DATA PROTECTION AND GDPR POLICY – Raedan Institute

1. Introduction and Purpose

1.1 Policy Statement

Raedan Institute is committed to protecting the privacy and security of personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

This policy sets out our approach to data protection and the legal requirements we must meet. It applies to all personal data we process regardless of format (electronic or paper-based) or location.

1.2 Scope

This policy applies to:

All trustees, employees, volunteers, and contractors of Raedan Institute

All personal data processed by or on behalf of Raedan Institute

All locations, systems, and processes where personal data is held or processed

1.3 Purpose

This policy aims to:

Ensure compliance with UK data protection law

Protect the rights of individuals whose data we process

Establish clear responsibilities and procedures

Minimise risks of data breaches and non-compliance

Promote a culture of data protection awareness

Provide guidance for staff and volunteers

1.4 Related Policies

This policy should be read alongside:

Cookie Policy

Information Security Policy

Safeguarding Policy

Confidentiality Policy

Records Management and Retention Policy

Data Breach Response Plan

Subject Access Request Procedure

Acceptable Use Policy (IT)

CCTV Policy

2. Legal Framework

2.1 Applicable Legislation

Raedan Institute complies with:

Primary Legislation:

UK General Data Protection Regulation (UK GDPR) 2021

Data Protection Act 2018 (DPA 2018)

Privacy and Electronic Communications Regulations (PECR) 2003 (as amended)

Sector-Specific Legislation:

Children Act 1989 and 2004

Care Act 2014

Education Act 1996

Equality Act 2010

Freedom of Information Act 2000

Charities Act 2011

Safeguarding Vulnerable Groups Act 2006

Statutory Guidance:

Working Together to Safeguard Children (2023)

Keeping Children Safe in Education (2023)

Information Sharing: Advice for Practitioners (2018)

Guide to the UK GDPR (ICO)

2.2 Regulatory Oversight

We are regulated by:

Information Commissioner’s Office (ICO) – data protection supervisory authority

Charity Commission – charity governance and accountability

Local Safeguarding Partnerships – safeguarding compliance

NACCC – Contact Centre accreditation and standards

JCQ/Examination Boards – examination centre requirements

2.3 Registration

Raedan Institute is registered with the ICO as a data controller.

Registration Number: 00019565851
Renewal Date: 04/03/2025

We maintain accurate ICO registration covering all our processing activities and update it promptly when changes occur.

3. Data Protection Principles

We process all personal data in accordance with the seven principles of UK GDPR:

3.1 Lawfulness, Fairness, and Transparency

Lawfulness: We process personal data only where we have a valid legal basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests).

Fairness: We process data in ways people would reasonably expect and not in ways that have unjustified adverse effects.

Transparency: We are clear, open, and honest about how we use personal data. Our Privacy Policy explains our processing in accessible language.

Staff Responsibilities:

Identify and document the legal basis before processing

Provide privacy information at point of collection

Ensure processing aligns with reasonable expectations

Never process data in deceptive or misleading ways

3.2 Purpose Limitation

We collect personal data for specified, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes.

Staff Responsibilities:

Clearly define purposes before collecting data

Collect only data necessary for specified purposes

Do not use data for unrelated new purposes without consent or legal basis

Review purposes regularly and delete data when purposes are fulfilled

Compatible Processing: Further processing for archiving, research, or statistical purposes may be compatible if appropriate safeguards exist.

3.3 Data Minimization

We collect and process only the personal data that is adequate, relevant, and limited to what is necessary for our purposes.

Staff Responsibilities:

Review what data is truly necessary before collection

Avoid collecting “nice to have” data

Regularly review data held and delete unnecessary information

Design forms and systems to request minimum necessary data

Question requests for excessive data

Practical Examples:

✓ Collect date of birth for age verification

✗ Collect full date of birth when only age range needed

✓ Collect emergency contact details

✗ Collect emergency contact’s employment details

3.4 Accuracy

We take reasonable steps to ensure personal data is accurate, kept up to date, and rectified or deleted without delay when inaccurate.

Staff Responsibilities:

Verify accuracy at point of collection

Encourage individuals to check and update their information

Implement processes for regular data review and updates

Promptly correct inaccuracies when notified

Delete or mark as inaccurate data that cannot be verified

Data Quality Checks:

Annual review of active service user records

Verification at key points (enrolment, re-registration, annual reviews)

Data cleansing exercises removing duplicates and outdated records

3.5 Storage Limitation

We retain personal data only for as long as necessary for the purposes for which it was collected, in accordance with our Retention Schedule.

Staff Responsibilities:

Understand retention periods for different data types

Review data regularly against retention schedules

Delete or anonymize data when retention period expires

Document reasons for retaining data beyond standard periods

Securely destroy data at end of retention

Our Retention Schedule (summary – see full schedule in Records Management Policy):

Educational records: Until age 25 or 6 years after service (whichever longer)

Safeguarding records: Until age 25 minimum, potentially longer

Financial records: 7 years

Employment records: 6 years after employment ends

CCTV: 30 days unless required for investigations

3.6 Integrity and Confidentiality (Security)

We process personal data securely using appropriate technical and organizational measures to protect against unauthorized or unlawful processing, accidental loss, destruction, or damage.

Staff Responsibilities:

Follow all information security policies and procedures

Use strong passwords and never share credentials

Lock screens when away from desk

Store paper records in locked cabinets

Only access data necessary for your role

Report security incidents immediately

Complete annual data protection training

Security Measures (see section 7 for details):

Access controls and user permissions

Encryption of sensitive data

Secure disposal of confidential waste

Regular backups and disaster recovery

Physical security of premises and records

3.7 Accountability

We are responsible for demonstrating compliance with data protection principles through documented policies, procedures, training, and audits.

Staff Responsibilities:

Follow this policy and related procedures

Complete mandatory data protection training

Maintain accurate records of processing activities

Report non-compliance or concerns

Cooperate with audits and reviews

Accountability Measures:

Data Protection Officer appointed

Data Protection Impact Assessments (DPIAs) for high-risk processing

Records of Processing Activities maintained

Regular audits and compliance reviews

Board oversight and governance

4. Roles and Responsibilities

4.1 Board of Trustees

Overall accountability for data protection compliance.

Responsibilities:

Approve data protection policies

Ensure adequate resources for compliance

Receive regular compliance reports from DPO

Review data protection risks in risk register

Ensure data protection is embedded in governance

Champion data protection culture

Demonstrate accountability to regulators and stakeholders

4.2 Chief Executive Officer / Senior Management

Operational responsibility for data protection implementation.

