Artizan International Data Protection Policy Table of Contents
Artizan International Data Protection Policy............... 1 Definitions................................................................. 2 1. Introduction........................................................... 3 2. Purpose of this Policy........................................... 3 3. To Whom the Policy Applies................................ 3 4. Policy...................................................................... 3 5. GDPR Policy Principles.......................................... 4 5.1 Data Collection & Usage............................... 5 5.2 Data Quality................................................... 7 5.3 Individual’s rights.......................................... 8 5.4 Data Security, Storage and Destruction.... 10 5.5 Staff data held by AI.................................... 12 5.6 External requests for data access.............. 13 6. General staff guidelines on working practices to support the policy and principles.......................... 15 7. Responsibilities................................................... 16 Appendix 1: Accountability and Governance....... 17 Appendix 2: Registration with ICO and Data Protection Fee......................................................... 18 Document History
DefinitionsData Controller: The organisation that determines the scope and purpose of data to be collected, and the means of collection. Data Processing: Any activity involving personal data is included in GDPR, including collection, storage retrieval, organisation and filing, use, replication, dissemination, destruction or deletion. This therefore applies to both paper-based and automated systems. Data Processor: An organisation that processes data on behalf of a Data Controller. Data Protection Impact Assessment (DPIA): a process to identify and minimise the data protection risks. GDPR requires organisations to do a DPIA for any data processing likely to result in a high risk to individuals. This includes some specified types of processing. DPIA replaces the Privacy Impact Assessment (PIA) required in the Data Protection Act. For details of DPIAs, see: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/ ICO: Information Commissioner’s Office. It is the UK's independent body set up to uphold information rights, including responsibility for the enforcement of the Data Protection Act 1998, and the General Data Protection Regulation 2016. Participant(s): Any individual - usually a person with disability - attending AI craft sessions and/or workshops run by Artizan International. Personal Data: Information relating to an identifiable person who can be directly or indirectly identified by an identifier. This therefore includes name, address, email address, telephone and mobile numbers, identifier numbers, location data, bank account details, Pseudonymisation: Processing data in such a way that it can no longer identify an individual without additional information. Staff: Any person paid or unpaid who might be in a position of trust on behalf of Artizan International including director, trustees, employees, session leaders, support workers, employees, volunteers, contractors providing services. Stakeholder: Participants, staff, support workers, donors, supporters, customers, statutory organisations 1. IntroductionThe Data Protection Act 1998 (hereafter referred to as DPA), superseded by the European Union General Data Protection Regulation 2016 (hereafter referred to as GDPR), which applies throughout all EU member states from 25 May 2018, were both introduced to ensure that organisations keep personal data secure, regardless of whether data is stored electronically or on paper or other materials, and use it only for the purposes for which it was given. Individuals enjoy a number of rights regarding the way their personal information is handled, and all organisations must ensure those processing personal data on their behalf understand what they need to do and have access to appropriate support and advice. 2. Purpose of this PolicyTo set out how Artizan International (hereafter referred to as AI) will operate to ensure privacy and protection of personal data, and:
comply with DPA up to May 25 2018, and GDPR thereafter, which set out the law regarding the processing of personal data
follow good practice
protect the rights of staff, participants, customers, partners and stakeholders
be open about how AI stores and processes individuals’ data
protect AI from the risks of a data breach
It should be read in conjunction with the AI Confidentiality Policy which defines the overall approach to information confidentiality within AI. 3. To Whom the Policy AppliesThe Policy applies to all AI Staff, including contractors providing services to AI, and people or organisations working on behalf of AI. AI requires all Staff to comply with this Policy. Failure to do so will be regarded as serious misconduct and will be dealt with in accordance with AI’s disciplinary policy and procedure. 4. PolicyThis AI Data Protection Policy:-
accepts that by the nature of its work, AI processes data which is of a sensitive and personal nature
clarifies AI’s expectations of Staff with regard to the processing of personal data, (personal data means information that relates to a living individual who can be identified from the information: it also includes expressions of opinion and intention)
gives specific details about the type of information that AI keeps about its Staff and Stakeholders and the purposes for which it keeps them
sets out the duration for which data is retained by AI
sets out security measures which Staff must observe to protect data within AI.
