Data protection policy

1. Introduction

1.1.This Data Protection Policy is the overarching policy for data security and protection for Martha Trust (hereafter referred to as “us”, “we”, or “our”). 1.2. Martha Trust needs to collect and use certain types of personal information, for example about the individuals we support and their families, employees, volunteers, supporters and funders, in order to carry out our work. To comply with the law, information must be collected, used appropriately, stored safely and not disclosed to any other person unlawfully. To do this Martha Trust must comply with the Data Protection Principles which are set out in the Data Protection Act,1998.

1.3. Martha Trust and all its¡¦ staff who process or use personal information must ensure that they follow these principles at all times. In order to ensure that this happens, Martha has developed this Data Protection Policy.

2. Purpose

2.1. The purpose of the Data Protection Policy is to support the 10 Data Security Standards, the General Data Protection Regulation (2016), the Data Protection Act (2018), the common law duty of confidentiality and all other relevant national legislation. We recognise data protection as a fundamental right and embrace the principles of data protection by design and by default.

2.2. This policy covers:

Our data protection principles and commitment to common law and legislative compliance;

Procedures for data protection by design and by default

3. Scope

3.1. This policy includes in its scope all data which we process either in hardcopy or digital copy, this includes special categories of data.

3.2. This policy applies to all staff, including temporary staff and contractors.

4. Principles

4.1. We will be open and transparent with service users and those who lawfully act on their behalf in relation to their care and treatment. We will adhere to our duty of candour responsibilities as outlined in the Health and Social Care Act 2012.

4.2. We will establish and maintain policies to ensure compliance with the Data Protection Act 2018, Human Rights Act 1998, the common law duty of confidentiality, the General Data Protection Regulation and all other relevant legislation.

4.3. We will establish and maintain policies for the controlled and appropriate sharing of service user and staff information with other agencies, taking account all relevant legislation and citizen consent.

4.4. Where consent is required for the processing of personal data, we will ensure that informed and explicit consent will be obtained and documented in clear, accessible language and in an appropriate format. The individual can withdraw consent at any time through processes which have been explained to them and which are outlined in our Record Keeping Policy: Withdrawal of Consent procedures. We ensure that it is as easy to withdraw as to give consent.

4.5. We will undertake / commission delete as appropriate annual audits of our compliance with legal requirements.

4.6. We acknowledge our accountability in ensuring that personal data shall be:

4.6.1. Processed lawfully, fairly and in a transparent manner.

4.6.2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

4.6.3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).

4.6.4. Accurate and kept up to date.

4.6.5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’).

4.6.6. Processed in a manner that ensures appropriate security of the personal data.

4.7. We uphold the personal data rights outlined in the GDPR:

4.7.1. The right to be informed.

4.7.2. The right of access.

4.7.3. The right to rectification.

4.7.4. The right to erasure.

4.7.5. The right to restrict processing.

4.7.6. The right to data portability.

4.7.7. The right to object.

4.7.8. Rights in relation to automated decision making and profiling.

4.8. In line with legislation, we employ a Data Protection Officer (DPO) who will report to the highest management level of the organisation. We will support the DPO with the necessary resources to carry out their tasks and ensure that they can maintain expertise. We guarantee that the DPO will not be pressured on how to carry out their tasks, and that they are protected from disciplinary action when carrying out the tasks associated with their role.

4.9. We complete the Data Security and Protection Toolkit on an annual basis and our publication status can be found at https://www.dsptoolkit.nhs.uk/OrganisationSearch/A2AH

5. Underpinning policies and procedures

This policy is underpinned by the following:

5.1. Data Quality Policy – outlines procedures to ensure the accuracy of records and the correction of errors;

5.2. Record Keeping Policy – details transparency procedures, the management of records from creation to disposal (inclusive of retention and disposal procedures), information handling procedures, procedures for subject access requests, right to erasure, right to restrict processing, right to object, and withdrawal of consent to share;

5.3. Data Security Policy – outlines procedures for the ensuring the security of data including the reporting of any data security breach;

5.4. Network Security Policy – outlines procedures for securing our network;

5.5. Business Continuity Plan – outlines the procedures in the event of a security failure or disaster affecting digital systems or mass loss of hardcopy information necessary to the day to day running of our organisation;

5.6. Staff Data Security Code of Conduct – provides staff with clear guidance on the disclosure of personal information.

6. Data protection by design and by default

6.1. We shall implement appropriate organisational and technical measures to uphold the principles outlined above. We will integrate necessary safeguards to any data processing to meet regulatory requirements and to protect individual’s data rights. This implementation will consider the nature, scope, purpose, and context of any processing and the risks to the rights and freedoms of individuals caused by the processing.

