As part of People’s Voice Media’s day-to-day work, we need to gather and use certain information about people we work with. This can include staff, collaborators, directors, participants, board members, project partners and community reporters and other people the organisation has a relationship with or may need to contact. This policy describes how this personal data must be collected, handled and stored to meet the organisation's data protection standards and to comply with the law.

This Data Management Policy ensures that People’s Voice Media acts as a responsible Data Controller and:

  • complies with data protection law and follows good practice
  • protects the rights of clients, staff and partners
  • is transparent about how it stores and processes individuals’ data
  • protects itself from the risks of a data breach

 

In the UK, data protection is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’ unless an exemption applies. 

The regulations cover both written and computerised information. This policy enables us meet the requirements of these pieces of legislation. 

All People’s Voice Media staff and volunteers are required to always follow this Data Management and Information Governance Policy.  

Implementation and Quality Assurance

Implementation is immediate and this Policy shall stay in force until any alterations are formally agreed.

The Policy will be reviewed bi-annually by the Senior Leadership Team and Board of Trustees, sooner if legislation, best practice or other circumstances indicate this is necessary.  

If you have any comments or suggestions on the content of this policy please contact People’s Voice Media on enquiries@peoplesvoicemedia.co.uk or The Fort Offices, Artillery Business Park, Park Hall, Oswestry, Shropshire, SY11 4AD. 

Definitions

Processing of information – how information is held and managed.

Information Commissioner - formerly known as the Data Protection Commissioner.

Notification – formerly known as Registration.

Data Subject – used to denote an individual about whom data is held.

Data Controller – used to denote the entity with overall responsibility for data collection and management.  People’s Voice Media is the Data Controller for the purposes of the Act.

Data Processor – an individual handling or processing data

Personal data – any information which enables a person to be identified

Special categories of personal data – information under the  Regulations which requires the individual’s explicit consent for it to be held by the Charity.  

Data Protection Law

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 outlines that personal data must be:

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals.
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes.
  3. Adequate, relevant and limited to what’s necessary in relation to the purposes for which they’re processed.
  4. Accurate and, where necessary, kept up to date.
  5. Protected – every reasonable step must be taken to ensure that personal data that’s inaccurate, having regard to the purposes for which they’re processed, is erased or rectified without delay.
  6. Kept in a form that permits identification of data subjects for no longer than is necessary, and for the purposes for which the personal data is processed (personal).
  7. Stored for longer periods. For example, the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. This will also be subject to implementation of the appropriate technical and organisational measures required by UK GDPR in order to safeguard the rights and freedoms of individuals.
  8. Processed in a manner that ensures appropriate security of personal data. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
  9. Managed by a controller responsible for, and be able to demonstrate, compliance with the principles.

 

People and Responsibilities

Everyone at People’s Voice Media contributes to compliance with UK GDPR. We understand the requirements and accountability of our organisation to prioritise and support the implementation of compliance.

The Project management team is responsible for leading on compliance with regulations:

Hayley Trowbridge CEO hayley@peoplesvoicemedia.co.uk

Sarah Henderson - Project manager sarah@eoplesvoicemedia.co.uk

Kath Peters - Project manager kath@peoplesvoicemedia.co.uk

The rest of the team including freelancers, volunteers have a legal duty to follow the Data Management and Information Governance Procedure when dealing with any kind of data and information collection.

The Data Protection Officer (DPO), is the person responsible for fulfilling the tasks of the DPO. People’s Voice Medias DPO is Hayley Trowbridge CEO hayley@peoplesvoicemedia.co.uk

The minimum tasks of the DPO are to:

  • inform and advise the organisation and its employees about their obligations to comply with UK GDPR and other data protection laws
  • monitor compliance with UK GDPR and other data protection laws – including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits
  • be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, clients).