Responsibilities:

Implement policies and procedures

Allocate resources and assign responsibilities

Support the Data Protection Officer

Ensure staff training and awareness

Address non-compliance promptly

Report breaches and issues to trustees

Embed data protection in organizational culture

Lead by example

4.3 Data Protection Officer (DPO)

Contact: [email protected]

Expert advisory role providing guidance and oversight.

Responsibilities:

Advise on data protection obligations and compliance

Monitor compliance with UK GDPR and this policy

Provide training and awareness programs

Conduct Data Protection Impact Assessments (DPIAs)

Maintain Records of Processing Activities (RoPA)

Act as contact point for ICO and data subjects

Advise on data breaches and oversee response

Conduct audits and compliance reviews

Update policies to reflect legal changes

Report to board on compliance status

Independence: The DPO operates independently and reports directly to the highest management level. They must not be dismissed or penalized for performing DPO duties.

4.4 Service Managers / Department Leads

Day-to-day compliance within their areas.

Responsibilities:

Implement data protection policies in their service/department

Ensure staff understand and follow procedures

Identify data protection training needs

Conduct DPIAs for new projects or changes

Maintain accurate records of processing

Report incidents and near-misses to DPO

Review data quality and retention regularly

Address subject access requests promptly

Promote data protection culture in their teams

4.5 All Staff, Volunteers, and Contractors

Individual responsibility for protecting personal data.

Responsibilities:

Comply with data protection policies and procedures

Complete mandatory training

Process personal data only when authorized

Follow security procedures (passwords, clear desk, etc.)

Access only data necessary for your role

Respect confidentiality

Report data breaches, incidents, or concerns immediately

Cooperate with audits and investigations

Ask for guidance when uncertain

Key Message: Data protection is everyone’s responsibility. If you handle personal data, you must understand and follow this policy.

4.6 Data Processors (Third Parties)

Contractual obligations to process data only on our instructions.

Requirements:

Process data only according to written instructions

Implement appropriate security measures

Maintain confidentiality

Assist with subject access requests and other rights

Notify us of data breaches without undue delay

Delete or return data when contract ends

Demonstrate compliance with UK GDPR

We maintain a register of data processors and review contracts regularly.

5. Legal Bases for Processing

We process personal data only where we have a lawful basis under Article 6 UK GDPR. We identify and document the legal basis before processing begins.

5.1 Consent (Article 6(1)(a))

Definition: The individual has given clear, informed, and freely given consent for specific purposes.

When we use it:

Marketing communications (newsletters, fundraising appeals)

Photographs and videos for promotional purposes

Optional surveys and feedback

Sharing case studies with funders (identifiable information)

Non-essential cookies (analytics, functionality)

Requirements for valid consent:

Freely given: No coercion, pressure, or negative consequences for refusing

Specific: Separate consent for different purposes

Informed: Clear explanation of what they’re consenting to

Unambiguous: Positive opt-in (not pre-ticked boxes)

Provable: We must be able to demonstrate consent was given

Obtaining consent:

Use clear, plain language

Separate consent from other terms and conditions

Allow granular choices (e.g., email vs. post)

Make it as easy to withdraw as to give

Keep records of when, how, and what consent was given

Withdrawing consent:

Individuals can withdraw consent any time

Withdrawal doesn’t affect past processing

We must honour withdrawal promptly

If consent is our only legal basis, we must stop processing

Children’s consent:

Under 13: Parental consent required (except safeguarding/counselling)

13-17: May consent themselves if mature enough to understand

Staff responsibilities:

Document consent clearly

Review consent regularly (refresh if stale)

Make withdrawal options clear

Don’t assume old consent covers new purposes

5.2 Contract (Article 6(1)(b))

Definition: Processing is necessary to perform a contract with the individual or to take steps at their request before entering a contract.

When we use it:

Enrolling individuals in educational services

Delivering tuition, counselling, Contact Centre, or other contracted services

Processing payments and managing accounts

Communicating about services (schedules, cancellations)

Examination entries and administration

Requirements:

Must be genuinely necessary for the contract

Cannot be used as excuse to collect unnecessary data

Doesn’t apply to third-party beneficiaries (e.g., children don’t have contracts – parents do)

Staff responsibilities:

Collect only data genuinely needed for service delivery

Explain why data is necessary for the contract

Don’t rely on contract for non-essential processing

5.3 Legal Obligation (Article 6(1)(c))

Definition: Processing is necessary to comply with legal obligations.

When we use it:

Statutory safeguarding duties (reporting concerns to social services, police)

Financial record-keeping (7 years for HMRC)

Health and safety compliance

Charity Commission reporting

Examination board requirements (JCQ regulations)

Court orders and legal proceedings

DBS checking for regulated activities

Responding to ICO or other regulatory investigations

Requirements:

Legal obligation must be clear and specific

We must be the entity with the legal duty

Staff responsibilities:

Understand legal obligations affecting your role

Process data as required by law even without consent

Document the legal obligation

5.4 Vital Interests (Article 6(1)(d))

Definition: Processing is necessary to protect someone’s life or critical wellbeing.

When we use it:

Medical emergencies (sharing health information with paramedics)

Immediate safeguarding threats (child at imminent risk)

Life-threatening situations

Requirements:

Only when truly necessary to protect life

Cannot rely on vital interests if another legal basis applies

Primarily for emergencies where consent cannot be obtained

Staff responsibilities:

Use only in genuine emergencies

Document circumstances clearly

Inform individuals afterward when possible

5.5 Public Task (Article 6(1)(e))

Definition: Processing is necessary for tasks in the public interest or exercising official authority.

When we use it:

Safeguarding functions (statutory duty to safeguard)

Providing education meeting statutory requirements

Working in partnership with local authorities

Contact Centre services (facilitating child contact as public benefit)

Requirements:

Must have a basis in UK law or statutory guidance

Must be in public interest

Common for charities delivering public services

Staff responsibilities:

Understand statutory functions and guidance

Document public task basis clearly

Don’t assume all charitable activities qualify

5.6 Legitimate Interests (Article 6(1)(f))

Definition: Processing is necessary for our legitimate interests or those of a third party, unless overridden by the individual’s rights and freedoms.

When we use it:

Fraud prevention and security

Network and information security

CCTV for security and safeguarding

Internal administration and record-keeping

Improving services through feedback analysis

Fundraising for charitable purposes (with opt-out)

Direct marketing to existing service users (soft opt-in with opt-out)

Asserting or defending legal claims

Three-part test (Legitimate Interests Assessment – LIA):

Purpose test: Is there a legitimate interest?

Necessity test: Is processing necessary for that interest?

Balancing test: Do individual’s rights override the interest?

We document LIAs for all processing relying on legitimate interests.

