Data Protection Policy

07561 120 831

info@aspireandreach.org.uk

Volunteer Donate

1. Purpose & Commitment

Aspire & Reach is committed to protecting personal data and handling it responsibly, securely, and transparently.

We comply with:

UK General Data Protection Regulation (UK GDPR)
Data Protection Act 2018
Relevant guidance from the Information Commissioner’s Office (ICO)

We recognise that safeguarding personal information is essential to maintaining trust with participants, families, volunteers, donors, partners, and staff.

2. Scope of This Policy

This policy applies to:

Staff (paid and voluntary)
Trustees
Contractors and partners
Anyone processing personal data on behalf of Aspire & Reach

It covers all personal data processed by the organisation, whether stored digitally or in paper format.

3. GDPR Principles

Aspire & Reach processes personal data in accordance with the following principles:

Lawfulness, fairness, and transparency
Purpose limitation – Data collected for specified, legitimate purposes only
Data minimisation – Only data that is necessary is collected
Accuracy – Data kept up to date
Storage limitation – Data retained only as long as necessary
Integrity and confidentiality – Data protected against unauthorised access, loss, or damage
Accountability – We take responsibility for compliance

4. Lawful Basis for Processing

We process personal data under lawful bases including:

Consent
Contractual necessity
Legal obligation
Legitimate interests
Vital interests (where safeguarding concerns arise)

Special category data (e.g., health, safeguarding records) is handled with additional protections.

5. Types of Data We May Process

Depending on engagement, we may process:

Contact details (name, email, phone number, address)
Safeguarding records
DBS information (where required)
Donation records
Volunteer and employment information
Programme participation records
Emergency contact information

We do not collect more data than is necessary.

6. Data Handling & Security

Aspire & Reach ensures:

Secure password-protected systems
Restricted access to sensitive data
Secure cloud storage where applicable
Locked storage for paper records
Encryption where appropriate
Secure disposal of data when no longer required

Access to safeguarding data is strictly limited to authorised personnel.

7. Data Retention

Personal data is retained only for as long as necessary to:

Fulfil the purpose for which it was collected
Meet legal or regulatory requirements
Address safeguarding or insurance obligations

Retention schedules are reviewed periodically.

8. Data Sharing

We may share data only when necessary:

With safeguarding authorities (Children’s Services, Police, Adult Social Care)
With regulators or funding bodies (where required)
With trusted service providers under data processing agreements

We do not sell personal data.

9. Individual Rights (Under UK GDPR)

Individuals have the right to:

Access their personal data
Request correction of inaccurate data
Request erasure (“right to be forgotten”)
Restrict processing
Object to processing
Data portability (where applicable)
Withdraw consent at any time (where processing is based on consent)
Lodge a complaint with the ICO

Requests will be responded to within one month in accordance with GDPR.

10. Data Breaches

In the event of a personal data breach, Aspire & Reach will:

Assess the severity and risk
Take immediate corrective action
Notify affected individuals where required
Report to the Information Commissioner’s Office (ICO) within 72 hours if legally required