Data Protection Policy

Who is covered by this policy?

All trustees, paid staff, volunteers, beneficiaries and customers.

What is covered by this policy?

This policy covers data protection in relation to all areas of Age Concern Chesterfield and District's (working name BrightLife) activities, including:

  • customer records;
  • legal compliance (UK General Data Protection Regulation – UK GDPR);
  • recruitment, promotion, training, redeployment and/or career development;
  • administration and payment of wages;
  • calculation of certain benefits, including pension;
  • disciplinary purposes arising from an employee's conduct or inability to perform their duties;
  • performance review;
  • recording of communication with employees and their representatives;
  • compliance with policy and/or legislation with regard to health and safety or other employment legislation and regulation;
  • provision of references to financial institutions, to facilitate entry onto educational courses and/or to assist future employers.

Purpose

The purpose of this policy is to protect Age Concern Chesterfield and District and its staff from the misuse of individuals' personal data and to ensure that Age Concern Chesterfield and District complies with all relevant legislation.

The policy

Recruitment and selection

If the charity is placing a recruitment advert, the recruitment agency must identify itself properly – people should know who they are applying to. If using a recruitment agency, Age Concern Chesterfield and District must ensure the agency identifies itself.

Information collected for recruitment or selection for an interview must be used for that purpose only and must be kept securely. Where sensitive personal data is collected, explicit written consent should be obtained from applicants at the point of data collection. The Trustees should ensure that equal opportunities data for applicants is anonymised before the applications are considered.

If verifying the information a person provides, the charity and recruitment agency must ensure the person knows how this will be done and what information will be checked.

If Age Concern Chesterfield and District needs to verify criminal conviction information, it will only do this by getting a Disclosure and Barring Service (DBS) check. Age Concern Chesterfield and District must ensure it is entitled to receive this information and must follow the DBS's procedures strictly. Age Concern Chesterfield and District may only keep a record that a satisfactory/unsatisfactory check was made, but it may not store any detailed information.

Employment records

Age Concern Chesterfield and District is permitted to collect, maintain and use employment records. However, staff should know what information about them is kept and what it will be used for. Age Concern Chesterfield and District will not keep information for which it has no genuine business need or legal duty to keep.

Employment records must be kept in a secure, locked place, and computerised records must be password protected. Only authorised staff should have access to employment records (usually, the individual's line manager, relevant director, HR Manager and the Chief Executive).

Age Concern Chesterfield and District will keep employment records of staff who have left for three years to allow for information to be supplied for references. After this time, records will be destroyed.

Sickness records

Age Concern Chesterfield and District will collect information about a staff member's health in accordance with Age Concern Chesterfield and District's Sickness Policy and Procedure and record it on the HR management system. Access to the information is strictly limited to authorised staff. All records are held securely on the charity's Google account stored on the cloud.

Pension or insurance scheme records

Age Concern Chesterfield and District will only use the information about a staff member for the administration of the scheme and will inform the staff member of what information the insurance company or scheme provider will pass back to Age Concern Chesterfield and District.

Disclosure

Age Concern Chesterfield and District will only disclose information on a staff or volunteer member if, in all the circumstances, it is satisfied that it is in line with GDPR and is reasonable to do so or as part of legal disclosure. Fairness to the staff/volunteer member will always be Age Concern Chesterfield and District's first consideration. Age Concern Chesterfield and District will allow staff and volunteers access to their own records to ensure the information is correct.

Staff and volunteers' rights

Staff have a legal right of access to the information the charity holds on them and the right to challenge the information if it is thought to be inaccurate or misleading. If a staff member objects to Age Concern Chesterfield and District holding or using information about them because it causes them distress or harm, Age Concern Chesterfield and District will delete the information or stop using it in the way complained about unless Age Concern Chesterfield and District has a compelling reason to continue holding and/or using that information.

To see what information Age Concern Chesterfield and District holds on you, ask a Trustee or Manager for access to your records.

Customer / beneficiary data

Age Concern Chesterfield and District will process personal data that may identify a customer/beneficiary or prospective customer/beneficiary, according to the UK GDPR. Customer data will be processed in the legitimate interest of Age Concern Chesterfield and District's work and/or if Age Concern Chesterfield and District has a contractual or legal obligation. Such data may be retained indefinitely or in accordance with a legal or contractual obligation where such data is for accounting purposes.

