Data Protection, Privacy & Confidentiality Policy and Statement
Introduction
Move Momentum is required to keep certain information about its employees, trustees, volunteers, members, service users and other members of the public to enable the monitoring of performance and achievements. It is also necessary to process information so that staff can be recruited and paid, activities can be organised and legal obligations to funding bodies and the government are fulfilled.
We are committed to protecting your personal information and being transparent about what
information we hold about you. The purpose of this policy is to give you a clear explanation of how we collect and use the information collected from you directly and from third parties. We use your information following all applicable laws concerning the protection of personal information (which includes, from 25 May 2018, the General Data Protection Regulation (Regulation (EU) 2016/679) and all
related data protection legislation having an effect in the United Kingdom from time to time) and are responsible as ‘controller’ of that personal information for those laws (“Data Protection Laws“).
This policy explains:
● What information we may collect about you;
● How we may use that information;
● In what situations we may disclose your details to third parties;
● Information about how we keep your personal information secure, how we maintain it and your rights to be able to access it.
Legal basis
There are three bases under which we may process your data:
Contract purposes:
When you purchase from us, donate to us or apply to participate/volunteer in our events you are entering into a contract with us. To perform this contract, we need to process and store your data. For example, we may need to contact you by email or telephone in the case of cancellation of a class/event, to communicate information regarding the class/event/purchase, or if there are problems with your payment. We will also process and store your data if you have entered into a contract with the organisation as a third party.
Legitimate organisational interests:
In certain situations, we collect and process your data for purposes that are in our legitimate organisational interests. However, we only do this if there is no overriding prejudice against you by using your personal information in this way. We describe below all situations where we may use this basis for processing.
With your explicit consent:
For any situations where the two bases above are inappropriate, we will ask for your explicit consent before using your personal information in that specific situation.
To comply with the law, information must be collected and used fairly, stored safely and not
disclosed to any other person unlawfully. To do this, Move Momentum must comply with the
Data Protection Act 2018. In summary, this states that personal data must be:
● Obtained and processed fairly, lawfully and transparently
● Obtained for a specified and lawful purpose and not processed in any manner incompatible with that purpose
● Adequate, relevant and not excessive for that purpose
● Accurate and kept up-to-date
● Not kept for longer than necessary
● Processed in accordance with the data subject’s rights
● Kept safe from unauthorised access, accidental loss or destruction
● Not be transferred to a country. Personal data that does not have reciprocal arrangements to the UK, unless that country has equivalent levels of protection for personal data
All Move Momentum staff and volunteers who process or use any personal information must ensure that they follow these principles at all times. To ensure that this happens, Move Momentum has adopted this Data Protection, Privacy and Confidentiality policy.
Any member of staff, trustee or volunteer, who considers that this policy has not been followed in respect of personal data about him/herself, should raise the matter with the Designated Data Controller. If the matter is not resolved it should be raised as a formal grievance.
Notification of Data Held and Processed
All employees, trustees, volunteers, members, clients and other members of the public have the right to:
● Know what information Move Momentum holds and processes about them
● Know how to request access to it
● Know how to keep it up to date
● Know what Move Momentum is doing to comply with its obligations under the Act
The Data Controller and the Designated Data Controllers
Move Momentum as a Charity and a Company Limited by Guarantee is the Data Controller under the Act, and the organisation is therefore ultimately responsible for implementation. However, the Designated Data Controller will deal with day-to-day matters.
Information Held
Personal information is defined as any details relating to a living, identifiable individual. This applies to employees, trustees, volunteers, members, service users and other members of the public. Move Momentum must ensure that information relating to these people is treated correctly and with the appropriate degree of confidentiality.
Move Momentum holds personal information in respect of its employees, trustees, volunteers, service users and other members of the public. This information may include an individual’s name, postal, email and other addresses, telephone and facsimile numbers, subscription details, organisational roles and membership status. Some personal information is defined as Sensitive Data and needs to be handled with
special care.
Personal information on users, staff, trustees and volunteers will be received and held in confidence. This means that information given to us for one purpose should not be shared with a third party or used for a different purpose without the explicit consent of the individual to whom the information relates.
