Data Protection Policy

Purpose

1. This policy document sets out how Trefoil House Limited (Trefoil), a Scottish registered charity supporting children and young people with additional needs, handles personal data and enacts privacy principles.

2. The purpose of this policy is to protect the privacy and personal data of Trefoil’s stakeholders, and to protect the integrity and reputation of Trefoil.

Regulatory framework

3. Trefoil has been a registered entity with the Information Commissioner’s Office (ICO) for two years. The ICO is the UK regulator for data protection and privacy law.

4. Trefoil has adopted procedures to comply with the Data Protection Act 1998 and the EU General Data Protection Regulation (GDPR). Trefoil must comply with GDPR from 25 May 2018.

5. Trefoil makes an annual return to the ICO relative to Trefoil’s service, activities and data held.

Categories of data

6. Trefoil keeps and processes personal data for the following groups:

  1. grant holders, including children and young people up to the age of 25

  2. grant applicants, including children and young people up to the age of 25

  3. referees

  4. trustees

  5. administrative staff

Special category - children

7. Trefoil recognises that children need particular protection when their personal data is collected and processed.

8. Trefoil recognises there are special requirements under GDPR relative to data held for children. This is termed ‘special category data’ and the data may include, for instance, medical and sensitive information for children under the age of 13.

Consent

9. Article 6 of the GDPR sets out the lawful bases for the processing of data. Consent will be the lawful basis most commonly used by Trefoil to process data.

10. Consent to process data has been built into Trefoil’s grant application forms, both online and hard copy. Trefoil has designed the application forms with consent to process data in mind. Application forms are accessible via Trefoil’s website.

11. Where consent is given to process personal data, Trefoil recognises only children aged 13 or over are able to provide their own consent. For children under the age of 13, Trefoil will obtain consent from whoever holds parental responsibility for the child.

12. Trefoil recognises that consent is not the only lawful basis for processing data. The lawful basis of legitimate interest may be relied upon when contacting referees for applicants. However, legitimate interest flows from the initial consent which is ascertained at the time of the application.

Use of personal data – privacy notice

13. Trefoil will only use personal data for the following purposes:

  1. To inform and allow Trefoil’s trustees to evaluate an application, and make a decision on whether to award a grant, and to determine the value of the grant.

  2. To contact an applicant’s referees to confirm the applicant’s circumstances. Trefoil’s current procedures request that two references be given at the time of the application.

  3. To retain information for an appropriate period (and as a maximum until the grant holder reaches the age of 25), in order that Trefoil can assess the level of support given to the grant holder.

14. Trefoil is not engaged in fundraising or marketing activities. Personal data is only processed in connection with grant making activities.

15. Trefoil will respond to requests by grant holders and grant applicants to access, rectify and suppress their personal data held by Trefoil.

Storage

16. Trefoil has a password protected network drive for storage of online records. The network drive is only accessible by authorised Trefoil administrative staff. Hard copy records are kept in a locked filing facility on site at Trefoil’s registered office.

Trefoil Company Secretary

28 March 2018


Scottish Charity Number SC013744

TREFOIL HOUSE LIMITED DATA PROTECTION POLICY
To be adopted 7 May 2018