Data protection policy

Introduction

In order to operate effectively and, in particular, to meet the requirements of its funders, Exposure collects and processes personal information about individuals with whom it works, including young beneficiaries, adult volunteers, staff, freelance contractors, funders, clients, supporters, partners and suppliers.

The manager is Exposure’s named data protection officer, responsible for complying with data protection legislation. Exposure will treat personal information lawfully and correctly, in accordance with the requirements of the Data Protection Act 1998 and the General Data Protection Regulation (GDPR) 2018.

Exposure will ensure that staff, freelance contractors and adult volunteers are aware of and abide by their responsibilities under the Act and GDPR by making them aware of this policy.

Information on young beneficiaries

Exposure collects information from young beneficiaries when they complete a registration form, on commencement, and when evaluating its services.

This information is processed, on a lawful basis, by consent of the young beneficiaries themselves and, for those under 18, also by the consent of their parents.

Some funders require Exposure to provide reports containing certain anonymised information on its young beneficiaries.

This information may pertain to overall numbers of beneficiaries, in terms of their age, gender, disability, religious beliefs and sexual orientation, as well as how Exposure has helped beneficiaries improve their skills, confidence and employability. However, no specific personal information, on any individual beneficiary, will be shared with funders without requisite consent.

Information on staff, freelance contractors and adult volunteers

Exposure collects information on its staff, freelance contractors and adult volunteers, through these individuals providing a CV, contact details and references, and signing up to Exposure’s safeguarding policy. This information is processed, on a lawful basis, by consent.

Information on partners, suppliers and funders

Exposure collects and processes information on its partners, suppliers, charitable trusts, foundations and corporate funders for work and fundraising purposes. This information is processed, on a lawful basis, because it is either in the public domain or has been provided directly by the partners, suppliers or funders themselves.

People’s rights

Exposure will ensure that individuals whose personal information is collected, processed and stored:

1. are clearly informed about how the information is used

2. can access the information to verify how it is used, within one month of making the request

3. can rectify any errors

4. can have the information erased, where appropriate

5. can restrict how the information is processed

6. can use the information for their own purposes

7. can object to how the information is used (eg for direct marketing of Exposure’s services).

Exposure will ensure that personal information that is no longer needed is shredded or destroyed safely, or deleted from systems appropriately.

Data that is no longer needed, whether in electronic or written format, will be retained for no more than five years prior to it being shredded or destroyed.

Data breaches

Exposure will inform the Information Commissioner’s Office within 72 hours if there is a data breach leading to the destruction, loss, alteration, or unauthorised disclosure of personal information, likely to result in a risk to the rights and freedoms of the individuals concerned.

Where a breach is likely to result in a high risk to the rights and freedoms of the individuals concerned, Exposure will notify such individuals directly.

Data protection principles

The Data Protection Act stipulates that the processing of personal information must comply with eight legally enforceable principles. The principles require that personal information will:

1. be processed fairly and lawfully

2. be obtained only for specified and lawful purposes and will not be further processed in any manner incompatible with those purposes

3. be adequate, relevant and not excessive in relation to those purposes

4. be accurate and kept up to date where necessary

5. not be kept longer than is necessary for those purposes

6. be protected by an appropriate degree of security

7. not be transferred to a country or territory outside the UK, unless that country or territory ensures an adequate level of data protection.