In developing this policy:-
In accordance with the GDPR, the Trustees will appoint a Data Protection Officer, a named individual reporting to the Trustees with day-to-day responsibility for ensuring and demonstrating compliance with the GDPR; see section 'Responsibilities' defining the specific responsibilities of the Trustees and the Data Protection Officer.
AI must perform and document a Data Protection Impact Assessment (DPIA), and periodically thereafter, and whenever there is a change in AI's activities, way of working, or technology usage.
5. GDPR Policy PrinciplesThe GDPR requires organisations to manage data according to 6 principles. Personal data must be:
processed lawfully (see GDPR requirements for lawful processing below), fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
GDPR Article 6 states processing shall be lawful only if and to the extent that at least one of the following applies: 1. The data subject has given consent to the processing of his or her personal data for one or more specific purposes; 2. Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract; 3. Processing is necessary for compliance with a legal obligation to which the controller is subject; 4. Processing is necessary in order to protect the vital interests of the data subject or of another natural person; 5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; 6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
AI's Data Protection Policy is designed to comply with these 6 GDPR principles and the requirements of lawful processing in the following 6 areas: 1. Data collection and usage 2. Data quality 3. Individuals’ rights 4. Data security, storage, destruction and retention 5.Staff data held by AI 6.External requests for data access These areas are covered in detail in the following pages.
5.1 Data Collection & Usage Data shall be: Processed lawfully (see previous section) and accurately, and processed only for specified and compatible purposes. Whenever AI collects personal data, (e.g. in induction packs; in staff contracts; when participants fill in forms to join a craft session; volunteers complete an application form; donors provide their contact details), it must be fully transparent and include a Privacy Notice. A Privacy Notice is a public statement of how AI applies data protection principles to processing data. It should be a clear and concise document that is accessible by individuals, and must be:
concise, transparent, intelligible and easily accessible;
written in clear and plain language, that can be easily understood by the recipient; and
free of charge.
The Privacy Notice should address the following to inform the data subject:
who is collecting the data
what data is being collected
the legal basis for processing the data
whether the data be shared with any third parties
how the information be processed
how long the data will be stored
the rights of the data subject (see section 3 below: “Individual’s rights”)
how the data subject can raise a complaint, and to whom (e.g. the Data Protection Officer)
request consent to process the personal data, and requesting explicit consent for Sensitive Personal Data (see next paragraph);
if applicable, to allow the recipient to opt out of future marketing literature and communications
5.1.2 Sensitive Personal Data Certain data is considered to be sensitive, and special rules apply to it. The categories of Sensitive Personal Data were originally defined by the DPA as:
racial or ethnic origin;
religious or philosophical beliefs;
trade union membership;
physical and mental health;
the commission or alleged commission of any offence; and
any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.
To these, the GDPR has added the following:
Sensitive Personal Data should be held separately from other personal data, preferably in a locked drawer or filing cabinet. As with personal data generally, if in electronic format, it should only be kept on laptops or portable devices if the file has been encrypted and/or pseudonymised. Given the purpose of AI, participant and staff application forms may include some of these types of data. To process any Sensitive Personal Data AI must have explicit consent, over and above the general consent that applies to other personal data. AI must be absolutely clear about how the information will be used and ensure that the individual understands what they are consenting to.
5.2 Data QualityThis covers three principles. Data must be: 5.2.1 Accurate and up to date AI must ensure its data is accurate and up to date. In order to comply:
Staff members should inform AI whenever their personal information changes
there should be periodic reviews to check that participant and staff personal data is up-to-date
for other types of data, where practical, periodic reviews should be carried out to identify any mistakes and, where possible, correct them. If not possible to correct, inaccurate records must be removed.
