Microtia results in underdeveloped ear(s) and impacts hearing
Data Retention Policy
Updated January 2020
This data retention policy applies to Microtia UK (referred to as “us/we/our”).
Introduction
This policy sets out the obligations of Microtia UK and the basis upon which we shall retain, review and destroy data held by us, or within our custody or control. This policy applies to our entire organisation including our officers, employees, agents and sub-contractors and sets out what the retention periods are and when any such data may be deleted. This policy does not form part of any employee’s contract of employment and we may amend it at any time.
Objectives
It is necessary to retain and process certain information to enable our organisation to operate. We may store data in the following places:
our own servers;
any third-party servers;
email accounts;
desktops;
employee-owned devices;
backup storage; and/or
our paper files.
This policy applies equally to paper, electronic media and any other method used to store personal data. The period of retention only commences when the record is closed.
We are bound by various obligations under the law in relation to this and therefore, to comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully in respect of their personal data under the General Data Protection Regulation (“the Regulation”).
The Regulation defines “personal data” as any information relating to an identified or identifiable natural person (a data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
This Policy sets out the procedures that are to be followed when dealing with personal data and how we aim to comply with the Regulation in so far as it is possible. In summary, the Regulation states that all personal data shall be:
processed lawfully, fairly, and in a transparent manner in relation to the data subject;
collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay;
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject;
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The Fourth and Fifth Data Protection Principles require that any data should not be kept longer than necessary for the purpose for which it is processed and when it is no longer required, it shall be deleted and that the data should be adequate, relevant and limited for the purpose in which it is processed.
With this in mind, this policy should be read in conjunction with our other policies which are relevant such as our Data Protection Policy and IT Security Policy.
Security and Storage
All data and records are stored securely to avoid misuse or loss. We will process all personal data we hold in accordance with our IT Security Policy.
We will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if there is agreement by them to comply with those procedures and policies, or if there are adequate measures in place.
Examples of our storage facilities are as follows:
· Encryption, Authentication and Password protected files;
· Secure Cloud storage;
We will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
(a) Confidentiality means that only people who are authorised to use the data can access it.
(b) Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
(c) Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on Microtia UK central computer system instead of individual PCs.
Retention Policy
Data retention is defined as the retention of data for a specific period of time and for back up purposes.
We shall not keep any personal data longer than necessary but acknowledge that this will be dependent on the different types of documents and data that we have responsibility for. As such, our general data retention period shall be for a period of 7 years. Our specific data retention periods are set out below:
General
Type of data (Both paper and electronic format)
Type of data subject
Sensitive Personal Data?
Purpose of processing
Type of recipient to whom personal data is transferred
Retention period
Data accuracy and minimisation review date
Planning Strategy
Staff, investors, contractors
No
Development of organisation which identifies priorities
Trustees and internal staff
7 years
Potential business contacts (suppliers, partners, recruitment agencies etc) personal data – name, email address, telephone numbers, job role
Business contacts
No
To facilitate contractual arrangements and communications
Trustees, Internal staff and external consultants (where it needs to be shared)
12 months from the day of last contact
Business contacts (suppliers, partners, recruitment agencies etc) personal data – name, email address, telephone numbers, job role
Business contacts
No
To facilitate contractual obligations and reporting to contacts
Trustees, Internal staff and external consultants (where it needs to be shared)
2 months from the date the relationship ends
Contracts executed as a deed
Contracting parties/witnesses
No
legal requirement for the contract to be valid
Trustees, Internal staff, external consultants
Thirteen years after expiry or termination
General Contracts
Contracting parties
No
Compliance with contractual obligations and limitation periods
Trustees, Internal staff, external consultants
Seven years after expiry or termination
Contracts relating to buildings
Contracting parties
No
Compliance with contractual obligations and limitation periods
Trustees, Internal staff
Sixteen years after expiry or termination
Name
Email address
Address
Fundraisers participants
No
To send fundraising items to the participant
Trustees, Directors and
Internal staff
1 year
Name
Email address
Telephone number
Subscribers to website
No
To supply information about fundraising activities and community events, and to send invites
Trustees, Directors and Internal staff
until unsubscribed
Name
Email address
Individuals who made a donation to Microtia UK
No
To supply information about fundraising activities and community events
Trustees and internal staff
12 months
Payment details – for orders only
Name
Email address
Purchasers of items from Microtia UK online shop
No
To process order and payment
To supply information about fundraising activities and community events
Trustees and internal staff
1 year
Name
Address
Email address
Telephone number
Age and Date of birth – for sports events
Events participants
No
To send invites
Trustees and internal staff
1 year
Name
Address
Email address
Telephone number
Loan of Aftershokz participants
No
To loan the item
Trustees and internal staff
1 year
Name
Address
Email address
Telephone number
Charity box holders
No
To loan the items with agreement to transfer money raised
Trustees and internal staff
6 months after returning the charity box
Employee and Contractor Data
Type of data (Both paper and electronic format)
Type of data subject
Sensitive Personal Data?
