Data protection policy

At Breaking Barriers we are committed to being transparent about how we collect and use personal data

Share this

At Breaking Barriers we are committed to being transparent about how we collect and use the personal data of our colleagues and how we meet our data protection obligations. This statement explains how Breaking Barriers (“we” and “our”) handles and uses personal data we collect about our past, current, and future clients, supporters, donors, referral partners, employees, and volunteers (“you” and “your”). We use data to tailor our support to our clients and inform current and future delivery practices. In addition, we use data to provide updates on our activities and developments, to report on our activities to donors and funders, as well as to identify ways in which our supporters can contribute through donations and/or other forms of financial and non-financial support. Breaking Barriers acts as both a Data Controller and a Data Processor.

At Breaking Barriers, we process personal data in accordance with the following data protection principles:

  • We process personal data lawfully, fairly and in a transparent manner
  • We collect personal data only for specified, explicit and legitimate purposes in line with our Data Handling Policy
  • We process personal data only where it is relevant, and we limit the data to what is necessary for the purposes of processing
  • We keep accurate personal data and take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay
  • We keep personal data only for the period necessary for processing in line with our Data Handling Policy
  • We adopt appropriate measures to make sure that personal data is secure and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage
  • We explain the reasons for processing personal data, how we use such data and the legal basis for processing in our privacy notices. We do not process the personal data of individuals for other reasons
  • We will update personal data promptly if we are advised that information has changed or is inaccurate
  • All staff members and volunteers sign a confidentiality agreement when they start working or volunteering for Breaking Barriers
  • We keep a record of our processing activities in respect of personal data in accordance with the requirements of the UK General Data Protection Regulation (GDPR).

1: Programme Data

Throughout this section we categorise the individuals whose data is held by Breaking Barriers as clients, contacts, or non-enrolled clients. Below is a definition of these terms: ‘Clients’[1]: Beneficiaries of Breaking Barriers’ programmes and activities.

‘Contacts’: Non-service users who have an involvement in Breaking Barriers’ activities in another respect. This includes:

  • Trust and Foundations
  • Individual Donors
  • Corporate Partners
  • Referral Partners
  • Newsletter Recipients
  • Volunteers

‘Non-enrolled clients’: Potential clients whose personal information is stored by Breaking Barriers prior to reviewing prospective applications.

The basis for holding programme data

  • Consent: We will operate under this basis where explicit consent is given by the individual.
  • Contract: We will operate under this basis where there is an explicit contract.
  • Legitimate interest: For clients enrolled before 25th May 2018 and clients that have yet to be enrolled, whose data is stored and used by Breaking Barriers on the basis of having a legitimate interest.

How Breaking Barriers collects, shares and stores data

Breaking Barriers uses data to carry out our services and conduct outreach, for both clients and contacts. To ensure the efficient running of each programme, data is stored across multiple platforms.


  • Data is collected through two online platforms – Kobo Toolbox and Zoho Forms and through direct correspondence. Both platforms are password protected and have committed to complying with the UK GDPR. In addition, we may collect data on paper forms when it is appropriate. The hard copies are kept secure in locked storage cabinets, which are only accessible to Breaking Barriers authorised staff members.
  • Before collecting and storing data through any means, we ask for consent either verbally (for contact details), or as a question within the enrolment questionnaire.
  • We store data on the Kobo Toolbox server, Zoho, SharePoint and work computers[2]. All these platforms are password protected and have committed to being GDPR compliant. We may also store a limited amount of information in hard copies, which are kept in our offices and only available to authorised BB staff members with secure access
  • Contact details are shared via email and phone with Breaking Barriers staff and volunteers, as well as with corporate partners and referral partners in the event of the client accessing their services
  • At the point of enrolment, clients are presented with the option to consent to sharing contact details, personal information, and education and employment history with Breaking Barriers staff and volunteers, as well as progress update reports to the organisation that referred them and to donors for programme reporting purposes. At this stage clients also provide consent for their CV and other relevant documentation to be shared with Breaking Barriers’ corporate partners for access to placements and workshops
  • Data will be stored by Breaking Barriers for 10 years from the point of enrolment. If it is in the interest of Breaking Barriers’ programming or funding requirements, data may be stored longer than this period but will be anonymised.