Only the addressee should open any incoming mail (including email) marked ‘Private’ and/or ‘Confidential’.
We will ensure that personal information is kept secure. We will allow individuals access to information held about them and, where appropriate, correct it or erase it. We will take security measures to prevent unauthorised or accidental access to, alteration, disclosure or loss and destruction of information.
Databases must be password protected and access restricted to relevant staff.
We must prevent loss through fire, flood or other disaster. Backup files should be held. Files, ‘hard’ or ‘soft’, will be cleared of personal or sensitive information, e.g. disciplinary, that is no longer required.
Processing of Personal Information
All staff and volunteers who process or use any personal information are responsible for ensuring that:
● Any personal information which is held is kept securely
● Personal information is not disclosed either orally or in writing or otherwise to any unauthorised third party
Staff and volunteers should note that unauthorised disclosure will usually be a disciplinary matter and may be considered gross misconduct.
Personal information should be:
● Kept in a secure physical location e.g. locked cabinet.
● Teachers are required to keep some information about students on them – they will ensure that this is kept safe and no one else can access this information.
● If the information is computerised, it will be in a database that is password-protected.
● Any devices used for work purposes will be password-protected and only the authorised person will have access to that device.
If personal information is collected by telephone, callers should be advised what the information will be used for and what their rights are according to the Act.
Security of your personal information
We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your personal information will do so only in an authorised manner and are subject to a duty of confidentiality.
Personal or confidential information should not be discussed in public areas. All staff should be aware of
the difficulties of ensuring confidentiality in an open area and respect the confidential nature of any information inadvertently overhead.
Any notes taken during or after an interview should be relevant and appropriate. It is recommended that such notes should be filed legibly and coherently and that information notes be retained for a short period (1 year) in a secure place, before being shredded.
We will always store your digital information on secure servers. Unfortunately, however, the transmission of information via the internet is not completely secure. Although we will do our best to protect your information, we cannot guarantee the security of your information transmitted to our website or otherwise to our servers (such as by email). Any such transmission is at your own risk. Once we have
received your information, we will use strict procedures and security features to try to prevent unauthorised access.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Your rights to your personal information
Under the Data Protection Laws, you have a number of important rights free of charge. In summary, those include rights to:
● Fair processing of information and transparency over how we use your use personal information;
● Access to your personal information and to certain other supplementary information that this Privacy Policy is already designed to address;
● Require us to correct any mistakes in the information which we hold;
● Require the erasure of personal information concerning you in certain situations;
● Receive the personal information concerning you that you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations;
● Object at any time to processing of personal information concerning you for direct marketing;
● Object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you;
● Object in certain other situations to our continued processing of your personal information; and otherwise restrict our processing of your personal information in certain circumstances.
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.
If you would like to exercise any of those rights, please:
● Email, call or write to Amanda Watkinson, our Data Protection Officer;
● Let us have enough information to identify you;
● Let us have proof of your identity and address; and
● Let us know the information to which your request relates.
Third parties
There are certain circumstances under which we may disclose your personal information to third parties.
These are as follows:
● To our service providers who process data on our behalf and through our instruction. In these
cases, we require that these third parties comply strictly with our instructions and with Data Protection Laws, for example around the security of personal data.
● Where we are under a duty to disclose your personal information to comply with any regulatory or legal obligation. This includes when there is a safeguarding risk. (See Safeguarding Policy for more details.)
● In reports which are shared with funders, The Charity Commission and other organisations which support or work with us.
Information given to us will only be shared with a third party with permission from the individual unless in the case where information is anonymised. Consent will be sought from the individual preferably in writing. In the case of users, such written permission should be obtained using a standard form where possible.
However, personal information may be shared with a third party without consent where:
● There is a perceived risk to life; or
● There is a perceived likelihood of harm.
● There is a statutory requirement.
We must inform Social Services and/or the Police if we believe someone is being neglected or abused, or at immediate risk of harm resulting from neglect or abuse. As stated in our Safeguarding Policy.
When information has been passed on under the circumstances stated above, i.e. disclosure without consent, copies of written records must be kept including dates, times, methods of contact and persons spoken to.
