Data protection policy

A definition of key terms is attached to this document. Your attention is also drawn to the Trust’s Privacy policy.

The General Data Protection Regulation

The General Data Protection Regulation (GDPR) is an EU-wide law that replaced the previous Data Protection Act (1988). The purpose is to help EU citizens better understand and control how their personal data is being used and how to raise objections if necessary. The GDPR achieves this by placing responsibilities on those who control and process data and by giving rights to data subjects. In the UK, the Information Commissioner’s Office (ICO) oversees compliance with the GDPR.

The Chartered Secretaries’ Charitable Trust

The Chartered Secretaries’ Charitable Trust (‘the Trust’) is registered with the ICO as a data controller (registration number ZA050205). The Trustees have assessed the scale of our data processing and decided that the quantity of data being processed does not justify appointing a Data Protection Officer. Responsibility is delegated to the Charities Officer, who is responsible for reporting any data breaches to the ICO within 72 hours of our becoming aware of the breach and to the Charity Commission as a significant incident.

Personal data processed by the Trust

The Trust will always respect our data subject’s rights, which are stated in our Privacy policy. The Trust will only process personal data where we have obtained consent, where there is a legal basis to do so, or because we have a legitimate interest to carry out our charitable objectives and fulfil contractual obligations to provide data subjects with services, products, or information they have requested. Where we rely on a legitimate interest, we will always ensure that it is done in a way that respects the rights of our data subjects.

The collection, processing and storage functions are regularly reviewed to check that data is accurate, adequate, relevant, secure and limited to that which is necessary. Data protection and security controls are recorded in the risk register, which is regularly reviewed. Training is also provided for employees, trustees, Support and Grants Committee members and volunteers on data protection.

The Trust informs individuals about the data we require from them and sets out how it will be used in our Privacy policy statement. Additional information for applicants is attached to our Application for assistance form.

The Trust will always ask for additional written consent should data be required to be shared with a third party in order to carry out a contractual arrangement. For example, the provision to a beneficiary of a bespoke service. We will ensure that prior to using a third party they will have a published Privacy policy and will obtain where appropriate a GDPR compliant Data Sharing Agreement.

Information received from individuals will not be shared with any other organisation, unless express permission has been obtained or the Trust is required to do so by law. For example, the Trust will need to disclose personal data to HMRC if a supporter has agreed to the Trust claiming Gift Aid on their donation.

The Trust obtains personal data from applicants for financial assistance, our volunteer visitors and supporters, trustees and Support and Grants Committee members and from third parties. The data is required to ensure that its charitable objectives are carried out effectively, fairly and in compliance with legislation.

Liaison with The Chartered Governance Institute UK & Ireland

In order to confirm applicants’ relationship to The Chartered Governance Institute UK & Ireland, the Trust has access to The Institute’s database of members’ records. This access also allows the Trust to record donations received from the Institute’s members and assists with the administration of Gift Aid claims, and assists with the facilitation of the awards of bursaries and prizes to students. The Trust also seeks liaison with the Institute to confirm and make payment of The Institute’s membership subscriptions as appropriate and seeks liaison with the Institute to raise awareness of the opportunity of support available from the Trust. The Institute services the administration, support and IT systems, and employees must also comply with The Institute’s own Data Protection Policy.

Beneficiaries

Information on applicants to the Trust is held on a separate database to the Institute’s records and on a separate password protected server. All details are kept confidential and are securely stored or used only to assist with the administration of a request and provision of any benefit. For example, each applicant is allocated a reference number. Only details regarding specific circumstances are provided to the Chairman and the Committee, along with the allocated number and statement of the applicant’s hometown. Names and addresses are not disclosed, other than to the visitor and The Institute’s employees required to administer the support.

The information held on applicants is updated annually, on the receipt of completed application forms and authorisation from the applicant. Trustees send an annual letter to all of the beneficiaries who are kept on record, whose files had been held for over six years. This seeks permission to continue to hold details on file. Should beneficiaries not provide permission or no reply is received, papers are destroyed through confidential waste and details are removed from the database. Following the cessation of consideration of assistance, details on former beneficiaries are also retained for a maximum of six years to support financial records of the Trust in order to comply with accounting and audit requirements. Following the retention period of six years, all paper records and any details held electronically are destroyed. Should former applicants request the right for erasure of all details within this six-year period, they will be advised to raise this issue with the Information Commissioner’s Office (ICO).

Visitors

All visitors are requested to sign a non-disclosure agreement to confirm that they will maintain confidentiality in line with the Trust’s policies and will report to the Trust any breach or loss of personal data of beneficiaries within 24 hours of being aware of the breach or the loss.

Contributors

Paper and electronic records are also securely held on The Institute’s members who make donations to the Trust supported by a Gift Aid declaration. These details include full names and addresses, amounts of donations and when and how these donations have been paid. Copies of the Gift Aid declaration are also scanned in an electronic format. These records are held only for the purpose of facilitating Gift Aid claims and in accordance with HMRC requirements.

Recipients of Bursaries and Prizes

Paper and electronic records are securely held on recipients of bursaries and prize-winners. These details include full names, examination centres and The Institute’s membership numbers. These records are held only for the purpose of facilitating awards and to publicly record achievement in the Annual report. The Trust might contact recipients to obtain comment on the value of the bursary or prize, in order to monitor the impact of the award and would seek permission to use these comments for marketing and publicity purposes.

Trustees will continue to monitor this policy and ensure that appropriate operational procedures are in place to safeguard information held.

Definition of key terms:

Personal data: data conveying any information relating to an identified or identifiable natural person. This may include name, address, telephone number; it also includes online or electronically stored identifiers, if they can be used alone or in combination to identify a person. In addition there is a category of ‘sensitive personal data’ which includes genetic, biometric and medical data; racial and ethnic identity; religious and political beliefs; and sexual orientation.

Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.

Data processor: a natural or legal person, public authority, agency or other body which is responsible for processing personal data on behalf of the controller.

Data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data subject: the individual to whom the personal data belongs. This could be an applicant, beneficiary, donor, trustee, visitor, contractor, or any other individual whose personal data are held by us.

Consent: means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.