Data Policy
1. Introduction and Purpose
1.2 Scope
This policy applies to:
All trustees, employees, volunteers, and contractors of Raedan Institute
All personal data processed by or on behalf of Raedan Institute
All locations, systems, and processes where personal data is held or processed
1.3 Purpose
This policy aims to:
Ensure compliance with UK data protection law
Protect the rights of individuals whose data we process
Establish clear responsibilities and procedures
Minimise risks of data breaches and non-compliance
Promote a culture of data protection awareness
Provide guidance for staff and volunteers
1.4 Related Policies
This policy should be read alongside:
Privacy Policy (external-facing)
Cookie Policy
Information Security Policy
Safeguarding Policy
Confidentiality Policy
Records Management and Retention Policy
Data Breach Response Plan
Subject Access Request Procedure
Acceptable Use Policy (IT)
CCTV Policy
2. Legal Framework
2.1 Applicable Legislation
Raedan Institute complies with:
Primary Legislation:
UK General Data Protection Regulation (UK GDPR) 2021
Data Protection Act 2018 (DPA 2018)
Privacy and Electronic Communications Regulations (PECR) 2003 (as amended)
Sector-Specific Legislation:
Children Act 1989 and 2004
Care Act 2014
Education Act 1996
Equality Act 2010
Freedom of Information Act 2000
Charities Act 2011
Safeguarding Vulnerable Groups Act 2006
Statutory Guidance:
Working Together to Safeguard Children (2023)
Keeping Children Safe in Education (2023)
Information Sharing: Advice for Practitioners (2018)
Guide to the UK GDPR (ICO)
2.2 Regulatory Oversight
We are regulated by:
Information Commissioner’s Office (ICO) – data protection supervisory authority
Charity Commission – charity governance and accountability
Local Safeguarding Partnerships – safeguarding compliance
NACCC – Contact Centre accreditation and standards
JCQ/Examination Boards – examination centre requirements
2.3 Registration
Raedan Institute is registered with the ICO as a data controller.
Registration Number: 00019565851
Renewal Date: 04/03/2025
We maintain accurate ICO registration covering all our processing activities and update it promptly when changes occur.
3. Data Protection Principles
We process all personal data in accordance with the seven principles of UK GDPR.
3.1 Lawfulness, Fairness, and Transparency
Lawfulness: We process personal data only where we have a valid legal basis.
Fairness: We process data in ways people would reasonably expect.
Transparency: We are clear, open, and honest about how we use personal data.
3.2 Purpose Limitation
We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.
3.3 Data Minimisation
We collect and process only the personal data that is adequate, relevant, and limited to what is necessary.
3.4 Accuracy
We take reasonable steps to ensure personal data is accurate and kept up to date.
3.5 Storage Limitation
We retain personal data only for as long as necessary in accordance with our Retention Schedule.
3.6 Integrity and Confidentiality (Security)
We process personal data securely using appropriate technical and organisational measures.
3.7 Accountability
We are responsible for demonstrating compliance through documented policies, procedures, training, and audits.
4. Roles and Responsibilities
4.1 Board of Trustees
Overall accountability for data protection compliance.
4.2 Chief Executive Officer / Senior Management
Operational responsibility for data protection implementation.
4.3 Data Protection Officer (DPO)
Contact: [email protected]
Expert advisory role providing guidance and oversight.
4.4 Service Managers / Department Leads
Day-to-day compliance within their areas.
4.5 All Staff, Volunteers, and Contractors
Individual responsibility for protecting personal data.
4.6 Data Processors (Third Parties)
Contractual obligations to process data only on our instructions.
5. Legal Bases for Processing
We process personal data only where we have a lawful basis under Article 6 UK GDPR.
5.1 Consent (Article 6(1)(a))
The individual has given clear, informed, and freely given consent for specific purposes.
5.2 Contract (Article 6(1)(b))
Processing necessary to perform a contract with the individual.
5.3 Legal Obligation (Article 6(1)(c))
Processing necessary to comply with legal obligations.
5.4 Vital Interests (Article 6(1)(d))
Processing necessary to protect life or critical wellbeing.
5.5 Public Task (Article 6(1)(e))
Processing necessary for tasks in the public interest.
5.6 Legitimate Interests (Article 6(1)(f))
Processing necessary for legitimate interests, unless these are overridden by the individual's rights.
5.7 Special Category Data
Special category data requires additional Article 9 conditions.
5.8 Criminal Offence Data
Criminal offence data requires official authority or safeguards.
6. Individual Rights
We respect and facilitate the rights of individuals under UK GDPR.
7. Data Security
We implement appropriate technical and organisational measures to protect data.
8. Data Sharing and Transfers
We share personal data only when lawful, necessary, and secure.
9. Data Protection Impact Assessments (DPIAs)
DPIAs identify and minimise data protection risks.
10. Records of Processing Activities (RoPA)
We maintain records of processing activities under Article 30 UK GDPR.
11. Data Breaches
A data breach is any security incident involving personal data.
12. Training and Awareness
All staff and volunteers receive mandatory data protection training.
13. Monitoring and Auditing
We monitor compliance through audits, reviews, and reporting.
14. Accountability and Governance
We demonstrate compliance through documentation, processes, and culture.
15. Non-Compliance and Enforcement
Non-compliance may result in regulatory, organisational, and disciplinary action.
16. Policy Review and Updates
This policy is reviewed regularly and updated as required.
17. Related Documents
This policy links to internal and external governance documents.
18. Definitions and Glossary
Definitions of key data protection terms used in this policy.
19. Contact and Further Information
Contact details for internal and external data protection support.
Policy Statement
Raedan Institute is committed to protecting the privacy and security of personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
This policy sets out our approach to data protection and the legal requirements we must meet. It applies to all personal data we process regardless of format (electronic or paper-based) or location.
20. Policy Approval
This Data Protection and GDPR Policy has been approved by the Board of Trustees of Raedan Institute.