Tel: 01789 267520

Our Confidentiality and Data Protection Policy and Practice

We hope this policy will help you understand more about how we comply with the General Data Protection Regulations (GDPR) 2018:

1. Protecting Individual Privacy

We believe that respecting and protecting a person’s privacy is of the utmost importance. We apply the principles of the new General Data Protection Regulations (GDPR) that comes in to effect on 25th May 2018, the Freedom of Information Act 2000 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) across all our activities.

The GDPR principles apply across all our activities. How we implement these principles varies depending on the activity e.g. the provision of an information and support service; a fundraising initiative; the recruitment and supervision of employees and volunteers; Trustee business. Team managers are responsible for their implementation and monitoring and report to the Board as required.

The GDPR principles and how we practice them follow:

1. Processed lawfully, fairly and transparently

We must have legitimate grounds for collecting and using personal data and be transparent about how the information will be used. People’s personal data must be handled only in ways they would reasonably expect us to use it. This includes giving individuals clear statements about how we use and protect their information. Individuals have a right to ask for a copy of the information we hold about them in our records. Please see:

Appendix 1 Our Privacy Notices
Appendix 2 Obtaining Consent
Appendix 3 Support Services Practice

2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

We must be clear why we are collecting personal data and what we intend to do with it. We must ensure that if we wish to use or disclose the personal data for any purpose which is different or additional to the original purpose, then the new use is agreed as fair by the owner of the information and/ or a senior colleague. Please see:

Appendix 1 Our Privacy Notices
Appendix 4 What information do we share, when and how?

3. Adequate, relevant and limited to what is necessary

Any personal data we hold about an individual must be sufficient for the purpose for which we hold it. We must not hold more information than we need. Please see:

Appendix 1 Our Privacy Notices
Appendix 3 Support Services Practice

4. Accurate and, where necessary, kept up to date

We must take reasonable steps to ensure that personal data obtained is correct and not misleading and consider whether or when it is necessary to update the information. Please see:

Appendix 1 Our Privacy Notices
Appendix 3 Support Services Practice
Appendix 5 Your rights over your information

5. Retained for as long as necessary. Can be archived for statistical purposes but must protect the rights of the individual  

We must keep under review the length of time we hold personal data. This may be for longer in some cases than others depending on the purpose for which the data was obtained. We must regularly review personal data and delete in a secure way information that is no longer needed. 

Individuals may at any time request that their personal information is removed. Such requests should be responded to promptly. All database entries should be deleted in a secure manner and hard copy information should be shredded. Please see:

Appendix 1 Our Privacy Notices
Appendix 6 How long are records kept?

6. Processed in an appropriate manner to maintain security. Ensures against loss, damage or destruction

We must have appropriate security systems and practices that prevent personal data we hold being accidentally or deliberately compromised. Please see:

Appendix 7 Our Security Systems and Practices (link coming soon)

2. Controlling and Processing Data

Under the General Data Protection Regulations (GDPR) 2018, organisations must identify who controls and who processes the data.

Our Data Controllers determine what data / information to collect and how to collect it. At SMA Support UK, these decisions are made on behalf of our trustees by the Managing Director and the managers of the Support Services and Fundraising Teams.

Our Data Processors process the data on behalf of the controllers.  At SMA Support UK, all staff process data / information that will enable them to carry out their duties. What they process will depend on their role.  Data is stored on a secure server run by BlackBaud, who are an industry recognised IT support organisation. Blackbaud run the system and provide security and updates so that our database system works effectively.  They are also data processors.

You can see a summary of what data we hold, where it came from, where it is stored, who it is shared with and what we do with it in:

Appendix 8 Data Flow Analysis (link coming soon)
Appendix 9 Data Flow Diagram (link coming soon)

3. Protecting the interests of SMA Support UK

Employees and trustees must not disclose to any un-authorised person any confidential information about the interests or business of the charity, its staff, trustees, beneficiaries, funders or other partners.