  • Volunteers’, referral partners’, donors’, and business supporters’ details are stored on Breaking Barriers’ Gmail, MailChimp, SharePoint, and Zoho accounts.
  • All storage platforms are password controlled and GDPR compliant.
  • Contact details are only stored on MailChimp with permission, which was provided by the contact upon signing up to the newsletter.
  • No contact details are shared without permission.
  • Volunteers data will be kept for 6 months after the last point of contact, unless there is a specific reason to keep the volunteers data on file

Non-enrolled clients

  • Data is provided to Breaking Barriers by referral partners or, in the case of self-referral, the client themselves. Referral partners are responsible for obtaining the client’s consent to share their data with Breaking Barriers
  • Data will be stored for a maximum of 6 months following the last contact.

What data is held by Breaking Barriers


  • Full names, contact details and addresses
  • Unique personal identifiers (including date of birth, country of origin, gender, religion, sexual orientation, mental health, criminal history, length of asylum process, education and employment history, and organisation providing employment)
  • Psychological information, such as levels of confidence, stress, health, and motivation to achieve goals

Photos, stories and case study information may be stored with active consent from the client themselves for events such as the exhibition or marketing materials


  • Name and contact details
  • Volunteers – CV or short bio, and whether they are actively volunteering, hours and location of volunteering, and availability to volunteer
  • Organisation providing employment

Non-enrolled clients

  • Name
  • Referral partner
  • Short bio if it has been provided by either themselves or the referral partner including information such as, but not limited to, level of English, date of birth, nationality, and interests
  • Email address and/or phone number

How Breaking Barriers uses data


  • Identifying suitable opportunities
  • Recording the support delivered by Breaking Barriers and the suggested next steps for each beneficiary
  • Recording the outcomes achieved since working with Breaking Barriers
  • Submission as programme evidence to donors and consortium managers
  • If applicable/requested, providing updates to the organisation that referred the client to Breaking Barriers
  • Briefing volunteers about the client they will be working with and updating them on the progress of clients
  • Data analysis to inform our future programming, providing performance reports to be shared both internally and externally[3]
  • Briefing corporate partners on the clients that will be attending workshops, through sending CVs or bios


  • Distribution of our e-newsletter
  • Promotion of events
  • Promotion of opportunities
  • Appeals and requests for donations
  • Donor stewardship

Non-enrolled clients

  • To inform clients of the services we provide and book initial appointments or direct to appropriate resources.

Communications may be sent by post, telephone, or electronic means.

If there are concerns or queries about any of these purposes, or on our methods of communication, please contact Breaking Barriers Data Protection Officer. When Breaking Barriers shares data with others

Breaking Barriers will never share client or contact data with a third party without seeking explicit consent either upon enrolment or at a later date. Clients provide consent for us to share their information with our donors, volunteers, corporate partners, and referral partners upon enrolment.

2: Human Resources Data

This section explains how Breaking Barriers (“we” and “our”) handles and uses HR-related data and sets out our commitment to data protection and to individual rights in relation to personal data.

This policy applies to the personal data of job applicants and all those who work with us, including employees, workers, contractors, interns and students, clients on Employment Academy placements who are paid through the Breaking Barriers payroll, and former employees. This is referred to as HR-related personal data. This policy does not apply to the personal data of clients, supporters, donors, referral partners or to other personal data processed to undertake the work of Breaking Barriers.

Where we process special categories of personal data or criminal records data to perform obligations or to exercise rights in employment law, this is done in accordance with our policy below on special categories of data and criminal records data.

Matthew Powell, the CEO, is the person with responsibility for HR-related data protection compliance within the Charity. He can be contacted at [email protected]. Questions about this policy, or requests for further information, should be directed to him.