Purpose of processing
Type of recipient to whom personal data is transferred
Retention period
Data accuracy and minimisation review date
Job Applicants who don’t go on to be employees/consultants – name, email address, telephone numbers, job role
Job applicants
No
To facilitate pre-contractual discussions and written communications
Internal staff and Trustees
Within a month of the job being filled unless consent given to keep details on record. Then 12 months
Review every month to ensure data deleted/shredded
Employees personal data – name, email address, telephone numbers, postal address, passport number, drivers’ license number, date of birth, references
Held permanently or until the risk of any civil claims or criminal prosecutions have expired
Corporate Governance Data
Type of data (Both paper and electronic format)
Type of data subject
Sensitive Personal Data?
Purpose of processing
Type of recipient to whom personal data is transferred
Retention period
Data accuracy and minimisation review date
Various internal charity governance documents
Trustees, meeting subjects, others
Yes
Legal obligation
Trustees, Internal staff
Life of the charity
Register of Trustees
Trustees
No
Legal obligation
Trustees, Internal staff
Life of the charity
Accounting and Finance
Type of data (Both paper and electronic format)
Type of data subject
Sensitive Personal Data?
Purpose of processing
Type of recipient to whom personal data is transferred
Retention period
Data accuracy and minimisation review date
Accounting, tax and finance records, including ledgers, audit reports, financial statements, bank statements, expense records, cash receipts, invoices, petty cash
staff, contractors, finance
No
Financial recording
Accountants/payroll, trustees, internal staff
Seven years from the end of any assessment period
Data Subject Rights
Type of data (Both paper and electronic format)
Type of data subject
Sensitive Personal Data?
Purpose of processing
Type of recipient to whom personal data is transferred
Retention period
Data accuracy and minimisation review date
Data Subject Access Request
Data Subject making the request
Yes (proof of ID)
Legal obligation of organisation
Trustees, Internal staff, external consultants, ICO (in event of complaint)
Information regarding access request held for 6 months
Data Subject Restriction, Correction, Portability, Objection or Deletion Request
Data Subject making the request
Yes (proof of ID)
Legal obligation of organisation
Trustees, Internal staff, external consultants, ICO (in event of complaint)
Information regarding restriction, correction, portability, objection or deletion request held for 6 months
From time to time, it may be necessary to retain or access historic personal data under certain circumstances such as if we have contractually agreed to do so or if we have become involved in unforeseen events like litigation or disaster recoveries.
If data category is not listed in this data retention policy, it is likely that it should be classed as disposable information that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose, such as duplicates of originals, preliminary documents, spam or junk mail. However, if you are unsure, please contact Microtia UK – info@microtiauk.org
Destruction and Disposal
Upon expiry of our retention periods, we shall delete confidential or sensitive records categorised as requiring high protection and very high protection, and we shall either delete or anonymise less important documents.
Our trustees are responsible for the continuing process of identifying the records that have met their required retention period and supervising their destruction. The destruction of confidential, financial, and personnel-related records shall be securely destroyed electronically or by shredding if possible. Non-confidential records may be destroyed by recycling.
