Data Protection Policy 

The Sleep Better Community CIC

DATA PROCESSING AGREEMENT

Feb 2025 


Contents

1. Introduction and scope

2. Definitions

3. Data protection principles

4. Basis for processing personal information

5. Sensitive personal information

6. Data Protection Impact Assessments (DPIAs)

7. Documentation and records

8. Sharing your personal data

9. Your obligation

10. Individual rights

11. Subject access requests

12. Information security

13. Data breaches

14. Consequences of failing to comply

15. Review


1. Introduction and scope

1.1 The Sleep Better Community CIC (TSBC) obtains, keeps, and uses personal information (also referred to as data) about job applicants, members, and current and former staff for a number of specific lawful purposes as set out in the organisation's data protection privacy notices. TSBC is a ‘data controller’ for the purposes of your personal data. We are committed to complying with all our data protection legal obligations regarding how we obtain, handle, process or store personal data.

1.2 For the purposes of this policy, staff includes employees, workers, consultants, contractors, volunteers etc. If you fall into one of these categories, you are a ‘data subject’ for the purposes of this policy. You should read this policy alongside your contract of employment, our Privacy Notice, IT policy and any other notice we issue to you from time to time in relation to your data.

1.3 This policy is non-contractual, and we may amend it at any time. This policy sets out how we comply with our data protection obligations and seek to protect personal information relating to our workforce and members. Its purpose is also to ensure that staff understand and comply with the rules governing the collection, use and deletion of personal information to which they may have access in the course of their work.


2. Definitions 

Criminal Records Information means personal information relating to criminal convictions and offences, allegations, proceedings, and related security measures.

Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information.

Data Subject means the individual to whom the personal information relates.

Personal Information (sometimes known as personal data) means information relating to an individual who can be identified (directly or indirectly) from that information. It could also include any expression of opinion about the person and an indication of the intentions or use of others in respect of that person. It applies to data stored electronically, on paper or other materials, but does not include anonymised data.

Processing Information means obtaining, recording, organising, storing, amending, retrieving, disclosing and/or destroying information, or using or doing anything with it.

Pseudonymised means the process by which personal information is processed in such a way that it cannot be used to identify an individual without the use of additional information, which is kept separately and subject to technical and organisational measures to ensure that the personal information cannot be attributed to an identifiable individual.

Sensitive Personal Information (sometimes known as ‘special categories of personal data’ or ‘sensitive personal data’) means personal information about an individual’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), genetic information, biometric information (where used to identify an individual) and information concerning an individual’s health, sex life or sexual orientation.

3. Data protection principles

3.1 TSBC will comply with the following data protection principles when processing personal information.

Your personal information will be:

• processed fairly, lawfully, and transparently

• collected and processed only for specified, explicit and legitimate purposes

• adequate, relevant, and limited to what is necessary for the purposes for which it is processed

• accurate and kept up to date; any inaccurate data must be deleted or rectified without delay

• not kept for longer than is necessary for the purposes for which it is processed

• processed securely.

4. Basis for processing personal information

4.1 ‘Processing’ the data that we hold includes collection, recording, organisation, structuring or storage, adapting, retrieving, disseminating, aligning, and also removing or erasing it.

4.2 We will process your personal data if it is needed to perform the contract of employment (or services) between us or to comply with any legal obligation, or if it is necessary for our legitimate interests. The Privacy Notice covers the reasons for collecting and processing your data, and when and with whom we share it. We can process your personal data for these purposes without your knowledge or consent.

4.3 However, we will not use your personal data for an unrelated purpose without telling you about it and the legal basis that we intend to rely on for processing it. We will only process special categories of your personal data in certain situations in accordance with the law. We do not take automated decisions about you using your personal data or use profiling in relation to you.

5. Sensitive personal information

5.1 TSBC may from time to time need to process sensitive personal information. We will only process sensitive personal information if we have a lawful basis for doing so, and if one of the special conditions for processing sensitive personal information applies, e.g.:

• the data subject has given explicit consent

• the processing is necessary for the purposes of exercising the employment law rights or obligations of the organisation or the data subject

• the processing is necessary to protect the data subject’s vital interests, and the data subject is physically incapable of giving consent

• processing relates to personal data which are manifestly made public by the data subject

• the processing is necessary for the establishment, exercise or defence of legal claims

• the processing is necessary for reasons of substantial public interest.

