Privacy Policy

South Derbyshire CVS (SDCVS) is a company registered in England, Registration Number: 4958843. Our Registered Office is Top Floor Unit G, Sharpes Industrial Estate, Alexandra Road, Swadlincote, DE11 9AZ. We are also a registered charity, Charity Number: 1101450.

 

We provide a number of services including: 

  • Transport 

  • Befriending support and social contact groups. 

  • Home from Hospital  

  • Safer Homes 

  • Volunteering information and recruitment. 

  • Office facilities and equipment for community use 

  • Community Development 

  • Food Bank and Community Food Projects 

 

Details of all services can be found on our primary website www.sdcvs.org.uk.

We may need to process your personal data to provide our services. This Privacy Notice explains how we will use the personal data we hold about you in accordance with the General Data Protection Regulations (GDPR).  

We respect your privacy and are committed to maintaining the security of your personal information. This notice outlines how and why we collect and use personal data. We want to ensure you are informed and in control of your personal data. Please be assured that we will never sell your personal data.

 

If you have any questions about this Privacy Notice, please contact our Data Controller (the Chief Executive Officer) by emailing managers@sdcvs.org.uk or calling 01283 219761. 

 

To reduce the use of technical terms in this document, we talk about SDCVS as the Data Controller.

 

We talk about you as the Data Subject and your data as Personal Data.  

 

If you are reading this document in your capacity as a parent or guardian of someone who uses our services, please understand that “you” covers both you and the beneficiary. 

 

1. Introduction

 

1.1 South Derbyshire CVS (SDCVS) needs to keep appropriate personal information about its staff, volunteers and service users to allow the organisation to run efficiently and effectively.

 

1.2 In order to ensure that this happens, SDCVS has drawn up this policy. There are two main groups to accommodate within the policy:

 

1.3 (1) Service Users and (2) Staff and Volunteers

Separate sections have been drawn up for each group

 

1.4 This policy contains guidelines for Staff and Volunteers who handle information during their work for SDCVS. 

 

1.5 This policy relates to the Data Protection Act 2018 and to the General Data Protection Regulations (GDPR) applicable from 25th May 2018.

 

1.6 There are circumstances where the law allows SDCVS to disclose data (including sensitive data) without the data subject’s consent.

These are:

  • Carrying out a legal duty or as authorised by the Secretary of State

  • Protecting vital interests of an individual/service user or other person

  • The individual/service user has already made the information public.

  • Conducting any legal proceedings, obtaining legal advice or defending any legal rights

  • Monitoring for equal opportunities purposes – e.g. race, disability or religion

  • Providing a confidential service where the individual/service user’s consent cannot be obtained or where it is reasonable to proceed without consent, for example where we would wish to avoid pressing stressed or ill individuals to provide consent signatures.

 

1.7 SDCVS has a Privacy Notice – notification of which is published on its website and on materials for service users and the general public (see Appendix 1)

 

*Note: The term “Privacy” in this context relates to personal information (data) that is protected by law (i.e. the Data Protection Act and GDPR), whilst “confidentiality” relates to the ethics of individuals in an organisation and how they treat personal information. SDCVS also has a Confidentiality Policy – there will be some overlap regarding how information is treated, but the former relies upon personal commitment within an organisation whereas the latter is a legal duty that everyone must comply with.

 

2. Scope

 

2.1 To comply with the law, information that is collected must be collected and used fairly, appropriately, stored safely and not disclosed to any other person unlawfully. To do this, SDCVS must follow the eight Data Protection Principles set out in the Data Protection Act 2018 which are summarised below:

 

i)             Personal data must be obtained and processed fairly and lawfully.

ii)            Data can only be collected and used for specified purposes.

iii)          Data must be adequate, relevant & not excessive.

iv)           Data must be accurate and up to date.

v)            Data must not be held any longer than necessary.

vi)           Data Subjects’ rights must be respected.

vii)         Data must be kept safe from unauthorised access, accidental loss or damage.

viii)        Special rules apply to transfers abroad (including publication over the Internet)

 

2.2 Personal Data relating to Service Users

 

2.2.1 Purposes

 

SDCVS collects and stores personal data (sometimes including sensitive personal data) on its service users. This data is obtained, stored and processed solely to assist in the efficient running of the services provided to the service user and to monitor and report on delivery of services (e.g. to funders.)

 

This document is necessary to help ensure compliance with our legal obligations in respect of data processing and seeks to protect personal information relating to our workforce.

It is also intended to be a key tool toward demonstrating compliance measures to regulators and may be regarded by them as a top layer document; it therefore comprises part of our layered approach to documenting practices in this area. It is also intended to ensure that our staff understand and comply with the rules regarding the collection, use and deletion of personal information to which they may have access through the course of their work.

Through this policy and other practices, the organisation aims to create and operate a culture of openness in respect of data processing.

 

3. Principles

All persons who process personal data with our permission must always endorse and adhere to these principles, especially when they obtain, handle, process, transfer, store or erase personal data.