5.2.2 Relevant and not excessive AI only collects personal data that is relevant to its purpose. If it isn't needed, don’t record it. Opinions as well as facts are covered by the DPA. Care should be taken by all Staff to record facts and not opinion. Remember, data subjects can ask to see the information held about them. 5.2.3 Keeping information no longer than necessary Under the GDPR, personal data should not be retained for any longer than necessary. Minimising data retention and having clear procedures in place to determine how and when to dispose of personal data is key to complying with the GDPR. Information (whether paper or computerised) no longer required should be destroyed in accordance with the following retention guidelines: Data Type Retention period
Statutory financial documents 6 years
Banking records 6 years
Fundraising bids 6 years
Public Sector funding bids 8 years (NB. some public sector contracts require retention for longer periods, including employment records related to the contract)
Operational records 6 years
Customer Order Information 3 years (Research shows that customers can often re-purchase after 50 months)
Whole Sale Order Information 3 years (Research shows that customers can often re-purchase after 50 months)
Participant records 6 years after attendance ceases
Employee records 6 years
Volunteer records 6 years
Staff DBS check forms Part B & C 6 months
Unsuccessful Employment or Volunteer applications 6 months
Stakeholder (e.g. Funders, Statutory organisations, donors) records 6 years 5.3 Individual’s rights Data shall be processed in accordance with the rights of the individual whose personal information is being processed. The GDPR provides the following 8 rights for individuals:
5.3.1 The right to be informed Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. AI must provide individuals with information including: the purposes for processing their personal data, the retention periods for that personal data, and who it will be shared with, (called ‘privacy information’), and the details of transfers of the personal data to any third countries or international organisations (where applicable). AI must provide a privacy notice to individuals at the time their personal data is collected. If personal data is obtained from other sources, AI must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month. Privacy information must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language. AI must bring any new uses of an individual’s personal data to their attention before you start the processing.
5.3.2 The right of access At any time, anyone can request to see the personal data AI holds about them (a subject access request). This information may be held on computer, archives, e-mails, or in paper-based files. The request may be verbal or in writing, and AI must respond within 1 month. No charge can be made for providing the data. The request should be forwarded to the Data Protection Officer, who is responsible for dealing with such requests.
5.3.3 The right to rectification The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing, and AI have one calendar month to respond. In certain circumstances AI can refuse a request for rectification, e.g. if the request is manifestly unfounded. This right is closely linked to the data controller’s obligations under the accuracy principle of the GDPR .
5.3.4 The right to erasure The GDPR introduces a right for individuals to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’. So, for example, if an individual gave their permission for their data to be held, and then changes their mind, their data should be deleted if requested. Individuals can make a request for erasure verbally or in writing, and AI has one month to respond to a request. The right is not absolute and only applies in certain circumstances. It does not apply if the data is held to comply with a legal obligation, and other circumstances specified in the GDPR.
5.3.5 The right to restrict processing Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances. When processing is restricted, AI is permitted to store the personal data, but not use it. An individual can make a request for restriction verbally or in writing, and AI has one calendar month to respond to a request.
5.3.6 The right to data portability The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits. The right only applies to information an individual has provided to a data controller, and only applies to data processed by automated means i.e. not to paper files.
5.3.7 The right to object The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing. In other cases where the right to object applies you may be able to continue processing if you can show that you have a compelling reason for doing so. AI must tell individuals about their right to object. An individual can make an objection verbally or in writing, and AI must respond within one calendar month.
5.3.8 Rights in relation to automated decision making and profiling The GDPR has provisions on automated individual decision-making (making a decision solely by automated means without any human involvement); and profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process. The GDPR applies to all automated individual decision-making and profiling. AI does not use automated decision-making or profiling, but if this was to change in the future, this section of the AI Data Protection Policy document would need to be further expanded .
