Bromley & Croydon Women’s Aid (BCWA) Privacy Policy
BCWA is committed to handling personal information lawfully, responsibly, and securely. This Privacy Policy outlines our practices regarding personal information handling, in alignment with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Personal information is any information that identifies or could identify a living person. This includes but isn’t limited to:
Our data handling adheres to these key principles:
A more detailed explanation of these principles can be found in the appendix.
All staff who handle personal information must:
Under the UK GDPR, individuals have rights regarding their personal information. Staff must be aware when a data subject is making an individual rights request. Here are the types of individual rights requests that a data subject may make:
Staff should immediately contact the Data Protection Lead if a data subject has raised an individual rights request. BCWA is required to respond to the data subject within a short time frame from when the request has been made.
Data subjects may include employees, volunteers, donors and service users.
A data breach is any incident compromising the confidentiality, security, or integrity of personal information. Examples include:
In the event of a suspected breach, staff must:
When planning activities involving personal information:
All new activities involving personal information must be discussed with the Data Controller (CEO) and Business Support Manager to follow these steps and ensure appropriate privacy controls are implemented from the outset.
For questions or to exercise your data protection rights, please contact:
Business Support Manager (data protection lead)
020 8313 9303
PO Box 91159
This policy will be reviewed regularly and updated as needed.
Lawfulness, fairness, and transparency: These three elements are interconnected.
Lawfulness refers to the requirement that any processing of personal information must have a valid and lawful basis. We identify and establish a lawful basis (or bases) for collecting and using personal information. There are six possible lawful bases for processing, depending on the purpose and the relationship with the individual. These bases include consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests. Specific conditions apply when processing sensitive data (such as health information or racial/ethnic data). If no lawful basis applies, the processing becomes unlawful and violates this principle.
Fairness entails treating individuals fairly and ensuring that processing does not unduly harm or mislead them. When handling personal information, we consider the impact on individuals and justify any adverse effects. Processing should align with reasonable expectations or be adequately explained if unexpected. Misleading practices during data collection are strictly prohibited. Transparency is key to maintaining fairness.
Transparency involves being open, honest, and clear about how personal information will be used. We comply with the transparency obligations outlined in the right to be informed (Articles 13 and 14 of the GDPR). This includes providing individuals with concise, easily accessible information about data processing. Transparency ensures that individuals understand how their data will be handled, fostering trust and accountability.
Purpose limitation:
Personal information is collected for specified, explicit, and legitimate purposes, and is not further processed in a manner that is incompatible with those original purposes.
This means that we always:
Data minimisation:
We collect and process only the minimum amount of personal information required to achieve the intended goals.
To comply with data minimisation:
Accuracy:
We take every reasonable step to ensure that personal information is not incorrect or misleading with regard to any matter of fact. Compliance with this principle involves several key actions:
Storage limitation:
Personal information is retained for no longer than is necessary for the purposes for which the personal information is processed. This is achieved through:
Integrity and confidentiality (security):
We apply appropriate security measures to protect the data we hold.
Integrity: we actively maintain the accuracy, reliability, and consistency of personal information. We prevent unauthorised or accidental alterations, ensuring that data remains true to its intended purpose.
Confidentiality: we safeguard personal information from unauthorised access, disclosure, or breaches. Only authorised individuals can access and process the data we hold about individuals.
We achieve this through: