This security policy explains how we store and process any personal data we collect about you.
How we store and process your online data
- The information we collect and process is stored in the UK.
- We use specialist suppliers to provide our data storage, web hosting & email services.
- Minimal data is held on desktops, tablets and mobile phones.
- We have reviewed the policies of our suppliers to ensure they are GDPR compliant.
- We have file backups in place and a procedure to regularly check that files can be restored.
How we store and process your offline data
- We limit hard copy collection and processing.
- Where possible paper copies are scanned into electronic format and stored online.
- Hard copy storage is kept in locked offices with all reasonable fire and theft protections in place.
- Paper files are shredded before disposal.
Where your data is stored
We regularly review where our offline and online data is held. We also track who has access to it. This is reviewed as part of our ongoing compliance procedures.
Who has access to your data?
Employees, suppliers and other trusted parties may be given access to personal data when this is required for carrying out work on your behalf (for example an IT technician or a sub-contractor to provide part or all of a service). When appropriate, employees and sub-contractors will be requested to sign a non-disclosure document and all users that have access to your data are expected to adhere to our policies.
Reviewing policies, procedures and staff training
We carry out a full-scale review and update of our data management procedures annually. Employee training is carried out at regular intervals throughout the year to ensure they understand how we use your data.
Personal data breach
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. In the event of a personal data breach, we will alert you and carry out an immediate investigation. This includes shutting down any further electronic access and investigating how the breach occurred and what data has been accessed. We will carry out repairs and/or restoration of services as soon as possible. If it is deemed appropriate, the Information Commissioner’s Office will be contacted within 72 hours to report the breach.
Data Protection Impact Assessments (DPIA)
We have an ongoing review process to assess the necessity, proportionality, security and compliance measures we have in place. If we are planning to use your personal data in a new way, we will carry out a data protection impact assessment before we start. This helps us to identify and minimise any risks to your data before a project starts.
If you are unhappy about any aspect of us holding your personal data or how it is stored, contact us straight away. We prefer communication to be made in writing so that we have a record of our correspondence.
Please see https://ico.org.uk for further information on your data protection rights as an individual.
Changes to our security policy
We keep our security policy under regular review and we will place any updates on this page. This security policy was last updated on 13/05/2018.
How to contact us
If you have any questions about our retention policy, please contact:
Mike Newton, Data Co-ordinator
Telephone: 024 7667 3745
Post: St Andrew’s House, 19 St Andrew’s Road, Earlsdon, Coventry, CV5 6FP.
Registered Charity No 214293 | Founded 1956