5.4 Data Security, Storage and Destruction This covers the final principle, that data shall be kept secure. The overall design intent is to create a robust operating environment which is secure, enables privacy, transparency and oversight. These operational processes apply equally to both paper-based and electronic record keeping systems, holding Participant records, Staff records, and Stakeholder information:-
paper-based files, held securely within the office; and
electronic, or on-line data processing tools, with access to authorized users only.
Manual records are those containing information about Applicants, Participants and Staff that are not held on computer.
These files do fall within the regulations of the DPA, as they are considered relevant filing systems.
Relevant filing systems are defined as “any set of information relating to individuals to the extent that... the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to an individual is readily accessible”.
When not required, all manual records of personal data must be kept in locked drawers or filing cabinets.
Employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
Copies and data printouts should be shredded and disposed of securely when no longer required.
Files should never be left in unattended vehicles.
Computer systems and records: It is AI's policy that all computers have password-protected screen-savers and these are kept enabled. This also includes volunteers’ equipment used for AI's business and which contains data given to AI.
It is the staff member’s responsibility to safeguard information held on personal computers in the same way as paper files held at home. Such information must be transferred to AI's equipment at the earliest opportunity and deleted from personal equipment.
Any request for data to be emailed must first be appropriately authenticated. Data must not be sent without verification of who is requesting the data and the purpose for which it will be used.
Emailing personal data should be an exception and wherever possible a secure e-mail service must be used.
Personal data sent by e-mail to external addresses that would cause distress, loss or embarrassment if mislaid, wrongly directed or compromised is to be password-protected/encrypted or a secure e-mail service should be used.
Data should be protected by strong passwords that are changed regularly and never shared between employees.
If data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.
Data should only be stored on designated drives and servers, and should only be uploaded to an approved cloud computing services.
Servers containing personal data should [ideally] be sited in a secure location, away from general office space.
Data should be backed up frequently. Those backups should be tested regularly, in line with AI’s standard backup procedures.
Data should never be saved to laptops or other mobile devices like tablets or smart phones.
All servers and computers containing data should be protected by approved security software and a firewall.
5.5 Staff data held by AIThe GDPR regulates the way in which certain information about Staff is held and used. This section gives details about the type of information that AI keeps about its Staff and the purposes for which it keeps them. The security and storage of data has been covered previously. Throughout the period of time as a member of Staff and for as long a period as is necessary after ceasing to be a member of Staff, AI will need to keep information for purposes connected with being a member of Staff. These records may include:
Information gathered about a Staff member and any references obtained during recruitment
Volunteering Agreement / Contract of Employment / Contract for Services (as applicable)
Payroll, tax and National Insurance information (if applicable)
Details of grade and job duties
Absence records, including holiday records and self-certification forms
Details of any disciplinary investigations and proceedings
Emergency contact details
Correspondence with AI.
The information will normally be held for AI management and administrative use only, but from time to time, we may need to disclose some information we hold about Staff to relevant third parties. We may also transfer information to another Group or Organisation, solely for purposes connected with a Staff member’s career or the management of AI’s business. This must be explained when the data is being collected (see 'privacy information' in 'The right to be informed' above), and therefore agreed by the data subject. It should also be noted that AI might hold the following information about a member of Staff for which disclosure to any person will be made only when strictly necessary for the purposes set out below:
a member of staff’s health, for the purposes of compliance with our health and safety and our occupational health obligations;
for the purposes of HR management and administration, for example to consider how a member of Staff’s health affects his or her ability to do their job or workshop activity and, if the Staff member is disabled, whether they require any reasonable adjustment to be made to assist them at work, or participating in any workshop or craft session;
the administration of insurance, pension, sick pay and any other related benefits;
in connection with unspent convictions to enable us to assess suitability to be a member of Staff.
AI may also receive requests for disclosure of information from other organisations, these are covered in the next section.
