Privacy policy.
1. Introduction
Surrey Deaf Children’s Society (SDCS) is committed to protecting the privacy and security of personal data in accordance with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. This policy sets out how we collect, use, store, and share data, and how we ensure compliance with relevant laws. It applies to all personal information collected and processed by SDCS in connection with our activities, including events, communications, safeguarding, and membership management.
2. Purpose of this Policy
The purpose of this policy is to:
Ensure SDCS complies with data protection law.
Protect the rights of our members, families, volunteers, and staff.
Explain how SDCS processes personal data and the safeguards we have in place.
Provide guidance to committee members and volunteers handling data.
3. Definitions
Personal Data – any information that identifies an individual, e.g., name, email address, or phone number.
Special Category Data – sensitive data such as health information, e.g., details of a child's deafness or other medical conditions.
Data Controller – SDCS is the Data Controller, responsible for determining how data is processed.
Data Processor – a third party who processes data on behalf of SDCS, such as a venue or IT provider.
Data Subject – the individual whose data is being collected or processed.
4. Roles and Responsibilities
The trustees have overall responsibility for ensuring compliance with data protection laws. Specific roles include:
Chair of Trustees: overall accountability for data protection.
Data Protection Lead: responsible for day-to-day data protection management, handling data access requests, and breach reporting.
Volunteers and Committee Members: must follow this policy and only access data necessary for their role.
5. Lawful Basis for Processing
SDCS processes personal data under one or more of the following lawful bases:
Consent: when families sign up for events, provide medical information, or agree to receive updates.
Legitimate Interest: to manage membership and organise events.
Legal Obligation: to comply with financial and safeguarding requirements.
6. Types of Data Collected
We may collect the following types of data:
Contact information: names, addresses, phone numbers, and emails.
Details about children: age, communication needs, health information relevant for events.
Emergency contacts for safeguarding purposes.
Financial data: membership payments, expenses, and reimbursements.
Records of attendance at events and activities.
7. How We Use Data
Personal data will only be used for purposes related to SDCS activities, including:
Organising events and providing resources.
Communicating with families about activities and opportunities.
Safeguarding children and ensuring health and safety.
Maintaining financial and membership records.
8. Data Storage and Security
SDCS takes data security seriously and uses appropriate technical and organisational measures to keep data safe. This includes:
Password-protected electronic files.
Secure cloud storage with access restricted to authorised individuals.
Locked filing cabinets for physical records.
Regular reviews of access rights and data storage practices.
9. Data Retention
We retain personal data only for as long as necessary:
Event registration forms: deleted within 18 months of the event.
Membership lists: reviewed annually and updated as required.
Financial records: kept for 7 years in line with HMRC requirements.
Safeguarding records: kept as required by child protection legislation.
10. Data Sharing and Third Parties
SDCS does not sell personal data and will only share it when absolutely necessary, including:
With event venues or medical staff to ensure safety and access needs are met.
When legally required, such as reporting safeguarding concerns or complying with a court order.
With service providers who support SDCS operations, under strict confidentiality agreements.
11. Individual Rights
Under GDPR, individuals have the following rights:
The right to access their personal data.
The right to request correction of inaccurate data.
The right to request deletion of data.
The right to restrict or object to processing.
The right to data portability.
The right to lodge a complaint with the Information Commissioner’s Office (ICO).
12. Subject Access Requests
Anyone wishing to exercise their rights should submit a request in writing to the Data Protection Lead. Requests will be acknowledged promptly and completed within one month, unless an extension is required due to complexity.
13. Data Breach Procedure
A data breach is any incident where personal data is lost, accessed without authorisation, or disclosed incorrectly. Steps for handling a breach:
Report immediately to the Chair and Data Protection Lead.
Investigate the breach and assess the level of risk.
Notify the ICO within 72 hours if the breach is serious.
Inform affected individuals if there is a high risk to their rights.
Keep a record of the breach and actions taken.
14. Training and Awareness
All trustees, committee members, and volunteers handling personal data will receive training and guidance on their responsibilities under this policy.
15. Policy Review
This policy will be reviewed annually by the trustees, or sooner if there are significant changes in the law or in SDCS activities.
16. Contact Information
For questions about this policy or data protection matters, please contact:
Data Protection Lead
Surrey Deaf Children’s Society
Email: governance@surreydeaf.co.uk