To the best of our knowledge, understanding and belief your personal information will not otherwise be transferred outside of the EEA or to any country not approved by the European Commission.
Collecting Information
We collect personal data concerning our employees, trustees, volunteers, members, service users and other members of the public to enable us to provide services and activities. Parental consent is sought concerning any person under 18 engaging with Move Momentum’s services. Move Momenuum requires new participants to complete a free trial from and then a registration form to collect most of this information, we are not able to provide our service to any partcipants who have not completed this form unless it is being provided through a third party who maintains responsibility for your safety. Move Momentum may request you complete other forms that will collect additional data.
For students; Move Momentum staff (including teachers, assistants and office roles), trustees and volunteers where appropriate will be able to access your general information for the reasons previously stated. For staff; other Move Momentum staff, volunteers and trustees will be able to access your information for the reasons stated above. Any staff information of a sensitive nature will only be accessed by management or trustees.
The individual concerned must agree that they understand and give permission for the declared processing to take place, or it must be necessary for the legitimate business of Move Momentum.
Marketing communications
We aim to communicate with you about the work we do in ways that you find relevant, timely and respectful. To do this we use data that we have stored about you, such as what events you have booked for in the past, as well as any preferences you may have told us about. We use our legitimate organisational interest as the legal basis for communications by post, telephone and email.
In the case of postal mailings, you may object to receiving these at any time using the contact details at the end of this policy.
In the case of email, we will allow you to opt out of receiving them the first time you create your account with us. If you do not opt out, we will provide you with an option to unsubscribe in every email that we subsequently send you, or you can alternatively use the contact details at the end of this policy.
In the case of phone calls, these will not be used for marketing purposes and will only be used for contract purposes previously stated.
We may also contact you about our fundraising initiatives by email, or post based on our legitimate organisational interest.
Website links
Our website, may from time to time, contain links to and from partners’, advertisers’, affiliates’ and social network sites. If you follow a link to any of these websites, please note that these sites have their own privacy policies and that we do not accept responsibility or liability for those policies. Please check those privacy policies before you submit any personal data to those websites as they may not be on the same
terms as ours.
Other processing activities
In addition to marketing communications, we also process personal information in the following ways that are within our legitimate organisational interests:
● To allow us to improve our services;
● We may analyse data we hold about you to ensure that the content and timing of
communications that we send you are as relevant to you as possible. We may analyse data we hold about you to identify and prevent fraud;
● We may use your data in our reporting which is a requirement of our funders and the Charity
Commission. This will be anonymised unless you have given specific consent for us to use your data in this manner;
● We may take photos and/or film at classes, shows and other events which you attend and use these for promotional purposes. We will however seek express consent for any photos/filming if you are identifiable in the photo/video. We will actively seek consent from participants, volunteers and parents/guardians where appropriate. Where consent has not been given there may still be occasions when staff need to take a photograph/video during a class for choreographic or safety reasons, however, in this instance, these will not be shared publicly and will be kept securely as stated in this policy.
In all the above cases we will always keep your rights and interests at the forefront to ensure these reasons are not overridden by your interests or fundamental rights and freedoms. You have the right to object to any of this processing at any time. If you wish to do this, please use the contact details at the end of this
policy. Please bear in mind that if you object this may affect our ability to carry out the tasks above that are for your benefit.
Publication and Use of Move Momentum’s Information
Move Momentum aims to make as much information public as is legally possible. In particular information about Move Momentum’s staff, trustees and members will be used in the following circumstances:
- Move Momentum may obtain, hold, process, use and disclose information in connection with the administration, management and business activities of Move Momentum, including making and keeping lists of members and other relevant organisations
- Move Momentum may publish information about Move Momentum and its staff and trustees including lists of these people
- Move Momentum may confirm to any third party whether or not any person is a member of the organisation
- Move Momentum may provide approved organisations with lists of names and contact details of members or other relevant organisations, only where the members or other relevant organisations have given their consent
- Names of, and a means of contacting staff and trustees, will be made available internally and externally where appropriate
Sensitive Information
Sensitive information is defined by the Act as that relating to ethnicity, political opinions, religious beliefs, trade union membership, physical or mental health, sex life, criminal proceedings or convictions. The person about whom this data is being kept must give express consent to the processing of such data, except where the data processing is required by law for employment purposes or to protect the vital
interests of the person or a third party. Any sensitive information collected for impact reporting purposes will be anonymous and optional, both of which will be clearly stated.