5.6 External requests for data accessAI may be contacted by third parties in order to access Participant or Staff records. All requests must be forwarded to the Data Protection Officer for action. The Police If data is requested by the police, it must be confirmed that the reason for the request is that they wish to contact a named individual about a named criminal investigation (regardless of whether that individual is a suspect or witness) and that failure to release the data would prejudice the investigation. Most police forces will have their own request form which should always include a statement confirming that the information requested is used for the purposes covered in Section 29 of the DPA, a brief outline of the nature of the investigation, the person’s role in that investigation, and the signature of the investigating officer. This document must be obtained prior to the release of any information. Court Order AI may receive a request for disclosure in the form of a Court Order. Other third parties If AI is approached with a request for information about a member of staff from any other third party the following approach should be taken. AI will supply the member of Staff with all the necessary information so that the member of Staff can make an informed decision as to whether they are willing to let the information be released. Written consent from the member of Staff is required before the information can be released. A record must be kept of who made the request, what information was requested and why. There are instances where AI can proceed without consent and it approaches these requests on a case by case basis. Research purposes Occasionally a company or a funder will wish to use AI's data for research purposes. If Participants and other members of staff have given consent for the use of their data for research purposes through a Privacy Notice, usually data can be released. However, this is not always the case and advice should be sought before data is actually released. Sharing information Data can only be shared with the individual’s consent. However, there are exceptional circumstances where it may be necessary to share information without consent. Examples of these circumstances are where it is not possible to obtain consent beforehand or because it might prejudice the purposes for which the information is being disclosed. Examples are as follows:
the individual is at risk of harm, needs urgent medical treatment, or may harm someone else;
the disclosure prevents an individual committing a criminal offence that could put others at risk or place a member of Staff or any other person at risk of accusations of collusion;
if AI is ordered to provide information as part of legal proceedings;
to protect children, young people or vulnerable adults from abuse.
N.B. this is not an exhaustive list so if in doubt please contact the Data Protection Officer. AI will consider every request on a case by case basis. Collecting data or buying from third parties This refers to situations where AI could, for example, buy-in mailing lists. Confirmation should be obtained that the party providing the information has the consent of the individual to whom the information relates and a request for sight of the Privacy Notice. If this confirmation cannot be obtained the data must not be collected. AI does not sell its data. If, in future, AI intended to share any personal data with other organisations, the Privacy Notice must make this clear, and the data subject must consent to it.
6. General staff guidelines on working practices to support the policy and principles
The only people able to access data covered by this policy should be those who need it for their work.
Data should not be shared informally. When access to personal data is required, employees must request it from their line managers.
AI will provide training to all employees to help them understand their responsibilities when handling data.
Employees should keep all data secure, in accordance with AI policy .
Strong passwords must be used and they should never be shared.
Personal data should not be disclosed to unauthorised people, either within the company or externally.
Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
Employees should request help from their line manager or the Data Protection Officer if they are unsure about any aspect of data protection.
7. ResponsibilitiesEveryone who works for, or with, AI has some responsibility for ensuring data is collected, stored, handled and processed must comply this data protection policy and GDPR data protection principles. However, the following have key areas of responsibility : The Trustees are ultimately collectively responsible for ensuring data security and data privacy compliance with the GDPR, and one named Trustee will have specific responsibility to oversee this. As AI carries out its own DBS checks, the Trustees must appoint a Data Protection Officer, a named individual reporting to the Board with responsibility for ensuring and demonstrating compliance with the GDPR. It is the Trustee’s responsibility to ensure comprehensive but proportionate governance measures, such as carrying out a DPIA every 2 years and designing data privacy and protection into its processing activities. The Trustees should confirm annually that AI meets the criteria for exemption from ICO registration and payment of the annual Data Protection Fee (see Appendix 2). The Data Protection Officer is responsible for:
keeping the Trustees updated about data protection responsibilities, risks and issues;
reviewing data protection procedures and related policies, in line with an agreed schedule;
arranging data protection training and advice for the people covered by this policy;
handling data protection questions from staff and anyone else covered by this policy;
addressing external data protection queries (e.g. from journalists or media outlets);
dealing with subject access requests from individuals to see the data AI holds about them , and any other request covered by the individual's rights relating to the data held on them;
checking and approving contracts or agreements with third parties that may handle the company’s personal data;
ensuring all systems, services and equipment used for storing data meet the required security standards;
carrying out DPIAs periodically and when changes are made to systems or activities;
document records of data processing activities (see Appendix 1)
performing regular checks and scans to ensure security hardware and software is functioning properly;
ensuring any third-party services AI uses to store or process data, e.g. payroll, complies with the GDPR
approving any data protection statements attached to communications such as emails and letters;
ensure marketing initiatives abide by data protection principles.
