Introduction

1. These Data Protection Guidelines apply to all Frenkel Topping Charitable Foundation employees, trustees, contractors, secondees and other workers (“colleagues”). They set out your key obligations when accessing or working with personal data on our behalf together with guidance on specific situations and answers to frequently asked questions.
2. You must always read and adhere to these guidelines and our Data Protection Policy for your work for/with Fletchers Foundation. Read both documents when you start working with us and refer to them as needed and at least annually to refresh your understanding of what is expected of you.

Why is this Important

1. A personal data breach can have serious consequences for affected individuals, including financial loss, discrimination, reputational damage, and emotional distress. Individuals therefore expect to entrust their personal data to organisations that will secure it and use it lawfully.
2. The UK Data Protection Act 2018 and the General Data Protection Regulation (“GDPR”) provide individuals with specific rights in respect of their personal data and require organisations that collect and use personal data to meet specific obligations.
3. If Frenkel Topping Charitable Foundation fails to meet its obligations, it is likely to damage our reputation and impact upon our relationship with our members. It may also result in a fine or other regulatory action.
4. Adhering to our Data Protection Policy and following the guidance in this Code of Conduct will help reduce the risk of a personal data breach. It will also help protect the rights of individuals whose personal data we hold, including your own personal data.

Personal Data

1. Personal data is information that can be used to identify someone directly or indirectly, whether on its own or when put together with other information. Common examples of personal data include a name, address, data of birth, contact details, identification number (e.g., national insurance or payroll number), location data (e.g., vehicle or device tracking data), online identifiers (e.g., IP or MAC address), photographs, recordings, and factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
2. Some of the personal data we process can be more sensitive in nature and therefore requires a higher level of protection. These include criminal offence and conviction data and what GDPR refers to as the ‘special categories of personal data’.
3. The special categories of personal data cover information about race, ethnicity, political opinions, religious or philosophical beliefs and trade union membership; also, genetic data, biometric data used for unique identification (e.g., fingerprints or facial recognition data), health data and information about a person’s sex life or sexual orientation.
4. Personal Data for Frenkel Topping Charitable Foundation covers data on employees, trustees, grant applicants (successful and not successful), suppliers and etc.

Golden Rules for Handling Personal Data

If you work with or have access to personal data, even if it seems to be basic information (such as a name, an email address or a telephone number or an employee working at a member organisation), we expect you to follow these ‘golden rules’:

Things you must always do

1. You must always handle all types of personal data with care, even information that is already publicly available elsewhere.
2. Do not share any personal data with any colleague who does not normally have access to it or with any third party without authorisation.
3. Double-check the recipient’s email address before emailing any personal data, to avoid sending it to the wrong person. An email sent to the wrong person (often caused by email auto-complete) is the most common cause of a data breach.
4. Always password protect or (if possible) encrypt any document or file containing higher volumes of, or more sensitive, personal data before you send them by email. Remember to send the password separately, ideally using a different method.
5. If you are sharing personal data in a spreadsheet with authorisation, make sure unauthorised personal data is not hidden in the document because it has been filtered or because cells or worksheets have been hidden or grouped.
6. Set strong passwords for systems you can access that store personal data. Do not use words or phrases which can be easily guessed and do not write your password down and leave it visible to others (such as on a ‘post-it note’ on your monitor).
7. Lock away physical copies (such as paper files) of personal data if you leave your desk unattended, even if you will only be away temporarily.
8. Always lock your computer and screen if you leave your computer unattended for any reason, even if you will only be away temporarily.
9. At the end of each working day, lock away physical copies of personal data and shut down or lock your computer.
10. If you print or photocopy personal data, ensure you have collected all your documents when you are finished and have not left personal data on the printer or copier.

Things you must never do

1. Do not remove physical copies of personal data from the office without authorisation.
2. Do not share your passwords to any of our systems with anyone at any time. If a colleague is going to cover your absence or requires access to assist with a project, they must request access and be authorised with their own credentials.
3. Do not download or export copies of personal data from any of our systems without authorisation.
4. Do not transfer personal data to any device which belongs to you personally or which is shared with other people (such as a shared family device) or transfer or upload personal data to any personal file sharing, storage, communication service (such as your personal email, Dropbox, Google Drive or other personal cloud service).
5. Do not share any personal data with any third party without authorisation. If you are unsure whether personal data can be shared, check first with the Company Secretary (or delegated authority in the Company Secretary’s absence).

Data Subject Rights – What to Do

1. Individuals have specific rights regarding the personal data that we collect and hold about them as follows:
2. The right to be informed
3. The right of access
4. The right to rectification
5. The right to erasure (also known as the ‘right to be forgotten’)
6. The right to restrict processing
7. The right to data portability
8. The right to object
9. Rights with respect to automated decision-making and profiling
10. A data subject can ask to exercise their rights at any time and may ask to do so by any means, including email, telephone, social media, or letter. Not all rights apply in all cases, but there are strict timescales for responding to all requests.
11. If Frenkel Topping Charitable Foundation receives a request from an individual to exercise their right, the Director of the Foundation should be notified immediately. This must include details of the request and contact details for responding to the individual.

Reporting Personal Data Breaches

1. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to personal data held by Fletchers Foundation.
2. A personal data breach can be accidental or deliberate. There are three main types of breach, as follows:
3. Confidentiality Breach: Inappropriate access to or disclosure of personal data
4. Availability Breach: losing control of access to personal data or inappropriate deletion
5. Integrity Breach: Inappropriate alterations to personal data

Examples of personal data breaches include:

1. Access (deliberate or accidental) to personal data by an unauthorised person.
2. Computing devices or removable storage containing personal data being lost or stolen.
3. Sending personal data to incorrect recipients.
4. Altering personal data without permission.
5. Downloading or exporting personal data for personal or unauthorised use.
6. Accidental or deliberate destruction of personal data without authorisation.
7. Ransomware attacks which encrypt personal data and render it unavailable.
8. Cyber-attacks which lead to personal data being stolen.
9. Depending on the risk to individuals affected by the data breach, we may need to notify the Information commissioner’s Office (the “ICO”) of the breach within 72 hours of becoming aware of it. We may also need to inform affected data subjects without undue delay.
10. It is therefore very important that all potential and actual data breaches are reported as soon as you become aware of them by contacting the Manager of the Foundation, who will then let the board of trustees know.
11. Even if you are not sure if a breach has occurred, you must report it as set out above. In all cases, reporting the potential breach must happen without delay because of the 72-hour deadline for informing the ICO in some cases.

Training

Frenkel Topping Charitable Foundation via Frenkel Topping Group provides data protection training to all personnel during induction as well as ongoing refresher training every 2 years. We know you are busy and have lots to remember, but it is essential that you pay attention to all training and ask questions if you are unsure about your responsibilities.

Disclosure and Destruction of Data

If anyone has any queries about how we use this data or would like us to destroy what we can stored about them, they can get in touch using via our website enquiries@frenkeltopping.co.uk or write to us at Frenkel Topping Charitable Foundation, 15 Carolina Way, Salford, Manchester, M50 2ZY

If they are not satisfied with how we respond to their concern, you have the right to make a complaint to the Information Commissioner’s Office (ICO).