Insulin Dependent Diabetes Trust Data Protection and Privacy Policy

This policy is designed to set out the aims, objectives and responsibilities of the organisation. It is designed to be read in conjunction with the Charity’s Data Protection and Privacy Statement. It has been produced according to the principles and framework laid out in the Data Protection Act 1998. These eight principles relate to:

  1. fair and lawful processing
  2. purposes for holding data
  3. status of data
  4. accuracy of data
  5. retention and disposal of data
  6. rights of data subjects
  7. disclosure of data
  8. transfer of data

The purpose of this policy is to enable the Charity to:

  • Comply with our legal, regulatory and corporate governance obligations and good practice.
  • Gather information as part of investigations by regulatory bodies or in connection with legal proceedings or requests.
  • Ensure charity policies are adhered to (such as policies covering email and internet use).
  • Fulfill operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting and checking.
  • Investigate complaints.
  • Check references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments.
  • Monitor staff conduct and disciplinary matters.
  • Market our business.
  • Improve services.

This policy applies to all employees of the Charity and applies to information relating to identifiable individuals e.g. staff, applicants, former staff, clients, suppliers and other third-party contacts.

The Company has identified the following potential key risks, which this policy is designed to address:

  • Breach of confidentiality (information being given out inappropriately).
  • Insufficient clarity about the range of uses to which data will be put — leading to Data Subjects being insufficiently informed
  • Failure to offer choice about data use when appropriate
  • Breach of security by allowing unauthorised access.
  • Failure to establish efficient systems of managing changes, leading to personal data being not up to date.
  • Harm to individuals if personal data is not up to date
  • Insufficient clarity about the way personal data is being used e.g. given out to general public.
  • Failure to offer choices about use of contact details for staff, clients, workers or employees.

The person responsible for Data Protection is currently Martin Hirst (CEO) with the following responsibilities:

  • Briefing the board on Data Protection responsibilities
  • Reviewing Data Protection and related policies
  • Advising other staff on Data Protection issues
  • Ensuring that Data Protection induction and training takes place
  • Notification
  • Handling subject access requests
  • Approving unusual or controversial disclosures of personal data
  • Approving contracts with Data Processors
  • Ensuring Data is stored securely
  • Maintain a Data Audit and keep this up to date
  • Reporting breaches to the Information Commissioners Office and the relevant Data Subject(s)

Significant breaches of this policy will be handled under the Company’s disciplinary procedures which may amount to gross misconduct.

What information we collect
We collect data you provide to us. This includes information you give when joining or registering, placing an order or communicating with us. For example:

  • personal details (name, email, address, telephone etc.) when you join as a member
  • financial information (payment information such as credit/debit card or direct debit details and whether donations are gift-aided.

Your activities and involvement with IDDT will result in personal data being created. This could include details of how you’ve helped us by volunteering or being involved with our campaigns and activities.

We do not collect or store sensitive personal data. However, there are some situations where this is necessary (e.g. if you volunteer with us). If this does occur, we’ll take extra care to ensure your privacy rights are protected.

How we use information
We only ever use your personal data to:

  • enter into, or perform, a contract with you;
  • comply with a legal duty;
  • contact you with information of legitimate interest
  • protect your vital interests;
  • for our own (or a third party’s) lawful interests, provided your rights don’t override these.

We may use personal data to communicate with people, to promote IDDT and to help with fundraising. This includes keeping you up to date with our newsletters, updates, campaigns and fundraising information.
We also use personal data for administrative purposes.  This includes:

  • receiving donations (e.g. direct debits or gift-aid instructions);
  • maintaining databases of our volunteers, members and supporters;
  • performing our obligations under membership contracts;
  • fulfilling orders for goods or services (whether placed online, over the phone or in person); helping us respect your choices and preferences

Disclosing and sharing data
We will never sell your personal data.
We may share personal data with subcontractors or suppliers who provide us with services. For example, to deliver your quarterly newsletter(s).

How we protect data
We employ a variety of physical and technical measures to keep your data safe and to prevent unauthorised access to, or use or disclosure of your personal information.

Electronic data and databases are stored on secure computer systems and we control who has access to information (using both physical and electronic means).

We will only use and store information for so long as it is required for the purposes for which it was collected. How long information will be stored for depends on the information in question and for what it is to be used.

We continually review what information we hold and delete what is no longer required.

