Data Protection and Data Security Policy
Help Bristol’s Homeless mission is to change the face of homelessness in Bristol.
The information you provide will be held under the Data Protection Act 1998. We will do all we can to protect your privacy and to make sure any personal information you share with us is stored securely.
We value and respect everyone who connects with us. Our aim is to be as clear as possible about how and why we use the information you give us. If your questions are not fully answered by the information here, please contact us. we are happy to help. Email email@example.com
Data Protection and Data Security Policy
Statement of policy and purpose of Policy
1. Help Bristol’s Homeless Charity (HBH) is committed to ensuring that all personal information
handled by us will be processed accordingly to legally compliant standards of data protection and
2. The purpose is of this policy is to help us achieve our data protection and data security aims by:
a. notifying our staff including volunteers of the types of personal information that we may hold
about them and what we do with that information;
b. ensuring staff understand our rules and the legal standards for handling personal information
relating to staff and others: and
c. clarifying the responsibilities and duties of staff in respect of data protection and data security.
3. This is a statement of policy only and does not form part of your contract of employment. We may
amend this policy at any time, in our absolute discretion.
Who is responsible for data protection and data security?
4. Maintaining appropriate standards of data protection and data security is a collective task shared
between us and you. This policy and the rules contained in it apply to all staff of HBH, irrespective
of seniority, tenure and working hours, including all employees, directors and officers, consultants
and contractors, casual or agency staff, trainees, homeworkers and fixed-term staff and any
volunteers (referred to as Staff).
5. The board of directors of HBH has overall responsibility for ensuring that all personal information
is handled in compliance with the law and has appointed the Administration assistant as the Data
Protection Officer with day-to-day responsibility for data processing and data security.
6. All Staff have personal responsibility to ensure compliance with this policy, to handle all personal
information consistently with the principles set out here and to ensure that measures are taken to
protect the data security. Managers have special responsibility for leading by example and
monitoring and enforcing compliance.
7. Any breach of this policy will be taken seriously and may result in disciplinary action.
What personal information and activities are covered by this policy?
8. This policy covers personal information:
a. which relates to a living individual who can be identified either from that information in
isolation or by reading it together with other information we possess;
b. is stored electronically or on paper in a filing system;
c. in the form of statements of opinion as well as facts;
d. which relates to Staff (present, past or future) or to any other individual whose personal
information we handle or control;
e. which we obtain, hold or store, organise, disclose or transfer, amend, retrieve, use, handle,
process, transport or destroy.
What personal information do we process about Staff and what do we do with it?
9. We collect personal information about you which:
a. you provide or we gather before or during your employment or engagement with us;
b. is provided by third parties, such as references or information from suppliers or another party
that we do business with; or
c. is in the public domain.
10. The types of personal information that we may collect, store and use about you include records
relating to your:
a. home address and contact details as well as contact details for your next of kin;
b. recruitment (including your application form or cv, any references received and details of your
c. pay records, national insurance number and details of your taxes and any employment benefits
such as pension and health insurance (including details of any claims made);
d. any sickness absence or medical information provided;
e. religious or philosophical beliefs (eg specific dietary or holiday requirements);
f. information about your race, colour, nationality, or ethnic or national origins;
g. sexual orientation, where this is disclosed to us (eg through providing details of your spouse or
partner for the administration of benefits);
h. telephone, email, internet, fax or instant messenger use;
i. performance and any disciplinary matters, grievances, complaints or concerns in which you are
11. We will use information to carry out our business, to administer your employment or engagement
and to deal with any problems or concerns you may have including:
a. Staff Address Lists: to compile and circulate lists of home address and contact details, to
contact you outside working hours.
b. Sickness records: to maintain a record of your sickness absence and copies of any doctor’s
notes or other documents supplied to us in connection with your health, to inform your
colleagues and others of that you are absent through sickness, as reasonably necessary to
manage your absence, to deal with unacceptably high or suspicious sickness absence, to inform
reviewers for appraisal purposes of your sickness absence level, to publish internally
aggregated, anonymous details of sickness absence levels.
c. Monitoring IT systems: to monitor your use of e-mails, internet, telephone and fax, computer
or other communications or IT resources.
d. Disciplinary, grievance or legal matters:in connection with any disciplinary, grievance, legal,
regulatory or compliance matters or proceedings that may involve you.
e. Performance Reviews: to carry out performance reviews.
f. Equal Opportunities Monitoring: to conduct monitoring for equal opportunities purposes and
to publish anonymised, aggregated information about the breakdown of HBH workforce.