The six fundamental principles of personal data processing are as follows:

 

  1. Fairness, lawfulness and transparency - All personal data must be processed fairly, lawfully and transparently.

  2. Purpose limitation - All personal data must be collected for specified, explicit and legitimate purposes and shall not be further processed in any manner that is incompatible with those purposes.

  3. Data Minimisation - All personal data must be adequate, relevant and limited to what is necessary for the purpose for which they are processed.

  4. Accuracy - All personal data must be accurate and where necessary, kept up to date with regards to the purposes. Every reasonable step to rectify or erase inaccurate personal data must be taken without delay.

  5. Storage limitation - No personal data should ever be kept in a form which permits identification of a data subject for longer than is necessary to achieve the purpose.

  6. Integrity and confidentiality - All personal data must be processed in a manner that ensures appropriate security of the personal data. At the very least, it must always be protected against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical and organisational measures.

The data controller (CEO) is ultimately accountable for each of these principles and is obliged by law to be able to demonstrate compliance at all times. It is for this reason that everyone in the organisation is required to take responsibility for their own strict adherence to these principles.

3.1 Consent

 

Personal data from new service users is generally collected over the telephone, via email or face to face, and recorded by the relevant member of staff. During this initial contact, the service user is informed of the details of the service and given an explanation of how their personal data will be used (for example: to help volunteer drivers provide the required service and to understand any particular needs).

  • Written consent is not requested from service users who have initiated contact, as it is felt that consent has been granted when a service user freely gives their own details over the telephone or in person, when informed of the purpose of the request for information and in order to receive a service.

  • Where data is to be used for marketing purposes, written consent to use data in this way will always be obtained from the service user. Where this is not possible, a carer (or other representative) will be asked if the service user gives consent.  If the service user does not have capacity to give consent, then the carer will be asked if they have authority (e.g. power of attorney) to give consent on the service user’s behalf.

3.1.1 Third party referrals

 

When a referral is made for service provision on behalf of an adult via a third party (for example: a relative, friend or health worker) contact will be made with the potential service user (where appropriate) to ensure that they wish us to provide the service. Where this is not possible, the third party will be asked if the service user gives consent. If the service user does not have capacity to give consent, then the third party will be asked if they have authority (e.g. power of attorney) to give consent on the service user’s behalf. Where a referral is made for service provision for someone under 18 years of age, written consent will be obtained from a parent or guardian.

3.1.2 Sharing service users’ personal data

 

A service user’s personal data will not be passed on to a third party unless this is:

 

  • required for delivery of the service (e.g. where we work with delivery partners who have signed a data sharing agreement) or

  • where we have explicit consent from the service user (or from a third party with authority to give consent on their behalf) to pass on their details e.g. a referral to another service provider. Consent may be collected in written form or recorded as given verbally.

  • overridden by safeguarding/criminal legislation.

3.1.3 Access to service users’ data by SDCVS staff/volunteers

Only relevant staff and volunteers of SDCVS will have access to service users’ personal data. All staff and volunteers are made aware of the SDCVS confidentiality policy and their obligation not to disclose personal data to anyone who is not authorised to have it.

 

3.1.4 Request for records

 

Service users (or carers) will be supplied with a copy of all their personal data held by SDCVS within 28 days if a written request is made. It is currently SDCVS’s policy to supply this information free of charge.

3.1.5 Accuracy and Longevity

 

The relevant service’s manager/co-ordinator will take reasonable steps to keep personal data up to date, accurate and make appropriate (or requested) amendments in a timely fashion. Personal data on software management systems will be stored for as long as the service user accesses any of our services and will be removed from the database 3 years after the end of the financial year in which the service ended (if time limited) or from when the service was last accessed.

 

3.1.6 Storage and disposal

 

Personal data stored in paper filing systems is kept in a locked filing cabinet with access only to relevant staff. Access to electronic records is password protected and, where data is stored on a portable device (e.g. a laptop or data stick), the data is also encrypted. When personal data is deleted or disposed of, this will be done in such a way that the data cannot be recovered – for example by shredding paper records, the physical destruction of hardware or professional data erasure.

Please refer to the Data Retention & Destruction Policy for further retention details.

 

3.1.7 Use of photographs / case studies

 

SDCVS will inform participants when photographs will be taken at events, training sessions, group activities, etc. so that they may inform the photographer if they do not wish to be included. If this is not possible (for example: a large group photo), SDCVS will remove any displayed photograph if a member of staff or a volunteer requests this. Where we want to use a case study/photo which identifies or names an individual, consent will be sought.

 

3.2 Personal Data relating to Staff and Volunteers

 

3.2.1 Purposes

 

SDCVS collects and stores personal data and sensitive personal data on staff and volunteers including contact details, employment history, “protected characteristics” i.e. age, disability, gender reassignment, race, religion or belief, sex, sexual orientation, marriage and civil partnership and pregnancy and maternity, financial details, criminal records, emergency contact/next of kin. This data is stored and processed for the following purposes:

  • assessing the suitability of an applicant for a specific job or role

  • to enable legal compliance as employers in relation to staff (e.g. for HMRC and pension payments)

  • to run the organisation as efficiently and as effectively as possible and manage services.

