Purpose

The purpose of this policy is to set out Choose2 Youths commitment and procedures for protecting personal data. The Directors regard the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal with.
Choose2 Youth needs to process information about employees, organisations and individuals who use our services. When we process information, we need to keep to the terms of the Data Protection Act 1998 and the General Data Protection Regulation (GDPR EU 2016/679). In particular, we need to make sure that we process information in line with eight principles of data protection described in the Act.

The Data Protection Act sets limits on the way we collect, store and use information.
The Act controls how:
• We file information
• How we access information
• How we pass information on to other organisations and individuals;
• How and when we destroy information we are storing.
• The Act says that people have a right to access any information that we hold about them. This includes employees, Choose2 Youth members and people who use our services.
• The Act says that we have to respond to requests for access to information within 30 calendar days.
• The Act says that organisations that process information need to register with the Information Commissioner’s Office. There are exceptions to this rule for some not-for-profit organisations. Under these exceptions, Choose2 Youth does not have to register with the Information Commissioner.

The eight principles of data protection

• The Data Protection Act states that anyone who processes personal information must comply with eight principles. These state that information must be:
• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with individuals' rights
• Secure
• Not transferred to other countries without adequate protection

Responsibilities
Choose2 Youth will be acting as both the:
“Data Controller” a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed.

“Data Processor” in relation to personal data, any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Choose2 Youth will:
• Comply with both the law and good practice
• Protect the right of individual’s privacy when processing personal information.
• Take appropriate measures to make sure that the data we hold
is stored securely, archived and destroyed in line with the policy and law.
• Provide ongoing training and support to staff and volunteers. All staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they handle in the course of their work. All staff will be required to show acceptance of their responsibilities to data protection by signing an additional clause in their contract. All staff are required to share any breaches with the Privacy Lead. Any breaches of security will be dealt with through the disciplinary process.
• Notify the Information Commissioner voluntarily, even if this is not required.
The Directors have overall responsibility for ensuring that the organisation complies with its legal responsibilities.
Security of data

All data is treated with the strictest importance and breaches of security will be dealt with by disciplinary procedures.
• Passwords are needed to access ICT
• Password protection for all EHCP and Core assessments
• Data log of all data coming into and out of the organisation.

Data storage and recording

• Regular checks and data reviews will take place in any review meeting to ensure accuracy of information held. 
• Young person’s data will be held for 3 years
• All inactive data will be destroyed after 3 years
• All data is kept in locked cabinets in Directors office
• Electronic data is stored in secure system
• All staff data will be kept for the duration of their employment and the destroyed after 1 year.

Transparency

Data subjects are aware that their data is being processed and for what purpose it is being processed. They will also be made aware of what types of disclosure are likely, and how to exercise their rights in relation to the data.

Parents and young people will be made aware in their welcome letters and application packs. Staff will be made aware in their induction pack. Information can also be found on the web page. Our Privacy lead will take responsibility for transparency in relation to the different types of data subject.

Right to access
Employees, members, and people who use our services have the right to access personal information Choose2 Youth holds about them, whether in electronic or paper form.

People who want to access information held about them should contact the Privacy Lead in writing. Where an individual is not known to us the Privacy Lead will be required to check their identity before handing over any information. Request may be subject to a £30 administration fee.

Lawful Basis

• All data held by Choose2 Youth is for the purpose of providing the best support possible for young people and staff.
• To be able to keep people safe when in our care. 
• If consent is not given to hold the data we need to keep you safe we will not be able to work with you or employ you. 
• No data is used for commercial purposes.

For further information on data protection please go to visit the ICO website
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Website Appendix

by Choose2 web team

What data is exchanged?

This website uses WordPress software & drops a cookie, 24hour duration to keep logged in users (website admins) logged in from one click to another. Unfortunately it drops that same cookie on public visitors, in case we have any functions enabled that would use that cookie (we don't). The Cookie data isn't looked at or used for any purpose whatsoever & expires after 24 hours anyway.

If users request a password reset for the admin functions on this website the requesting IP address will be included in the email

We don't share website visitor data with anyone

end of web appendix