Privacy, Cookies, Data Protection

Data Protection

Explanatory Notes (to be read in conjunction with Policy)

Introduction

From 25 May 2018, all countries in the European Union are subject to the General Data Protection Regulation (GDPR) (which replaces EU Directive 95/46/EC) and existing local law will be substantially repealed.  In the UK, the GDPR is supplemented by the Data Protection Act 2018 (DPA).  Trustees have a legal obligation to comply with the Data Protection Act.  The new law updates data protection laws making them fit for the digital age and covering cyber security as well as giving more control over use of personal data.

GDPR requires all organisations that hold personal data about individuals to have written consent from the individual to store such data.  This will be covered by the Data Protection statement in the Trust’s application form.  Current residents should be advised in writing of how their personal data is stored and that it will only be accessed by authorised persons and will not be passed to third parties without prior consent.

The Data Protection Act 2018 requires every data controller (e.g. organisation) that is processing personal data to consider whether they need to register with the ICO.  Many almshouse charities will be eligible for exemption from registration.  There is a simple questionnaire on the Information Commissioner’s Office (ICO) website which will guide you as to whether your Trust needs to register.  Go to https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/

If your Almshouse Trust uses CCTV, it must be registered with the ICO.

Background

Data privacy (or data protection) law gives people the right to control how their ‘personal data’ is used (any information that relates to them, such as name, contact details, allegations of criminal activity, preferences etc.). It also places obligations on organisations that use personal data.  Information may be personal data even if a person’s name is not associated with the information.

Non-compliance would be serious for the Trust. It could also lead to complaints from individuals, compensation claims, fines from regulators and bad publicity for the Trust.

The Rules

  1. Transparency.  The Trust must be transparent about the personal data that the Trust holds on individuals including describing the purposes for which the personal data is used.
  2. Collecting and Using Personal Data for Lawful purpose only.  The Trust must only collect and use the minimum amount of personal data which is necessary in order to conform with the objects of Tiverton Almshouse Trust as set out in the Governing Document dated 10 September 2009.
  3. Privacy Impact Assessments and Privacy by Design.  Where the collection and use of personal data is likely to result in significant risks for the rights and freedoms of individuals, an assessment of the impact of the proposed collection and use on individuals should be carried out. The Trust must ensure that systems, databases and tools that collect and use personal data are designed to promote privacy protection.
  4. Ensuring data quality.   Personal data must be kept accurate and up to date.
  5. Retaining and disposing of data.  Personal data must only be kept for as long as necessary for the Trust’s purpose and it must be disposed of securely.
  6. Honouring Individuals’ rights.  The Trust must always be receptive to any queries, requests or complaints made by individuals in connection with their personal data.
  7. Taking appropriate security measures.  The Trust must always take appropriate technical and organisational security measures to protect personal data.    
  8. Using Subcontractors and Vendors (organisations from which the Trust procures services).  The Trust must ensure that the providers of services also adopt appropriate and equivalent data protection measures.
  9. Disclosure to Third parties.  The Trust may only disclose personal data to third parties with consent of the individual, where required by law or where the third party is a subcontractor/vendor that has a need to know the information to perform its services and has entered into a contract with the Trust containing the appropriate data privacy and security provisions.
  10. Safeguarding the use of special categories of data.  The Trust must only use special categories of data if it is absolutely necessary and may need to obtain explicit consent from individuals to use the special categories of data.
  11. Collecting Children’s Data.  Data pertaining to children should only be collected when strictly necessary, for example where a Trust appoints families and needs to record ages of children.

Data should be collected and processed in accordance with a data protection policy which sets out the ways in which the Trust will adhere to the requirements of the GDPR as follows:

  • information is collected only for one or more specified and lawful purposes and not processed for any other purpose
  • it is kept secure
  • it is adequate, relevant and up to date
  • it is not excessive and kept only for as long as it is needed
  • the person about which the information is held may have access to it on request.

Trustees should ensure that their staff are adequately trained in data protection matters so that they are aware how to store and process personal information.  Residents, and any individuals about whom personal information is held, should know what the Trust is doing with the information, how it will be stored securely and with whom it will be shared.

Personal data which includes sensitive information such as that listed below, would be regarded as a more serious breach if released:

  • racial or ethnic origin
  • political opinion
  • religious or other beliefs
  • trade union membership
  • physical or mental health
  • sexual life
  • criminal proceedings or convictions.