Reporting Policy Breaches
We are committed to enforcing this policy as it applies to all forms of data. If you feel that you or someone else may have breached this policy, you should report the incident immediately to your supervisor or the manager at the next level above your direct supervisor.
Cookies are used to ensure that we give you the best experience on our website. By continuing to use our site, you are agreeing to our use of cookies. Accept and closeRead more
Privacy & Cookies Policy
Privacy Overview
This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
Data Retention Policy
Updated January 2020
This data retention policy applies to Microtia UK (referred to as “us/we/our”).
Introduction
This policy sets out the obligations of Microtia UK and the basis upon which we shall retain, review and destroy data held by us, or within our custody or control. This policy applies to our entire organisation including our officers, employees, agents and sub-contractors and sets out what the retention periods are and when any such data may be deleted. This policy does not form part of any employee’s contract of employment and we may amend it at any time.
Objectives
It is necessary to retain and process certain information to enable our organisation to operate. We may store data in the following places:
This policy applies equally to paper, electronic media and any other method used to store personal data. The period of retention only commences when the record is closed.
We are bound by various obligations under the law in relation to this and therefore, to comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully in respect of their personal data under the General Data Protection Regulation (“the Regulation”).
The Regulation defines “personal data” as any information relating to an identified or identifiable natural person (a data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
This Policy sets out the procedures that are to be followed when dealing with personal data and how we aim to comply with the Regulation in so far as it is possible. In summary, the Regulation states that all personal data shall be:
The Fourth and Fifth Data Protection Principles require that any data should not be kept longer than necessary for the purpose for which it is processed and when it is no longer required, it shall be deleted and that the data should be adequate, relevant and limited for the purpose in which it is processed.
With this in mind, this policy should be read in conjunction with our other policies which are relevant such as our Data Protection Policy and IT Security Policy.
Security and Storage
All data and records are stored securely to avoid misuse or loss. We will process all personal data we hold in accordance with our IT Security Policy.
We will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if there is agreement by them to comply with those procedures and policies, or if there are adequate measures in place.
Examples of our storage facilities are as follows:
· Encryption, Authentication and Password protected files;
· Secure Cloud storage;
We will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
(a) Confidentiality means that only people who are authorised to use the data can access it.
(b) Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
(c) Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on Microtia UK central computer system instead of individual PCs.
Retention Policy
Data retention is defined as the retention of data for a specific period of time and for back up purposes.
We shall not keep any personal data longer than necessary but acknowledge that this will be dependent on the different types of documents and data that we have responsibility for. As such, our general data retention period shall be for a period of 7 years. Our specific data retention periods are set out below:
General
Email address
Address
Internal staff
Email address
Telephone number
Email address
Name
Email address
To supply information about fundraising activities and community events
Address
Email address
Telephone number
Age and Date of birth – for sports events
Address
Email address
Telephone number
Address
Email address
Telephone number
Employee and Contractor Data
internal staff,
payroll managers, accountants
Corporate Governance Data
Accounting and Finance
Data Subject Rights
From time to time, it may be necessary to retain or access historic personal data under certain circumstances such as if we have contractually agreed to do so or if we have become involved in unforeseen events like litigation or disaster recoveries.
If data category is not listed in this data retention policy, it is likely that it should be classed as disposable information that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose, such as duplicates of originals, preliminary documents, spam or junk mail. However, if you are unsure, please contact Microtia UK – info@microtiauk.org
Destruction and Disposal
Upon expiry of our retention periods, we shall delete confidential or sensitive records categorised as requiring high protection and very high protection, and we shall either delete or anonymise less important documents.
Our trustees are responsible for the continuing process of identifying the records that have met their required retention period and supervising their destruction. The destruction of confidential, financial, and personnel-related records shall be securely destroyed electronically or by shredding if possible. Non-confidential records may be destroyed by recycling.
Reporting Policy Breaches
We are committed to enforcing this policy as it applies to all forms of data. If you feel that you or someone else may have breached this policy, you should report the incident immediately to your supervisor or the manager at the next level above your direct supervisor.