Requirements:

Cannot use for processing children’s data for marketing/profiling

Must conduct balancing test fairly

Individuals have absolute right to object (we must stop unless compelling grounds)

Staff responsibilities:

Don’t assume processing is in legitimate interests

Consult DPO before relying on legitimate interests

Complete LIA before processing

Respect objections promptly

5.7 Special Category Data – Additional Conditions

For special category data (health, ethnicity, religion, etc.), we need both an Article 6 legal basis AND an Article 9 condition:

Article 9 conditions we use:

(a) Explicit consent: For counselling disclosures, photographs showing ethnicity/religion, optional equal opportunities monitoring

(b) Employment, social security, social protection: For employee health data, benefits assessments

(g) Substantial public interest: For safeguarding, preventing fraud

(h) Health or social care: For counselling, health assessments, medical needs

(i) Public health: For pandemic response, health emergencies

(j) Archiving, research, statistics: For anonymized research (with safeguards)

Staff responsibilities:

Treat special category data with extra care

Identify both Article 6 basis and Article 9 condition

Minimize processing of special category data

Apply enhanced security measures

5.8 Criminal Offence Data

Processing data about criminal convictions/offences requires both Article 6 legal basis and official authority or appropriate Article 10 safeguards.

When we process criminal data:

DBS checks for staff/volunteers (official authority)

Safeguarding records (substantial public interest)

Risk assessments for Contact Centre (safeguarding)

Staff responsibilities:

Very limited processing (only where legally authorized)

Strict access controls

Enhanced security and confidentiality

6. Individual Rights

We respect and facilitate the rights of individuals under UK GDPR. All staff must understand these rights and how to respond to requests.

6.1 Right to be Informed

What it means: Individuals have the right to know how their data is used.

How we comply:

Provide Privacy Policy on website and at premises

Give privacy information at point of collection (registration forms, consent forms)

Use clear, plain language appropriate for audience

Explain purposes, legal bases, retention, rights, and recipients

Provide information without delay (at collection for direct collection, within one month for indirect collection)

Staff responsibilities:

Provide privacy information when collecting data

Point individuals to full Privacy Policy

Explain processing in accessible language

Answer questions about data use

6.2 Right of Access (Subject Access Request – SAR)

What it means: Individuals can request copies of their personal data and supplementary information.

How we comply:

Respond within one month (extendable by two months for complex requests)

Verify identity before disclosing data

Provide free copies (charge only for unfounded/excessive requests)

Give data in accessible, structured format

Include supplementary information (purposes, legal bases, retention, recipients, rights)

Staff responsibilities:

Recognize SARs (any request for personal data, regardless of wording)

Forward SARs to DPO immediately

Assist in locating and compiling data

Never alter or delete data in response to SAR

Respond promptly to DPO requests for information

SAR Procedure:

Receive request and forward to DPO

DPO verifies identity and clarifies scope

DPO coordinates search across all systems/locations

Relevant staff compile data from their areas

DPO reviews and redacts third-party data if necessary

DPO prepares response with supplementary information

Response sent within one month

Exemptions:

Legal professional privilege

Management forecasts

Negotiations with data subject

Third-party confidentiality (redact third-party data unless consent given or reasonable to disclose)

Manifestly unfounded or excessive requests

Safeguarding considerations:

May withhold data if disclosure would cause serious harm to child/individual

Balance parental rights with child’s rights and maturity

Seek legal advice for complex safeguarding SARs

6.3 Right to Rectification

What it means: Individuals can request correction of inaccurate or incomplete data.

How we comply:

Correct inaccurate data without undue delay

Complete incomplete data (including supplementary statements)

Notify third parties we’ve shared data with (unless impossible or disproportionate)

Respond within one month

Staff responsibilities:

Accept rectification requests from any channel

Verify facts before making corrections

Update all systems/locations where data appears

Document corrections and reasons

Notify DPO of significant rectifications

Limitations:

We may challenge rectification if we believe data is accurate

Some data cannot be changed (e.g., historical examination results – controlled by exam boards)

May add supplementary statement if facts are disputed

6.4 Right to Erasure (‘Right to be Forgotten’)

What it means: In certain circumstances, individuals can request deletion of their data.

When it applies:

Data no longer necessary for purposes collected

Consent withdrawn (where consent was legal basis)

Objection upheld (no overriding legitimate grounds)

Data processed unlawfully

Legal obligation requires erasure

Data collected from child for online services

When it doesn’t apply (we can refuse):

Legal obligation to retain (e.g., financial records, safeguarding)

Necessary for legal claims

Public interest (archiving, research, statistics)

Exercising/defending legal rights

Public health purposes

Staff responsibilities:

Forward erasure requests to DPO

Don’t delete data without DPO authorization

When authorized, delete from all systems/backups

Document erasure and reasons

Notify third parties if we’ve shared data

Retention overrides erasure: Most of our data is subject to statutory retention periods that override erasure rights (safeguarding, education, financial). We explain this clearly when declining erasure requests.

6.5 Right to Restrict Processing

What it means: In certain circumstances, individuals can request we stop using their data (but still store it).

When it applies:

Accuracy is contested (while we verify)

Processing is unlawful but individual prefers restriction to erasure

We no longer need data but individual needs it for legal claims

Objection raised (pending verification of our legitimate grounds)

What restriction means:

We store the data but don’t process it

We can process with consent, for legal claims, to protect others, or for public interest

We lift restriction when circumstances resolve

Staff responsibilities:

Forward restriction requests to DPO

Mark restricted data clearly in systems

Don’t process restricted data (except as permitted)

Notify individual before lifting restriction

6.6 Right to Data Portability

What it means: Individuals can receive their data in structured, machine-readable format and transmit to another controller.

When it applies:

Processing is based on consent or contract

Processing is automated

When it doesn’t apply:

Paper records or manual processing

Processing based on legal obligation or public task

Third-party data mixed with individual’s data

Staff responsibilities:

Forward portability requests to DPO

Provide data in common format (CSV, JSON, XML)

Include only data subject’s own data (not third-party data)

Transmit directly to new controller if technically feasible

Our approach:

Provide in CSV or PDF format

Include data subject provided and data generated about them

Exclude derived or inferred data

Exclude opinion or professional judgments

6.7 Right to Object

What it means: Individuals can object to processing, and we must stop unless we have compelling legitimate grounds.

Direct marketing: Absolute right to object – we must stop immediately with no exceptions.

Legitimate interests/public task: We must stop unless we demonstrate compelling legitimate grounds overriding individual’s interests, or processing is for legal claims.

Staff responsibilities:

Honor marketing objections immediately (no delay, no questions)

Forward other objections to DPO for assessment

Don’t process while objection is assessed

Respect upheld objections promptly

Our approach:

Make objecting easy (unsubscribe links, simple processes)

Maintain “do not contact” suppression lists

Document objections and our response

Balance rights fairly for non-marketing objections

6.8 Rights Related to Automated Decision-Making

What it means: Individuals have rights not to be subject to solely automated decisions with legal/significant effects.