6.2. We shall uphold the principles of data protection by design and by default from the beginning of any data processing and during the planning and implementation of any new data process.

6.3. Prior to starting any new data processing, we will assess whether we should complete a Data Protection Impact Assessment (DPIA) using the ICO’s screening checklist.

6.4.All new systems used for data processing will have data protection built in from the beginning of the system change.

6.5. All existing data processing has been recorded on our Record of Processing Activities. Each process has been risk assessed and is reviewed annually.

6.6. We ensure that, by default, personal data is only processed when necessary for specific purposes and that individuals are therefore protected against privacy risks.

6.7. In all processing of personal data, we use the least amount of identifiable data necessary to complete the work it is required for and we only keep the information for as long as it is required for the purposes of processing or any other legal requirement to retain it.

6.8. Where possible, we will use pseudonymised data to protect the privacy and confidentiality of our staff and those we support.

7. Responsibilities

The chart below details who has overarching responsibility for data security and GDPR at Martha.

7.1. Our Data Protection Officer is Julie Gayler, CEO. They can be contacted via email: juliegayler@marthatrust.org.uk; by phone 01304 615223 or at the following address:

Data Protection Officer
Martha Trust
Homemead Lane
Hacklinge
Deal
Kent CT14 0PG

The key responsibilities of the DPO are:

Overseeing changes to systems and processes;

Monitoring compliance with the GDPR and the Data Protection Act 2018;

Completing DPIA;

Reporting on data protection and compliance with legislation to senior management;

Liaising, if required, with the Information Commissioner’s Office (ICO).

7.2. Our designated Data Security and Protection Lead is Alice Moir, Director – Fundraising and Marketing.

7.3. The key responsibilities of the lead are:

To ensure the rights of individuals in terms of their personal data are upheld in all instances and that data collection, sharing and storage is in line with the Caldicott Principles;

To define our data protection policy and procedures and all related policies, procedures and processes and to ensure that sufficient resources are provided to support the policy requirements.

To complete the Data Security & Protection Toolkit (DSPT) annually and to maintain compliance with the DSPT.

To monitor information handling to ensure compliance with law, guidance and the organisation¡¦s procedures and liaising with senior management and DPO to fulfil this work.

8. Data Controller

Martha Trust is the Data Controller under the Act and is therefore ultimately responsible for implementation of the data protection policy. This means we will determine what purposes the personal information held, will be used for and is responsible for notifying the Information Commissioner of the data it holds or is likely to hold, and the general purposes that this data will be used for.

9. Disclosure

Martha Trust may share data with other agencies such as the local authorities, adult protection, funding bodies and other voluntary agencies.

The Individual or their appointed representative will be made aware in most circumstances how and with whom their information will be shared. There are circumstances where the law allows us to disclose data – including sensitive data – without the subject’s consent. These are:

a) Carrying out a legal duty or as authorised by the Secretary of State.

b) Protecting vital interests of an Individual or other person.
c) The Individual/Service User has already made the information public.
d) Conducting any legal proceedings, obtaining legal advice, or defending any legal rights.
e) Monitoring for equal opportunities purposes – i.e. race, disability or religion
f) Providing a confidential service where the Individual/Service User’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g., where we would wish to avoid forcing stressed or ill Individuals/Service Users to provide consent signatures.

We regard the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.

We intend to ensure that personal information is treated lawfully and correctly.
To this end, we will adhere to the Principles of Data Protection, as detailed in the Data Protection Act 1998 above.

10. Data Collection

Informed consent is when ‘An Individual/Service User clearly understands why their information is needed, who it will be shared with, the possible consequences of them agreeing or refusing the proposed use of the data’ and then gives their consent.

We will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, over the phone or by completing a form.

When collecting data, Martha Trust will ensure that the Individual clearly understands why the information is needed:

  1. Understands what it will be used for and what the consequences are should the Individual/Service User decide not to give consent to processing.
  2. As far as reasonably possible, grants explicit consent, either written or verbal for data to be processed.
  3. Is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress.
  4. Has received sufficient information on why their data is needed and how it will be used.

11. Data Storage

Information and records relating to service users will be stored securely and will only be accessible to authorised staff and volunteers.

Information will be stored for only as long as it is needed or required statute and will be disposed of appropriately.

It is our responsibility to ensure all personal and company data is non-recoverable from any computer system previously used within the organisation, which has been passed on/sold to a third party.

12. Data Access and Accuracy

All Individuals/Service Users have the right to access the information we hold about them. We will also take reasonable steps ensure that this information is kept up to date by asking data subjects whether there have been any changes.

In addition, we will ensure that:

  • It has a Data Protection Officer with specific responsibility for ensuring compliance with Data Protection
  • Everyone processing personal information understands that they are contractually responsible for following good data protection practice.
  • Everyone processing personal information is appropriately trained to do so.
  • Everyone processing personal information is appropriately supervised.
  • Anybody wanting to make enquiries about handling personal information knows what to do.
  • It deals promptly and courteously with any enquiries about handling personal information.
  • It describes clearly how it handles personal information.
  • It will regularly review and audit the ways it hold, manage and use personal information.
  • It regularly assesses and evaluates its methods and performance in relation to handling personal information.
  • All staff are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them.

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 1998.

13. Marketing

All data capture forms on marketing materials, on and offline, must include our data protection statement.

Martha Trust’s Data Protection Statement

Martha Trust would like to keep you updated on our future news, fundraising activities and ways to support us. To opt in to receiving information from Martha Trust please indicate how you would prefer to be contacted: phone, email, letter or email fundraising@marthatrust.org.uk. We do not sell or swap your details with any third parties, but in order to carry out our work we may need to pass your details to services companies authorised to act on our behalf.

Communication preferences of supporters or enquiries stated in the data protection statement must be captured on the Fundraising Database on the ‘Data Protection & Suppressions’ screen.

‘Opt out’ applies to records up-to and including 30th November 2017.

‘Opt in’ applies to all records recorded after 1st December 2017.

Marketing Data

All data requests, or mailing lists for Marketing or Promotional Activity must be requested from the Marketing Manager. All Marketing data will be extracted from the fundraising (FRDB) or care contacts database and prepared by the Director – Fundraising and Marketing. Ensuring any suppressions are removed and any communication preferences made on the data protection statement are adhered to.

All staff are responsible for checking the ‘Data Protection & Suppressions’ screen on the FRDB or Care Contacts database (CCD), before making individual approaches to supporters/enquiries on the database. All staff are responsible for ensuring any changes to supporters/enquiries details are kept-up-to date on the FRDB or CCD.

To ensure ongoing awareness and accessibility to supporters enabling them to change their ‘mailing preferences’ at any time, we intend to include an opt out message on all marketing activity and will send out our ‘Keeping You informed’ form periodically. Our ‘Keeping You Informed’ form outlines the details we hold on the supporter and gives them the option to amend their mailing preferences

Data Capture Forms

All completed data capture forms must be date/time stamped on receipt and the relevant database updated with the relevant consent and date given.

14. Right to be forgotten

Under GDPR individuals have the right to be forgotten which means having all your details completely removed.

Any requests under ‘Right to be forgotten’ should be dealt with within 28 days of receipt of request and passed across all areas of Martha to ensure no additional information is stored elsewhere – Fundraising, Care and HR.

15. Remote Working

All staff who work remotely are responsible for ensuring they treat and store information and data within the guidelines of the Act. Any paperwork taken home which contains personal or sensitive information should be transported and stored securely, in a lockable folder, filing cabinet or brief case.

16. Payment Card Industry Data Security Standard (PCI DSS) Compliance

When our supporters/customers pay by credit or debit card, they are entrusting us with their valuable personal and financial information such as their name, address, or payment card details. It’s important that we look after their data securely. This refers to data and payment details taken when using the card payment machine .

List of Devices

As part of the compliance with the Payment Card Industry Data Security Standard (PCI DSS) we are responsible for keeping a list of all payment devices. This list is saved on the shared drive :

  • Data Protection
  • Barclays Data Security Manager

Maintenance of Devices

All card payment devices must be checked twice yearly to ensure the machine(s) have not been tampered with. A schedule of checks carried out is saved in data protection folder. Checks are diarised in Outlook.

Security of Cardholder data

All data should be processed and stored within data protection guidelines. With regard to processing of card payments the following process should be used:

  • Complete banking sheet
  • Process card payment and attach card payment receipt to banking sheet
  • Original given to finance ; copy kept in fundraising bank rec
  • Clear card payment machine by ‘pressing Settle button’, swipe Supervisor card
    Receipts will be generated – ensure these are shredded
    This process with clear the card machine of any payment details as it pushes the payments through
  • All new staff using the card payment machine must be trained prior to use.

Annual Audit

Annual audit to be carried out to ensure PCI DSS compliance

  • check list of card payment devices is up-to-date
  • check six monthly maintenance procedures have been carried out on card payment machines
  • check correct training of new staff to use card payment machines is carried out
  • check card payment data is being processed and stored within data protection guidelines
  • check staff are aware of incident response plan; any incidents in past 12 months have been dealt with according to plan.

Incident Response Plan

The card payment machine should be stored in a locked cupboard in secure office of Martha Trust when not in use. The card payment machine should not be left unattended when in use on Martha premises or offsite. When card payment machine is taken offsite it should be with a member of Martha staff at all times or stored securely. When payments have been taken offsite – all transactions should be pushed through on the machine before leaving an event.

At the end of an event or when taken out of the office it should be checked by more than one member of staff that it is packed to come back. Receipt from final transaction must be stored securely to bring back to the office.

If the credit card machine is lost or stolen it must be reported immediately to the provider. Finance team must be notified immediately and ask them to check bank statements and make any notifications they are required to.

17. Contact

General enquiries about Martha Trust’s Data Protection Policy and for formal subject access requests under the Act:

Data Protection Officer
Martha Trust
Homemead Lane
Hacklinge
Deal
Kent CT14 0PG

01304 615223 
contact@marthatrust.org.uk

Glossary of Terms

Data Controller – The person who (either alone or with others) decides what personal information we will hold and how it will be held or used. Martha Trust – the organisation is the Data Controller.

Data Protection Act 1998 – The UK legislation that provides a framework for responsible behaviour by those using personal information.

Data Protection Officer – The person(s) responsible for ensuring that Martha Trust follows its data protection policy and complies with the Data Protection Act 1998.

Supporter/Enquiry/Individual/Service User – The person whose personal information is being held or processed by Martha Trust for example: a client, family member, an employee, or supporter.

Explicit consent – is a freely given, specific and informed agreement by an Individual/Service User in the processing of personal information about her/him. Explicit consent is needed for processing sensitive data.

Notification – Notifying the Information Commissioner about the data processing activities of Martha Trust, as certain activities may be exempt from notification.

The link below will take to the ICO website where a self assessment guide will help you to decide if you are exempt from notification: http://www.ico.gov.uk/for_organisations/data_protection/the_guide/exemptions.aspx

Information Commissioner – The UK Information Commissioner responsible for implementing and overseeing the Data Protection Act 1998.

Processing – means collecting, amending, handling, storing or disclosing personal information.

Personal Information – Information about living individuals that enables them to be identified, e.g. name and address. It does not apply to information about organisations, companies and agencies but applies to named persons, such as individual volunteers or employees within Martha Trust.

Sensitive data – refers to data about:

  • Racial or ethnic origin
  • Political affiliations
  • Religion or similar beliefs
  • Trade union membership
  • Physical or mental health
  • Sexuality
  • Criminal record or proceedings

Policy Area – Data Protection and Cyber Security
Written by Alice Moir
Approved by SMT 31/7/25
Version No 1
Review Date July 2026

Martha Trust