A non-exhaustive list of the information which SMA Support UK considers confidential, unless such information is already legitimately in the public domain, includes information held in relation to:

  • Funding applications, grant applications, joint ventures, project initiatives, strategic plans etc.
  • Finances
  • Security arrangements
  • Individual salaries or other confidential information relating to contracts of employment.

When employees or trustees leave SMA Support UK, they must immediately return any files, documents reference books and other papers relating directly or indirectly to the charity or its staff, beneficiaries, funders or other partners. Any emails and electronic documents relating to the organisation should be deleted from personal computers.

Employees and trustees must be particularly alert to requests from the press or other media and should refer such requests to the Managing Director, Support Services Manager or Chair of Trustees before disclosing any information in response to such enquiries.

Confidential and sensitive information is restricted to those who need the information in the course of their work for the organisation. Any restricted information must not be disclosed to anyone else, whether inside or outside the charity. Restricted information, whether communicated orally, electronically or in writing should always be identified as ‘Confidential’ and where appropriate ‘for (recipient’s) eyes only. Such information might include:

  • Proposals or plans for the future
  • Special forthcoming events or projects before they have been announced
  • Financial and statistical information
  • Sensitive business information
  • Sensitive personal information
  • Information relating to employees, volunteers and staff including applicants for positions, leavers or joiners prior to any public announcement.

4. Summary of General Rules – Staff, Trustees and Volunteers

All employees and trustees are required NOT to:

  • Leave confidential information (in paper or electronic form) where it is easily visible in the office or elsewhere. THINK PRIVACY!
  • Use computer software or programmes or any electronic equipment unless they are authorised by SMA Support UK
  • Give any press interviews or statements on or off the record without first discussing this with the Managing Director or Chair of the Board
  • Write personal letters on SMA Support UK’s headed paper or under SMA Support UK’s banner
  • Discuss with others the business of other service users, volunteers, staff, trustees or funders except as strictly required by their job.
  • Conduct confidential conversations (including over the phone) where they may be overheard

Employees and trustees, whether paid or unpaid, who leave the charity will continue to be bound by their obligations of confidentiality even after the termination of their SMA Support UK post, whatever the reason.

Nothing in this policy will prevent an individual from making a ‘protected disclosure’ within the meaning of the Public Interest Disclosure Act 1998 (i.e. a legitimate, good faith ‘whistleblowing’ disclosure)

Breaches of this policy by employees will be dealt with through the SMA Support UK’s disciplinary procedures. Breaches by trustees will be dealt with under the process laid down in the trustee code of conduct.

Any Volunteers are carefully recruited and receive training and support appropriate for their role. This includes the topics of confidentiality and boundaries. They know not to share the personal details of the person / family they are supporting, nor the contents of any conversations and Emails, nor to leave any confidential information (in paper or electronic form) where it is easily visible.  They know that this applies during their time as a volunteer and thereafter as well. They know to always check that they have the person’s specific permission before they discuss or do anything on their behalf.  If they have any doubts, they know to ask the appropriate staff member for guidance – the Support Services Shared Experiences Coordinator / Fundraising Team.  

All volunteers also know that safeguarding of children and adults at risk takes priority over confidentiality. 

5. Making our confidentiality and data protection policy known

  • All staff and trustees are given a copy of this policy and, where appropriate, any relevant implementation guidelines, when they join the Trust. They have an opportunity for discussion with their manager or mentor.
  • Anyone visiting our website can read a short summary of how this policy impacts on them when they read our Privacy Notices.  

Appendix 1 Our Privacy Notices

Appendix 2 Obtaining consent

Appendix 3 Support Services Practice

Appendix 4 What information do we share, when and how?

Appendix 5 Your rights over your information

Appendix 6 How long are records kept?

Appendix 7 Our Security Systems and Practices (link coming soon)

Appendix 8 Data Flow Analysis (link coming soon)

Appendix 9 Data Flow Diagram (link coming soon)


Last reviewed and updated March 2018.

In this section