Disposal of Confidential Material
Sensitive material should be shredded. Particular care should be taken to effectively delete information from computer hard drives if a machine is to be disposed of, or passed onto another member of staff.
Data Breach Notification Procedure
In the event of a data breach, for example, any lost or stolen data, the Data Protection Officer must be informed as soon as physically possible, with an Incident Report Form needing to be completed and sent to the DPO within 2 working days. It is then the DPO’s responsibility to complete a GDPR report within 1 working week from the date of receiving the report form.
Staff Responsibilities
All staff are responsible for checking that any information they provide to Move Momentum in connection with their employment, is accurate and up to date. Staff have the right to request any personal information that is being kept about them either on a computer or in manual filing systems by contacting the manager. Staff should be aware of and follow this policy, seeking further guidance where necessary.
Duty to Disclose Information
There is a legal duty to disclose certain information, namely information about:
● Child abuse, which will be disclosed to relevant agencies/police per our Safeguarding Policy
● Drug trafficking, money laundering, acts of terrorism or treason, serious assault, or murder, will be disclosed to the police.
Retention of Data
Move Momentum will keep some forms of information for longer than others. Because of storage problems, information about clients cannot be kept indefinitely, unless there are specific requests to do so. General information about clients will be kept for a minimum of 3 years after they have used services unless required to do so by other statutory bodies.
Move Momentum will also need to retain information about staff. In general, all information will be kept for six years after a member of staff leaves the organisation. Some information, however, will be kept for much longer, for example, if required by funders. This will include information necessary with respect to pensions, taxation, potential or current disputes or litigation regarding employment, and information required for job references. A full list of information with retention times is available from Amanda Watkinson.
How to complain
We hope that our Data Protection Officer can resolve any query or concern you raise about our use of your information. You may also use our complaints procedure.
The Data Protection Laws also give you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/ or by telephone: 0303 123 1113.
Please contact our Designated Data Controller if you have any questions about this Policy or the information, we hold about you. To contact, please send an email to [email protected]
or write to Move Momentum, UNIT 12, Winnall Valley Road, Winchester SO23 0LD.
Designated Data Controller
Amanda Watkinson –
07780917725 – [email protected]
We are committed to reviewing our Privacy, Data Protection & Confidentiality Policy & Statement annually to ensure it complies with current legislation. This policy was last reviewed and approved by the Board of Trustees on 10/01/24.
DATA PROTECTION STATEMENT
Sharing Information with others
● Sometimes we have to confirm or share information with other organisations. If we need to do this,
we will make it clear to you on the forms you complete
● We will draw up an agreement with the organisation that we need to share information when
appropriate. This is to ensure that both parties understand why the information is being passed on
and what use can be made of it. In some cases, a third-party organisation such as a funding
body may draw up the agreement.
Information quality
● We will ensure that the information about you is accurate and up-to-date when we collect or use it. You can help us with this by keeping us informed of any changes to the information we hold about you.
Information security
● We will keep information about you in a secure manner
● We will protect your information against unauthorised change, damage, loss or theft
Keeping information
● We will hold information about you only for as long as the law says. After this, it will be disposed of securely and properly
Openness
● We will tell you on request what kinds of information we hold and what we do with it.
Access and correctness
● Whenever possible, we will let you see the information we hold about you and correct it if it is wrong
In general
● We will comply with the Data Protection Act 1998 and any subsequent legislation on information
Handling and privacy
● We will do this through Move Momentum’s Data Protection Policy and we will help you with any questions or problems that you may have
● If we cannot help you, we will give you advice on where you can access the relevant information
Our Commitment
● We will only collect information that is necessary
● We will be fair in the way we collect information about you
● We will tell you who we are and what we intend to do with the information about you
● Where practicable, we will collect information directly from you
● If we collect information about you from someone else, we will make sure you know that we have done this, whenever possible.