Section 2 — Organisation Data Protection Policy and Procedure

Policy

The Strettons Mayfair Trust (SMT) needs to collect personal information about people with whom it deals in order to carry out its business and provide its services. Such people include clients, employees (present, past and prospective), volunteers, members, suppliers and other business contacts. 

The General Data Protection Regulations 2016 and the Data Protection Act 2018 define ‘personal data’ as any information relating to a living identified or identifiable natural person (a data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Such information includes name, address, email address, date of birth, private and confidential information, and sensitive information. In addition, we may occasionally be required to collect and use certain types of such personal information to comply with the requirements of the law. No matter how it is collected, recorded and used (e.g. on a computer or other digital media, on hardcopy, paper or images, including CCTV), this personal information must be dealt with properly to ensure compliance with the General Data Protection Regulations 2016 (GDPR) and the Data Protection Act 2018 (DPA18).

SMT is committed not only to the letter of the law, but also to the spirit of the law, and places high importance on the correct, lawful and fair handling of all personal data, respecting the legal rights, privacy and trust of all individuals with whom it deals. 

SMT is committed to providing a confidential service to its users. No information given to us will be shared with any other organisation or individual without the data subject’s prior consent/agreement. 

For the purpose of this policy, confidentiality relates to the transmission of personal, sensitive or identifiable data about individuals or organisations which comes into the possession of SMT through its work. 

SMT holds personal data about its staff, users, members etc. which will only be used for the purposes for which it was gathered and will not be disclosed to anyone outside the organisation without prior permission. 

All personal data will be dealt with sensitively and in the strictest confidence internally and externally. 

Data Protection Principles

SMT fully supports and complies with the principles of GDPR which are summarised below: 

  1. Personal data shall be processed fairly and lawfully and in a transparent manner in relation to the data subject.
  2. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
  3. Personal data held must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. 
  4. Personal data must be accurate, complete and kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
  5. Personal data shall not be kept for longer than necessary for the purposes for which it was processed. Personal data may be stored for longer periods if it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by GDPR and DPA18 in order to safeguard the rights and freedoms of the data subject.
  6. Personal data shall be processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures.
  7. Personal data shall not be transferred outside the European Economic Area (EEA) unless there is adequate protection.
  8. A copy of personal data, which is not covered by an exemption, will be supplied to an individual on request, within 1 month of that request. 

Information covered by GDPR and DPA18

DPA18’s definition of “personal data” covers any data that can be used to identify a living individual. Anonymised or aggregated data can be used, providing the anonymisation or aggregation has not been done in a reversible way. Individuals can be identified by various means, including their name and address, telephone number or email address, etc. Sensitive personal data is data related to: 

The Rights of Data Subjects

Lawful, Fair and Transparent Data Processing

GDPR and DPA18 seek to ensure that personal data is processed lawfully, fairly and transparently, without adversely affecting the rights of the data subject. SMT must identify its lawful basis for processing. Processing of personal data shall be lawful only if at least one of the following applies: 

Role and Responsibilities of SMT 

SMT will carry out Data Protection Impact Assessments (DPIA) for any and all new projects and/or new uses of personal data. 

Keeping Data Subjects Informed

SMT will provide Privacy information to every data subject where personal data is collected directly from the data subject. It will provide this information at the time of collection. 

SMT will provide Privacy information where personal data is obtained from a third party, to the data subject within the prescribed time scales. 

Privacy information must include:

Employee and Volunteer Responsibilities

All employees and volunteers must: 

Monitoring

Compliance with the policies and procedures laid down in this document will be monitored via Internal Audit.

The organisation will monitor this policy to ensure it meets statutory and legal requirements, including the GDPR, DPA18, the Children Act, the Rehabilitation of Offenders Act and the Prevention of Terrorism Act.

Existing and new employees and volunteers will be introduced to the Data Protection Policy and Procedure via induction and training.

They will be asked to sign their name to confirm they have read and understood the policy and procedure. 

Statistical Recording

SMT is committed to effective statistical recording of the use of its services in order to monitor usage and performance. All statistical records given to third parties, such as those supporting funding applications or monitoring reports for the local authority, shall be produced in anonymous form, so that individuals cannot be identified. 

Third party information, including information acquired verbally and subsequently recorded, can only be shared with clients with the explicit consent of the originator of that information. Consent should be in writing and specify exactly with whom that information can be shared. It may not always be possible to disclose to clients all information kept on file. This particularly applies to third party information, where the agency or individual has not given us permission, or where an individual could be put at risk by sharing the information. 

Version: 2017.7, 2018.2, 2018.10, 2020.04
Date: 5.7.17
This policy was adopted by the Secretary on: 20.3.19
Signed (Secretary)
This document was adopted by the Chief Officer on: 20.3.19
Signed (Chief Officer)
This procedure shall be reviewed at intervals of: ANNUALLY, by CJT