Certain definitions are used in this policy:

  • Personal Datais any information that relates to an individual who can be identified, either directly or indirectly, from that information. It could be a name or some other identifier, such as an employee number or other online identifier.
  • Processingis any use that is made of data, including collecting, storing, amending, disclosing or destroying it.
  • Controlling: determination of the purposes for which and the manner in which any personal data are, or are to be, processed.
  • Special Categories of Personal Datameans information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.
  • Criminal Records Data: means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.

How Breaking Barriers uses data

We process data to enter into an employment contract with a prospective member of staff and to meet our obligations to staff under their employment contracts. For example, we need to process staff data to provide employment contracts, to pay staff in accordance with their contracts and to administer benefits.

We also need to process data to ensure that we comply with our legal obligations. For example, we are required to check each member of staff’s entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable staff to take the holiday leave to which they are entitled.

In other cases, we have legitimate business interests for processing personal data before, during, and after the end of the term of employment. Processing employee data allows us to:

  • Run recruitment processes.
  • Offer contracts to successful candidates.
  • Maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency).
  • Evidence programme activity and costs for funding purposes (e.g. timesheets and payroll data).
  • Keep records of contractual and statutory rights.
  • Operate and keep a record of disciplinary and grievance processes, to ensure safety and acceptable conduct at work.
  • Operate and keep a record of employee performance and related processes, to plan for career development and to identify training needs.
  • Operate and keep a record of absence and absence management procedures, to allow effective management and to ensure that staff receive the pay or other benefits to which they are entitled.
  • Obtain medical or occupational health advice, to ensure that we comply with duties in relation to those with disabilities and to meet our obligations under health and safety law.
  • Operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective management and to ensure that we comply with duties in relation to leave, pay and benefits entitlement.
  • Ensure effective general HR and business administration.
  • Add employees and consultants to our payroll, and remunerate each employee on a monthly basis.
  • Provide references on request for current or former employees.
  • Respond to and defend against legal claims.
  • Maintain and promote equality in the workplace.

How Breaking Barriers collects, shares and stores data

Data may be collected in a variety of ways, for example, through application forms, CVs or resumes; from passports or other identity documents such as driving licences; from forms completed at the start of or during employment; from correspondence; or through interviews, meetings or other assessments.

Personal data gathered during the employment, worker, contractor or volunteer relationship, or studentship or internship is held in the following locations:

  • On dedicated HR online software – Breathe HR
  • On online platforms – SharePoint, and Zoho.
  • In digital personnel files on the Charity’s servers and computers;
  • On laptop computers or other mobile devices provided by the Charity or owned by Trustees or employees and used for work purposes.
  • On third party computers and servers, such as our payroll, pensions and benefits providers and our accountants and auditors.
  • On hard copy records located with our payroll, pensions and benefits providers and our accountants.
  • Hard copy in the personnel files, kept in the Breaking Barriers office.
  • Hard copy in the accident book kept in the Breaking Barriers office.

We aim to be transparent about our data retention policies and procedures. In our Register of HR-Related Personal Data we identify the legal basis for retaining each category of personal data. We have a policy on retention periods for particular types of HR personal data, based on the purpose of the data and the needs of the business. There are also legal obligations on us to keep certain records for specific periods of time.

In general:

  • Records relating to recruitment are kept for six months after the completion of the recruitment exercise to defend against legal claims;
  • Records relating to employees are retained for the duration of the employment;
  • Records required to evidence programme activity and costs for funding purposes (e.g. timesheets and payroll data) are kept for the duration of the reporting period and/or funding requirements;
  • Most records relating to ex-employees are retained for 12 months after the end of their employment to defend against legal claims;
  • Records relating to the right to work in the UK are retained for two years after the end of employment as this is a statutory requirement;
  • Information relating to the payment of salary, bonuses and commission is kept for seven years following the end of employment, unless required for funding purposes in which case they are kept for the duration of the reporting period and/or funding requirements;
  • Health and safety incidents are kept for five years to meet statutory requirements and defend against legal claims.