12. We confirm that that for the purposes of the Data Protection Act 1998, HBH is a Data Controller
of the personal information in connection with your employment. This means that we determine
the purposes for which, and the manner in which, your personal information is processed.
13. If you consider that any information held about you is inaccurate then you should tell your line
manager or the Data Protection Officer and, if we agree that the information is inaccurate then we
will correct it. If we do not agree with the correction then we will note your comments.
14. We will take reasonable steps to ensure that your personal information is kept secure, as
described later in this policy and in general, we will not disclose your personal information to
others outside HBH. However, we may need to disclose personal information about Staff:
a. for the administration of your employment and associated benefits e.g. to the providers of our
pension or insurance schemes; or
b. to comply with our legal obligations or assist in a criminal investigation or to seek legal or
professional advice in relation to employment issues, which may involve disclosure to our
lawyers, accountants or auditors and to legal and regulatory authorities, such as HM Revenue
c. to other parties which provide products or services to us.
15. By providing your personal information to us, you consent to the use of your personal
information (including any sensitive personal data) in accordance with this policy.
Data Protection Principles
16. Staff whose work involves using personal data relating to Staff or others must comply with this
policy and with the eight legal data protection principles which require that personal information
a. Processed fairly and lawfully. We must always have a lawful basis to process personal
information. In most (but not all) cases, the person to whom the information relates (the
Subject) must have given consent. The Subject must be told who controls the information (us),
the purpose(s) for which we are processing the information and to whom it may be disclosed.
b. Processed for limited purposes and in an appropriate way. Personal information must not
be collected for one purpose and then used for another. If we want to change the way we use
personal information we must first tell the Subject.
c. Adequate, relevant and not excessive for the purpose.
d. Accurate. Regular checks must be made to correct or destroy inaccurate information.
e. Not kept longer than necessary for the purpose. Information must be destroyed or deleted
when we no longer need it. For guidance on how long particular information should be kept,
contact the Data Protection Officer.
f. Processed in line with Subjects’ rights. Subjects have a right to request access to their
personal information, prevent their personal information being used for direct-marketing,
request the correction of inaccurate data and to prevent their personal information being used in
a way likely to cause them or another person damage or distress.
g. Secure. See further information about data security below.
h. Not transferred to people or organisations situated in countries without adequate
17. Some personal information needs even more careful handling. This includes information about a
person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union
membership, physical or mental health or condition or sexual life or about criminal offences. Strict
conditions apply to processing this sensitive personal information and the Subject must normally
have given specific and express consent to each way in which the information is used.
18. We must all protect personal information in our possession from being accessed, lost, deleted or
damaged unlawfully or without proper authorisation through the use of data security measures.
19. Maintaining data security means making sure that:
a. only people who are authorised to use the information can access it;
b. information is accurate and suitable for the purpose for which it is processed; and
c. authorised persons can access information if they need it for authorised purposes. Personal
information therefore should not be stored on individual computers but instead on our central
20. By law, we must use procedures and technology to secure personal information throughout the
period that we hold or control it, from obtaining to destroying the information.
21. Personal information must not be transferred to any person to process (eg while performing
services for us on or our behalf), unless that person has either agreed to comply with our data
security procedures or we are satisfied that other adequate measures exist.
22. Security procedures include:
a. Physically securing information. Any desk or cupboard containing confidential information
must be kept locked. Computers should be locked with a password or shut down when they are
left unattended and discretion should be used when viewing personal information on a monitor
to ensure that it is not visible to others.
b. Controlling access to premises. Staff should report to security if they see any person they do
not recognised in an entry-controlled area.
23. Telephone Precautions.Particular care must be taken by Staff who deal with telephone enquiries
to avoid inappropriate disclosures. In particular:
a. the identity of any telephone caller must be verified before any personal information is
b. if the caller’s identity cannot be verified satisfactorily then they should be asked to put their
query in writing;
c. do not allow callers to bully you into disclosing information. In case of any problems or
uncertainty, contact the Data Protection Officer.
24. Methods of disposal. Copies of personal information, whether on paper or on any physical
storage device, must be physically destroyed when they are no longer needed. Paper documents
should be shredded and CDs or memory sticks or similar must be rendered permanently
Subject access requests
25. By law, any Subject (including Staff) may make a formal request for information that we hold
about them, provided that certain conditions are met. The request must be made in writing. A fee is
payable by the data subject for provision of this information. In some circumstances it may not be possible to release the information about the Subject to them eg if it contains personal data about
26. Any member of staff who receives a written request should forward it to the Data Protection