SMHA data protection impact assessment
SMHA administrator is the data controller. We don’t need a data protection officer. Data processors are administrator, chairman, treasurer, drivers, and shop manager.
Administrator has data on clients: name, address, referral letter, some information on diagnosis, next of kin or nearest contact.
Lawful reason is legitimate interest, for welfare of client, in accordance with objects of the charity, which have been approved by the Charity Commission.
Data is kept securely in paper files and any client may see his/her file on request.
Data is deleted when client leaves, but in practice it is hard to know when client leaves as many drift in and out of the service.
Data is not shared with third parties except to protect client’s health.
Administrator, treasurer, and shop manager have some contact details of suppliers but this is not personal data and is not used for any other purpose.
Chairman has names and addresses of some clients, for pastoral care of client.
Drivers have names and addresses of clients in order to collect them from home.
Treasurer has data on staff in order to operate payroll and report to HMRC. The lawful reason is legal obligation. Data is name, address, date of birth, NI number, date of commencing employment, tax code, salary paid. It is not shared with third parties and is deleted three years after employee leaves.
Treasurer has data on trustees in order to complete annual return to Charity Commission. The lawful reason is legal obligation. The data is name, address, phone number, date of birth. It is not shared with third parties and is deleted when the trustee leaves.
Shop manager has data on volunteers helping in shop. The lawful basis is legitimate interest, for the safe running of the shop. The data is contact details.
Privacy notice to go on noticeboard and on website:
Spelthorne Mental Health Association holds data on clients in order to support them. It is held securely and not shared with third parties unless necessary to protect a client’s health.
Anyone may ask to see the data held on them and to amend or delete it.
Agreed by SMHA Executive Committee 22 May 2018