Thrive Autism – Data Protection Policy
Thrive Autism, Charity Registration Number: 1215310
1. Introduction and Purpose
Thrive Autism is committed to protecting the privacy and rights of individuals in relation to their personal data. We are dedicated to respecting the privacy of everyone we work with, including supporters, donors, beneficiaries, volunteers, staff, and members of the public.
This policy ensures that the charity complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It is designed to meet the high standards and expectations set out in guidance from the Charity Commission and the Fundraising Regulator.
The primary objectives of this policy are to:
- Define the types of personal data collected by the charity.
- Explain how and why this data is used for charitable activities and internal administration.
- Outline the lawful bases for processing data.
- Establish technical and organisational measures to keep data safe.
- Protect and uphold the rights of individuals under UK GDPR.
2. Key Definitions
- Personal data: Any information that can identify a living individual. This includes names, addresses, email addresses, phone numbers, donation or fundraising records, communication preferences, event participation details, volunteer roles and availability, records of support/charitable services provided, and identifiable images or testimonials.
- Special categories of personal data: Sensitive information that requires a higher level of protection, such as health information. This is only processed where strictly necessary.
- Processing: Any operation or set of operations performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, or erasure.
- Data Subject: The living individual to whom the personal data relates.
- Data Controller: The organisation (Thrive Autism) that determines the purposes and means of the processing of personal data.
- Data Processor: A third party that processes personal data on behalf of the Data Controller (e.g., a payroll provider or cloud storage service).
3. Scope and Applicability
This policy applies to all trustees, staff, and volunteers who process personal data on behalf of Thrive Autism. The categories of individuals whose data is processed include:
- Donors and supporters.
- Volunteers.
- Staff and trustees.
- Beneficiaries and service users.
- Members of the public who contact the charity.
4. The Data Protection Principles
Thrive Autism adheres to the seven core principles of UK GDPR. Personal data shall be:
- Processed lawfully, fairly, and in a transparent manner.
- Collected for specified, explicit, and legitimate purposes (purpose limitation).
- Adequate, relevant, and limited to what is necessary (data minimisation).
- Accurate and, where necessary, kept up to date (accuracy).
- Kept in a form which permits identification of data subjects for no longer than is necessary (storage limitation).
- Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage (integrity and confidentiality).
- The data controller shall be responsible for, and be able to demonstrate compliance with, the above principles (accountability).
5. Lawful Bases for Processing
Personal data is only processed when a valid lawful basis exists. Thrive Autism relies on the following four primary bases:
5.1 Consent
Consent is used where individuals have actively agreed to the processing. This applies to email marketing subscriptions and the sharing of personal stories or images for promotional purposes. Individuals have the right to withdraw their consent at any time.
5.2 Legal Obligation
This basis is used when processing is required by law. This includes processing Gift Aid claims for HMRC, maintaining financial records for audit purposes, and fulfilling regulatory reporting requirements to the Charity Commission.
5.3 Legitimate Interests
Processing is conducted under this basis when it is necessary for the charity's legitimate purposes and does not override the rights of the individual. This includes:
- Supporter stewardship and direct fundraising communications by post or phone.
- Internal administration, including the management of volunteer roles and records of support provided.
A legitimate interests assessment is conducted where required to ensure the balance of interests.
5.4 Contract
This basis is used where processing is necessary to fulfil an agreement, such as employment contracts or formal volunteer arrangements.
6. Fundraising and Communications Standards
Thrive Autism is committed to ethical standards in all fundraising activities:
- We strictly comply with the Code of Fundraising Practice.
- We respect individual communication preferences and provide clear opt-out options in every communication.
- We check relevant suppression lists, such as the Fundraising Preference Service (FPS), before conducting campaigns.
- We never sell personal data to third parties.
7. Data Security and Retention
7.1 Technical and Organisational Measures
We take all reasonable measures to protect personal data, including:
- Secure storage for both digital and paper records.
- Restricting access to data to authorised personnel only.
- Ensuring the use of password protection, secure software, and encryption.
- Performing regular backups and reviews of data handling practices.
7.2 Data Retention
Personal data is retained only for as long as necessary to meet legal, regulatory, and operational needs. For example, financial records are typically kept for six years to comply with HMRC requirements. Once the retention period expires, data is securely deleted or destroyed in accordance with our internal data retention arrangements.
8. Individual Rights
Under UK GDPR, individuals have the following rights:
- Access: The right to request a copy of the personal data held about them.
- Rectification: The right to request the correction of inaccurate or incomplete data.
- Erasure/Deletion: The right to request the deletion of data where there is no compelling reason for its continued processing.
- Restricting processing: The right to “block” or suppress the processing of their data.
- Data portability: The right to obtain and reuse their personal data for their own purposes across different services.
- Objecting to processing: The right to object to processing based on legitimate interests or direct marketing.
- Withdrawing consent: The right to withdraw previously given consent at any time.
9. Third Parties and Data Sharing
Thrive Autism shares personal data with third parties only when necessary and with a valid lawful basis. This includes sharing with:
- HMRC for Gift Aid purposes.
- Vetted service providers (e.g., IT support, payment processors) acting strictly on our instructions.
- Law enforcement or regulatory bodies where required by law or safeguarding obligations.
We ensure that appropriate data-processing agreements or contracts are in place with all third-party processors to guarantee data security.
10. Data Breaches and Complaints
10.1 Breach Procedures
A response plan is in place to manage data breaches. Significant breaches that pose a risk to the rights and freedoms of individuals will be reported to the Information Commissioner's Office (ICO) within 72 hours. We will also notify affected individuals and the Charity Commission where required.
10.2 Complaints
If an individual is dissatisfied with how their data is handled, they should contact the charity in the first instance:
- Address: [Insert Address]
- Email: [Insert Email]
- Phone: [Insert Number]
Individuals also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if they remain unsatisfied.
11. Roles, Governance and Review
- Board of Trustees: Holds overall responsibility for ensuring the charity complies with UK GDPR and the Data Protection Act 2018.
- The Chair: Acts as the designated person overseeing data protection and serves as the primary point of contact for data protection inquiries and Subject Access Requests (SARs).
- Staff and Volunteers: Are responsible for following this policy, attending relevant training, and signing confidentiality agreements.
- Review: This policy will be reviewed annually to ensure it remains compliant with legislation and best practice guidance.
12. Version Control and Approval
Approval Date:
| Document Owner | Date | Next Review Date | Approval Body |
| Hugo Stevenson | | | Board of Trustees |
Version History
| Version | Date | Author | Status | Comment |
| 0.0 | 10.03.2026 | Hugo Stevenson | Pending | Initial version |
- Version control starts at 1.0 once the Policy & Procedure has been approved (please use 0 prior to approval)