It is an offence for a Trust to fail to comply with its obligations under the Data Protection Act 2018.  Data protection guidance for charities is available from the website of the Information Commissioner’s Office: https://ico.org.uk/

TIVERTON ALMSHOUSE TRUST

DATA PROTECTION POLICY
Version 3
4 February 2020

Replaces Version 2 : “Data Protection & Confidentiality Policy”

Introduction

The purpose of this policy is to enable the Tiverton Almshouse Trust to comply with the law (The GDPR and DPA 2018) in respect of the data it holds about individuals. The Tiverton Almshouse Trust will ensure that the information the Trust holds about its residents, beneficiaries, employees etc. is used in accordance with the law.  The Trust will only collect and use personal data in compliance with this Policy and the Rules set out below.

The Trust will:

  • follow good practice
  • protect residents, directors, staff, volunteers and other individuals by respecting their rights
  • demonstrate an open and honest approach to personal data and
  • protect the Trust from the consequences of a breach of its responsibilities.

This policy applies to all the information that we control and process relating to identifiable, living individuals including contact details, test and exam results, bank details, photographs, audio and digital recording.

The Tiverton Almshouse Trust will comply with General Data Protection Regulations 2018 as follows:

Transparency

The Trust will be open and transparent in the way personal data is used and shared. There may be limited circumstances where the Trust does not have to comply with the transparency requirement but in such instances the Trust will obtain further advice from the ICO.  Individuals will be provided with information about how their personal data is collected and stored.

Collecting and Using Personal Data for Lawful purpose only

The Trust will only collect and use the minimum amount of personal data if relevant for the purpose of the Trust and where the Trust can rely on a lawful basis (or bases) and where the purposes have been identified in a privacy notice provided to individuals, for example in the Trust’s application form.  When collecting personal data from individuals the Trust will ensure that the individuals are aware of the purposes for which the personal data will be used.

In addition, when collecting personal data, the Trust will only collect those details which are necessary for the purposes for which that personal data is being obtained. Any use of personal data will be for the identified purposes and any different or new purposes will have a lawful basis. Personal data that is not necessary for any legitimate business purpose will not be collected or accessed.

Tiverton Almshouse Trust has identified that the Trust has a legitimate interest in keeping personal data about residents as directors must be satisfied that each resident qualifies as a beneficiary of the Trust in accordance with the Governing Document dated 10 September 2009. The Trust considers the processing and storing of such personal data is necessary to comply with the Governing Document.  All personal data, including details of residents’ next of kin, will be stored securely, data on computer will be password protected and paper copies of data will be kept in a locked filing cabinet.  Only authorised members of staff and directors will have access to personal data.

Privacy Impact Assessments and Privacy by Design

The directors consider that the use of personal data is unlikely to result in significant risks for the rights and freedoms of individuals and therefore a Privacy Impact assessment is not necessary.  The Trust will ensure that systems, databases and tools that collect and use personal data are designed to promote privacy protection.

Ensuring data quality

Processing inaccurate information can be harmful to individuals and the Trust. The main way of ensuring that personal data is kept accurate and up to date is by ensuring that the sources the Trust uses to obtain personal data are reliable. Individuals will be actively encouraged to inform the Trust should their personal data change. To ensure that personal data is accurate, it will generally be collected directly from individuals. All residents will be actively encouraged to update their contact details by notifying the Trust of any changes in their personal data.

Retaining and disposing of data

Any personal data must only be kept where there is a business or legal need to do so. When the Trust disposes of personal data, this will be undertaken in a secure manner. Documents (including paper and electronic versions and email) containing personal data will not be kept indefinitely and will always be securely deleted and destroyed once they have become obsolete or when that personal data is no longer required.  Paper based documents will be shredded on site or disposed of externally as confidential waste. Electronic data will be permanently deleted from all drives and electronic media. Computer equipment that is surplus to requirements will be disposed of securely by specialist contractors. The Trust will maintain a record of the details of the media and computer equipment that has been disposed of, when it was disposed of and how it was disposed of and by whom. Personal data will not be retained simply on the basis that it might come in useful one day without any clear view of when or why.

The Trust’s data retention policy is:

The Trust will not keep personal data for longer than is necessary.  This means that:

  • a resident’s file will be completely destroyed after three years of the resident leaving or passing away
  • records of complaints/investigations concerning residents will be destroyed six years after the resident leaves or passes away
  • application forms for unsuccessful applicants will be destroyed three years after the date of application
  • directors will destroy and delete all Trust documents held within their own records twelve months after receipt, including all computer data and paper copies
  • directors’ personal files will be destroyed one year after ceasing to be a director
  • staff personal files will be destroyed 6 years after employment ceases.

