Data Protection Policy

DATA PROTECTION STATEMENT

Creative Alternatives is a programme commissioned by St.Helens Council and delivered by Alef Trust. As the Data Controller for Creative Alternatives, Alef Trust takes full responsibility for privacy and the protection of your data. We will only use your personal information to maintain communications, to complete the process of programme referral and to maintain your involvement as a client on Creative Alternatives.

Alef Trust deals with all personal information provided in a responsible manner that respects personal privacy and is in full compliance with the Data Protection Act 2018 (DPA) and the new General Data Protection Regulation (GDPR). Although the DPA/GDPR are UK and EU regulations, Alef Trust applies the same high standards for the protection of your privacy and personal information, regardless of where you are located. Additional information on the Alef Trust Privacy, Data Protection and other policies can be found by visiting our Privacy & Data Protection page. If you have any questions about how Alef Trust collects or uses your personal information, the Alef Trust Data Protection Officer (DPO) can be contacted in writing via the mailing address located on our Contact Page, or directly by emailing [email protected].

CONTENTS

  1. General Statement of Alef Trust’s Duties and Scope
  2. Definitions
  3. Accessibility of this document
  4. Data Protection Controller and Data Protection Officer
  5. The Principles
  6. Personal Data
  7. Data Security
  8. Rights of the Data Subject
  9. Processing of Personal Data
  10. Sensitive Personal Data
  11. Rights of Access to Information (Subject Access Request or ‘SAR’)
  12. Exemptions
  13. Accuracy
  14. Enforcement
  15. External Processors and Controllers
  16. Secure Destruction
  17. Retention of Data

DATA PROTECTION POLICY

1. General Statement of Alef Trust’s Duties and Scope

Alef Trust is required to process relevant personal data regarding members of staff and clients and shall take all reasonable steps to do so in accordance with this policy. Alef Trust does not buy or sell personal data.

2. Definitions

  • “Clients” are all persons inducted with Creative Alternatives & Alef Trust.
  • “All Staff” is all staff or employees of Alef Trust, including those on temporary or part time contracts and volunteers.
  • “Data Subject”, is a living natural individual who is the subject of the personal data.

3. Accessibility of this document

This policy is written using clear and plain language and is considered as age appropriate (Age 13 and above) for the accessibility of all data subjects of Alef Trust.

4. Data Protection Controller and Data Protection Officer

Alef Trust has appointed our Programme Coordinator as Data Protection Officer (DPO) who will endeavour to ensure that all personal data is processed in compliance with this Policy and the Principles of current Data Protection Legislation, currently the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). The Protection of Freedoms Act 2012 is also relevant to parts of this policy.

5. The Principles

Alef Trust shall comply with the Data Protection principles contained in the legislation to ensure all data is:

  • Fairly and lawfully processed in a transparent manner.
  • Processed for a legitimate purpose.
  • Adequate, relevant and not excessive.
  • Accurate and up to date.
  • Not kept for longer than necessary.
  • Processed in accordance with the data subject’s rights.
  • Processed securely.

6. Personal Data

Personal data covers both facts and opinions about an individual where that data identifies an individual. For example, it includes information necessary for client induction such as the client’s name and address. Personal data may also include sensitive personal data as defined in the legislation.

7. Data Security

Alef Trust will take appropriate technical and organisational steps to ensure the security of personal data. All staff will be made aware of this policy and their duties under the legislation.

Alef Trust and therefore all staff and clients are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are taken against unlawful or unauthorised processing of personal data and against the accidental loss of, or damage to all personal data. Violations of this policy by staff may be treated as misconduct or gross misconduct.

An appropriate level of data security must be deployed for the type of data and the data processing being performed. In most cases, personal data must be stored in appropriate systems and should be password protected when transported or saved on personal computers or portable devices such as cell phones or tablets.

8. Rights of the Data Subject

GDPR expands the rights of the data subject over previous legislation, specifically data subjects have:

  1. The right to be informed.
  2. The right of access.
  3. The right to rectification.
  4. The right to erasure.
  5. The right to restrict processing.
  6. The right to data portability.
  7. The right to object.
  8. Rights in relation to automated decision making and profiling.

This policy and the published Privacy Statement are part of these rights. If you wish to exercise any of these rights, with the exception of the right to access, please contact the Alef Trust Data Protection Officer using the form at the bottom of this page. Information on the right of access and how to exercise that are specifically detailed in this policy.

Not all rights are applicable to all personal data, and may depend on the lawful basis that personal data is being processed under.

9. Processing of Personal Data

Alef Trust maintains a Privacy Statement which details personal information processed and the legal basis for processing that data. The current version can be viewed at https://www.creativealternatives.org.uk/privacy-statement/

10. Sensitive Personal Data

In order to deliver Creative Alternatives, Alef Trust is required to process sensitive personal data. Sensitive personal data that Alef Trust may handle includes data relating to medical information, gender, religion, and race.

11. Rights of Access to Information (Subject Access Request or ‘SAR’)

Data subjects have the right of access to their Personal data held by Alef Trust, subject to the provisions of current Data Protection legislation. Any data subject wishing to access their personal data should put their request in writing or through email to the Alef Trust DPO. Alef Trust will endeavour to respond to any such written or emailed requests as soon as is reasonably practicable and, in any event, within one month for access to personal data and 21 days to provide a reply to a Subject Access Request. The information will be made available to the data subject as soon as is reasonably possible after it has come to Alef Trust’s attention and in compliance with the relevant legislation. Proof of identity is required before any information will be made available.

Only the DPO may accept or respond to a Subject Access Request. Any other staff receiving such a request MUST immediately pass it to the DPO for processing or refer the person making the request to the DPO. Subject Access Requests can be submitted in writing via the mailing address located on our Contact Page, directly by emailing [email protected] or by completing the Subject Access Request form.

12. Exemptions

Certain personal data or obligations are exempted from some of the provisions of the Data Protection legislation which includes matters such as processing for National Security and Public Security, the prevention or detection and prosecution of criminal offences. The above are examples only of some of the exemptions under the legislation. Any further information on exemptions should be sought from the DPO.

13. Accuracy

Alef Trust will endeavour to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify Alef Trust of any changes to information held about them.

14. Enforcement

If an individual believes that Alef Trust has not complied with this policy or acted otherwise than in accordance with data protection legislation, the data subject or staff member should notify the DPO.

15. External Processors and Controllers

Alef Trust must ensure that data processed by external processors, for example cloud services and web sites are compliant with this policy and the relevant legislation. All external processors and controllers must be listed in the data processing register maintained by the DPO.

16. Secure Destruction

When data held in accordance with this policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction.

17. Retention of Data

Subject to any other notices that we may provide to you, Alef Trust may retain your personal data for a period of 18 months after your association with us has come to an end.