Data Protection Policy
1. Introduction
Hope for the Future needs to gather and use certain information about individuals. This
can include clients, contacts, employees and other people the organisation has a
relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to
meet the organisation’s data protection standards and to comply with the law.
This data management policy ensures Hope for the Future:
● complies with data protection law and follows good practice
● protects the rights of clients, staff and partners
● is transparent about how it stores and processes individuals’ data
● protects itself from the risks of a data breach
2. Data protection law
The UK General Data Protection Regulation (UK GDPR) applies in the UK. It outlines that personal data must be:
a. Processed lawfully, fairly and in a transparent manner in relation to individuals.
b. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes.
c. Adequate, relevant and limited to what’s necessary in relation to the purposes for
which they’re processed.
d. Accurate and, where necessary, kept up to date.
e. Protected – every reasonable step must be taken to ensure that personal data that’s inaccurate, having regard to the purposes for which they’re processed, is erased or rectified without delay.
f. Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
g. Stored for longer periods only where this is necessary. For example, the personal data will be processed solely for archiving purposes in the public interest, or statistical purposes. This will also be subject to implementation of the appropriate technical and organisational measures required by UK GDPR in order to safeguard the rights and freedoms of individuals.
h. Processed in a manner that ensures appropriate security of personal data. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
i. Managed by a controller who is responsible for, and able to demonstrate, compliance with the principles.
Approved by the HR & Governance Subcommittee on 5/11/24 and the Board on 5/12/24. Date for review [November 2026]
2. Roles and responsibilities
Everyone at Hope for the Future contributes to compliance with UK GDPR. Key decision-makers must understand the requirements and accountability of the organisation to prioritise and support the implementation of compliance.
The Director of Operations is the person responsible for fulfilling the tasks of the Data Protection Officer (DPO) in respect of Hope for the Future.
They are responsible for:
● informing and advising HFTF’s employees about their obligations to comply with UK GDPR and other data protection laws
● monitoring compliance with UK GDPR and other data protection laws – including managing internal data protection activities, advising on data protection impact assessments, and conducting internal audits
● being the first point of contact for supervisory authorities and for individuals whose data is processed (employees, clients),
● leading on compliance with the regulations,
● dealing with subject access requests, deletion requests and queries from clients, stakeholders and data subjects about data protection related matters,
● checking and approving contracts or agreements with third parties that may handle the organisation’s sensitive data,
● ensuring all systems, services and equipment used for storing data meet acceptable security standards,
● evaluating any third party services the company is considering using to store or process data, to ensure their compliance with obligations under the regulations.
● developing privacy notices to reflect a lawful basis for fair processing, ensuring that intended uses are clearly articulated.
● ensuring that data subjects understand how they can give or withdraw consent, or exercise their rights in relation to HFTF’s use of their data.
The Director for Income Generation is responsible for
● Ensuring that audience development, marketing, fundraising and all other initiatives involving processing personal information and/or contacting individuals abide by the UK GDPR principles.
The Director of Operations is responsible for
● sharing policies across the organisation,
● arranging training and advice for staff.
● updating the Risk Register,
● keeping senior management and the Board updated about data protection issues, risks and responsibilities via the Board and HR & Governance Committee meetings,
● ensuring that ongoing privacy measures are embedded into policies and day-to-day activities throughout the organisation (see annex for list of policies).
All employees are responsible for
● performing regular checks and scans to ensure security hardware and software are functioning properly.
● completing their GDPR and Cyber Security Training.
● reading and complying with the relevant policies in the Staff handbook
3. Scope of personal information to be processed
The scope of the personal data HFTF processes:
● names of individuals
● postal addresses of individuals
● email addresses of individuals
● telephone numbers of individuals
● information about events and training attended by individuals
● data related to employees and contractors – including names, contact details, and
other information relevant to safeguarding and internal communications (See
Personal Employment Data Policy)
The data is collected from:
● HFTF website
● Emails
● Online forms
● Events/training online and in person
● Employees, during onboarding processes (See Personal Employment Data Policy)
The information is stored in HFTF’s Customer Relationship Management System (CRM), Beacon.
Regular checks are made to ensure that the data is accurate. The CRM checks accuracy/duplication/completeness of data. Staff also ensure the data is relevant to the purpose, not excessive, up-to-date and not kept for longer than is necessary.
Consent to keep data is gained from all individuals. Where the individual is under 13 years of age (12 in Scotland), parental or guardian consent is gained via completion of the consent form (see Data Retention Guidance).
4. Uses and conditions for processing are covered in the following policies
● Data Retention Guidance
● Personal Employment Data Policy
● Privacy Policy
● Information Governance – Classification of Information
● Hope for the Future’s Fair Processing Policy 92017-E.
● Subject Access Request Procedure 92017-C
● Retention Requirements Policy 2017-F
● Access, storing and sharing information.
● Information Security Incident report form
5. Consent and lawful bases for data processing
When obtaining consent from individuals to gather or process their data, we aim to meet the following standards:
● Information about processes and systems is clear and unambiguous to make sure
that consent is freely and unambiguously given for specific purposes.
● All consent given is explicit and linked to the specific data processing activity
● Consent is provided in written or verbal form as appropriate to the circumstances
● We use Beacon to keep an audit trail which enables HFTF to demonstrate how and when consent was obtained (and withdrawn where relevant)
● We communicate an individual’s right to withdraw consent at any time, and HFTF’s processes and systems support the functionality to do so
● Where email contact is used to gain consent the notification statement detailing the intended use of personal information is given at the point of collecting personal information and the individual is given the opportunity to opt out, and our subsequent emails notify the client of their right to unsubscribe.
