data is your consent, where you have provided this, and otherwise our legitimate interest. As a data subject, you have a number of rights in relation to your personal data.
Subject access requests
You have the right to make a subject access request. If you make a subject access request, we will tell you:
- whether or not your data is processed and if so why, the categories of personal data concerned and the source of the data, if it is not collected from the individual;
- to whom your data is, or may be, disclosed to, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
- for how long your personal data is stored (or how that period is decided);
- your rights to have data corrected or erased, or to restrict or object to processing;
- your right to complain to the Information Commissioner if you think we have failed to comply with your data protection rights; and
- whether or not we carry out automated decision-making and the logic involved in any such decision-making.
We will also provide you with a copy of the personal data undergoing processing.
To make a subject access request, you should send the request to Matthew Powell at firstname.lastname@example.org.
We will normally respond to a request within a period of one month from the date it is received. If we need more time, we will write to you within one month of receiving the original request to let you know.
If a subject access request is manifestly unfounded or excessive, we are not obliged to comply with it. Alternatively, we can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which we have already responded. If you submit a request that is unfounded or excessive, we will notify you that this is the case and let you know whether or not we will respond.
The right to be forgotten
You have the right to be forgotten, that is, to have your personal data erased and to prevent the processing of your data where:
- the data is no longer required for the purpose for which it was originally collected or processed;
- you withdraw your consent;
- your interests override our legitimate grounds for processing data (where we are relying on our legitimate interests as a reason for processing data);
- data is being processed in breach of the General Data Protection Regulation (GDPR).
You have a number of other rights in relation to your personal data. You can require the Charity to:
- rectify inaccurate data;
- stop processing data if your interests override our legitimate grounds for processing data (where we are relying on our legitimate interests as a reason for processing data);
- stop processing or erase data if processing is unlawful; and
- stop processing data for a period if data is inaccurate or if there is a dispute about whether your interests override the Charity’s legitimate grounds for processing data.
To ask Breaking Barriers to take any of these steps, you should send a request to Mieke Dale-Harris at email@example.com for Programme data, and Matthew Powell at firstname.lastname@example.org for HR or Fundraising related data.
We will publish on our website any changes we make to this data protection statement and notify you by other communication channels where appropriate.
When data retention periods have expired or if a data subject exercises their right to have their personal data erased, this data will be deleted, destroyed or otherwise disposed of as follows:
- Personal data stored electronically, including all and any backups, will be deleted.
- Personal data stored in hard copy will be shredded.
If we find that there has been a breach which poses a risk to the rights and freedoms of you as an individual, we will report this to the Information Commissioner within 72 hours of discovery. We will record all data breaches regardless of their effect.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, wewill tell affected individuals that there has been a breach, and provide them with information about its likely consequences and the mitigation measures we has taken.
If you suspect that a data breach has occurred you should immediately notify Mieke Dale Harris, the Data Protection Officer at email@example.com
International data transfers
Breaking Barriers uses Google for documents and storage. Google has confirmed that it is committed to compliance with the EU General Data Protection Regulations across Google Cloud Platform services.
Other than the above, Breaking Barriers does not transfer personal data outside the EEA.
Breaking Barriers provides information to all staff and volunteers about their data protection responsibilities as part of the induction process.
Those whose roles require regular access to personal data, or who are responsible for implementing this policy, or responding to subject access requests under this policy, receive additional training to help them understand their duties and how to comply with them.
Questions and further statutory information
The controller for your personal data is Breaking Barriers. Breaking Barriers’ Data Protection Officer, Mieke Dale-Harris, is responsible for monitoring compliance with relevant legislation in relation to the protection of personal data, and can be contacted at firstname.lastname@example.org
Please contact us if you have any concerns or questions about the above information. Where you have specific requests relating to how we manage your data, we will endeavour to resolve these, but please note that there may be circumstances where we cannot comply with your specific request.
Where you opt out of all future communications, or exercise your right to erasure, we will continue to maintain a core set of personal data (name, date of birth, organisation, country of origin) to ensure we do not contact you inadvertently in the future, while still maintaining our record of your enrolment in a Breaking Barriers’ programme. We may also need to retain some immigration records about you for statutory purposes (e.g. donor reporting).