Bountiful Bridges
Governance Document

Data Protection Policy

Version: 1.0
Approved: January 2026
Next review: January 2027
Owner: Designated Policy Lead

1. Policy Statement

Bountiful Bridges is committed to protecting the privacy, confidentiality, integrity, and security of personal information entrusted to us.

We recognise our responsibility to process personal data fairly, lawfully, transparently, and securely in accordance with:
  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)
  • Relevant safeguarding legislation
  • Charity governance best practice

This policy applies to all staff, volunteers, trustees, contractors, consultants, and anyone acting on behalf of Bountiful Bridges.

2. Purpose of the Policy

The purpose of this policy is to:

  • Protect personal information held by Bountiful Bridges
  • Ensure compliance with data protection legislation
  • Establish clear responsibilities for handling data
  • Minimise risks associated with data breaches
  • Promote public confidence in our organisation
  • Support safeguarding and legal obligations

3. Information We Collect

This policy applies to:

  • Electronic records
  • Paper records
  • Email communications
  • Online systems
  • Databases
  • Cloud-based services
  • Mobile devices
  • Photographs and video recordings
  • Volunteer records
  • Staff records
  • Service user information
  • Donor information

The policy applies whether information is stored on-site, remotely, or through authorised third-party systems.

4. Data Protection Principles

Bountiful Bridges will comply with the following UK GDPR principles.

Personal data shall be:

Lawfulness, Fairness and Transparency

Processed lawfully, fairly, and transparently.

Purpose Limitation

Collected only for specified, legitimate purposes.

Data Minimisation

Limited to what is necessary.

Accuracy

Kept accurate and up to date.

Storage Limitation

Retained only as long as necessary.

Integrity and Confidentiality

Protected through appropriate security measures.

Accountability

Managed in a way that demonstrates compliance.

5. Types of Information Processed

Bountiful Bridges may process:

Personal Data

  • Names
  • Addresses
  • Email addresses
  • Telephone numbers
  • Dates of birth
  • Emergency contacts

Volunteer Information

  • Applications
  • References
  • DBS information
  • Training records
  • Attendance records

Staff Information

  • Employment records
  • Payroll information
  • Performance records
  • Training records

Service User Information

  • Programme registrations
  • Attendance records
  • Community support applications
  • Feedback forms

Donor Information

  • Contact details
  • Donation records
  • Gift Aid information

6. Special Category Data

In certain circumstances, Bountiful Bridges may process sensitive information including:

  • Health information
  • Disability information
  • Ethnicity information
  • Religious information where relevant to programme delivery
  • Safeguarding information

Special category data will only be processed where a lawful basis exists and appropriate safeguards are in place.

7. Lawful Basis for Processing

Bountiful Bridges processes data under one or more of the following legal bases:

Consent

Where individuals have given clear permission.

Contract

Where processing is necessary to fulfil an agreement.

Legal Obligation

Where required by law.

Vital Interests

To protect someone’s life or safety.

Public Task

For community and charitable activities.

Legitimate Interests

Where processing is necessary for organisational operations and does not override individual rights.

8. Data Collection

Personal information will only be collected where:

  • Necessary for a legitimate purpose
  • Relevant to services being provided
  • Collected fairly and transparently
  • Supported by an appropriate legal basis

Individuals will be informed about:

  • Why information is collected
  • How it will be used
  • Who may receive it
  • How long it will be retained
  • Their rights under data protection law

9. Data Security

Bountiful Bridges will implement appropriate security measures including:

Physical Security

  • Locked filing cabinets
  • Restricted office access
  • Secure storage facilities

Electronic Security

  • Password protection
  • Multi-factor authentication where available
  • Anti-virus software
  • Firewalls
  • Secure backups
  • Encrypted systems where appropriate

Organisational Security

  • Staff training
  • Volunteer training
  • Confidentiality agreements
  • Access controls
  • Regular reviews of permissions

10. Access to Information

Access to personal information will be restricted to authorised individuals who require the information for legitimate organisational purposes.

Access rights will be:
  • Role-based
  • Regularly reviewed
  • Removed promptly when no longer required

11. Data Sharing

Personal information will only be shared where:

  • Consent has been obtained
  • There is a legal obligation
  • Safeguarding concerns require disclosure
  • It is necessary for service delivery
  • A legitimate organisational purpose exists

Any sharing will be limited to the minimum information required.

12. Third-Party Processors

Where third-party providers process information on behalf of Bountiful Bridges, we will ensure:

  • Appropriate contracts are in place
  • Security standards are maintained
  • Data protection requirements are met
  • Processing is lawful and secure

Examples include:

  • Website hosting providers
  • Cloud storage providers
  • Email systems
  • Payment processors
  • CRM systems

13. Data Retention

Personal information will be retained only as long as necessary.

Retention periods will consider:
  • Legal requirements
  • Safeguarding requirements
  • Funding requirements
  • Operational requirements

At the end of the retention period, data will be securely deleted, destroyed, or anonymised.

14. Subject Access Requests

Individuals have the right to request access to information held about them.

Requests should be submitted in writing to: hello@bountifulbridges.org

Bountiful Bridges will respond within the timeframe required by applicable data protection legislation.

15. Individual Rights

Individuals have the right to:

  • Access their information
  • Correct inaccurate information
  • Request deletion of information
  • Restrict processing
  • Object to processing
  • Withdraw consent
  • Request data portability
  • Complain to the Information Commissioner’s Office (ICO)

16. Data Breaches

A data breach includes:

  • Loss of personal data
  • Unauthorised disclosure
  • Unauthorised access
  • Accidental destruction
  • Theft of information

Any suspected breach must be reported immediately to organisational leadership.

Where required, breaches will be reported to:
  • The Information Commissioner’s Office (ICO)
  • Relevant safeguarding authorities
  • Affected individuals

A breach register will be maintained.

17. Photographs and Video Recordings

Photographs and recordings may be used for:

  • Programme promotion
  • Fundraising activities
  • Social media
  • Website content
  • Annual reports

Appropriate consent will be obtained where required.

Special care will be taken when children and vulnerable adults are involved.

Policy approved by: Board of Trustees, January 2026
Next review due: January 2027, or earlier if required

18. Safeguarding Information

Safeguarding records require enhanced protection.

Such records shall:
  • Be securely stored
  • Be accessible only to authorised safeguarding personnel
  • Be shared only where necessary
  • Be retained according to safeguarding requirements

Safeguarding responsibilities may override confidentiality where there is risk of harm.

19. Staff and Volunteer Responsibilities

All staff and volunteers must:

  • Protect personal information
  • Follow organisational procedures
  • Maintain confidentiality
  • Report data breaches immediately
  • Attend required training
  • Use organisational systems responsibly

Failure to comply may result in disciplinary action.

20. Training and Awareness

Bountiful Bridges will provide:

  • Data protection induction training
  • Refresher training
  • Policy updates
  • Guidance on handling personal information

Training records will be maintained.

21. Monitoring and Compliance

Compliance with this policy will be monitored through:

  • Internal reviews
  • Data audits
  • Incident reporting
  • Security assessments
  • Policy reviews

Corrective action will be taken where required.

22. Policy Review

This policy will be reviewed:

  • Annually
  • Following significant legislative changes
  • Following a serious data breach
  • Following significant organisational changes

23. Contact Information

For questions regarding this policy, please contact:

Bountiful Bridges, Mountjoy Street, Newport, NP20 2FA, United Kingdom

Email: hello@bountifulbridges.org

24. Approval

This Data Protection Policy has been approved by the leadership of Bountiful Bridges and applies to all activities, services, staff, volunteers, and representatives of the organisation.