1. Purpose and Scope
Technology Books for Children is committed to handling personal data responsibly and lawfully. This policy explains how we collect, use, store, and protect personal data in line with the UK Data Protection Act and the UK General Data Protection Regulation (UK GDPR).
This policy applies to anyone working on behalf of the charity, including trustees, paid staff, volunteers, temporary workers, and contractors. Everyone has a responsibility to ensure that data is managed in accordance with this policy.
2. Accountability and Oversight
A designated Data Protection Lead will be responsible for monitoring data protection within the organisation. This includes:
- Keeping up to date with changes in data protection law.
- Handling any incidents or data breaches.
- Ensuring training and guidance are available to all individuals with access to personal data.
- Overseeing any requests from individuals concerning their personal data.
3. Key Definitions
- Personal Data: Information that can identify a living individual (e.g. name, phone number, email address).
- Sensitive Personal Data: Information such as racial or ethnic origin, health details, or religious beliefs.
- Processing: Any activity involving data, including collecting, storing, sharing, or deleting it.
- Data Subject: The individual whose data is being processed.
- Data Controller: The organisation (in this case, Technology Books for Children) that determines why and how personal data is processed.
- Data Processor: A person or organisation that processes data on behalf of the controller.
- Consent: Permission that is freely given, specific, informed and capable of being withdrawn at any time.
4. Principles of Data Protection
Technology Books for Children follows six key principles in line with UK GDPR. Personal data must be:
- Processed lawfully, fairly, and transparently
  We will always have a legal reason for collecting and using personal data. Where consent is needed, it will be sought clearly and explicitly.
- Collected for clear and legitimate reasons
  We will explain why we are collecting data and only use it for that specific purpose.
- Limited to what is necessary
  We will only collect data we truly need and no more.
- Accurate and kept up to date
  Every effort will be made to correct or update inaccurate data promptly.
- Kept no longer than needed
  Data will be held for as long as necessary to fulfil its original purpose and then securely deleted or destroyed.
- Stored securely
  We will use suitable technical and organisational measures to protect personal data from unauthorised access, loss, or damage. This includes password-protected systems, physical storage in locked cabinets, and restricted access where appropriate.
5. Individual Rights
We respect the rights of all individuals whose data we hold. These include:
- The right to be informed about how their data is used.
- The right to access their personal data.
- The right to correct inaccurate or incomplete data.
- The right to have their data erased in certain circumstances.
- The right to restrict or object to processing.
- The right to data portability (transferring data to another organisation).
- The right to withdraw consent at any time.
Requests regarding personal data should be directed to the Data Protection Lead via our contact form.
6. Use of Images and Video
Photographs and videos may be considered personal data. We will:
- Seek permission before capturing identifiable individuals in photos or video.
- Obtain written consent when using images of individuals or small groups, especially children or vulnerable adults.
- Explain how the images will be used and provide an option to opt out.
- Take special care when using images online or in the media.
- Avoid using images where consent has not been clearly provided.
- Ensure that imagery taken for one purpose is not reused for another without renewed consent.
7. Data Security Measures
To reduce the risk of data loss or unauthorised access, we:
- Use secure, encrypted systems for storing personal data.
- Regularly update antivirus and firewall software.
- Protect sensitive files with strong passwords.
- Limit data access to only those who need it.
- Train all personnel in basic data security and cyber awareness.
Paper records are kept in locked storage, and electronic records are regularly backed up using secure methods.
8. Data Retention
We do not retain personal data indefinitely. Where possible, retention periods are documented. For example:
- Financial and accounting records may be kept for up to 6 years for legal compliance.
- Volunteer or staff records are reviewed annually.
- Personal data that is no longer required will be securely destroyed.
9. Data Breach Response
A data breach includes any loss, theft, or unauthorised access of personal data, whether accidental or deliberate.
If a breach occurs:
- It will be reported immediately to the Data Protection Lead.
- An internal investigation will be carried out to identify the cause and any risks.
- Steps will be taken to reduce harm and prevent recurrence.
- Where required, the Information Commissioner’s Office (ICO) will be notified within 72 hours.
- Affected individuals will be informed where there is a risk to their rights and freedoms.
10. Contact and Complaints
If you have any concerns or questions about how Technology Books for Children handles data, or if you wish to make a request under your data rights, please get in touch using the contact form on our website.
11. Review and Approval
This policy will be reviewed every two years or earlier if changes to data protection law require it. Any updates will be approved by the Board of Trustees.
Version Control – Approval and Review
Version No | Approved By | Approval Date | Main Changes | Review Period |
1.0 | Trustees | July 2024 | Initial draft approved | Bi-Annual |
2.0 | Trustees | July 2025 | Wording updated | Bi-Annual |