Data protection padlock icon

Data Protection Policy

Dignity is committed to respecting your privacy and data. This is our Data Protection Policy and our Privacy Notice.

Policy statement

Dignity (Worldwide) (hereinafter called “Dignity”) is committed to protecting the rights and privacy of individuals, supporters, volunteers, staff, suppliers and others in accordance with The Data Protection Act 1998 [DPA] and the General Data Protection Regulation [GDPR] (effective from 28th May 2018). The policy applies to all staff, Directors and volunteers at Dignity. Any breach of DPA, GDPR or this Data Protection Policy is considered to be an offence and in that event, disciplinary procedures apply.

As an organisation we do not pass our mailing lists to others for publicity or otherwise sell our data.

Legal Requirements

Data we hold is protected by the DPA, which came into effect on 1 March 2000 and the GDPR, which came into effect on 28 May 2018. Their purpose is to protect the rights and privacy of individuals and to ensure that personal data is not processed without their knowledge, and, wherever possible, is not processed without their consent.

The DPA requires many organisations to register the fact that they hold personal data and to acknowledge the right of ‘subject access’. Supporters, employees, Directors and staff have the right to copies of their own data upon request.

Dignity is exempt from Registering with the Information Commissioner because it:

  • only processes information necessary to establish or maintain membership or support
  • only processes information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it
  • only shares the information with people and organisations necessary to carry out the organisation’s activities or if individuals give their permission to share their information
  • only keeps the information while the individual is a member or supporter or as long as necessary for member/supporter administration.

Managing Data Protection

We will ensure that your details are kept in accordance with the guidelines produced by the Information Commissioner, and in particular the Eight Principles of good practice. The UK Information Commissioner’s website is www.ico.org.uk

We have appointed a person to supervise our compliance with the Act and to carry out risk assessments at least annually regarding data security. Everyone who handles data understands they are responsible for doing so according to good practice and we will adequately supervise those handling personal details.

Types of data

The 1998 DPA provides conditions for the processing of any personal data. It also makes a distinction between personal data and “sensitive” personal data.

Personal data is defined as, data relating to a living individual who can be identified from:

  • That data;
  • That data, and other information which is in the possession of, or is likely to come into our possession and includes an expression of opinion about the individual and any indication of the intentions of Dignity as the data controller, or any other person in respect of the individual.

“Sensitive personal data” is defined as personal data consisting of information as to:

  • Racial or ethnic origin;
  • Political opinion;
  • Religious or other beliefs;
  • Trade union membership;
  • Physical or mental health or condition;
  • Sexual life;
  • Criminal proceedings or convictions.

The DPA recognises that it is sometimes appropriate to disclose personal data for certain purposes to do with criminal justice or the taxation system. In these cases, individuals’ rights may occasionally need to be restricted. In particular, the Act deals with several situations in which personal data is processed for the following “crime and taxation purposes”:

  • the prevention or detection of crime;
  • the capture or prosecution of offenders; and
  • the assessment or collection of tax or duty.

GDPR allows the data subject the right to deny the use of their data in automated decision making or profiling. As a result, within the guidelines of GDPR, Dignity will only store data in relation to the legal justifications for data storage in line with the legal basis for storage, which are limited to:

  • Legal Obligation
  • Legitimate Interest
  • Consent
  • Contract
  • Public Task

Purpose of data held by Dignity

Data may be held by us for the following purposes:

  1. Staff and Volunteer Administration (including payroll and recruitment)
  2. Fundraising
  3. Realising the Objectives of a Charitable Organisation
  4. Accounts & Records (including Gift Aid)
  5. Advertising, Marketing & Public Relations
  6. Information and Database Administration
  7. Journalism and Media (aggregated and anonymised data only)
  8. Research (aggregated and anonymised data only)
  9. Volunteering

Eight Data Protection Principles

In terms of the Data Protection Act 1998, we are a ‘data controller’, and as such determine the purpose for which, and the manner in which, any personal data is, or may be, processed. We have appointed a member of staff to be our Information Officer to whom all requests for information should be given.

