Donate Menu

Data Protection Policy

1. Introduction, purpose and scope of the policy

Toybox is committed to protecting the rights of individuals in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy outlines how we collect, process, store and protect personal data.

1.1 Purpose of policy:

For Toybox to function we need to gather and process certain data about individuals; this includes supporters, suppliers, business contacts, employees, volunteers and other stakeholders who Toybox has a relationship with or may need to contact. Toybox values its supporters and strives to protect personal data. This policy supports Toybox to achieve this as well as to meet legal requirements.

This policy provides the following:

  • Explanation as to what type of personal data Toybox keeps and the reasons for this as well as how Toybox keeps individuals informed about the personal data it holds about them
  • An outline of the measures Toybox will take to ensure that the gathering, processing, storing and deleting of data will meet legal requirements and how it follows good practice
  • By ensuring Toybox protects the rights’ of employees, volunteers, supporters, suppliers, business contracts and other stakeholders
  • Assistance for employees and persons associated with Toybox to understand the risks associated with data processing and to avoid and manage data breaches
  • Explanation as to under what circumstances Toybox will disclose data and to whom, including how information requests will be handled
  • Clarification on who has responsibilities for data protection within Toybox

1.2 Scope of policy:

This policy applies to all employees, volunteers, trustees, overseas partners, consultants and third-party service providers handling personal data on Toybox's behalf. This policy covers all personal data processed by or on behalf of Toybox, whether it is held electronically or on paper.

2. Responsibilities

2.1 Trustees

The Trustees will provide leadership, resources and are responsible for ensuring this policy is fit for purpose and complied with, so Toybox meets its legal obligations.

2.2 Leadership Team

The leadership team is responsible for ensuring this policy (and any related policies and procedures) are implemented consistently with clear lines of authority. And will ensure the Data Protection Officer is fulfilling their responsibilities.

2.3 Data Protection Officer

Toybox has a designated a person as the Data Protection Officer (DPO). The DPO is responsible for advising on and assessing Toybox's compliance with GDPR and Data Protection Act, making recommendations to improve compliance. Toybox's DPO is Naomi Lewis, and she can be contacted at [email protected]

2.4 The Director of Marketing and Fundraising

The Director of Marketing and Fundraising is responsible for monitoring and implementing any data changes which have an impact on Toybox fundraising activities; Approving any data protection statements attached to communications to supporters; addressing any data protection queries from journalists or media contacts; and where necessary, working with other employees to ensure marketing initiatives abide by data protection legislation.

2.5 All staff

Individuals are expected to ensure any data they engage with in their work follows this policy and any related policies and procedures. They are also responsible for immediately reporting any potential breaches of data protection.

3. Data Processing

Toybox is committed to processing personal data using the data protection principles outlined in the UK GDPR

  • Lawfulness, fairness and transparency: we will always process data within legislation and be transparent about what we are doing

  • Purpose limitation: We will collect data for specified, legitimate purposes and not process it in a manner that is incompatible with those purposes

  • Data minimisation: We will only collect the data we need

  • Accuracy: We will keep data accurate and up to date

  • Storage limitation: We will not keep data for any longer than necessary

  • Integrity and confidentiality: Data will be kept safe and secure

  • Accountability: We will be responsible for our data procesing activities and will demonstrate compliance where and when necessary

4. Lawful basis for processing personal data

The UK GDPR identifies six lawful bases for the processing of data. Toybox will always ensure that at least one of them is relevant before processing personal data:

  • Consent: the individual has given clear consent for Toybox to process their personal data for a specific purpose

  • Contract: the processing is necessary for a contract Toybox has with the individual, or because they have asked us to take specific steps before entering into a contract.

  • Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).

  • Vital interests: the processing is necessary to protect someone’s life.

  • Public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.

  • Legitimate interest: the processing is necessary for Toybox’s legitimate interest or the legitimate interest of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

  • Special Category Data – in addition to the six categories there is a Special Category Data. This is personal data which is more sensitive and needs more protection.

4.1 Toybox’s approach to consent

Toybox will ensure that consent is freely given, specific, informed and unambiguous. A positive opt-in is required. Consent cannot be inferred by silence, pre-ticked boxes or inactivity. Toybox defines a positive opt-in as: contractual agreements, a verbal or written opt-in recorded on the Customer Relationship Management system. Consent for stakeholders will be recorded in the following systems:

  • Supporters = Customer Relationship Management system

  • Employees = HR online system

  • Volunteers and trustees = Restricted access folders on the Toybox server

Although not required by law as Toybox’s partners are outside of the EU, we will also gather consent from partners for the processing of their data.

Consent will remain in place until withdrawn with the exception of items which need to be erased as per the current legal guidelines.

This policy applies to all data that Toybox holds relating to identifiable individuals. This includes the following types of personal data:

  • Names of individuals

  • Postal addresses

  • Email addresses

  • Telephone numbers

  • Any other information relating to individuals

4.2 Toybox’s approach to children’s personal data

Toybox must ensure that we obtain parental permission prior to engaging with any child under the age of 13 For children between the ages of 13 and 18 we will encourage them to inform their parents or guardians concerning their engagement with Toybox and their sharing of data with us.

4.3 Data accuracy

It is the responsibility of all employees to ensure that data is kept as accurate and up to date as possible. Once data is updated, the old data must be removed. Data will be held in as few places as possible to avoid unnecessary additional data sets that may not have been updated.

5. Data Subject Rights

An individual’s rights regarding their data are:

  • The right to be informed
  • The right of access to data information
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated decision-making including profiling.

The Toybox Privacy Statement for Supporters gives more detailed information to supporters on how Toybox will protect an individual’s data.

