The Data Protection Act 1998 states:

“…. it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.”
The 1998 Act places a strong legal duty on the charity to comply with the Act.

To this end, the Charity has adopted the Policy as specified below.

Scope
An essential activity within the Charity is the requirement to gather and process information about service users, staff, children at our day nursery, parents and other individuals who have contact with the charity, in order to enable it to provide information, advice and guidance, learning, leisure, education, health and wellbeing and other associated functions.

In addition, there may be a legal requirement to collect and use information to ensure that the charity complies with its statutory obligations.


This will be done in accordance with the Data Protection Act 1998 and other related government legislation.


The Manor Farm Community Association registered charity – acting as custodians of personal data – recognise their moral duty to ensure that it is handled properly and confidentially at all times, irrespective of whether it is held on paper or by electronic means.


This covers the whole lifecycle, including:
• The obtaining of personal data;
• The storage and security of personal data;
• The use of personal data;
• The disposal/destruction of personal data.

The Charity also has a responsibility to ensure that data subjects have appropriate access upon written request – to details regarding personal information relating to them.

This Data Protection policy works in conjunction with:
Child Protection Policy
Safeguarding Policy
E-Safety Policy
Intimate Care
Policy
Whistleblowing Policy
Complaints Procedure
The Data Protection Act 1998

Objectives
By following and maintaining strict safeguards and controls, The Manor Farm Community Association registered charity:
• Acknowledge the rights of individuals to whom personal data relate, and ensure that these rights may be exercised in accordance with the Act;
• Ensure that both the collection and use of personal data are done in a way that recognises the Fair Processing Code, i.e. that personal data is obtained fairly and lawfully.
• Ensure Personal data will only be obtained and processed for the purposes specified in the Charity’s Notification, which should reflect our Charity’s objectives. The notification can be viewed at the Information Commissioner’s website here http://www.ico.org.uk/what_we_cover/register_of_data_controllers
• Collect and process personal data on a “need to know” basis, ensuring that they are fit for the purpose, are not excessive, and are disposed of at a time appropriate to their purpose.
• Ensure that adequate steps are taken to ensure the accuracy and currency of data;
• Ensure that for all personal data, appropriate security measures are taken – both technically and organisationally – to protect against damage, loss or abuse;
• Ensure that the movement of personal data is done in a lawful way – both inside and outside the organisation and that suitable safeguards exist at all times.

In order to support these objectives, our charity will:
• Have a “Senior Information Risk Owner” (SIRO) to ensure that there is accountability and that Information Risk is recognised at a Senior Level.  This position is held by the MFCA Charity Manager/Safeguarding Officer;
• Ensure that all activities that relate to the processing of personal data have appropriate safeguards and controls in place to ensure information security and compliance with the Act;
• Ensure that all contracts and service level agreements between our Charity and external third parties (including contract staff – where personal data is processed) make reference to the Data Protection Act and appropriate Organisational and Technological measures will be put in place to safeguard the data;
• Ensure that all staff (including volunteer staff) acting on the Charity’s behalf understand their responsibilities regarding information security under the Act, and that they receive the appropriate training/instruction and supervision so that they carry these duties out effectively and consistently and are given access to personal information that is appropriate to the duties they undertake;
• Ensure that all third parties acting on the Charity’s behalf are given access to personal information that is appropriate to the duties they undertake and no more;
• Ensure that any requests for access to personal data are handled courteously, promptly and appropriately, ensuring that either the data subject or their authorised representative have a legitimate right to access under the Act, that their request is valid, and that information provided is clear and unambiguous;
• Ensure that all staff are aware of the Data Protection Policy and Guidance;
• Review this policy and the safeguards and controls that relate to it annually to ensure that they are still relevant, efficient and effective.
• This Policy and Procedure and the Subject Access Information material will be made available in other formats where necessary.

Please follow this link to the ICO’s website (www.ico.org.uk) which provides further detailed guidance on a range of topics including individual’s rights, exemptions from the Act, dealing with subject access requests, how to handle requests from third parties for personal data to be disclosed etc.