5.2 Before processing any sensitive personal information, staff must notify their manager or the CEO of the proposed processing so that they may assess whether the processing complies with the criteria noted above.

5.3 Sensitive personal information will not be processed until the individual has been properly informed (by way of a privacy notice or otherwise) of the nature of the processing, the purposes for which it is being carried out and the legal basis for it.

5.4 We will not carry out automated decision-making (including profiling) based on any individual’s sensitive personal information.

6. Data Protection Impact Assessments (DPIAs)

6.1 Where processing is likely to result in a high risk to an individual’s data protection rights (e.g. where the organisation is planning to use a new form of technology), we will, before commencing the processing, carry out a DPIA to assess:

• whether the processing is necessary and proportionate in relation to its purpose

• the risks to individuals

• what measures can be put in place to address those risks and protect personal information.

6.2 During the course of any DPIA, we will, where appropriate, seek the views of employees (this may be a representative group) and any other relevant stakeholders.

7. Documentation and records

7.1 We will keep written records of processing activities which are high risk, i.e. which may result in a risk to individuals’ rights and freedoms or involve sensitive personal information or criminal records information, including:

7.2 As part of our record of processing activities we document, or link to documentation, on:

• information required for privacy notices

• records of consent

• controller-processor contracts

• the location of personal information

• DPIAs

• records of data breaches.

7.3 We may document our processing activities in electronic form so we can add, remove and amend information easily. 

8. Sharing your personal data

8.1 Sometimes we might share your personal data with our business partners, contractors and agents in order to carry out our obligations under our contract with you or for our legitimate interests; these parties are required to hold data legally and confidentially. These parties are detailed in your Privacy Notice.

8.2 We do not send your personal data outside the European Economic Area. If this changes, you will be notified of this and the protections which are in place to protect the security of your data will be explained.

9. Your obligation

9.1 Everyone who works for, or on behalf of TSBC has some responsibility for ensuring data is collected, stored and handled appropriately, in line with this policy and our IT policy.

9.2 You should only access personal data covered by this policy if you need it for the work you do for, or on behalf of, the organisation and only if you are authorised to do so. You should only use the data for the specified lawful purpose for which it was obtained and follow the following principles:

• do not share personal data informally; keep it secure and don’t share it with unauthorised people

• regularly review and update personal data which you have to deal with; update us if your own contact details change

• do not make unnecessary copies or keep personal data; dispose of any copies securely

• consider anonymising data or using separate keys/codes so that the data subject cannot be identified

• do not transfer personal data out of the European Economic Area except in compliance with the law and with authorisation of the person responsible for data in the organisation

• lock drawers and filing cabinets; do not leave papers with personal data lying about

• do not take personal data away from organisation premises without authorisation

• ask for help from the person responsible for data in the organisation if you are unsure about data protection or the IT policy, or if you notice any areas we can improve upon.

10. Individual rights

10.1 The law provides clear rights with regard to your data protection; a full list can be found on the Information Commissioner’s Office website (www.ico.org.uk). You (in common with other data subjects) have the following rights in relation to your personal information:

• to be informed about how, why and on what basis that information is processed; see the organisation's data protection privacy notices

• to obtain confirmation that your information is being processed and to obtain access to it and certain other information, by making a subject access request; see section 11, Subject access requests, below

• to have data corrected if it is inaccurate or incomplete

• to have data erased if it is no longer necessary for the purpose for which it was originally collected/processed, or if there are no overriding legitimate grounds for the processing (this is sometimes known as ‘the right to be forgotten’)

• to restrict the processing of personal information where the accuracy of the information is contested, or the processing is unlawful (but you do not want the data to be erased), or where the employer no longer needs the personal information but you require the data to establish, exercise or defend a legal claim

• to restrict the processing of personal information temporarily where you do not think it is accurate (and the employer is verifying whether it is accurate), or where you have objected to the processing (and the employer is considering whether the organisation’s legitimate grounds override your interests).

If you wish to exercise any of the rights as set out above, please contact the CEO.

11. Subject access requests

11.1 Data subjects have the right to request access to their personal data processed by us. Such requests are called subject access requests (SARs). When a data subject makes an SAR, we will usually take the following steps:

• log the date on which the request was received (to ensure that the relevant timeframe of one month for responding to the request is met)

• confirm the identity of the data subject who is the subject of the personal data; for example, we may request additional information from the data subject to confirm their identity

• search databases, systems, applications and other places where the personal data which are the subject of the request may be held

• confirm to the data subject whether or not personal data of the data subject making the SAR are being processed.

11.2 If personal data of the data subject are being processed, we shall provide the data subject with the following information in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in writing or by other (including electronic) means:

• the purposes of the processing

• the categories of personal data concerned

• the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients overseas

• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period

• the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data or to object to such processing

• the right to lodge a complaint with the Information Commissioner’s Office (ICO)

• where the personal data are not collected from the data subject, any available information as to their source

• the existence of automated decision-making and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.


11.3 We shall also, unless there is an exemption, provide the data subject with a copy of the personal data processed by us in a commonly used electronic form (unless the data subject either did not make the request by electronic means or has specifically requested not to be provided with the copy in electronic form) within one month of receipt of the request. If the request is complex, or there are a number of requests, we may extend the period for responding by a further two months. If we extend the period for responding we shall inform the data subject within one month of receipt of the request and explain the reason(s) for the delay.

11.4 Before providing the personal data to the data subject making the SAR, we shall review the personal data requested to see if they contain the personal data of other data subjects. If they do, we may redact the personal data of those other data subjects prior to providing the data subject with their personal data, unless those other data subjects have consented to the disclosure of their personal data.

11.5 If the SAR is manifestly unfounded or excessive, for example, because of its repetitive character, we may charge a reasonable fee, taking into account the administrative costs of providing the personal data, or refuse to act on the request.

11.6 If we are not going to respond to the SAR we shall inform the data subject of the reason(s) for not taking action and of the possibility of lodging a complaint with the ICO.

12. Information security

12.1 Information may be held at our offices and by third-party agencies, service providers, representatives and agents, and in cloud-based IT services.

12.2 The organisation will use appropriate technical and organisational measures to keep personal information secure, and in particular to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage. These may include:

• making sure that, where possible, personal information is pseudonymised or encrypted

• ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services

• ensuring that, in the event of a physical or technical incident, availability and access to personal information can be restored in a timely manner

• a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

12.3 Where the organisation uses external organisations to process personal information on its behalf, additional security arrangements will be implemented in contracts with those organisations to safeguard the security of personal information. Before any new agreement involving the processing of personal information by an external organisation is entered into, or an existing agreement is altered, the relevant staff must seek approval of its terms by the CEO.

13. Data breaches

13.1 A data breach may take many different forms, for example:

• loss or theft of data or equipment on which personal information is stored

• unauthorised access to or use of personal information either by a member of staff or a third party

• loss of data resulting from an equipment or systems (including hardware and software) failure

• human error, such as accidental deletion or alteration of data

• unforeseen circumstances, such as a fire or flood

• deliberate attacks on IT systems, such as hacking, viruses or phishing scams; and ‘blagging’ offences, where information is obtained by deceiving the organisation which holds it.

13.2 TSBC will:

• make the required report of a data breach to the Information Commissioner’s Office without undue delay and, where possible, within 72 hours of becoming aware of it, if it is likely to result in a risk to the rights and freedoms of individuals

• notify the affected individuals if a data breach is likely to result in a high risk to their rights and freedoms and notification is required by law.

14. Consequences of failing to comply

14.1 TSBC takes compliance with this policy very seriously. Failure to comply with the policy puts individuals whose personal information is being processed at risk, carries significant civil and criminal sanctions for the individual and the organisation and may, in some circumstances, amount to a criminal offence by the individual.

14.2 Because of the importance of this policy, an employee’s failure to comply with any requirement of it may lead to disciplinary action under our procedures, and this action may result in dismissal for gross misconduct. If a non-employee breaches this policy, they may have their contract terminated with immediate effect. If you have any questions or concerns about anything in this policy, do not hesitate to contact the CEO.

15. Review

15.1 We will review, and if necessary update, this policy in accordance with our data protection obligations. The CEO is responsible for reviewing this policy. You should direct any questions in relation to this policy or data protection to this person and address any written requests to them.

Approved by the Board of Trustees: 

 

Signature: CEO Date: Feb 25