What data is held by Breaking Barriers

We collect and process a range of information. This includes:

  • Name, address, and contact details, including work and private email addresses and telephone number, date of birth and gender;
  • The terms and conditions of employment;
  • Details of staff member and applicants’ qualifications, skills, experience, training and employment history, including start and end dates with previous employers and with Breaking Barriers;
  • Information about remuneration, including entitlement to any benefits such as pensions;
  • Details of any salary sacrifice arrangements, such as pension schemes;
  • Details of bank accounts and national insurance numbers;
  • Information about staff members’ marital status, next of kin, dependents, and emergency contacts;
  • Bank details (sort code and account numbers)
  • Information related to maternity, paternity, adoption, shared parental leave and parental leave entitlements;
  • Information about nationality and entitlement to work in the UK;
  • Information about criminal records;
  • Details of working patterns (days of work and working hours) and attendance at work;
  • Details of periods of leave taken, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;
  • Details of any disciplinary or grievance procedures, including any warnings issued and related correspondence;
  • Assessments of performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence;
  • Information about training completed by staff members while at Breaking Barriers;
  • Information about medical or health conditions, including any disabilities which require reasonable adjustments;
  • Information about expenses claimed;
  • Equal opportunities monitoring information, including information about age, ethnic origin, sexual orientation, health and religion or belief.

When Breaking Barriers shares data with others

We share HR data with some third parties for legal reasons, or to meet our obligations under staff contracts. The third parties who may have access to HR data are:

  • HMRC and other government bodies
  • Our payroll provider
  • Our accountants
  • Our auditors
  • Our bank
  • Our pension provider
  • Donors and funders

Special Categories of Personal Data and Criminal Records Data

We only process and retain special categories of personal data where this is necessary for the purposes of performing or exercising employment law obligations or rights. For example, we may retain information about a disability for the purpose of making reasonable adjustments.

Where we want to use sensitive personal data for equality monitoring purposes we will ask for consent.

Responsibilities of staff members

Breaking Barriers’ staff members are responsible for helping us keep personal data up to date. They should let us know if data provided has changed, for example if staff members move house or change bank details.

Staff members may have access to the personal data of other individuals in the course of their employment or other engagement with Breaking Barriers. Where this is the case, we rely on staff to help us meet our data protection obligations by keeping data secure, for example by complying with rules on computer access, password protection, and secure file storage and destruction;

Staff members with access to personal data have certain responsibilities:

  • Read the HR Data Protection and Security Policy and keep it to hand;
  • Access only the data that they have authority to access and only for authorised purposes;
  • Do not disclose data except to individuals (whether inside or outside the organisation) who have appropriate authorisation;
  • Use a suitable computer password, in line with our strong password policy;
  • Perform multi-factor authentication procedures;
  • Change passwords regularly;
  • Do not use a password that has been used on any home computer or system;
  • Be mindful when working on personal data, ensuring that work is not overlooked and that computer screens or paperwork is not left unattended;
  • Mark all emails that contain personal data ‘confidential’;
  • Ensure that computer screens are always locked when unattended;
  • Keep to the clean desk policy;
  • Be mindful when making telephone calls, ensuring that confidential conversations cannot be overheard;
  • Keep personal data in a locked drawer or filing cabinet;
  • Stand by the printer when printing out personal data;
  • Do not remove personal data from the organisation’s premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device;
  • Do not save copies of personal data or store personal data except on designated drives and servers;
  • Ensure personal data is shredded and disposed of securely when no longer required;
  • Be vigilant about data.

Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with under the disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing employee or customer data without authorisation or a legitimate reason to do so, may constitute Gross Misconduct and could lead to dismissal without notice.

3: Fundraising

The below is based on a review of the Institute of Fundraising GDPR Spotlight on Fundraising, which was agreed with the Information Commissioner’s Office.

