Walsall Community Active Projects CIC
Company number 17051741
Data Protection and GDPR Policy
| Document title | Data Protection and GDPR Policy |
|---|---|
| Version | 1.0 |
| Date adopted | 14 February 2026 |
| Next review date | February 2027 |
| Approved by | Board of Directors |
| Responsible officer | Founder / Director |
1. Statement of Intent
Walsall Community Active Projects CIC is committed to protecting the personal data of everyone we work with, including participants, parents, carers, staff, volunteers, trustees, partners and funders. We collect and use personal information lawfully, fairly and transparently, in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Definitions
- Personal data: any information that can identify a living person, such as their name, address, date of birth or photograph.
- Special category data: more sensitive information including health, race, ethnicity, religion, sexual orientation and biometric data.
- Processing: anything done with personal data, including collecting, storing, sharing and deleting.
- Data subject: the person whose data is being processed.
- Data controller: the organisation that decides how and why data is processed. We are the data controller for the information we hold.
3. Data Protection Principles
We follow the six principles of UK GDPR. Personal data will be:
- Processed lawfully, fairly and transparently
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is needed
- Accurate and, where necessary, kept up to date
- Kept no longer than necessary
- Processed securely, protecting against unauthorised access, loss or damage
4. Information We Collect
Depending on the service, we may collect:
- Names, addresses, dates of birth and contact details
- Emergency contact details and next-of-kin information
- Medical information, dietary needs and access requirements
- Safeguarding information
- Equality monitoring information (collected voluntarily)
- Attendance and progress records
- Photographs and video, where consent has been given
- Bank and payment details for staff and contractors
5. Lawful Bases for Processing
We rely on the following lawful bases under UK GDPR:
- Consent: for activities such as marketing, photographs and optional services.
- Contract: where we have a contract or service agreement with a person or organisation.
- Legal obligation: for example, safeguarding reporting and tax records.
- Vital interests: where someone's life is at risk.
- Legitimate interests: such as running our services, communicating with participants and managing our organisation, provided these interests are not overridden by the rights and interests of the individual.
For special category data, we also rely on additional bases such as explicit consent, safeguarding of children and adults at risk, and the substantial public interest.
6. How We Use Personal Data
We use personal data to:
- Deliver and improve our services
- Keep participants safe
- Communicate about sessions, events and updates
- Monitor and report on our impact to funders and partners
- Manage staff, volunteers and trustees
- Meet legal and regulatory obligations
7. Sharing Information
We will only share personal data where:
- The person has given clear consent
- There is a safeguarding concern and a duty to share
- We are required to share by law or regulation
- It is necessary to deliver a service the person has signed up to (for example, a school referral)
We may share data with partners such as schools, local authorities, housing providers, the NHS, the police and funders, where this is appropriate, lawful and proportionate. We will not sell personal data to any third party.
8. Storing and Securing Data
Personal data is held securely, whether on paper or in electronic form. Our security measures include:
- Password protection on all devices and systems
- Encryption where appropriate
- Locked storage for paper records
- Restricted access on a need-to-know basis
- Anti-virus software, firewalls and regular updates
- Secure disposal of records that are no longer needed
9. Retention
We keep personal data only for as long as needed. Typical retention periods include:
- Participant records: up to 7 years after the last contact, longer where required for safeguarding or legal reasons
- Safeguarding records: usually retained until the person reaches the age of 25, in line with guidance, then reviewed
- Staff and volunteer records: up to 7 years after the end of their involvement
- Financial records: at least 6 years
- Photographs and marketing materials: for as long as consent is in place, and reviewed regularly
10. Rights of Individuals
Under UK GDPR, people have the following rights:
- The right to be informed about how their data is used
- The right of access to a copy of their data
- The right to rectify inaccurate data
- The right to erasure (the 'right to be forgotten') in certain circumstances
- The right to restrict processing
- The right to data portability
- The right to object to processing
- Rights relating to automated decision-making and profiling
Requests can be made in writing to the Founder. We will respond within one month and will not charge a fee in most cases.
11. Consent
Where we rely on consent, we will:
- Make it clear what the person is agreeing to
- Ask for consent in plain language
- Record consent and the date it was given
- Make it as easy to withdraw consent as it was to give it
For children under 13, we will seek consent from a parent or carer.
12. Photography, Video and Social Media
We will only take and share photographs or video of participants where:
- Clear, specific consent has been given
- The use is appropriate and respectful
- Participants know how images will be used and for how long
People can withdraw consent at any time. We will not name children in social media posts and will not share information that could identify a vulnerable adult.
13. Data Breaches
A data breach is any incident that leads to personal data being lost, stolen, accessed or shared without permission. All suspected breaches must be reported immediately to the Founder.
We will:
- Investigate without delay
- Take action to contain the breach and reduce harm
- Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, where it is likely to result in a risk to people's rights and freedoms
- Notify affected individuals where required
- Record all breaches, including those not reported to the ICO
14. Training
All staff, volunteers and trustees receive data protection training as part of induction, with refresher training at least every two years. Additional training is provided for anyone with specific data handling responsibilities.
15. Contact
Questions or concerns about how we handle personal data can be raised with the Founder. People also have the right to complain to the Information Commissioner's Office at ico.org.uk or on 0303 123 1113.
Policy Review
This policy was adopted on 14 February 2026 and will be reviewed annually, with the next scheduled review in February 2027. It will also be reviewed earlier if there are significant changes in legislation, guidance, or our activities.
All staff, volunteers and trustees will be made aware of any updates and asked to confirm they have read and understood the revised version.
Signed on behalf of the Board
Name: Martin O'Connor
Role: Founder and Director
Date: 14 February 2026
