General Data Protection Regulations Policy



Introduction

Clwyd Special Riding Centre (CSRC) is compliant with current Data Protection Law. The General Data Protection Regulations (GDPR) comes into force on 25th May 2018. To ensure compliance, the CSRC Centre Manager has completed the GDPR training course, implemented the initial '12 step guide' set by the Information Commissioner's Office (ICO) and undertaken an audit of the data held.


CSRC Board of Trustees

The GDPR policy and its implementation are the responsibility of the Board of Trustees. Responsibilities are the allocation of a Data Protection Officer, ensuring the monitoring of data collection, training and awareness, data process contacts, sub-processors, breach notification, right of access, retention and disposal, restrict process and data portability.


Data Protection Officer

Data Protection Officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements. They are the point of contact for issues relating to data and GDPR – the CSRC Data Protection Officer is the Centre Manager.


Monitoring of Data Collection

The information required to provide an appropriate and effective service is monitored, and any amendments or additions required are approved by the Board.


Training and Awareness
CSRC provides training to all relevant staff and volunteers who are in contact with data as part of session delivery.

Data Process Contacts
Data will not be available to any person other than those immediately involved with the delivery of service to the said beneficiary.

Sub-Processors
There will be NO outsourcing of data to sub-processors.

Breach Notification
Any individual involved in a breach of data will be notified immediately. All necessary action will be undertaken as advised by the ICO.

Right of Access

Every individual has a right to access their individual file. Individuals must make that request in writing to the Data Protection Officer at CSRC. The file will be made available within 78 hours of receipt of request.


Right to rectification and data quality

Individuals have a right to information being altered or updated and this will be accommodated by CSRC. CSRC have a duty to ensure data remains accurate and up to date. A review of data will occur on a 6 monthly basis as standard and as necessary upon request.

Right to retention and disposal
A review of data will occur on a 6 monthly basis as standard and as necessary upon request. The entire data will be reviewed and files no longer required will be confidentially disposed of. All requests for disposal will be verified and activated within 72 hours.

Right to restrict processing
NO data held by CSRC is processed externally. No personal data is used by CSRC. Only data figures are used for monitoring, tracking and funding applications.

Right to data portability
Individuals have the right to have their personal information forwarded in an electronic format following verified request.

Data Protection Principles

Lawful Basis
CSRC holds information about beneficiaries, volunteers and staff that is contained within the application form only. Everything CSRC does with records about individuals will have an acceptable legal basis. There are 6 of these in total with 1 – 4 relevant to CSRC.

1. Consent from the individual (or someone authorised to consent on their behalf)
2. Where it is necessary in connection with a contract between CSRC and the individual
3. Where it is necessary because of a legal obligation
4. Where it is necessary in an emergency, to protect an individual's 'vital interests'
5. Where it involves the exercise of a public function – i.e. most activities of most government, local government and other public bodies
6. Where it is necessary in our legitimate interests, as long as those are not outweighed by the interests of the individual

At NO other time will information be shared with a third party.

Personal Information – Beneficiaries
The Individual File holds the following data to ensure the beneficiary is assigned to the appropriate service and is monitored in terms of development. No information is obtained that is not essential to the delivery of service. The information held is:-

- Personal and contact details – for file reference and emergency contact
- Date of birth and gender – to be allocated into an appropriate group
- Detail of additional need – for appropriate service delivery
- Weight and Height – for horse assessment purposes
- Consent details – for parents/guardians of those under 18 years of age or proven capacity issues.

Consent – On the Application Form there will be a box to tick, sign and date stating consent has been given for the data to be held whilst the individual attends CSRC and 3 years upon leaving if an adult and 3 years after the age of 18 if a child.

Data Flow
There are 3 additional RDA Groups at CSRC - Wrexham Carriage Driving Group, Dyffryn Ceiriog Group and Hope Mountain Group and STAR Hippotherapy. CSRC manages the Enquiries, Application Form, Assessment, Waiting List and jointly works with the RDA Groups and STAR Hippotherapy on the allocation of beneficiaries into the most appropriate groups and sessions. The beneficiary file will then be held in a locked Data Protection compliant filing cabinet allocated to that Group at CSRC. To ensure best practice the 3 RDA Groups adhere to the CSRC Policy and CSRC adheres to the RDA Policy. STAR Hippotherapy adheres to CSRC Policy.

Personal Information – Volunteers
The information held is:-

- Personal and contact details – for file reference and emergency contact
- Date of birth and gender – to be allocated into an appropriate group
- Detail of additional need – for support needs
- DBS – details for DBS completion
- Consent details – for parents/guardians of those under 18 years of age or proven capacity issues.
- Two (2) references

Consent – On the Volunteers Application Form there will be a box to tick, sign and date stating consent has been given for the data to be held for the term of volunteering and 3 years upon leaving.

Personal Information – Staff Team
The information held is:-

- Full application form including - Personal Details, qualifications, work history, personal statement
- DBS – details for DBS completion
- Two (2) references

Consent – On the Offer of Employment Letter there will be a box to tick, sign and date stating consent has been given for the data to be held for the entire employment and 3 years upon leaving.

Personal Information – Supporters
The information held is:-

- Contact details
- Support given

Consent – All current supporters have received a letter referencing the GDPR Policy and Privacy Statement.

Source of information held
All information held is supplied by the individual, beneficiary or parent/guardian/carer.
NO additional information is sought from third parties by CSRC.

GDPR 2018/CSRC