Subject Access Requests
Any subject access requests will be handled by the CEO. Subject access requests must be in writing.  All staff are required to pass on anything, which might be a subject access request to the CEO without delay.
The applicant will be given their data within 1 month unless there are complexities in the case which justify extending this to 2 months.  The applicant will be notified of any extensions to the deadline for response and the reasons as soon as possible.

IDDT have the right to refuse a subject access request where data is requested at unreasonable intervals, manifestly unfounded or excessive.  You will be notified of the reasons as soon as possible.

Where the individual making a subject access request is not personally known to the CEO their identity will be verified before handing over any information. The required information will be provided in a permanent and portable form unless the applicant makes a specific request to be given supervised access in person.

The applicant has the right to request the information we hold is rectified if it is inaccurate or incomplete.  You should contact the CEO and provide the details of any inaccurate or incomplete data.  We will then ensure that this is amended within one month.  We may, in complex cases, extend this period to two months. 

The applicant has the right to erasure in the form of deletion or removal of personal data where there is no compelling reason for its continued processing.  We have the right to refuse to erase data where this is necessary in the right of freedom of expression and information, to comply with a legal obligation for the performance of a public interest task, exercise of an official authority, for public health purposes in the public interest, for archiving purposes in the public interest, scientific research, historical research, statistical purposes or the exercise or defence of legal claims.  The applicant will be advised of the grounds of our refusal should any such request be refused.

Cookies and external links
Our website uses local storage (such as cookies) to provide you with the best possible experience and to allow you to make use of certain functionality (such as being able to shop online).

Our website contains hyperlinks to many other websites. We are not responsible for the content or functionality of any of those external websites (but please let us know if a link is not working).

If an external website requests personal information from you (e.g. in connection with an order for goods or services), the information you provide will not be covered by IDDT policies. We suggest you read the privacy policy of any website before providing any personal
information.

Complaints
You can complain to the IDDT directly by contacting us by writing to us at:
Independent Diabetes Trust, PO Box 294, Northampton, NN1 4XS,
by telephoning 01280 818964,
or e-mailing enquiries@iddtinternational.org

If you wish to make a complaint which does not directly relate to your data protection and privacy rights, you can do so in accordance with our charity’s complaints policy.

If you are not happy with our response, or you believe that your data protection or privacy rights have been infringed, you can complain to the UK Information Commissioner’s Office which regulates and enforces data protection law in the UK. Details of how to do this can be found at www.ico.org.uk

Implementation Date: 24-03-10
Reviewed: 25-03-11
Reviewed: 29-12-21
Annual Review Due: January

Insulin Dependent Diabetes Trust Data Protection and Privacy Statement

This statement is designed to supplement the aims, objectives and responsibilities of the organisation as outlined in the Charity’s Data Protection and Privacy Policy document.
We will:

  • Comply with both the law and good practice
  • Respect individuals’ rights
  • Be open and honest with individuals whose data is held
  • Provide training and support as necessary for staff who handle personal data, so that they can act confidently and consistently

We recognise that its first priority under the DPA is to avoid causing harm to individuals.  In the main this means:

  • Complying with your rights,
  • Keeping you informed about the data we hold, why we hold it and what we are doing with it,
  • Keeping information securely in the right hands, and
  • Holding good quality information.

We will not:

  • Sell your personal data, and will only ever share it with organisations we work with and where it is necessary.
  • Keep data longer than is necessary which will vary from according to the circumstances. 
  • Transfer data internationally, without explicit, prior permission.

In accordance with the principles of the DPA, the Charity aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. We will be open and transparent and we will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.  This includes the right to erasure where data is no longer necessary and the right to rectification where the data is incorrect. 

Keeping you in control
We want to ensure you remain in control of your personal data. Part of this is making sure you understand your legal rights, which are as follows:

  • The right to confirmation as to whether or not we have your personal data and, if we do, to obtain a copy of the personal information we hold (this is known as subject access request)
  • The right to have your data erased (though this will not apply where it is necessary for us to continue to use the data for a lawful reason).
  • The right to have inaccurate data rectified.

Complaints
You can complain to the IDDT directly by contacting us using the details set out in this document
IDDT will aim to ensure you remain informed and in control of your information. You can decide not to receive communications or change how we contact you at any time. If you wish to do so please contact us by writing to us at:
Independent Diabetes Trust, PO Box 294, Northampton, NN1 4XS,
by telephoning 01280 818964,
or e-mailing enquiries@iddtinternational.org

Implementation Date: 24-03-10
Reviewed: 25-03-11
Reviewed: 29-12-21
Annual Review Due: January