Data storage and transfers

Age Concern Chesterfield and District may store data in the UK or the European Economic Area, or any country deemed to be adequate by either the UK or the EU. Where Age Concern Chesterfield and District stores data outside these jurisdictions, it may undertake a data transfer risk assessment. Age Concern Chesterfield and District will ensure appropriate UK safeguards are in place to protect the rights of those identified by personal data stored in such locations.

Records and legal compliance

Under the UK GDPR, 'personal data' (i.e. data about identifiable living individuals – 'data subjects') should be:

  1. processed fairly and lawfully and in a transparent manner;
  2. collected for specified, explicit and legitimate purposes;
  3. adequate, relevant and limited to what is necessary;
  4. accurate and, where applicable, kept up to date;
  5. kept for no longer than is necessary;
  6. processed in accordance with the rights of data subjects;
  7. kept secure by the data controller (i.e. Age Concern Chesterfield and District, which holds ultimate responsibility for complying with data protection requirements), following appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal data;
  8. only be transferred to a country outside the European Economic Area if that country has equivalent levels of protection for personal data.

GDPR applies to both automated and manual personal data filing systems, where personal data is accessible according to specific criteria.

In order to be able to carry out its functions, Age Concern Chesterfield and District needs to keep and use certain types of information about people and organisations, employees, donors, trustees, volunteers and so on. This may include address and contact details, bank details, personal references and the legal status of groups.

Information is obtained, held, processed and disclosed for the purposes of the administration, management and business activities of Age Concern Chesterfield and District. These include:

  • making and holding lists of beneficiaries, members, donors, volunteers, social prescribers, customers and relevant organisations;
  • statistical analysis;
  • maintaining relationships with external associates and other partners;
  • reporting to donors and other partners;
  • keeping beneficiaries and other partners informed of products and services that may help them;
  • keeping beneficiaries and other partners informed of events, campaigns, etc.;
  • using basic information in marketing materials, on any of the websites run by Age Concern Chesterfield and District or in the annual report;
  • keeping business process records (including financial records such as purchase information, donations and grant details);
  • maintaining lists of event delegates.

When collecting information, Age Concern Chesterfield and District will ensure that individuals:

  • clearly understand why Age Concern Chesterfield and District needs to collect the information and receive sufficient detail on how it will be used;
  • understand what it will be used for and what the consequences are should the individuals decide not to give/withdraw consent to processing;
  • where required, provide explicit written or verbal consent (a record of which should be kept) for data to be processed;
  • give their consent freely and without any duress.

All employees, trustees and volunteers are expected to maintain professional standards and respect confidentiality. Ann Monk is the named trustee and is the Data Protection Officer for the charity, and should be the first point of contact with regard to any data protection issues, queries or complaints.

Age Concern Chesterfield and District will review all personal data held on its databases annually to ensure it should be retained. The categories of data listed below have to be retained under the following specific criteria:

  • Personal data of donors associated with finance data must be retained for at least six years.
  • Personal data associated with records of transactions/purchases needs to be kept for at least six years.
  • Personal data of employees needs to be retained for six years with reference to payroll and ten years with reference to pension information.
  • Personal data of volunteers and trustees needs to be retained for at least six years if it is associated with financial transactions.

Individual rights

Age Concern Chesterfield and District complies with GDPR by providing the following rights for individuals:

  • the right to be informed;
  • the right to access a copy of their personal data;
  • the right of rectification of data;
  • the right of erasure (or right to be forgotten);
  • the right to restrict processing;
  • the right to data portability (in relation to processing by automated means);
  • the right to object to processing;
  • rights in relation to automated decision-making and profiling.

The right to be informed encompasses Age Concern Chesterfield and District's obligation to provide information on how personal data is collected and used, typically through the Age Concern Chesterfield and District privacy notice, which can be found at the charity's offices.

With regard to the right of access, Age Concern Chesterfield and District will provide confirmation that the data is being processed and, if requested, grant access to personal data free of charge within 28 days of receiving the request (this can be extended by a further month if the request is complex or onerous).

Under the right of rectification, Age Concern Chesterfield and District will correct any inaccurate or incomplete data within 28 days of notification. Age Concern Chesterfield and District will also inform any third parties, if applicable, of these rectifications.