6. Data Transfer

Where Toybox uses third party organisations to process its data it will only do so where the organisation:

  • Can provide sufficient guarantees about the security measures they operate
  • Guarantees to only act on the instructions of Toybox
  • Signs a data processing contract stating full compliance with the UK GDPR.

If data is transferred outside the UK, Toybox will ensure appropriate safeguards such as Standard Contractual Clauses (SCCs) are implemented

7. Data Security Procedures

Toybox will apply secure data storage and sharing processes. These include the following:

  • All physical and electronic records are securely stored with encryption and access controls.
  • Supporter data on paper documents will be securely stored and not removed from the office
  • Computers will be locked when unattended.
  • Annual Cybersecurity audit and accreditation.
  • Annual employee Data Protection training will be undertaken.
  • Personal data will not be shared formally or informally with any unauthorised person.

All staff must follow the Electronic Data Security policy including the Code of Conduct as a means to ensure data protection. This covers all aspects of use of IT systems, software and equipment, use of passwords, secure storage of equipment, internet usage, remote access, and indecent or obscene material. There is also an e-mail policy with guidance on how a breach should be handled.

Third parties to whom data is being sent (always sent electronically) must sign the Toybox Data Protection and Security Policy as well as the Data Processing Agreement before any data is transmitted.

8. Data Archiving, Retention and Disposal

Data will only be retained for as long as is necessary and will be determined by the following:

  • Information that needs to be kept by law
  • Information that has ongoing business value
  • Information that is of archival value

9. Data protection, risk mitigation and breaches

This policy helps to protect Toybox from some very real data security risks, including: - Safe storage and sharing of data to mitigate the risk of information being accessed by unauthorised individuals

  • Breaches of confidentiality, e.g. information being given out inappropriately

  • Failing to offer choice, e.g. all individuals should be free to choose how Toybox uses data relating to them

  • Reputational damage, e.g. Toybox could suffer if hackers successfully gained access to personal data

9.1 Data storage and sharing

Toybox will apply secure data storage and sharing processes. These included the following: - Personal data will be stored on secure servers that are backed up and tested regularly

  • Paper documents are always kept in locked draws and not taken out of the office

  • Computers will be locked when unattended

  • Personal data will not be shared formally or informally with any unauthorised person

9.2 Data archiving, retention and disposal

Toybox has clear guidance on:

  • What information should be retained and for how long

  • Who is responsible

  • How to dispose of records

Data will only be retained for as long as is necessary and will be determined by the following:

  1. Information that needs to be kept by law - Certain pieces of legislation set out types of information that should be kept and how long they should be kept for.

  2. Information that has ongoing business value - This is information that is of value to Toybox, which is needed for both day to day activities and longer term strategic planning.

  3. Information that is of archival value - Most information is scheduled to be retained for six or seven years. This is because of a concept known as the liability period, and is particularly relevant where we hold a contract with either a supplier or where we have provided a service to another organisation.

Toybox has quality archiving processes that enable the organisation to use knowledge to make better decisions and have records available to show how decisions were made in case the organisation is required to produce justification.

Employees will create, use, manage and preserve all records in accordance with all statutory requirements including the Freedom of Information Act 2000. Directors will be accountable for ensuring that depositing and disposing of archive records happens effectively within their business area as well as ensuring that legislative requirements are being applied. Responsibility for records created by or for Board members lies with the CEO. Toybox may decide to retain data for less than the legal requirements if the data value is reduced, as this also saves storage costs.

The retention period will be computed from the end of the financial year to which the records relate. All documents will then be destroyed confidentially. Toybox will be provided with a certificate to say that the records have been securely shredded. More detail is given in the separate Data Archiving, Retention and Disposal Policy and Guidance for each type of data.

9.3 Data Breaches

A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorised to do so. This includes breaches that are the result of both accidental and deliberate causes.

All data breaches must be reported to the DPO immediately who will notify the ICO within 72 hours of becoming aware of a data breach with the essential facts. Where a breach is likely to adversely affect the personal data of individuals, Toybox will follow the procedures as outlined in the policy link below.

10. The right to access to information (Subject Access Requests)

All individuals who are the subject of personal data held by Toybox are entitled to:

  • Ask what information Toybox holds about them
  • The reason for Toybox to hold the information
  • Whether it has been giving to another other organisation or people

Individuals have the right of access to personal information held about them under the GDPR and any individual wishing to access the personal information Toybox holds on them should send a description of the information they want to see and proof of their identity in writing to the Toybox Data Protection Officer. Toybox will not charge to provide this information, unless it is excessive, repetitive or requesting copies of the same data.

Toybox will then collate the data and provide a written copy to the individual within one month of receipt of the request. Data will include data in manual records as well as digital data, including backup data and mailing lists. The data will be provided along with an explanation of that information where it cannot be easily understood. If the applicant agrees a copy can be emailed to them. Toybox will include information on where the personal data was obtained from and who else the information may have been given to. If there are any inaccuracies identified by the applicant, Toybox will remove them.

Exemptions

The GDPR allows for some exemptions for when data does not need to be provided, even if requested. The following are those exemptions that may be relevant to Toybox:

  • If the data is linked to a criminal investigation

  • Data that is processed for organisational management forecasting and planning

  • Confidential references that Toybox gives in connection with education, training or employment for current or previous staff

Also if a third party requests information concerning the individual then Toybox will not usually release that information unless the individual expressly consents. And if the records would disclose information about another individual who has not given permission for the information to be released, then it does not have to be released.

11. Monitoring and Review

This policy will be reviewed every two years or after a significant change in operations, the law or a significant incident, whichever is sooner. Additionally, the DPO will carry out regular reviews of the compliance to this policy.