Honouring Individuals’ rights

The Trust will reply to queries and complaints from individuals about how the Trust uses their personal data within 30 days. Individuals are entitled by law (by making a request) to be supplied with a copy of any personal data held about them (including both electronic and paper records). Individuals are also entitled to know the logic involved in decisions made about them. An individual also has the right to seek erasure of their data and to request portability of their data i.e. that the Trust provides their data to them in a structured, commonly used and machine-readable format. Where the Trust receives a request from an individual exercising their legal right to control their personal data, the Trust will respond promptly. If a valid request concerns a change in that individual’s personal data, such information will be rectified or updated, if appropriate to do so.

Taking appropriate security measures

Personal data will be kept secure. Technical, organisational, physical and administrative security measures (both computer system and non-computer system related steps) are necessary to prevent the unauthorised or unlawful processing or disclosure of personal data, and the accidental loss, destruction of, or damage to personal data. The Trust will monitor the level of security applied to personal data and take into account current standards and practices.

As a minimum the Trust will ensure that:

  • Personal files for residents, directors, and employees are kept in a locked filing cabinet at all times with access only by authorised staff.
  • Applications for accommodation are kept in a locked filing cabinet at all times with access only by authorised staff.
  • Directors’ details are kept in a locked filing cabinet with access only by the Chief Executive.
  • Electronic files containing personal data are password protected and passwords will be changed on a regular basis.
  • Backed up electronic data is held securely on an alternative site or when off‐site it is encrypted, password protected and will only be accessed by named staff.
  • If any personal data is taken from the office (e.g. to work at home) the personal data will be held securely at all times whilst in transit and at the location where held.

Any suspicion of any data security breach should be reported immediately to the Chief Executive.  When the Trust becomes aware of a breach, protective measures will be taken to effectively mitigate the consequences of the breach.

Using Subcontractors and Vendors

Under EU data protection law, where a provider of a service has access to personal data (e.g. as a payroll provider) the Trust will impose strict contractual obligations dealing with the purposes and ways personal data may be used and the data security of that information.  These are third parties who act as processors (i.e. only holding the personal data according to the Trust’s instructions) and this will include telecare companies that provide services to the Trust (Housing Benefit and Government offices are not vendors).

The Trust will carry out appropriate due diligence on any potential third party to which personal data is being provided and ensure that the third party’s Data Privacy Policy is adequate. The Trust will always enter into a written contract with any Vendor that deals with personal data being provided by the Trust.  The contract will meet the requirements under the GDPR Article 28.

Disclosure to Third parties

At times, the Trust may disclose personal data to vendors, contractors, service providers and other selected third parties. Prior to disclosing personal data to these parties, the Trust will take reasonable steps to ensure that: (i) the disclosure of personal data is appropriate; (ii) the recipient of such information is identified; and (iii) where appropriate or required by law, the third party is contractually committed to complying with this Policy and/or the Trust’s instructions concerning the use of personal data as well as implementing appropriate security measures to protect personal data, limiting further use of personal data, and complying with applicable laws.

In certain circumstances, the Trust may be required to disclose personal data to third parties when required by law, when necessary to protect the Trust’s legal rights, or in an emergency situation where the health or security of an individual is endangered. Prior to such disclosures, the Trust will take steps to confirm that the personal data is disclosed only to authorised parties and that the disclosure is in accordance with this Policy and applicable law.

Safeguarding the use of special categories of data

Special categories of data is information revealing an individual’s racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, processing of genetic data or biometric data (for the purpose of uniquely identifying an individual), health and sex life or sexual orientation. Since this information is more intrusive, the Trust will only use it where absolutely necessary and often with the explicit consent of the individual affected. The Trust will only hold and make available special categories of data on an individual without their explicit consent if the Trust have another lawful basis under applicable law. This may be the case, for example, where the Trust holds information about an individual’s health where this is necessary to exercise any obligation conferred by law on us in connection with the Trust.

For residents and beneficiaries the Trust may also collect and use their special category data where:

  • Our use of their personal data is to provide support for a particular disability or medical condition
  • Our use of their personal data is necessary for providing confidential counselling, advice or support
  • Our use of their personal data is necessary for protecting an individual from negligence or physical, mental or emotional harm
  • Our use of their personal data is necessary for the purpose of protecting the economic well-being of an individual at economic risk and is of health data

The Trust will always assess whether special categories of data are essential for the proposed use and will only collect special categories of data when it is absolutely necessary in the context of the organisation.  Application (or other) forms used to collect special categories of data will include suitable and explicit wording expressing the individual’s consent when the Trust are collecting explicit consent. Consent must be demonstrable. Therefore, if it is collected verbally it will be recorded in such a form as to prove that the requisite information was provided to the individual and their response was able to be verified. Where consent is not relied upon, the Trust will take steps to ensure that there is another lawful basis under applicable law for the collection and use of such information.  In certain circumstances, the Trust may be required to consult with the Information Commissioner’s Office about the proposed use of such special categories of data.