In compliance with the right to erasure, Age Concern Chesterfield and District will delete data under the following specific circumstances:

  • Personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  • An individual withdraws their consent.
  • The individual objects to the processing and there is no overriding legitimate interest for continuing processing.
  • The personal data was unlawfully processed.
  • The personal data has to be erased to comply with a legal obligation.
  • The personal data is processed in relation to online services to children.

Age Concern Chesterfield and District will ensure that, in certain circumstances, the right to restrict processing of personal data is satisfied. This can include situations where data may be inaccurate or where the individual has objected to the processing, and Age Concern Chesterfield and District is considering whether its legitimate grounds for processing data override the rights of the individual.

Under the right to data portability, an individual can ask for their data in a form that can easily and securely be transferred from one IT environment to another. Age Concern Chesterfield and District would ensure that data held can be securely transferred if a request is made.

Under the right to object, Age Concern Chesterfield and District will stop processing personal data where there is an objection unless there are compelling legitimate grounds to continue processing data, or if the processing is for the establishment, exercise or defence of legal claims. Age Concern Chesterfield and District will stop processing personal data for direct marketing purposes as soon as an objection is received. The right to object is included in the Age Concern Chesterfield and District privacy notice.

Age Concern Chesterfield and District will secure personal data in a way that is proportionate to the risk to the interests and rights of the individual and ensure that it cannot be used to discriminate against the individual.

Should an individual wish to exercise any of the above rights, they can do so by contacting Ann Monk (Trustee). On request from an individual, Ann Monk will supply details of what information is held, why it is held and to whom it may be disclosed. A copy of the relevant record of data on the individual may be supplied.

Age Concern Chesterfield and District will aim to comply with requests for access to personal data records within one month.

Breaches of procedure or loss of data

Important: Any breach of confidentiality should be reported to Ann Monk (Trustee), who will then appoint an appropriate independent person (e.g. a member of the board of trustees or a senior member of staff) to investigate the matter. If, following a written summary of findings, the investigation finds that a breach has occurred, the trustees have the discretion to take appropriate action within 28 days. This may include consideration of pursuing disciplinary action or, in the case of a volunteer, asking the person to withdraw from Age Concern Chesterfield and District's service.

Guidance to trustees, staff and volunteers

Age Concern Chesterfield and District's employees should bear in mind the following considerations:

  • Sensitive and confidential information must be treated with particular attention.
  • Personal data must not be emailed to staff members' personal email accounts, as there is no guarantee of security of these accounts.
  • Any personal data stored in paper format must be held securely, locked in filing cupboards in Age Concern Chesterfield and District's office. If it has to leave the office, consider pseudonymisation. If information leaves the office, then a Trustee must be informed.
  • All Age Concern Chesterfield and District's personal computers must be password protected. All personal data should be kept in the appropriate IT system. Volunteer and beneficiary details are stored in the charity's secure CRM system, named CharityLog, and staff details in Google Drive. The charity does not have a server to store any information. No member of staff, trustee or volunteer is to use any external data storage for Age Concern Chesterfield and District staff, beneficiary or volunteer data.
  • The database holding customers' personal data must be accessed only via Age Concern Chesterfield and District's electronic equipment. All employees and volunteers will be trained on how to use the database, relying on the written procedures for entering, amending and maintaining data. These procedures will be reviewed annually.
  • In line with Age Concern Chesterfield and District's IT Security Policy, no staff, trustee or volunteer should store or download their personal data (or other files) on Age Concern Chesterfield and District's electronic equipment. If you download any files for ease of working, make sure you save them in the appropriate place on Google, password protected if necessary, as soon as you have finished working on them, and delete any local files.
  • Any changes to personal data of trustees, volunteers or beneficiaries (e.g. a change in home address) must be updated on the CharityLog database within 28 days of receipt.
  • Personal data must not be given out to any third party unless the individual has agreed to release this information, in writing.
  • Any personal data kept in paper format that is no longer required must be destroyed.
  • Any personal data kept electronically that is no longer required must be deleted. Age Concern Chesterfield and District will carry out data minimisation as part of the annual data audit.
  • If data needs to be processed for profiling or for other statistical information, pseudonymise it. The procedures for this should be documented to ensure that the identification of the individuals is kept separate from the processed data.

Last updated: July 2026