Our practices:

We do NOT currently use automated decision-making or profiling with legal/significant effects

If we introduce such processing, we will:

Update Privacy Policy

Obtain consent or establish another lawful basis

Provide rights to human intervention, contest decision, and obtain explanation

Conduct DPIA

Staff responsibilities:

Don’t implement automated decision-making without DPO approval

Report any algorithmic or AI-based tools to DPO

6.9 Facilitating Rights – General Procedures

Receiving requests:

Accept requests by any channel (email, phone, letter, in person)

Don’t require specific forms or formats

Recognize requests regardless of wording (“Can I have my data?”, “Delete my information”)

Identity verification:

Verify identity to prevent unauthorized disclosure

Request ID documents if first request or identity unclear

Balance security with accessibility

Timescales:

One month from receipt (extendable to three months for complex/multiple requests)

Inform individual if extension needed, with reasons

Count from receipt of identity verification if required

Fees:

Usually free

May charge reasonable fee for manifestly unfounded/excessive requests

May charge for additional copies beyond first SAR

Refusals:

Explain reasons clearly

Inform of right to complain to ICO

Inform of right to judicial remedy

Document decision

Third-party data:

Redact third-party personal data (names, contact details) unless:

Third party consents

Reasonable to disclose without consent

7. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.

7.1 Security Principles

Confidentiality: Only authorized individuals can access personal data.

Integrity: Personal data is accurate, complete, and protected from unauthorized modification.

Availability: Authorized users can access data when needed (subject to backup and disaster recovery).

Resilience: Systems can withstand and recover from security incidents.

7.2 Risk-Based Approach

Security measures are proportionate to:

Sensitivity of data (special category data gets enhanced protection)

Volume of data

Context of processing

Potential impact of breach

State of the art and cost of implementation

7.3 Technical Measures

Access Controls:

Unique user accounts (no shared logins)

Strong password requirements (minimum 12 characters, mix of types)

Multi-factor authentication for remote access and sensitive systems

Role-based access (principle of least privilege)

Regular review and removal of unused accounts

Automatic logout after inactivity

Audit logs of access and changes

Network Security:

Firewalls protecting network perimeter

Anti-virus and anti-malware on all devices

Regular security updates and patches

Intrusion detection/prevention systems

Secure Wi-Fi with WPA2/WPA3 encryption

Network segmentation where appropriate

Secure remote access (VPN)

Data Protection:

Encryption of data in transit (SSL/TLS for websites, encrypted email for sensitive data)

Encryption of data at rest (full disk encryption on laptops, encrypted cloud storage)

Encryption of backup media

Pseudonymization/anonymization where possible

System Security:

Regular security updates and patching

Endpoint protection on all devices

Application whitelisting where feasible

Secure configuration baselines

Security testing (vulnerability scans, penetration tests)

Data Backup and Recovery:

Regular automated backups (daily for critical systems)

Backups stored securely offsite or in cloud

Encrypted backup media

Regular restore testing

Business continuity and disaster recovery plans

Email and Communications:

Spam and phishing filters

Email encryption for sensitive data

Clear email security guidance for staff

Caution with attachments and links

Verification procedures for payment requests

Mobile Devices and Remote Working:

Mobile Device Management (MDM) for organizational devices

Encryption of mobile devices

Remote wipe capability for lost/stolen devices

Secure remote access to systems

Clear remote working policies

VPN for accessing organizational data remotely

7.4 Organizational Measures

Policies and Procedures:

This Data Protection Policy

Information Security Policy

Acceptable Use Policy (IT)

Clear Desk Policy

Password Policy

Data Breach Response Plan

Incident Management Procedures

Staff Training and Awareness:

Mandatory data protection training for all new staff/volunteers

Annual refresher training

Specific training for roles handling sensitive data

Regular security awareness communications

Phishing simulation exercises

Clear escalation procedures for concerns

Physical Security:

Locked offices and storage areas

Access control to buildings (key/fob systems)

Visitor sign-in and escort procedures

CCTV monitoring

Locked filing cabinets for paper records

Secure destruction of confidential waste (cross-cut shredding)

Clear desk policy (no sensitive data left visible)

Screen privacy filters where appropriate

Third-Party Management:

Due diligence on processors before engagement

Data Processing Agreements with clear security obligations

Regular review of processor security practices

Contractual right to audit processors

Notification requirements for sub-processors

Incident notification clauses

Change Management:

Security implications assessed for all changes

Testing before deployment

Change approval processes

Rollback capabilities

Monitoring and Auditing:

Regular access log reviews

Monitoring for unusual activity

Periodic security audits

Penetration testing (as budget allows)

Compliance reviews

7.5 Specific Security Measures by Data Type

Special Category Data (health, ethnicity, religion, etc.):

Enhanced access restrictions

Encryption mandatory

Separate storage where feasible

Additional training for handlers

Regular audits of access

Safeguarding Information:

Highly restricted access (need-to-know basis)

Encrypted storage

Separate filing systems

Transmission only via secure methods

Strict confidentiality

Enhanced audit trails

Financial Data:

PCI-DSS compliance for card data (we minimize card data processing)

Encrypted storage and transmission

Limited retention

Segregation of duties

Children’s Data:

Enhanced protections reflecting higher risks

Strict access controls

Parental engagement

Age-appropriate transparency

7.6 Staff Responsibilities

All staff must:

Use strong, unique passwords (don’t reuse passwords)

Never share passwords or login credentials

Lock screens when away from desk (Windows+L or Ctrl+Alt+Del)

Log out at end of day

Report lost/stolen devices immediately

Don’t write down passwords

Be cautious with emails (verify senders, don’t click suspicious links)

Only access data necessary for your role

Don’t use personal devices for work data (unless authorized and protected)

Report security concerns or incidents immediately

Clear Desk Policy:

No personal data left visible when desk unattended

Lock away paper files at end of day

Don’t leave printouts at printers

Secure laptops/tablets when not in use

Shred confidential waste (cross-cut shredder)

Confidential Waste:

Shred any document containing personal data

Don’t put personal data in general waste

Use locked confidential waste bins

Contracted secure shredding service for bulk destruction

7.7 Bring Your Own Device (BYOD)

Use of personal devices for work is discouraged. If essential:

Must be authorized by line manager and DPO

Device must meet security requirements (password, encryption, anti-virus)

Access limited to specific approved systems

Remote wipe must be enabled

Personal and work data must be separated

Device may be checked for compliance

All organizational data must be deleted when employment ends

7.8 Encryption

When encryption is required:

Laptops and mobile devices (full disk encryption)

Removable media (USB drives, external hard drives)

Email containing special category or sensitive data

Cloud storage

Backups

Approved encryption:

BitLocker (Windows)

FileVault (Mac)

TLS 1.2 or higher for data in transit

AES-256 for data at rest

7.9 Password Management

Password requirements:

Minimum 12 characters

Mix of uppercase, lowercase, numbers, symbols

No dictionary words, names, or common patterns

Unique (don’t reuse across systems)

Changed if compromised

Password managers:

Approved password managers may be used

Master password must be very strong

Enable two-factor authentication

Multi-factor authentication (MFA):

Required for remote access

Required for access to sensitive systems

Encouraged for all accounts supporting MFA

7.10 Data Loss Prevention

Preventing data loss:

Regular backups

Version control

“Save early, save often” culture

Cloud sync for critical documents

Testing backups regularly

Preventing data theft/leakage:

USB port restrictions (where feasible)

Email attachment size limits and scanning

Data Loss Prevention (DLP) tools (as budget allows)

Monitoring for unusual data transfers

Confidentiality agreements

8. Data Sharing and Transfers

8.1 General Principles

We share personal data only when:

Necessary and proportionate

We have legal basis and lawful grounds

Appropriate safeguards are in place

Recipients are informed of confidentiality and security obligations

Sharing is documented

Staff responsibilities:

Never share data without authorization

Verify recipient identity and authority

Use secure transmission methods

Document sharing (what, why, who, when)

Minimize data shared (only what’s necessary)

8.2 Statutory Sharing (Safeguarding)

Legal basis: Legal obligation, vital interests, public task

Recipients: Social services, police, LADO, Cafcass, courts

When: Safeguarding concerns, child protection, risk of serious harm

Process:

Identify concern requiring sharing

Consult Designated Safeguarding Lead (DSL)

Document decision to share (reasons, what, who)

Share necessary information securely

Record sharing and recipient’s response

Follow up as required

Key principle: Safeguarding overrides confidentiality and data protection when necessary to protect children or vulnerable adults.

8.3 Professional Sharing (With Consent or Legal Basis)

Recipients: Schools, GPs, therapists, social workers, examination boards

When: Coordinating care, educational transitions, health referrals, examination administration

Process:

Obtain consent (unless legal basis exists without consent)

Explain what will be shared and why

Share minimum necessary information

Use secure methods (encrypted email, secure portal, hand delivery)

Verify recipient identity

Document sharing

8.4 Organisational Sharing (Data Processors)

Recipients: IT providers, cloud services, payment processors, email services, shredding companies

Requirements:

Written Data Processing Agreement before sharing

Processor must process only on our instructions

Adequate security measures required

Confidentiality obligations

Assistance with rights requests

Breach notification obligations

Deletion/return of data at contract end

DPO maintains register of processors

8.5 Research and Fundraising Sharing

Recipients: Grant-making trusts, researchers (academic or internal)

Requirements:

Anonymization/pseudonymization where possible

Explicit consent for identifiable case studies

Clear purposes and limitations

Ethical approval for research

Secure data sharing agreements

Limited retention and destruction after use

8.6 International Transfers

General rule: We primarily process data within UK. International transfers require additional safeguards.

When we transfer internationally:

Cloud services with international servers

International teacher training (Academica Mentoring)

Examination boards with international operations

Safeguards:

UK GDPR-compliant Standard Contractual Clauses (SCCs)

Adequacy decisions (for approved countries)

Binding Corporate Rules (BCRs) of processors

Appropriate safeguards documented

Process:

Identify need for international transfer

Assess destination country protections

Implement appropriate safeguards (SCCs, adequacy)

Document transfer and safeguards

Inform individuals in Privacy Policy

Review transfers regularly

Prohibited:

Transfers to countries without adequate protections and no safeguards

Transfers in breach of UK export controls or sanctions

8.7 Secure Sharing Methods

Email:

Encrypt emails containing special category or sensitive data

Use secure email services (NHS.net for health data)

Verify recipient address before sending

Use BCC for bulk emails (protect recipients’ addresses)

Password-protect attachments with sensitive data (send password separately)

Physical documents:

Hand delivery in sealed envelope

Tracked delivery services for valuable/sensitive data

No identifiable data in window envelopes

Record delivery

Secure portals:

Use approved secure file sharing services

Encrypt before upload

Set access permissions and expiry dates

Notify recipient separately (not in same email as link)

Prohibited methods:

Unencrypted email for special category data

Personal email accounts for work data

Unsecured cloud services (Dropbox, personal Google Drive, etc.)

Unencrypted USB drives sent by post

Fax (except encrypted fax where essential)

9. Data Protection Impact Assessments (DPIAs)

9.1 What is a DPIA?

A DPIA is a process to identify and minimize data protection risks of a project or processing activity. It’s a key tool for accountability and demonstrating compliance.

9.2 When DPIAs are Required

Mandatory for:

Systematic and extensive profiling with significant effects

Large-scale processing of special category data

Systematic monitoring of publicly accessible areas (extensive CCTV)

New technologies with high privacy risks

Processing likely to result in high risk to individuals

Good practice for:

New projects involving personal data

Significant changes to processing

New technologies or systems

Sensitive processing (even if small scale)

Examples requiring DPIA:

Implementing new CRM or database system

New CCTV installation (if extensive)

Launching new service collecting health data

Implementing AI or automated decision-making

Large-scale data analytics or profiling

9.3 DPIA Process

Step 1: Identify need for DPIA

Use DPIA screening questions

Consult DPO if uncertain

Step 2: Describe processing

What data? (types, sources, volume)

Why? (purposes, legal basis)

How? (systems, processes, flows)

Who? (recipients, processors)

When? (start date, duration, retention)

Step 3: Assess necessity and proportionality

Is processing necessary for purpose?

Is there less intrusive alternative?

Is data minimized?

Are purposes clear and specific?

Step 4: Identify risks

What could go wrong?

What would be the impact on individuals? (likelihood x severity)

Consider: unauthorized access, loss, disclosure, excessive collection, inaccuracy, function creep

Step 5: Identify measures to reduce risks

Technical measures (encryption, access controls, etc.)

Organizational measures (policies, training, audits)

How do measures reduce risks?

Are residual risks acceptable?

Step 6: Integrate outcomes

Implement identified measures

Update project plans and designs

Ensure ongoing compliance

Step 7: Document and sign off

Complete DPIA form

DPO reviews and approves

Senior management signs off

Keep under review (update if processing changes)

9.4 Consulting ICO

If DPIA identifies high residual risks that cannot be mitigated, we must consult ICO before processing.