● We will inform individuals of the data protection rights they hold over the data they have consented to provide.
Where ‘legitimate interest’ is the lawful basis for processing, details of the process by which the rights and freedoms of the individual have been weighed against the interests of HFTF will be documented. How the outcomes of that process have been considered and mitigated will also be documented.
6. Data Protection Impact Assessments
Data Protection Impact Assessments (DPIAs) will be carried out where HFTF believes data processing is likely to pose high risks to the rights and freedoms of individuals. The DPIA helps to protect against the risk of harm through use or misuse of personal information. DPIAs undertaken by HFTF are included in the appendix.
The DPIA should contain:
● a description of the processing operations and the purposes – including, where applicable, the legitimate interests pursued by the controller
● an assessment of the necessity and proportionality of the processing in relation to the purpose
● an assessment of the risks to individuals
● the measures in place to address risk, including security measures, and to demonstrate compliance
When carrying out the DPIA, we will aim to meet the good practice standards outlined in the ICO’s DPIA guidance:
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/accountability-and-governance/data-protection-impact-assessments/
7. Data Sharing
Details of any/all third party organisations that HFTF intends to share personal information with:
● Tingle Ashmore – Payroll Provider
● Nest – Pension Provider
● Beacon – CRM provider
● Mailchimp – Email provider
● Ticket Tailor – Event booking provider
● Collective Digital – website provider
● We will document how HFTF has obtained and recorded the necessary specific and clear permissions for sharing data with named third parties, for specifically defined uses, and in specified communications channels.
● We will record details of data sharing agreements, describing what they are and the arrangements concerning the collection of the necessary permissions
● We will define the scope of the personal data to be shared that will enable the receiving party to be able to create an audit trail, sufficient to enable them to respond to any challenge as to why an individual’s data has been processed, or to facilitate a data subject access request
● We will document the security measures that will be put in place to protect the data in transit, and which establish a shared understanding that the receiving organisation, as data controller of the new copy of the data shared with it, is responsible for all aspects of the regulation.
8. Security measures
The following policies are in place to protect the personal information that HFTF stores from breach.
● Data Retention Guidance
● Personal Employment Data Policy
● Privacy Policy
● Acceptable use of Information Systems Policy
● Home working Hybrid Working Policy
● Information Governance – Classification of Information
● Information security in the office
● Information Governance – Working away from the office
● Information Governance – Use of email
● Information Governance – Leaving/Changing roles
● Information Governance – use of internet
● Information Security Incident report form
9. Subject access requests
All individuals who are the subject of data held by HFTF are entitled to:
● ask what information HFTF holds about them and why
● ask how to gain access to it
● be informed how to keep it up to date
● be informed how the company is meeting its data protection obligations
The following documents detail the process that Hope for the Future will use to fulfil subject access requests and how individuals are notified of this process.
● Access, storing and sharing information.
● Subject Access Request Procedure 92017-C
● Information Security Incident report form
10. Exercising data protection rights
UK citizens hold data protection rights under the UK GDPR. These include the:
● Right to be informed about the collection and use of their personal data
● Right of access to a copy of their personal data
● Right to rectification to correct any inaccurate or incomplete data
● Right to erasure where individuals wish for their data to be deleted
● Right to restrict processing to prevent their data being processed in undesirable ways
● Right to data portability, where individuals can obtain and reuse their data on different services
● Right to object to processing of personal data in certain circumstances.
In certain circumstances, subjects have the right to be deleted from our database, under their right to erasure.
HFTF will keep a record within Beacon of individuals’ data protection rights requests and associated outcomes, and comply with all of them within thirty days unless HFTF is exempted from doing so under data protection or other relevant laws (for example for safeguarding reasons).
11. Privacy notices
Hope for the Future aims to ensure that individuals are aware that their data is being processed, and that they understand:
● who is processing their data
● what data is involved
● the purpose for processing that data
● the outcomes of data processing
● how to exercise their rights
HFTF has a privacy statement, setting out how data relating to these individuals is used.
● Privacy Policy
This policy is displayed on the HFTF website www.hftf.org.uk
12. Ongoing documentation of measures to ensure compliance
Hope for the Future has ongoing measures to:
● maintain documentation/evidence of the privacy measures implemented and records of compliance
● regularly test the privacy measures implemented and maintain records of the testing and outcomes
● use the results of testing, other audits, or metrics to demonstrate both existing and continuous compliance improvement efforts
● keep records showing training of employees on privacy and data protection matters
13. Exceptions
Exceptions to the guiding principles in this policy must be documented and formally approved by the CEO or the Board of Hope for the Future.
14. Appendix
Linked/Other useful policies/procedures
This guidance should be read in conjunction with the:
● Data Protection Fair Processing Policy
● Data Protection Information Security Incident report form
● Data Protection Subject Access Request Procedure 92017-C
● Home working Hybrid Working Policy
● Information Governance – Acceptable use of Information Systems Policy
● Information Governance – Access, storing and sharing of HFTF information
● Information Governance – Classification of Information types
● Information Governance – Data Retention Guidance
● Information Governance – Use of HFTF email, messaging tools and apps
● Information Governance – Use of internet
● Information Governance – Working from HFTF Office / Data Security – Office
● Information Governance – Working away from the Office / Working on the move/from home
● Personal Employment Data Policy
● Privacy Policy
● Social Media Policy
This policy will be reviewed every two years, or when any other significant change impacts upon the policy.