Data Controllers and Data Processors The GDPR applies to ‘data controllers’ and ‘data processors’ (see definitions). If AI, as data controller, uses other organisations to process data (e.g. payroll) on its behalf, the GDPR places specific legal obligations on the data processor e.g. to maintain records of personal data and processing activities. However, AI, as data controller, is responsible to ensure any contract with a data processor complies with the GDPR.
Appendix 1: Accountability and GovernanceThe GDPR includes provisions that promote accountability and governance which complement the GDPR’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance. Organisations are expected to put into place comprehensive but proportionate governance measures such as DPIAs and data privacy by design (see below). The accountability principle The new accountability principle requires organisations to demonstrate they comply with the principles, and states explicitly that this is their responsibility. To demonstrate that you comply you must:
Implement appropriate technical and organisational measures that ensure compliance. This may include internal data protection policies such as staff training, internal audit of processing activities, and reviews of internal HR policies.
Maintain relevant documentation on processing activities (see below).
Where appropriate, appoint a Data Protection Officer.
Implement measures that meet the principles of data protection by design and data protection by default. Measures could include: data minimisation, pseudonymisation, transparency, allowing individuals to monitor processing, creating and improving security features on an ongoing basis, and using DPIAs when appropriate.
Records of processing activities Article 30 requires organisations to document their data processing activities. AI, as a smaller organisation with less than 250 employees, is only required to maintain records of activities related to higher risk processing such as:-
Processing personal data that could result in a risk to the rights and freedoms of individual; or
Processing of special categories of data or criminal convictions and offences.
Description of the categories of individuals and categories of personal data.
Categories of recipients of personal data.
Details of transfers to third countries including documentation of the transfer mechanism safeguards in place.
Description of technical and organisational security measures.
Appendix 2: Registration with ICO and Data Protection FeeOrganisations are required to register with ICO and pay an annual Data Protection Fee, unless otherwise exempted. AI is exempt from registration and fee, as it currently meets the following conditions (see: https://ico.org.uk/for-organisations/register/faqs): “You do not have to register if organisation was established for not-for-profit making purposes and does not make a profit or if your organisation makes a profit for its own purposes, as long as the profit is not used to enrich others. You must:
only process information necessary to establish or maintain membership or support;
only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it;
only share the information with people and organisations necessary to carry out the organisation’s activities. Important - if individuals give you permission to share their information, this is OK (you can still answer ‘yes’); and
only keep the information while the individual is a member or supporter or as long as necessary for member/supporter administration.”
If at any stage in the future AI should no longer meet the conditions of these exemptions, then it must register and pay the appropriate annual fee. Failure to do so will result in a Civil Monetary Penalty. The Trustees should therefore review annually whether AI still qualifies for exemption.
Document history:Version Date Author Reviewer Summary of Changes Issue Date
0.1 15/05/18 E Waters S Hart First draft 18/05/18
1.1 30/1/20 E Waters
Changed charity name from Craft Aid International to Artizan International, and minor typographical changes.
1.2 18/10/21 S Davis S Hart E Waters Reviewed Policy and additional documents. Updated some retention details