Process:

Complete DPIA thoroughly

Document risks and mitigation attempts

Submit to ICO with DPIA and supporting information

Await ICO advice (8 weeks, extendable to 14)

Implement ICO recommendations before processing

9.5 Staff Responsibilities

Project managers and service leads:

Identify when DPIA is needed

Contact DPO to initiate DPIA

Provide information about processing

Implement risk mitigation measures

Update DPIA if processing changes

DPO:

Provide DPIA guidance and support

Review and approve DPIAs

Maintain DPIA register

Advise on high risks and mitigation

Consult ICO when necessary

10. Records of Processing Activities (RoPA)

10.1 What is RoPA?

Article 30 UK GDPR requires controllers to maintain written records of processing activities. This is a key accountability measure.

10.2 What We Record

For each processing activity:

Name and contact details of controller (Raedan Institute)

Purposes of processing

Categories of data subjects (service users, employees, donors, etc.)

Categories of personal data (contact details, health data, financial data, etc.)

Categories of recipients (schools, social services, examination boards, etc.)

International transfers (if any) and safeguards

Retention periods

Security measures (general description)

10.3 Format

We maintain RoPA in spreadsheet/database format with separate entries for distinct processing activities (e.g., educational services, counselling, Contact Centre, employment, fundraising).

10.4 Responsibilities

DPO:

Maintain RoPA

Update as processing changes

Review annually

Make available to ICO on request

Service managers:

Notify DPO of new processing or changes

Provide information for RoPA entries

Review RoPA entries for their areas annually

10.5 Review

RoPA is reviewed:

Annually (full review)

When new processing begins

When significant changes occur

Before audits or ICO inspections

11. Data Breaches

11.1 What is a Data Breach?

A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

Examples:

Lost or stolen laptop, phone, USB drive containing personal data

Email sent to wrong recipient

Unauthorized access to systems or files

Ransomware attack encrypting data

Paper records lost or stolen

Confidential waste not shredded

Unauthorized disclosure of information

Hacking or cyber-attack

Data sent to wrong person by post

Database left publicly accessible online

Not just cyber incidents: Physical breaches (lost files, wrongly addressed post) are equally important.

11.2 Reporting Breaches Internally

All staff must report potential breaches immediately:

To whom: Data Protection Officer and line manager

How: Email [email protected] with subject “URGENT: Data Breach” or phone 07725974831

When: Immediately upon discovery (don’t delay to investigate yourself)

What to report:

What happened? (facts known)

What data was affected? (types, volume, sensitivity)

Who was affected? (individuals, numbers)

When did it happen?

How did you discover it?

What actions have been taken?

Don’t:

Delay reporting while trying to fix it yourself

Assume it’s not serious enough to report

Assume someone else will report it

Try to cover it up

Remember: Early reporting enables faster containment and reduces harm. There is no penalty for reporting suspected breaches that turn out not to be breaches. There is serious penalty for not reporting genuine breaches.

11.3 Breach Response Process

DPO coordinates response:

Step 1: Containment (immediate)

Stop the breach if ongoing

Secure affected systems/data

Prevent further loss or damage

Preserve evidence

Step 2: Assessment (within 24 hours)

Gather facts (what, when, how, who affected)

Assess severity and likelihood of harm to individuals

Consider: volume of data, sensitivity, identifiability, who can access it, consequences

Determine if breach must be notified to ICO and/or individuals

Step 3: Notification (if required)

To ICO (if likely to result in risk to individuals):

Within 72 hours of becoming aware

Via ICO online reporting tool

Include: description, categories and numbers affected, consequences, measures taken/proposed, DPO contact

To individuals (if likely to result in high risk):

Without undue delay

In clear, plain language

Include: description, consequences, measures taken/proposed, contact point

Directly to individuals (not via public notice unless disproportionate effort)

Step 4: Investigation

Determine root cause

Identify failures or weaknesses

Assess effectiveness of existing measures

Step 5: Remediation

Implement fixes to prevent recurrence

Update policies/procedures if needed

Provide additional training

Review and improve security measures

Step 6: Documentation

Record all breaches in breach register (even if not notified to ICO)

Document: facts, effects, remedial action

Provide to ICO on request

Learn lessons for future

11.4 Examples of Breach Responses

Example 1: Lost encrypted laptop

Containment: Report to IT to disable remote access

Assessment: Data encrypted, low risk of access

Notification: Not required (encryption mitigates risk)

Remediation: Replace laptop, reinforce laptop security procedures

Example 2: Email to wrong recipient (special category data)

Containment: Request recipient delete/return email, confirm deletion

Assessment: Sensitive data, one recipient, high risk

Notification: ICO within 72 hours, affected individual immediately

Remediation: Email verification procedures, training on checking recipients

Example 3: Ransomware attack

Containment: Isolate infected systems, engage IT support

Assessment: Potential loss of access, possible exfiltration, high risk

Notification: ICO within 72 hours, individuals if data exfiltrated

Remediation: Restore from backups, security review, patch vulnerabilities, staff training

11.5 Prevention

Prevention is better than cure. We prevent breaches through:

Security measures (section 7)

Staff training and awareness

Regular audits and testing

Clear procedures and policies

Culture of vigilance and reporting

11.6 Staff Responsibilities

Prevent breaches:

Follow all security policies

Be vigilant and careful with data

Think before clicking, sending, or sharing

Secure devices and documents

Report risks and near-misses

Report breaches:

Immediately upon discovery

No matter how small

Even if uncertain

Preserve evidence

Learn from breaches:

Participate in investigations

Implement lessons learned

Share knowledge with colleagues

12. Training and Awareness

12.1 Mandatory Training

All staff and volunteers must complete:

Data protection induction training (before accessing personal data)

Annual data protection refresher training

Role-specific training (for roles handling sensitive data)

Training covers:

UK GDPR principles and requirements

Individual rights and how to respond

Security procedures (passwords, clear desk, encryption, etc.)

Recognizing and reporting data breaches

This policy and related procedures

Consequences of non-compliance

Format:

Online modules (e-learning)

Face-to-face sessions (for complex topics)

Practical scenarios and case studies

Assessment/quiz (must pass to confirm understanding)

Records:

Training records maintained

Completion tracked

Refreshers scheduled automatically

Gaps addressed promptly

12.2 Role-Specific Training

Additional training for:

DPO and senior management:

Advanced GDPR training

DPIAs and LIAs

Breach management

ICO liaison

Regulatory updates

Designated Safeguarding Leads:

Information sharing in safeguarding

Balancing confidentiality with protection

Multi-agency working

Recording and retention

IT staff:

Technical security measures

Encryption and access controls

Incident response

Security testing

Staff handling sensitive data (counselling, Contact Centre, etc.):

Extra confidentiality requirements

Special category data handling

Secure storage and transmission

Professional boundaries

Managers approving DPIAs and processing changes:

DPIA process and requirements

Risk assessment

Legal bases for processing

Accountability

12.3 Ongoing Awareness

Beyond formal training, we promote awareness through:

Regular bulletins and updates

Posters and reminders at premises

Team meeting discussions

Case studies of breaches (anonymized, external examples)

Simulated phishing exercises

Data protection champions in each team

Annual Data Protection Week activities

12.4 Induction

All new starters receive:

Data protection policy and procedures

Privacy information (they’re data subjects too as employees/volunteers)

Security guidance (passwords, clear desk, etc.)

Induction training before accessing personal data

Signed acknowledgment of understanding obligations

12.5 Specialist Support

Access to:

DPO for advice and guidance

External legal advice (when needed)

ICO guidance and helpline

Professional networks and forums

13. Monitoring and Auditing

13.1 Purpose

We monitor and audit to:

Verify compliance with this policy and UK GDPR

Identify risks and areas for improvement

Demonstrate accountability

Detect breaches or non-compliance

Provide assurance to trustees, regulators, and stakeholders

13.2 Internal Audits

Annual compliance audit:

Review all processing activities against RoPA

Check documentation (DPIAs, consent records, contracts)

Test security controls (access controls, encryption, etc.)

Review training completion

Check breach register and responses

Assess policy compliance

Sample transactions and records

Interview staff

DPO conducts audits with support from service managers

Findings reported to:

Senior management

Board of Trustees

Improvement actions agreed and tracked

Audit schedule:

Annual full audit

Ad hoc audits when risks identified

Pre-emptive audits before major changes

13.3 Access Monitoring

IT systems:

Audit logs reviewed regularly

Unusual access patterns investigated

Failed login attempts monitored

Privileged access audited more frequently

Physical access:

Key/fob issuance tracked

Access to restricted areas logged

Visitor records reviewed

13.4 Data Quality Checks

Regular reviews:

Accuracy of service user records

Completeness of essential data

Outdated or stale data identified

Duplicates merged or removed

Retention schedules applied

Service managers responsible for data quality in their areas

13.5 Policy Compliance Checks

DPO spot-checks:

Privacy information provision at point of collection

Consent records (valid, documented, refreshed)

Data sharing documentation

Secure disposal of confidential waste

Clear desk compliance

Subject access request handling

13.6 Third-Party Audits

We may commission:

Independent data protection audits

IT security assessments (penetration testing, vulnerability scans)

ISO 27001 or Cyber Essentials certification audits (if pursuing)

13.7 ICO Inspections

If ICO inspects:

Cooperate fully and promptly

Provide requested documentation

Facilitate access to systems and staff

Address findings seriously

Implement recommendations

Report progress to ICO as required

13.8 Reporting

DPO provides:

Annual compliance report to trustees

Quarterly updates to senior management

Breach summaries and lessons learned

Audit findings and action plans

Regulatory developments and implications

Board receives:

Annual data protection report

Significant breaches or ICO communications

Data protection risks for risk register

Assurance on compliance

14. Accountability and Governance

14.1 Demonstrating Compliance

We demonstrate compliance through:

Documentation:

This policy and related policies

Records of Processing Activities (RoPA)

Data Protection Impact Assessments (DPIAs)

Legitimate Interest Assessments (LIAs)

Data Processing Agreements with processors

Consent records

Subject access request logs

Breach register

Training records

Audit reports

Processes:

Privacy by design and default

DPIAs for high-risk processing

Regular reviews and audits

Breach notification procedures

Rights request handling

Third-party due diligence

Culture:

Board and senior management commitment

Data protection champions

Open discussion of issues

Learning from incidents

Continuous improvement

14.2 Privacy by Design and Default

Privacy by Design: We build data protection into projects from the outset, not as an afterthought.

When designing new processing, services, or systems:

Conduct DPIA early in planning

Minimize data collection (collect only what’s needed)

Provide clear privacy information

Build in security (encryption, access controls)

Limit retention (automatic deletion)

Enable individual rights (portability, erasure)

Default to privacy-protective settings

Privacy by Default: Systems and processes default to the most privacy-friendly settings.

Examples:

Opt-in (not opt-out) for marketing

Minimal data fields in forms (not comprehensive)

Need-to-know access (not open access)

Short retention (not indefinite)

Anonymization where possible (not identifiable)

14.3 Data Protection Officer (DPO) Independence

The DPO must be independent to provide objective advice and oversight.

Safeguards:

Reports directly to highest management level

Not dismissed or penalized for DPO work

No instructions regarding DPO duties

No conflicts of interest (doesn’t determine purposes/means of processing)

Adequate resources and time

Access to all processing activities and systems

Included in decision-making on data protection matters

14.4 Board Oversight

Trustees’ data protection responsibilities:

Approve data protection policies

Receive annual compliance reports

Oversee data protection risks in risk register

Ensure adequate resources for compliance

Champion data protection culture

Hold senior management accountable

Respond to serious breaches or ICO actions

Data protection on board agenda:

Annual compliance review

Significant breach reports

ICO correspondence

Major processing changes (new systems, services)

Data protection risks

14.5 Risk Management

Data protection risks in organizational risk register:

ICO enforcement action (fines, orders)

Data breaches (reputational damage, financial cost)

Non-compliance with safeguarding duties

Loss of trust and confidence

Legal claims from individuals

Inadequate security

For each risk:

Likelihood and impact assessed

Mitigation measures identified

Residual risk evaluated

Risk owner assigned

Regular review

14.6 Contracts and Agreements

Data Processing Agreements (DPAs) with processors:

Processing only on documented instructions

Confidentiality of personnel

Security measures appropriate to risk

Sub-processor approval and contracts

Assistance with rights requests and DPIAs

Data breach notification (without undue delay)

Deletion or return of data at contract end

Audit and inspection rights

Compliance with UK GDPR

Template DPA maintained by DPO

All processor contracts reviewed before signing

14.7 Records and Documentation

We maintain records of:

All processing activities (RoPA)

DPIAs and LIAs

Data breaches (even if not reported to ICO)

Subject access requests and responses

Other rights requests (rectification, erasure, etc.)