Sources of personal data relevant to Fundraising team’s work

  • Email addresses with contact name
  • Direct line phone numbers / mobile numbers
  • Correspondent’s name / Trustee’s name
  • Business dealings of Trustees / settlors
  • Philanthropic activities and interests of Trustees / settlors
  • Contacts with individuals for Trust fundraising purposes, stored on the database

The basis for fundraising

  • Consent: We will operate under this basis where explicit consent is given by the individual
  • Contract: We will operate under this basis where there is an explicit contract with a donor
  • Legitimate interest: The great majority of our work will be done on the basis of having a legitimate interest.

Basis of legitimate interest consideration

  • When using legitimate interest as the basis for our work, we only use post, phone calls, or emails to the funder’s stated email address.
  • The principle legitimate interest we rely on is our interest in funding the work of Breaking Barriers to enable us to fulfil our charitable objects. Connected to that, Breaking Barriers’ service users also have a legitimate interest in receiving Breaking Barriers’ services, which are funded through fundraising activities.
  • We have a legitimate interest in the kind of funders that have funded our work. These funders are those with an interest in funding services and related research in the fields of: refugees, disadvantaged groups, employment support, education, relief of poverty, vulnerable persons/groups; and those with very broad funding aims who fund charitable work either nationally or in specific local areas (such as Community Foundations). We also have a legitimate interest in identifying funders that fall into the above category. Evidence that funders do fund this work would not only include stated interests, it would include that they have funded charities delivering related work (e.g. refugee/employment support services).
  • This is the overall basis on which we work. However, we will also review other legitimate interests regarding individuals, trusts and foundations and corporate donors (recording alternative bases for legitimate interest against their database record).

Sources we use

  • We use a full range of standard sources for fundraising, including: Trust databases, Trust directories, Trust websites, Charity Commission records and our existing records.
  • In instances where the information provided is not clear enough to enable an effective approach, we may look more broadly again, undertaking an online search on the funder and the philanthropic behaviour of the individuals connected to it and asking both people connected to us and other recipients of donations for further information.
  • We may also make phone calls for research purposes prior to submitting proposals or applications, ensuring the telephone number is not listed on the TPS.

How we use the sources

We use these sources to identify:

  • The interests of the funder
  • Potential size and timing of any gift
  • The best way to engage and approach them
  • Stewardship requirements including reporting requirements

The research needs listed are those that determine whether we get funding now and in the future. To meet these needs, it is necessary to use the sources and techniques mentioned. It is often necessary to conduct in depth research to gain sufficient information to make use of the potential funding opportunity. We will do the above in a way that enables the efficient raising of money from funders.

Balancing of Breaking Barriers’ and Funder’s interests

The interests of the individuals covered by the data include:

  • Right not to be pestered/ receive “excessive” communication
  • Right to a level of privacy
  • Right to keep control of their personal information

Our usages meet our legitimate interests without unduly infringing the following rights of current and potential funders:

Right not to be pestered / receive “excessive” communication

  • By understanding a funder better we can present the most appropriate funding opportunities and report on these to a high standard.
  • We will make our approaches in good faith and as efficiently as possible. This will avoid any imposition on the individuals, trusts and foundations and companies concerned, beyond what is required to fund the work and help them perform their duties. As such, the level of imposition will be very limited as compared to the financial benefit to Breaking Barriers and the benefit to service users receiving assistance that is funded by the funder.

Right to keep control of their personal information

Breaking Barriers has a privacy policy that enables control of personal information. It includes:

  • The right to change contact preferences or see the information we hold on them.
  • That we will maintain a suppression list for individuals (including individuals at trusts and foundations and companies) that do not wish to be contacted – though we reserve the right to contact them for relevant administrative purposes.
  • The majority of the personal information we obtain is in the public domain.

Right to a level of privacy

This is covered by the same points given above.

New Funders

Newly formed Trusts, Foundations and companies have less information available because they have not formed policies or submitted accounts.