 

As data controller, People’s Voice Media is required to comply with the principles of good information handling. These principles require the Data Controller to:

 

  1. Process personal data fairly, lawfully and in a transparent manner.
  2. Obtain personal data only for one or more specified and lawful purposes and to ensure that such data is not processed in a manner that is incompatible with the purpose or purposes for which it was obtained.
  3. Ensure that personal data is adequate, relevant and not excessive for the purpose or purposes for which it is held.
  4. Ensure that personal data is accurate and, where necessary, kept up-to-date.
  5. Ensure that personal data is not kept for any longer than is necessary for the purpose for which it was obtained.
  6. Ensure that personal data is kept secure.
  7. Ensure that personal data is not transferred to a country outside the European Economic Area unless the country to which it is sent ensures an adequate level of protection for the rights (in relation to the information) of the individuals to whom the personal data relates.

All team members should abide by these principles. 

Scope Of Personal Information To Be Processed

1. The data we process, includes:

  • names of individuals
  • email addresses
  • telephone numbers
  • online identifiers
  • postal addresses of individuals
  • any other information relating to individuals

 

2. The majority of our data comes from people that we work with. This includes, 

  • staff including freelancers
  • volunteers
  • board members
  • partners
  • community reporter trainees and other trainees
  • community reporters
  • people who come our events
  • people who sign up to our mailer

We are actively committed to minimising data collection (i.e. collecting the least information needed) as part of our work.

Consent

 

People’s Voice Media must record people’s explicit consent to storing certain information (known as ‘personal data’ or ‘special categories of personal data’) on file. This consent must be informed and be obtained in an accessible manner for the individual who is giving their consent. 

For the purposes of the Regulations, personal and special categories of personal data covers information relating to:

 

  • The racial or ethnic origin of the Data Subject.
  • Their political opinions.
  • Their religious beliefs or other beliefs of a similar nature.
  • Whether he/she is a member of a trade union.
  • Their physical or mental health or condition.
  • Their sexual life.
  • The commission or alleged commission by him/her of any offence
  • Online identifiers such as an IP address
  • Name and contact details
  • Genetic and/or biometric data which can be used to identify an individual

 

It should also be noted that where it is not reasonable to obtain consent at the time data is first recorded and the case remains open, retrospective consent should be sought at the earliest appropriate opportunity.

If personal and/or special categories of personal data need to be recorded for the purpose of service provision and the service user refuses consent, the case should be referred to the Chief Executive for advice.

There are more detailed guidelines about how to obtain consent in the Data Management and Information Governance Procedure 

Unlawful Disclosure Of Personal Information

People's Voice Media recognise that:

 

  • It is an offence to disclose personal information ‘knowingly and recklessly’ to third parties.
  • It is a condition in all our work that all people for whom we hold personal details sign a consent form allowing us to hold such information.
  • People may also consent for us to share personal or special categories of personal information with other agencies on a need to know basis.

Security measures

We have put the following measures in place to protect the personal information that we store from breach.

Technical infrastructure considerations and measures that we have in place to ensure compliance, are:

  • security software and firewalls
  • encryption, the use of secure Virtual Private Networks (VPN)
  • log-in restricted access and two step authentications

We also have measures, such as: 

  • protocols for safe transfer of data in transit by using password protected Google Drive and wetransfer exchanges
  • protocols for password management
  • data back-up using Dropbox and external hard drives
  • procedure for a data sharing and data breach

All procedures for the above can be found in People’s Voice Media’s Data Management and Information Governance Procedure. 

Information Commissioner’s Office (ICO)

 

Further information on data protection: https://ico.org.uk 

 

If you believe that your data has been inappropriately or unlawfully processed your can make a complaint via the ICO here: https://ico.org.uk/make-a-complaint/ 

 

Supporting Documents:

 

 

This document was produced by Kath Peters (Project Manager) on 10th October 2024 and then approved by Hayley Trowbridge (CEO) on 10th December 2024

 

Next Review Due: 31st December 2026.