In compliance with the Principles in the Data Protection Act, we must ensure that we have:

1. Fairly and lawfully processed personal data

We will make it clear what the intentions on processing data are and state if, to whom, and for what reason we intend to pass personal data. We will consider the reasonable duration the data will be kept for business reasons. We will include statement to say Policy available on request.

2. Processed for limited purpose

We will not use data for a purpose other than those agreed by the people we collect it from. If the data held by us is requested by external organisations for any reason, this will only be passed in accordance with this Policy.

3. Adequate, relevant and not excessive

Dignity will regularly monitor the data held for our purposes, ensuring we hold neither too much nor too little data in respect of the individuals about whom the data is held. If data given or obtained is excessive for the purposes of our business, it will be permanently deleted or destroyed.

4. Accurate and up-to-date

We will provide contacts on our database with a basic illustration of their data once a year for information and updating where relevant. It will always be possible for people on our mailing list to alter their contact details through CiviCRM communications by using the link provided. All amendments will be made as quickly as possible and data no longer required will be permanently deleted or destroyed. It is also the responsibility of individuals and third party organisations to ensure the data we have is accurate and kept up-to-date if you should make any changes we may not be aware of. Non-responses to our annual request for updates will be taken as an indication that the data contained is accurate.

Staff and volunteers should notify us of any changes to enable personnel records to be updated accordingly. It is the responsibility of Dignity to act upon notification of changes to data, amending where relevant.

5. Not kept longer than necessary

We will audit the retention of data on a regular basis to ensure we hold it no longer than it is required for business purposes. A Schedule of how long we keep various categories of information will be kept by the Dignity Office, in accordance with our data retention policy. Action taken when this becomes appropriate. Some information has to be retained for statutory reasons, such as for tax and national insurance, the Health and Safety Executive, others for organisational reasons (for example regarding disciplinary record, dealt with in the Staff Handbook).

6. Processed in accordance with the individual’s rights

All individuals that Dignity hold data on have the right to:

  • Be informed, upon request, of all the information held about them within the statutory period of 40 days.
  • Prevent the processing of their data for the purpose of direct marketing.
  • Compensation if they can show that they have been caused damage by any contravention of the Act.
  • The removal and correction of any inaccurate or wrong data about them.

7. Secure

Reasonably appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data.

We will carry out risk assessments regarding the security of our data and document what measures we will take to keep our records secure. As appropriate, sensitive personal data and financial records will be password protected. We will seek to minimise the amount of paper storage and keep our paper records in a locked filing cabinet after close of business each day.

Everyone managing and handling personal information will appropriately supervised.

8. Not transferred to countries outside the European Economic Area, unless the country has adequate protection for the individual.

Data must not be transferred to countries outside the European Economic Area without the explicit consent of the individual. If any data is transferred to a country outside the EEC, we will ensure that an adequate level of data protection is in place. Dignity takes particular care to be aware of this when publishing or accessing information over the Internet.

We use CiviCRM for the purposes of email distribution. Information held on CiviCRM is based in the European Economic Area (the EEA). Under the terms of their privacy policy (https://civicrm.org/index.php/about/privacy-policy) with the exception of some issues, primarily legal issues, disclosed in their privacy policy, CiviCRM does not share information with third parties. Every marketing email we send includes a link to unsubscribe.

Additional Rights under the GDPR

In compliance with the Principles in the General Data Protection Regulations, all individuals that Dignity hold data on have the right to:

  • be forgotten, to correct data which is wrong or to restrict certain processing, and the right to ask for personal data to be handed back so it can be sent to another Data Controller (known as 'data portability')
  • erasure
  • receive a response to a Data Subject access requests within a month and without a requirement to pay a fee, unless the request is ‘manifestly unfounded or excessive’.