3.2.2 Access to staff and volunteer information

 

  • Relevant information about staff and volunteers is made accessible to other, appropriate, staff and volunteers of SDCVS as required to run the organisation and manage services.

  • Data is kept securely and accessed only by appropriate personnel who need to know in order to carry out their duties.

  • Contact details of volunteers and staff members will not be passed on to anyone outside SDCVS, for example: a service user, without their explicit consent.

3.2.3 Request for records

 

Volunteers and staff will be supplied with a copy of all the personal data held about them by SDCVS within 28 days if requested in writing. It is currently SDCVS’s policy to supply this information free of charge.

 

3.2.4 Accuracy and Longevity

 

SDCVS will take reasonable steps to keep Personal Data up to date, accurate and make corrections in a timely fashion.  Personal Data about staff or volunteers will be stored as per the Data Retention & Destruction Policy.

 

4. Roles and responsibilities

 

Important Note: “The Data Controller”

 

SDCVS as an organisation is the Data Controller under the Data Protection Act 1998, and SDCVS’s Board of Trustees is ultimately responsible for the policy’s implementation.  However, SDCVS has designated the Chief Executive Officer (CEO) to deal with all day-to-day matters arising from the implementation of the Data Protection and Privacy Policy.

 

The role

 

The Data Controller is the key decision maker in respect of why and how personal data is used and handled. The Data Controller will ensure that, both in the planning and implementation phases of processing activities, data protection principles and appropriate safeguards are addressed and implemented and that records of processing activity are kept.

Overview of responsibilities

  • To be ultimately accountable for the Company’s compliance with the six principles (see section ‘Principles’).

  • To be able to demonstrate compliance with the six principles and therefore the proper handling and processing of all personal data. This will include information about the various data protection management resources that have been put into place and take the primary responsibility for the internal data protection framework.

  • To implement appropriate technical, organisational and security measures to ensure processing is performed in accordance with data protection laws. These measures will take into account the nature, scope, context and purposes of the data processing and the risks to the rights and freedoms of individuals.

  • To adopt measures to protect against any high levels of risk identified by a Privacy Impact Assessment, such as discrimination, identity theft or significant legal, social or economic disadvantage.

  • To implement internal data protection policies; assign protection responsibilities and to ensure adequate training on data protection is provided and carried out by all staff.

  • To comply with the UK GDPR’s restrictions on international transfers of personal data outside of the UK.

  • To be responsible for notifying data subjects as well as the Information Commissioner’s Office of personal data breaches and, where necessary, any other applicable supervisory authorities within the EU (unless the breach is unlikely to result in a risk to the rights and freedoms of individuals).

  • To determine how and ensure that data subjects may exercise their rights regarding their personal data, including rights of access, rectification, erasure, restriction, data portability, objection and those related to automated decision making.

  • To communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data has been disclosed unless this proves impossible or involves disproportionate effort.  The controller shall inform the data subject about those recipients if the data subject requests it.

 

Data Processor

 

The role

 

This role processes personal data on behalf of and further to documented instruction given by the Controller. This role is undertaken by the Senior Management Team and other officers, dictated by the needs of our business.

 

Overview of responsibilities:

 

  • To only process personal data as instructed by the Data Controller (unless otherwise required by law).

  • To take all measures required to ensure their own compliance with data protection legislation regarding security.

  • To make available all information necessary to demonstrate compliance with data protection legislation and to permit an audit should the Controller wish to further ensure compliance.

  • To assist the controller in compliance with its obligations under data protection legislation regarding:

  1. security of processing

  2. meeting any rights exercised by a data subject, e.g. a subject access request

  3. notification of a personal data breach to the supervisory authority

  4. communication of a personal data breach to the data subject

  5. any necessary Data Protection Impact Assessments

  6. consultation with the supervisory authority about any processing that should be identified as being ‘high risk’

  • To ensure that on instruction from the Controller, any personal data held on behalf of a client for whom we act as a processor, is deleted and returned to that client, unless we are prohibited by data protection legislation.

  • To ensure data transfers outside of the UK are authorised by the Data Controller and comply with the UK GDPR transfer provisions.

  • To immediately inform the Controller if it believes any instruction given by them would be in breach of data protection legislation.

  • Any processors are not permitted to appoint another processor without prior written agreement from the Company. Equally when we act as a processor, we will not appoint another processor without written agreement of the Controller we act on behalf of.

 

Review & Monitoring

 

The policy will be reviewed every year or sooner if there are legislative changes.

Minor changes to the policy such as job titles resulting from organisational changes can be updated at any time.

 

Review completed      February 2026 - Hollie Benton

Policy published          January 2024

Next review due           March 2027

South Derbyshire CVS is registered in England & Wales as a charity (number 1101450) and a company limited by guarantee (number 4958843). Registered office: Top Floor of Unit G, Sharpe's Industrial Estate, Alexandra Rd, Swadlincote, DE11 9AZ.

01283 219761

© 2025 South Derbyshire CVS. All rights reserved. No part of this content may be copied, reproduced, or used in any form without explicit permission from South Derbyshire CVS.