This policy and procedure has been adopted by Disability Equals Ability through its Board of Trustees, which remains responsible for its review and approval.
1. Aims of Policy
This policy explains how Disability Equals Ability manages personal information. It outlines the rights of individuals (data subjects) about whom we hold information and details our responsibilities for obtaining, handling, processing, storing, and destroying personal data lawfully and securely.
The policy aims to:
Safeguard the individuals about whom we hold information by ensuring it is managed appropriately.
Ensure Disability Equals Ability complies with its legal obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Introduction
The UK GDPR applies to organisations holding and using personal information, whether held electronically or in structured manual filing systems.
An organisation that collects and uses personal data is called a Data Controller. The individual to whom the data relates is called a Data Subject.
UK GDPR is based on the rights of the Data Subject to know what data is held about them and how it will be used. The regulation sets out principles so personal data is:
Processed lawfully, fairly, and transparently.
Collected for specified, explicit, and legitimate purposes.
Adequate, relevant, and limited to what is necessary.
Accurate and, where necessary, kept up to date.
Kept only for as long as is necessary.
Processed securely to ensure appropriate security.
Disability Equals Ability is the Data Controller, responsible for determining the purpose and means of processing personal data.
This policy should be read alongside our Privacy Notices, which provide specific details on how we process data for different groups (e.g., service users, staff, volunteers).
3. Scope of Policy
This policy applies to all individuals for whom we process personal data, including:
Employees, volunteers, and trustees.
Service users, beneficiaries, and their families/carers.
Members, donors, and supporters.
Contractors and suppliers.
It applies to current and former relationships (e.g., ex-employees, past service users). All such individuals are considered Data Subjects under this policy.
This policy covers the entire data lifecycle: collection, maintenance, use, sharing, and secure destruction.
4. Data Protection Principles
We recognise that personal data must be processed in accordance with the seven UK GDPR principles. Data shall be:
Processed lawfully, fairly, and transparently.
Collected for specified, explicit, and legitimate purposes.
Adequate, relevant, and limited to what is necessary.
Accurate and, where necessary, kept up to date.
Kept only for as long as is necessary.
Processed in a manner that ensures appropriate security.
We are accountable for complying with these principles.
5. Definitions
Personal Data: Information relating to an identifiable living individual. This includes names, contact details, identification numbers, and online identifiers. It can also include expressions of opinion or intentions regarding the individual.
Special Category Data: This is more sensitive personal data requiring a higher level of protection. It includes data revealing:
Racial or ethnic origin.
Political opinions.
Religious or philosophical beliefs.
Trade union membership.
Genetic or biometric data (where used for ID purposes).
Health data.
Sex life or sexual orientation.
We may process special category data, particularly concerning health and disability to deliver our services and support our staff, as detailed in our Privacy Notices and in strict compliance with the law.
Processing: Any operation performed on personal data, including collection, recording, storage, use, sharing, and destruction.
6. Lawful Basis for Processing
We will only process personal data where we have a valid lawful basis, such as:
Performance of a Contract: To deliver services or manage employment.
Legal Obligation: To comply with the law (e.g., reporting to regulators, HMRC).
Legitimate Interests: For purposes where our interests are not overridden by the individual’s rights (e.g., administrative management, fraud prevention).
Vital Interests: To protect someone’s life.
Public Task: For our functions as a charity.
Consent: Where we have clear, specific, and freely given consent (this is less common for our core activities).
We do not use automated decision-making or profiling.
7. Data Sharing
We may share personal data with trusted third-party organisations only where necessary and lawful to do so, for example:
With statutory bodies (e.g., local authorities, safeguarding teams, Ofsted/CQC if applicable) where legally required.
With partner charities or service providers to deliver support (under strict data sharing agreements).
With our professional advisors (e.g., accountants, insurers, IT support).
We require all third parties to protect data in accordance with the law and only process it for the specified purpose. A list of key data processors is in Appendix 1.
We will not transfer personal data outside the UK unless to a country deemed ‘adequate’ by the UK, or with appropriate safeguards in place (e.g., Standard Contractual Clauses).
8. Responsibilities
Board of Trustees: Has ultimate responsibility for this policy and compliance.