Complaints and resolutions

Consent (when, how, what, who)

Data sharing (who, what, why, when)

Training completion

Audits and reviews

Policy approvals and updates

Retention: Data protection records kept for 7 years minimum (demonstrate compliance)

Location: Centralized repository managed by DPO

15. Non-Compliance and Enforcement

15.1 Consequences of Non-Compliance

For Raedan Institute:

ICO fines (up to £17.5 million or 4% of annual turnover)

ICO enforcement notices (requiring actions)

ICO warnings and reprimands

Criminal offenses for serious breaches

Civil claims from individuals

Reputational damage

Loss of trust and confidence

Service suspensions or restrictions

Loss of accreditations or registrations

Regulatory investigations

For individuals (staff/volunteers):

Disciplinary action (warning, suspension, dismissal)

Criminal prosecution (for serious offenses like unlawfully obtaining data)

Professional consequences (for regulated professionals)

Personal liability in exceptional cases

15.2 ICO Enforcement Powers

The ICO can:

Conduct investigations and audits

Issue information notices (requiring information provision)

Issue assessment notices (requiring audit cooperation)

Issue enforcement notices (requiring actions to comply)

Issue reprimands and warnings

Impose fines (up to £17.5 million or 4% of turnover)

Prosecute criminal offenses

Issue public statements

We cooperate fully with ICO:

Respond promptly to information requests

Facilitate audits and investigations

Implement recommendations

Report progress on actions

15.3 Internal Disciplinary Process

Non-compliance with this policy is a disciplinary matter:

Examples of misconduct:

Unauthorized access to personal data

Sharing data inappropriately

Failing to report data breach

Ignoring security procedures

Deliberate destruction or alteration of data

Using data for unauthorized purposes

Process:

Incident identified or reported

Initial investigation to establish facts

Disciplinary meeting with staff member

Decision and sanction (if appropriate)

Appeal processes available

Learning and improvement

Sanctions may include:

Verbal or written warning

Additional training

Enhanced supervision

Suspension of access to systems

Suspension or dismissal (for serious breaches)

Gross misconduct (dismissal without notice):

Deliberate unauthorized disclosure

Deliberate data destruction

Using data for personal gain

Identity theft or fraud

Serious breach for malicious purposes

15.4 Reporting Non-Compliance

Staff should report non-compliance:

To line manager or DPO

Anonymously via whistleblowing procedure if preferred

Without fear of retaliation

Whistleblowing protection:

Protected disclosure under Public Interest Disclosure Act

No detriment for reporting genuine concerns

Confidentiality maintained where possible

We take reports seriously:

Investigate thoroughly and fairly

Take action to address issues

Provide feedback to reporter (where possible)

Learn and improve

16. Policy Review and Updates

16.1 Review Schedule

This policy is reviewed:

Annually (scheduled full review)

When legislation changes (e.g., amendments to UK GDPR, new statutory guidance)

When processing changes significantly (new services, major system changes)

Following serious incidents or ICO actions

Following audit recommendations

When best practice evolves

Next scheduled review: January 2026

16.2 Review Process

DPO leads review:

Review current policy against legal requirements and guidance

Consult with staff and managers on practical issues

Review incident logs, audits, and feedback

Identify improvements and updates needed

Draft updated policy

Consult senior management and board

Approve updated policy

Communicate changes to all staff

Update training materials

Publish updated policy

16.3 Version Control

Each version:

Numbered (e.g., 1.0, 1.1, 2.0)

Dated

Approved by Board

Change summary documented

Previous versions archived

Current version: 1.0 (January 2, 2025)

16.4 Communication of Changes

Staff informed of updates via:

Email announcement

Team meetings

Training updates

Policy portal/shared drive

Induction for new starters

Significant changes:

Highlighted in communications

Additional training if needed

Reasonable implementation time

17. Related Documents

17.1 External-Facing Documents

Cookie Policy

Terms and Conditions

Service-specific privacy notices (e.g., Contact Centre, counselling)

17.2 Internal Policies and Procedures

Information Security Policy

Acceptable Use Policy (IT)

Clear Desk Policy

Password Policy

CCTV Policy

Records Management and Retention Policy

Safeguarding Policy

Confidentiality Policy

Whistleblowing Policy

Complaints Policy

Freedom of Information Policy (if applicable)

17.3 Procedures and Guidance

Data Breach Response Plan

Subject Access Request Procedure

DPIA Procedure and Template

Legitimate Interests Assessment Template

Data Sharing Protocols

Secure Disposal Procedures

Third-Party Due Diligence Checklist

Data Processing Agreement Template

Consent Recording Guidance

Privacy Notice Templates

17.4 Forms and Templates

Subject Access Request Form

DPIA Template

Legitimate Interests Assessment Template

Data Breach Report Form

Data Sharing Agreement Template

Consent Form Templates

Privacy Notice Templates

18. Definitions and Glossary

Personal Data: Information relating to an identified or identifiable living individual (e.g., name, email, ID number, online identifier, or factors specific to their identity).

Special Category Data: Sensitive personal data requiring extra protection: racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data (for identification), health data, sex life, or sexual orientation.

Processing: Any operation on personal data, including collection, recording, organization, storage, alteration, consultation, use, disclosure, erasure, or destruction.

Data Controller: Organization determining the purposes and means of processing personal data (Raedan Institute).

Data Processor: Organization processing personal data on behalf of the controller (e.g., our IT provider, cloud storage provider).

Data Subject: The individual whose personal data is being processed.

Consent: Freely given, specific, informed, and unambiguous indication of the data subject’s agreement to processing (usually by statement or clear affirmative action).

Data Protection Officer (DPO): Person responsible for advising on and monitoring data protection compliance.

Data Protection Impact Assessment (DPIA): Process to identify and minimize data protection risks of processing, particularly high-risk processing.

Legitimate Interests Assessment (LIA): Assessment of whether processing is necessary for legitimate interests and whether these override the individual’s rights.

Records of Processing Activities (RoPA): Written record of processing activities required under Article 30 UK GDPR.

Data Breach: Breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.

Pseudonymization: Processing data so it can no longer be attributed to a specific individual without additional information kept separately.

Anonymization: Irreversibly removing identifiers so data can never be linked back to an individual (no longer personal data).

Encryption: Converting data into code to prevent unauthorized access (only readable with decryption key).

Subject Access Request (SAR): Request by individual to access their personal data.

UK GDPR: UK General Data Protection Regulation 2021 (retained EU law adapted for UK).

DPA 2018: Data Protection Act 2018 (supplements UK GDPR).

ICO: Information Commissioner’s Office (UK supervisory authority for data protection).

PECR: Privacy and Electronic Communications Regulations 2003 (governs electronic marketing, cookies, etc.).

19. Contact and Further Information

19.1 Internal Contacts

Data Protection Officer: Mr Mohamed Sidat
Email: [email protected]
Phone: 07725974831

Chief Executive Officer / Senior Management: Mr Mohamed Sidat
Email: [email protected]
Phone: 07725974831

Designated Safeguarding Lead: Mr Mohamed Sidat / Juwayriyah Dhabhelia / Aisha Khalifah
Phone: 07725974831

19.2 External Contacts

Information Commissioner’s Office (ICO):
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: www.ico.org.uk
Report a concern: www.ico.org.uk/make-a-complaint

Charity Commission:
Website: www.gov.uk/government/organisations/charity-commission
Tel: 0300 066 9197

19.3 Useful Resources

ICO Guidance: