Data Privacy

We take data privacy very seriously at BCWA, click on the one of the links below to see the ways we collect, store, process and protect your personal data: Download…

We take data privacy very seriously at BCWA, click on the one of the links below to see the ways we collect, store, process and protect your personal data:

Download Privacy Notice: Service Users

Download Privacy Notice: Recruitment

Download Privacy Notice: Donors

Bromley & Croydon Women’s Aid (BCWA) Privacy Policy:


BCWA is committed to handling personal information lawfully, responsibly, and securely. This Privacy Policy outlines our practices regarding personal information handling, in alignment with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

What is Personal Information?

Personal information is any information that identifies or could identify a living person. This includes but isn’t limited to:

  • Names
  • Addresses (email and physical)
  • Telephone numbers
  • Date of birth
  • Identification numbers (e.g., passport, NHS number)
  • Sensitive personal information (e.g., medical/health information, race, religion, sexual orientation)

Key Principles When Handling Personal Information

Our data handling adheres to these key principles:

  • Lawfulness, fairness, and transparency: We collect and process personal information lawfully, fairly, and transparently.
  • Purpose limitation: We collect personal information for specified, explicit, and legitimate purposes. We don’t process it for incompatible purposes.
  • Data minimisation: We collect only the personal information necessary for the stated purposes.
  • Accuracy: We take reasonable steps to ensure personal information is accurate and updated as needed.
  • Storage limitation: We store personal information only as long as necessary for the specified purposes.
  • Integrity and confidentiality (security): We have appropriate security measures to protect against unauthorised access, alteration, disclosure, or destruction of personal information.

A more detailed explanation of these principles can be found in the appendix.

Staff Responsibilities

All staff who handle personal information must:

  • Familiarise themselves with and follow this Privacy Policy.
  • Collect and process personal information only for lawful, necessary business purposes.
  • Seek consent where required.
  • Not disclose personal information to unauthorised parties.
  • Report any suspected data breaches to the Data Protection Lead or Data  Controller immediately.

Individual Rights

Under the UK GDPR, individuals have rights regarding their personal information. Staff must be aware when a data subject is making an individual rights request. Here are the types of individual rights requests that a data subject may make:

  • Right of access: Facilitate Subject Access Requests (SARs) from individuals requesting their personal information.
  • Right to rectification: Promptly update inaccurate personal information upon valid requests.
  • Right to erasure (“right to be forgotten”): Fulfil requests to delete personal information when applicable.
  • Right to restriction of processing: Limit processing upon request in certain circumstances.
  • Right to data portability: Provide data in a structured, machine-readable format upon request.
  • Right to object: Consider objections to processing, including direct marketing objections.

Staff should immediately contact Data Protection Lead if a data subject has raised an individual rights request. BCWA are required to respond back to the data subject within a short time frame from when the request has been made.

Data subjects may include employees, volunteers, donors and service users.

Data Breaches

A data breach is any incident compromising the confidentiality, security, or integrity of personal information. Examples include:

  • Unauthorised access to systems
  • Lost or stolen devices containing personal information
  • Accidental disclosure of personal information

In the event of a suspected breach, staff must:

  1. Immediately cease the activity if possible.
  2. Notify Business Support Manager
  3. Do not attempt to fix the breach yourself.

Planning New Activities

When planning activities involving personal information:

  • Embed Privacy by Design, ensuring privacy is considered early on.
  • Document processing activities in our Record of Processing Activities.
  • Conduct a Data Protection Impact Assessment (DPIA) if the activity is likely to pose a high risk to individuals.

All new activities involving personal information must be discussed with the Data Controller (CEO) and Business Support Manager to follow these steps and ensure appropriate privacy controls are implemented from the outset.

Contact Information

For questions or to exercise your data protection rights, please contact:

Business Support Manager (data protection lead)

020 8313 9303

PO Box 91159


This policy will be reviewed regularly and updated as needed.



APPENDIX 1 Explaining the Key Principles:

Lawfulness, fairness, and transparency: These three elements are interconnected.

Lawfulness refers to the requirement that any processing of personal information must have a valid and lawful basis. We identify and establish a lawful basis (or bases) for collecting and using personal information. There are six possible lawful bases for processing, depending on the purpose and the relationship with the individual. These bases include consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests. Specific conditions apply when processing sensitive data (such as health information or racial/ethnic data). If no lawful basis applies, the processing becomes unlawful and violates this principle.

Fairness entails treating individuals fairly and ensuring that processing does not unduly harm or mislead them. When handling personal information, we consider the impact on individuals and justify any adverse effects. Processing should align with reasonable expectations or be adequately explained if unexpected. Misleading practices during data collection are strictly prohibited. Transparency is key to maintaining fairness.

Transparency involves being open, honest, and clear about how personal information will be used. We comply with the transparency obligations outlined in the right to be informed (Articles 13 and 14 of the GDPR). This includes providing individuals with concise, easily accessible information about data processing. Transparency ensures that individuals understand how their data will be handled, fostering trust and accountability.

Purpose limitation:

Personal information is collected for specified, explicit, and legitimate purposes. Furthermore, it is not further processed in a manner that is incompatible with those original purposes.

This means that we always:

  • Clearly state the reasons for collecting personal information from the outset.
  • Inform individuals transparently about the intended data processing.
  • Ensure that any subsequent use or disclosure of personal information aligns with the original purpose, is fair, lawful, and transparent.

Data minimisation:

We collect and process only the minimum amount of personal information required to achieve the intended goals.

To comply with data minimisation:

  • Collect Necessary Data: We collect only the data genuinely needed for the specified purposes.
  • Fulfil Purpose: We ensure that the data collected is sufficient to fulfil those purposes effectively.
  • Regular Review: We periodically review the data held and delete anything no longer necessary.


We take every reasonable step to ensure that personal information is not incorrect or misleading with regard to any matter of fact. Compliance with this principle involves several key actions:

  • Clear Source and Status: The source and status of personal information is transparently recorded.
  • Challenges to Accuracy: When individuals challenge the accuracy of information, we carefully consider such challenges. We respond to rectification requests to update data appropriately.
  • Periodic Updates: we regularly assess whether data needs updating to fulfil its intended purpose.

Storage limitation:

Personal information is retained for no longer than is necessary for the purposes for which the personal information is processed. This is achieved through:

  • Standard Retention Periods: we apply standard retention periods wherever possible to help comply with documentation requirements.
  • Regular Review: we periodically review the data we hold and erase or anonymise it when it is no longer needed.

Integrity and confidentiality (security)

We apply appropriate security measures to protect the data we hold.

Integrity: we actively maintain the accuracy, reliability, and consistency of personal information. We prevent unauthorised or accidental alterations, ensuring that data remains true to its intended purpose.

Confidentiality: we safeguard personal information from unauthorised access, disclosure, or breaches. Only authorised individuals can access and process the data we hold of individuals.

We achieve this through:

  • Access Controls: we limit access to authorised personnel and implement role-based permissions.
  • Encryption: we protect data during transmission and storage using encryption techniques.
  • Incident Response: we are prepared to respond swiftly to any security incidents or breaches.

Latest News

News, blog,
jobs & events

Hide My Visit

24/7 National Domestic Abuse Helpline:

0808 2000 247