Data Protection Officer (DPO): The Chief Executive Officer acts as the DPO, responsible for overseeing implementation, providing advice, and acting as the point of contact for data subjects and the Information Commissioner’s Office (ICO).
All Staff & Volunteers: Are responsible for:
Collecting, storing, and handling personal data in line with this policy.
Only accessing data needed for their role.
Reporting data breaches immediately.
Following the security instructions below.
9. Data Security Instructions
General:
Be vigilant about keeping personal data secure.
Only share data internally with those who need it for their role.
Never share data externally without authorisation from your line manager or the DPO.
Keep data accurate and up to date.
Avoid making unnecessary copies.
Do not remove hard copies of personal data from designated secure areas without authorisation.
Anonymise data for use in the community where possible.
Dispose of physical documents containing personal data via confidential shredding bins only.
Avoid being overheard when discussing personal data.
Electronic Devices & Communication:
Use strong passwords (see Appendix 2) and change them periodically.
Always lock devices when unattended.
Do not save personal data to personal devices (e.g., home computers, USB sticks) without explicit authorisation.
Use charity-approved, secure cloud storage (e.g., OneDrive, SharePoint) – not local drives or USB sticks.
Be cautious in online meetings; avoid naming individuals unnecessarily.
Use password protection or encrypted email when emailing sensitive personal data to external recipients.
10. Data Retention
We will not keep personal data for longer than is necessary. Our standard retention periods are:
Employee & Volunteer Records:
Main personnel files: 6 years after employment/engagement ends.
Core identity data (name, role, dates): Retained indefinitely for historical reference.
Health & Safety records (accidents, RIDDOR): 40 years.
Sickness absence records: 6 years after employment ends.
Parental leave records: 18 years from child's birth.
Service User & Beneficiary Records (Adults):
Case files and support records: 8 years after the end of service provision.
Core identity data (name, date of birth, dates of service): Retained indefinitely for safeguarding and historical purposes.
Records of significant incidents: 20 years from the date of the incident.
Records of minor incidents: 10 years from the date of the incident.
Service User & Beneficiary Records (Children/Young People under 18):
Case files and support records: Until the individual’s 25th birthday (or 26th if they were 17 when the service ended).
Core identity data: Retained indefinitely as above.
Incident records: As per adult timings from the date of the incident.
At the end of the retention period, data will be securely destroyed (shredded or electronically deleted).
11. Rights of Data Subjects
Individuals have the right to:
Be informed about how we use their data (via Privacy Notices).
Access their personal data (Subject Access Request – see below).
Rectification of inaccurate or incomplete data.
Erasure (‘right to be forgotten’) in certain circumstances.
Restrict processing in certain circumstances.
Data portability (to receive and reuse their data).
Object to processing based on legitimate interests or for direct marketing.
Rights relating to automated decision-making and profiling (we do not do this).
Lodge a complaint with the Information Commissioner’s Office (ICO).
To exercise any of these rights, individuals should contact the Data Protection Officer.
Subject Access Requests (SARs): Individuals have the right to request a copy of their data. We will respond within one month, free of charge. Requests should be made in writing to the DPO. Our full SAR procedure is available separately.
12. Reporting Data Breaches
A personal data breach is a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
All staff and volunteers must report any suspected breach immediately to the Data Protection Officer (CEO).
The DPO will assess the breach. If it is likely to result in a risk to people’s rights and freedoms, we are legally required to report it to the ICO within 72 hours. We will also notify affected individuals without undue delay if the risk is high.
13. Review
This policy will be reviewed by the Board of Trustees at least every two years or in response to significant legal or operational changes.
This policy was formally adopted by the Board of Trustees of Disability Equals Ability on: March 2026
Appendix 1: Key Data Processors
Disability Equals Ability uses the following third-party organisations (processors) to help deliver our services. All operate under data processing agreements.
Relating to all individuals (General Operations):
Microsoft Corporation (UK):and Google Cloud-based storage, email, and office applications (Microsoft 365).
Donor/Case Management System: Central database for managing beneficiary and donor information.
Your IT Support Provider: Managed IT support and security services..
Relating to employees and volunteers
Relating to service users and beneficiaries:
Local Authorities : For statutory reporting, service delivery partnerships, and safeguarding.
Ofsted / Care Quality Commission (CQC):.