We will need to provide them more information on our work to identify whether they would be suitable for an approach. Also, they will benefit from seeing projects and arguments in favour of their stated interests.

Deletion of old data

We do not foresee that we will need to delete in bulk the individual data regarding individuals who left Trusts, Foundations or companies. This is because the infringement of their rights is zero or negligible from any mistaken use of their data. The usages of such data might be:

  • Approaching the funder via those contact details, in which case that might be a matter for the funder but of zero interest to the individual formerly involved.
  • Considering the individual in the context of the history of the funder. This would have negligible impact on the individual.
  • Considering the circumstances / interests of the individual when planning an approach. In that case, the first thing we would do is to check whether the individual is still at the funder.

4: General

The below outlines the aspects of Breaking Barriers’ Data Protection Policy that are relevant across all forms of data.

The data protection policy will be reviewed annually, following internal changes to data collection, storage or use methods, or prior to any changes in UK Data Protection Regulations. An updated policy will be added to our website, and any significant changes will be communicated to the affected parties at the earliest possible date.

Data security and Responsibilities

Breaking Barriers takes the security of personal data seriously. We have internal policies and controls in place to protect personal data against loss, accidental destruction, misuse, or disclosure, and to ensure that data is not accessed, except by employees or trained volunteers in the proper performance of their duties.

Everyone who works for or with Breaking Barriers has some responsibility for ensuring that data is collected, stored, and handled appropriately. In terms of personal data:

  • The Board of Trustees is ultimately responsible for ensuring that Breaking Barriers meets its legal obligations;
  • Matthew Powell, the CEO, is responsible for ensuring appropriate policies are in place; dealing with questions and queries on personal data; and checking and approving any contracts or agreements with third parties that may handle personal data.

The Data Protection Officer, is responsible for handling subject access requests; ensuring that Breaking Barriers is not only capable of meeting the Subject Access Request within the 1-month time window, but also to ensure that all of the relevant personal data requested is provided to the individual and the data is presented in a clear, understandable way that meets the individuals needs.

Technical Security Measures

  • There is a strong password policy and multi-factor authentication
  • There is restricted user access on systems containing personal data and permission-based access to files;
  • Only server administrators and outsourced IT providers can set up new IT services or electronic storage areas for personal data;
  • Security is reviewed internally once every six months and improvements made as required;
  • Servers are built and configured in accordance with standard server build instructions;
  • Anti-virus software is kept-up-to-date and regular scans are performed by outsourced IT providers

Organisational Security Measures

  • Colleagues are alerted to the dangers of scam emails and attempts to gain access to our systems via team meetings;
  • There is a clean desk policy;
  • There is a shredding policy for documents that are no longer needed;
  • There is a process for dealing with starters and leavers;
  • All employees are asked to sign Confidentiality Agreements;
  • All employees and other parties working with personal data are made aware of their responsibilities under the UK GDPR and this policy;
  • There are processes in place to deal with issues that could lead to data being exposed, such as lost equipment, hacking, viruses or passwords becoming known;
  • When we engage third parties to process personal data on our behalf, such parties do so on the basis of formal instructions or under an on-going contract, are under a duty of confidentiality, and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

Individuals’ rights

The legal basis for processing personal data is consent, where provided, and otherwise our legitimate interest. Data subjects have a number of rights in relation to their personal data.

Subject access requests

Individuals have the right to make a subject access request. If an individual makes a subject access request, we will tell them:

  • Whether or not their data is processed and if so why, the categories of personal data concerned and the source of the data, if it is not collected from the individual
  • To whom data is, or may be, disclosed to, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
  • For how long personal data is stored (or how that period is decided)
  • Their right to have data corrected or erased, or to restrict or object to processing;
  • Their right to complain to the Information Commissioner if they think we have failed to comply with data protection rights
  • Whether or not we carry out automated decision-making and the logic involved in any such decision-making

We will also provide a copy of the personal data undergoing processing.

To make a subject access request, the request should be sent to Breaking Barriers’ Data Protection Officer.

A request will normally be responded to within a period of one month from the date it is received. If we need more time, we will write within one month of receiving the original request to let the subject know.

If a subject access request is manifestly unfounded or excessive, we are not obliged to comply with it. Alternatively, we can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which we have already responded. If a request is submitted that is unfounded or excessive, we will notify the subject that this is the case and let them know whether or not we will respond.

The right to be forgotten

All individuals have the right to be forgotten, that is, to have personal data erased and to prevent the processing of data where:

  • The data is no longer required for the purpose for which it was originally collected or processed
  • The individual withdraws their consent
  • The individual’s interests override our legitimate grounds for processing data (where we are relying on our legitimate interests as a reason for processing data)
  • Data is being processed in breach of the UK General Data Protection Regulation (GDPR)

Other rights

Individuals have a number of other rights in relation to their personal data. They can require the Charity to:

  • Rectify inaccurate data
  • Stop processing data if their interests override our legitimate grounds for processing data (where we are relying on our legitimate interests as a reason for processing data)
  • Stop processing or erase data if processing is unlawful
  • Stop processing data for a period if data is inaccurate or if there is a dispute about whether their interests override the Charity’s legitimate grounds for processing data

To ask Breaking Barriers to take any of these steps, a request should be sent to Louise Thomson at [email protected] and Anna Simons at [email protected] for Programme data, and Matthew Powell at [email protected] for HR or Fundraising related data.

We will publish on our website any changes made to this data protection statement and notify data subjects by other communication channels where appropriate.

Data Disposal

When data retention periods have expired or if a data subject exercises their right to have their personal data erased, this data will be deleted, destroyed or otherwise disposed of as follows:

  • Personal data stored electronically, including all and any backups, will be deleted.
  • Personal data stored in hard copy will be shredded.

Data breaches

If we find that there has been a breach which poses a risk to the rights and freedoms of data subjects, we will report this to the Information Commissioner within 72 hours of discovery. We will record all data breaches regardless of their effect.

If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will tell affected individuals that there has been a breach, and provide them with information about its likely consequences and the mitigation measures we has taken.

If an individual suspects that a data breach has occurred they should immediately notify  the Data Protection Officer.

International data transfers

Breaking Barriers uses SharePoint is committed to compliance with the UK General Data Protection Regulations.

Other than the above, Breaking Barriers does not transfer personal data outside the EEA.


Breaking Barriers provides information to all staff and volunteers about their data protection responsibilities as part of the induction process and refreshers when necessary.

Those whose roles require regular access to personal data, or who are responsible for implementing this policy, or responding to subject access requests under this policy, receive additional training to help them understand their duties and how to comply with them.

Questions and further statutory information

The controller for personal data is Breaking Barriers. Breaking Barriers’ Data Protection Officer, is responsible for monitoring compliance with relevant legislation in relation to the protection of personal data.

Please contact us if there any concerns or questions about the above information. Where specific requests relating to how we manage data are concerned, we will endeavor to resolve them, but please note that there may be circumstances where we cannot comply with specific requests.

When an individual opts out of all future communications, or exercises their right to erasure, we will continue to maintain a core set of personal data (name, date of birth, organisation, country of origin) to ensure we do not inadvertently contact the same individual in the future, while still maintaining our record of their involvement with a Breaking Barriers’ programme. We may also need to retain some immigration records for statutory purposes (e.g. donor reporting).

Breaking Barriers’ Data Protection Officer is Matt Powell and he can be contacted at [email protected]

[1] Some clients on Employment Academy placements with a Breaking Barriers’ corporate partner are paid for the duration of their placement by Breaking Barriers. Breaking Barriers stores additional data for these clients, which are covered in the Section 2 – Human Resources.

[2] All work IT and software is protected by secure passwords, consisting of at least 1 capital and 1 number and multi-factor authentication. Passwords will not include words that are obviously related to the charity. All staff IT has been equipped with data security and virus protection software.

[3] Analysed data shared externally will be anonymous and not include personal identifiers