Allia Business Centre

Data Protection Policy

Policy Statement

Peterborough Council for Voluntary Service (PCVS) is committed to complying fully with the General Data Protection Regulation (GDPR) and related laws. This policy outlines our responsibilities in protecting personal data collected and processed for operational purposes, covering employees, volunteers, clients, suppliers, and other stakeholders.

Core Principles

PCVS processes personal data lawfully, fairly, and transparently, ensuring:

  1. Data is collected for legitimate, specific purposes and not processed incompatibly with those purposes.
  2. Data is accurate, relevant, and limited to what is necessary.
  3. Data is retained only as long as necessary and securely stored.
  4. Data subjects’ rights are respected, including rights to access, rectify, or erase data.
  5. Data will be processed in accordance with the rights of data subjects under this

Roles and Responsibilities

  • Data Protection Officer (DPO): The DPO oversees data protection compliance, provides training, addresses queries, communicates relevant information to the Trustee Board, checks and approves any contracts with third parties that handle company data, and ensures adherence to this policy.
  • Staff and Volunteers: Must follow this policy and notify the DPO of any potential breaches or data processing queries.

Privacy Notice

This policy should be read in conjunction with the PCVS Privacy Notice document.

Processing Personal Data

PCVS ensures all data processing meets at least one legal basis (e.g., consent, contract necessity, legal obligation). Sensitive data is processed only with explicit consent or under lawful exemptions.

Data Security

  • Personal data is stored securely (e.g., password protection, locked cabinets).
  • Access is restricted to authorised individuals only.
  • Physical and digital data is securely disposed of when no longer required.
  • Cloud storage, devices, and systems used for data must be approved and regularly monitored by the DPO.
  • A clear desk policy applies, meaning no personal data is left unattended on desks.
  • Computer screens are sited so that information cannot be seen by unauthorised individuals.

Data Retention and International Transfers

  • Data is retained only as long as necessary for its purpose, as outlined in PCVS retention guidelines.
  • Personal data is not transferred outside the European Economic Area (EEA) without appropriate safeguards and explicit consent.

Fair and Lawful Processing

PCVS processes personal data lawfully and fairly in accordance with GDPR. Personal data is processed only with a valid legal basis, such as consent, contract necessity, compliance with a legal obligation, protection of vital interests, public interest, or legitimate interests.

Rights of Individuals:
Individuals have the following rights regarding their personal data:

  1. Right of Access: Individuals may request a copy of the personal data held about them.
  2. Right to Rectification: They can request correction of inaccurate or incomplete data.
  3. Right to Erasure (Right to Be Forgotten): Individuals can request the deletion of their personal data when no longer necessary for the purpose collected.
  4. Right to Restrict Processing: They can request to limit the processing of their data in certain circumstances.
  5. Right to Data Portability: Individuals can request their data be transferred to another organization in a structured, commonly used, and machine-readable format.
  6. Right to Object: They can object to processing based on legitimate interests or for direct marketing.
  7. Rights Related to Automated Decision-Making and Profiling: They can request human intervention or challenge decisions made solely by automated means.

Process for Exercising Rights:

  • Individuals may submit their requests in writing to the DPO via email or post.
  • PCVS will verify the identity of the requester to ensure data security.
  • Requests will be acknowledged within five working days and fulfilled within one month, unless complex circumstances arise, in which case the deadline may be extended by two months with prior notification.

These rights ensure transparency and accountability in our data processing practices while protecting the privacy and integrity of personal information.

Data Breaches

A data breach occurs when there is a security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This includes both digital and physical data.

Examples of Data Breaches

  • Loss or theft of devices containing personal data (e.g., laptops, USB drives).
  • Unauthorised access to systems or databases.
  • Sending personal data to the wrong recipient.
  • Hacking, malware, or ransomware attacks.
  • Disposal of personal data in an insecure manner.

PCVS is committed to minimising the risk of data breaches and handling any incidents swiftly and effectively in line with GDPR requirements. All breaches must be reported to the Data Protection Officer (DPO) immediately.

Consequences of Non-Compliance

This policy is not part of the formal contract of employment, but it is a condition of all employment contracts that employees will follow the rules and policies created by PCVS.

Failure to report or manage a data breach appropriately may result in:

  • Regulatory penalties: The ICO can impose fines up to £17.5 million or 4% of global turnover for severe breaches.
  • Reputational damage: Loss of trust from stakeholders and clients.
  • Internal disciplinary action for staff or volunteers involved in the breach.

Contact for Data Protection Queries:
DPO: Kirsteen McVeigh (CEO)
Email: [email protected]

Policy Reviewed and Approved: October 2024