Note: This list is indicative and must be updated as third-party contracts change.
Appendix 2: Password Security Guidelines
Creating and managing strong passwords is a critical part of our data security.
DO:
Create long, strong passwords: Use at least 12 characters. Combine uppercase (A-Z) and lowercase (a-z) letters, numbers (0-9), and symbols (!@#$%^&*).
Use a passphrase: A sequence of random words is often stronger and easier to remember than a complex short password (e.g.,
PurpleTiger$JumpedHigh!).Use a password manager: Consider using a reputable password manager to generate and store unique passwords for all your accounts.
Use different passwords: Never reuse the same password for multiple accounts, especially for work, email, and banking.
Change passwords periodically: Follow organisational guidance, especially if a breach is suspected.
Lock your device: Always lock your computer, phone, or tablet when you step away.
Enable Multi-Factor Authentication (MFA): Where available (e.g., Microsoft 365), always enable MFA for an extra layer of security.
DON'T:
Use easily guessable information: Avoid names of family, pets, birthdays, or common words like "password123".
Use simple keyboard patterns: Such as "qwerty" or "123456".
Write down passwords visibly: If you must note a password, store it securely (e.g., in a locked drawer or a secure password manager), never on a sticky note on your monitor.
Share your passwords: Do not share your work passwords with anyone, including colleagues. The IT team will never ask for your password via email.
Enter passwords on public or untrusted computers: Avoid logging into work accounts on library, café, or hotel computers.
Use the "Remember Password" function on shared or public browsers.
Example of a strong passphrase: Coffee:Beans=2024Shiny!
Policy Adoption & History
V Version
Date Adopted
Summary of Changes
Approved By
1.0
March 2025
I Initial policy adopted from foundation documents, tailored for Disability Equals Ability and UK GDPR.
Board of Trustees
For more information, or to exercise your data rights, please contact:
The Data Protection Officer
Disability Equals Ability
the GATEWAY | 85-101 Sankey Street | Warrington | Cheshire | WA1 1SR
info@disabilityequalsability.org.uk
01925 246800
To complain to the regulator:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
www.ico.org.uk
This policy and procedure has been adopted by Disability Equals Ability through its Board of Trustees, which remains responsible for its review and approval.
1. Aims of Policy
This policy explains how Disability Equals Ability manages personal information. It outlines the rights of individuals (data subjects) about whom we hold information and details our responsibilities for obtaining, handling, processing, storing, and destroying personal data lawfully and securely.
The policy aims to:
Safeguard the individuals about whom we hold information by ensuring it is managed appropriately.
Ensure Disability Equals Ability complies with its legal obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Introduction
The UK GDPR applies to organisations holding and using personal information, whether held electronically or in structured manual filing systems.
An organisation that collects and uses personal data is called a Data Controller. The individual to whom the data relates is called a Data Subject.
UK GDPR is based on the rights of the Data Subject to know what data is held about them and how it will be used. The regulation sets out principles so personal data is:
Processed lawfully, fairly, and transparently.
Collected for specified, explicit, and legitimate purposes.
Adequate, relevant, and limited to what is necessary.
Accurate and, where necessary, kept up to date.
Kept only for as long as is necessary.
Processed securely to ensure appropriate security.
Disability Equals Ability is the Data Controller, responsible for determining the purpose and means of processing personal data.
This policy should be read alongside our Privacy Notices, which provide specific details on how we process data for different groups (e.g., service users, staff, volunteers).
3. Scope of Policy
This policy applies to all individuals for whom we process personal data, including:
Employees, volunteers, and trustees.
Service users, beneficiaries, and their families/carers.
Members, donors, and supporters.
Contractors and suppliers.
It applies to current and former relationships (e.g., ex-employees, past service users). All such individuals are considered Data Subjects under this policy.
This policy covers the entire data lifecycle: collection, maintenance, use, sharing, and secure destruction.
4. Data Protection Principles
We recognise that personal data must be processed in accordance with the seven UK GDPR principles. Data shall be:
Processed lawfully, fairly, and transparently.
Collected for specified, explicit, and legitimate purposes.
Adequate, relevant, and limited to what is necessary.
Accurate and, where necessary, kept up to date.
Kept only for as long as is necessary.