Data Storage and processing

Tiverton Almshouse Trust recognises that data is held about:

  • Residents
  • Directors
  • Staff
  • Leaseholders
  • Tenants

This information is always stored securely and access is restricted to those who have a legitimate need to know.  We are committed to ensuring that those about whom we store data understand how and why we keep that data and who may have access to it.  We do not transfer data to third parties without the express consent of the individual concerned. Archived records are stored securely and the Trust has clear guidelines for the retention of information as set out in Point 5 above.

Rights of individuals

All individuals who come into contact with Tiverton Almshouse Trust have the following rights under the DPA:

  • a right of access to a copy of their personal data
  • a right to object to processing that is likely to cause or is causing damage or distress
  • a right to prevent processing for direct marketing
  • a right to object to decisions being taken by automated means
  • a right, in certain circumstances, to have inaccurate personal data rectified, blocked, erased or destroyed and
  • a right to claim compensation for damages caused by a breach of the DPA.

Roles and Responsibilities

The directors recognise their overall responsibility for ensuring that the Trust complies with its legal obligations.  A trustee, (chair), or the Chief Executive is responsible as follows:

  • briefing directors on Data Protection responsibilities
  • reviewing Data Protection and related policies
  • advising other staff on Data Protection issues
  • ensuring that Data Protection induction and training takes place
  • notification handling subject access requests.

All directors, staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their roles. Significant breaches of these policies will be handled under disciplinary procedures.

Key risks to the safety of data control and process

The directors have identified the following potential key risks:

  • breach of confidentiality (information being given out inappropriately)
  • individuals being insufficiently informed about the use of their data
  • misuse of personal information by staff or volunteers
  • failure to up-date records promptly
  • poor IT security and
  • direct or indirect, inadvertent or deliberate unauthorised access.

The directors will review the Trust’s procedures regularly, ensuring that the Trust’s records remain accurate and consistent and in particular:

  • IT systems will be designed, where possible, to encourage and facilitate the entry of accurate data
  • data on any individual will be held in as few places as necessary and directors and staff will be discouraged from establishing unnecessary additional data sets
  • effective procedures will be in place so that relevant systems are updated when information about an individual changes.

Subject Access Requests

Any individual who wants to exercise their right to receive a copy of their personal data can do so by making a Subject Access Request (‘SAR’) to the Chief Executive.  The request must be made in writing and the individual must satisfy the Chief Executive of their identity before receiving access to any information. A SAR must be answered within 30 calendar days of receipt by the Trust.

Collecting and using personal data

The Tiverton Almshouse Trust typically collects and uses personal data in connection with the provision of (objects of the Trust).  The Trust collects personal data mainly in the following ways:

  • by asking applicants for accommodation to complete paper forms
  • by asking residents to give staff information verbally.

The Tiverton Almshouse Trust will:

  • not use any of the personal data it collects in ways that have unjustified adverse effects on the individuals concerned
  • be transparent about how it intends to use the data and give individuals appropriate privacy notices when collecting their personal data
  • handle people’s personal data only in ways they would reasonably expect
  • not do anything unlawful with the data.

Keeping Data Secure

The Tiverton Almshouse Trust will take all appropriate measures to prevent unauthorised or unlawful processing of personal data and to protect personal data against loss, damage or destruction.  This means that:

  • personal files for residents, directors, and employees and applications for accommodation will be kept in a locked filing cabinet at all times with access only by authorised staff
  • directors’ details will be kept in a locked filing cabinet with access only by the Chief Executive
  • electronic files containing personal data will be password protected and passwords will be changed on a regular basis
  • backed up electronic data will be held securely on an alternative site or when off‐site it will be encrypted, password protected and only accessed by named staff
  • if any data is taken from the office (e.g. to work at home) the data must be held securely at all times whilst in transit and at the location the data is held.

More information

Full information about the Data Protection Act, its principles and definitions can be found at www.ico.org.uk

This Policy has been approved for issue by the board of directors of Tiverton Almshouse Trust