Processed in a manner that ensures appropriate security.
We are accountable for complying with these principles.
5. Definitions
Personal Data: Information relating to an identifiable living individual. This includes names, contact details, identification numbers, and online identifiers. It can also include expressions of opinion or intentions regarding the individual.
Special Category Data: This is more sensitive personal data requiring a higher level of protection. It includes data revealing:
Racial or ethnic origin.
Political opinions.
Religious or philosophical beliefs.
Trade union membership.
Genetic or biometric data (where used for ID purposes).
Health data.
Sex life or sexual orientation.
We may process special category data, particularly concerning health and disability to deliver our services and support our staff, as detailed in our Privacy Notices and in strict compliance with the law.
Processing: Any operation performed on personal data, including collection, recording, storage, use, sharing, and destruction.
6. Lawful Basis for Processing
We will only process personal data where we have a valid lawful basis, such as:
Performance of a Contract: To deliver services or manage employment.
Legal Obligation: To comply with the law (e.g., reporting to regulators, HMRC).
Legitimate Interests: For purposes where our interests are not overridden by the individual’s rights (e.g., administrative management, fraud prevention).
Vital Interests: To protect someone’s life.
Public Task: For our functions as a charity.
Consent: Where we have clear, specific, and freely given consent (this is less common for our core activities).
We do not use automated decision-making or profiling.
7. Data Sharing
We may share personal data with trusted third-party organisations only where necessary and lawful to do so, for example:
With statutory bodies (e.g., local authorities, safeguarding teams, Ofsted/CQC if applicable) where legally required.
With partner charities or service providers to deliver support (under strict data sharing agreements).
With our professional advisors (e.g., accountants, insurers, IT support).
We require all third parties to protect data in accordance with the law and only process it for the specified purpose. A list of key data processors is in Appendix 1.
We will not transfer personal data outside the UK unless to a country deemed ‘adequate’ by the UK, or with appropriate safeguards in place (e.g., Standard Contractual Clauses).
8. Responsibilities
Board of Trustees: Has ultimate responsibility for this policy and compliance.
Data Protection Officer (DPO): The Chief Executive Officer acts as the DPO, responsible for overseeing implementation, providing advice, and acting as the point of contact for data subjects and the Information Commissioner’s Office (ICO).
All Staff & Volunteers: Are responsible for:
Collecting, storing, and handling personal data in line with this policy.
Only accessing data needed for their role.
Reporting data breaches immediately.
Following the security instructions below.
9. Data Security Instructions
General:
Be vigilant about keeping personal data secure.
Only share data internally with those who need it for their role.
Never share data externally without authorisation from your line manager or the DPO.
Keep data accurate and up to date.
Avoid making unnecessary copies.
Do not remove hard copies of personal data from designated secure areas without authorisation.
Anonymise data for use in the community where possible.
Dispose of physical documents containing personal data via confidential shredding bins only.
Avoid being overheard when discussing personal data.
Electronic Devices & Communication:
Use strong passwords (see Appendix 2) and change them periodically.
Always lock devices when unattended.
Do not save personal data to personal devices (e.g., home computers, USB sticks) without explicit authorisation.
Use charity-approved, secure cloud storage (e.g., OneDrive, SharePoint) – not local drives or USB sticks.
Be cautious in online meetings; avoid naming individuals unnecessarily.
Use password protection or encrypted email when emailing sensitive personal data to external recipients.
10. Data Retention
We will not keep personal data for longer than is necessary. Our standard retention periods are:
Employee & Volunteer Records:
Main personnel files: 6 years after employment/engagement ends.
Core identity data (name, role, dates): Retained indefinitely for historical reference.
Health & Safety records (accidents, RIDDOR): 40 years.
Sickness absence records: 6 years after employment ends.
Parental leave records: 18 years from child's birth.
Service User & Beneficiary Records (Adults):
Case files and support records: 8 years after the end of service provision.
Core identity data (name, date of birth, dates of service): Retained indefinitely for safeguarding and historical purposes.
Records of significant incidents: 20 years from the date of the incident.
Records of minor incidents: 10 years from the date of the incident.
Service User & Beneficiary Records (Children/Young People under 18):
Case files and support records: Until the individual’s 25th birthday (or 26th if they were 17 when the service ended).
Core identity data: Retained indefinitely as above.
Incident records: As per adult timings from the date of the incident.
At the end of the retention period, data will be securely destroyed (shredded or electronically deleted).
11. Rights of Data Subjects
Individuals have the right to:
Be informed about how we use their data (via Privacy Notices).
Access their personal data (Subject Access Request – see below).
Rectification of inaccurate or incomplete data.
Erasure (‘right to be forgotten’) in certain circumstances.
Restrict processing in certain circumstances.
Data portability (to receive and reuse their data).
Object to processing based on legitimate interests or for direct marketing.
Rights relating to automated decision-making and profiling (we do not do this).
Lodge a complaint with the Information Commissioner’s Office (ICO).
To exercise any of these rights, individuals should contact the Data Protection Officer.
Subject Access Requests (SARs): Individuals have the right to request a copy of their data. We will respond within one month, free of charge. Requests should be made in writing to the DPO. Our full SAR procedure is available separately.
12. Reporting Data Breaches
A personal data breach is a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
All staff and volunteers must report any suspected breach immediately to the Data Protection Officer (CEO).
The DPO will assess the breach. If it is likely to result in a risk to people’s rights and freedoms, we are legally required to report it to the ICO within 72 hours. We will also notify affected individuals without undue delay if the risk is high.
13. Review
This policy will be reviewed by the Board of Trustees at least every two years or in response to significant legal or operational changes.
This policy was formally adopted by the Board of Trustees of Disability Equals Ability on: March 2026
Appendix 1: Key Data Processors
Disability Equals Ability uses the following third-party organisations (processors) to help deliver our services. All operate under data processing agreements.
Relating to all individuals (General Operations):
Microsoft Corporation (UK):and Google Cloud-based storage, email, and office applications (Microsoft 365).
Donor/Case Management System: Central database for managing beneficiary and donor information.
Your IT Support Provider: Managed IT support and security services..
Relating to employees and volunteers
Relating to service users and beneficiaries:
Local Authorities : For statutory reporting, service delivery partnerships, and safeguarding.
Ofsted / Care Quality Commission (CQC):.
Note: This list is indicative and must be updated as third-party contracts change.
Appendix 2: Password Security Guidelines
Creating and managing strong passwords is a critical part of our data security.
DO:
Create long, strong passwords: Use at least 12 characters. Combine uppercase (A-Z) and lowercase (a-z) letters, numbers (0-9), and symbols (!@#$%^&*).
Use a passphrase: A sequence of random words is often stronger and easier to remember than a complex short password (e.g.,
PurpleTiger$JumpedHigh!).Use a password manager: Consider using a reputable password manager to generate and store unique passwords for all your accounts.
Use different passwords: Never reuse the same password for multiple accounts, especially for work, email, and banking.
Change passwords periodically: Follow organisational guidance, especially if a breach is suspected.
Lock your device: Always lock your computer, phone, or tablet when you step away.
Enable Multi-Factor Authentication (MFA): Where available (e.g., Microsoft 365), always enable MFA for an extra layer of security.
DON'T:
Use easily guessable information: Avoid names of family, pets, birthdays, or common words like "password123".
Use simple keyboard patterns: Such as "qwerty" or "123456".
Write down passwords visibly: If you must note a password, store it securely (e.g., in a locked drawer or a secure password manager), never on a sticky note on your monitor.
Share your passwords: Do not share your work passwords with anyone, including colleagues. The IT team will never ask for your password via email.
Enter passwords on public or untrusted computers: Avoid logging into work accounts on library, café, or hotel computers.
Use the "Remember Password" function on shared or public browsers.
Example of a strong passphrase: Coffee:Beans=2024Shiny!
Policy Adoption & History
V Version
Date Adopted
Summary of Changes
Approved By
1.0
March 2025
I Initial policy adopted from foundation documents, tailored for Disability Equals Ability and UK GDPR.
Board of Trustees
For more information, or to exercise your data rights, please contact:
The Data Protection Officer
Disability Equals Ability
the GATEWAY | 85-101 Sankey Street | Warrington | Cheshire | WA1 1SR
info@disabilityequalsability.org.uk
01925 246800
To complain to the regulator:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
www.ico.org.uk
