top of page

Data Protection Policy 2022


Data Protection Policy


Policy Statement

Play Inclusion Project needs to collect and use personal information about staff, volunteers, children, young people, parents and carers and any other individuals that come into contact with the company.  This personal information must be collected and dealt with appropriately, whether it is collected on paper, stored in a computer database, or recorded on other material and there are safeguards to ensure this under the General Data Protection Regulations (GDPR).


This policy is intended to ensure that personal information is dealt with correctly and securely and in accordance with GDPR, and other related legislation.  It ensures that Play Inclusion Project:


  • Complies with data protection law and follows good practice

  • Protects the rights of staff, volunteers, service users and partners

  • Is open about how it stores and processes individual’s data

  • Protects itself from the risks of a data breach


All staff involved with the collection, processing and disclosure of personal data will be aware of their duties and responsibilities by adhering to these guidelines.


What is Personal Information?


The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. 

This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.

What is sensitive Personal Data?


Sensitive personal data (‘special categories of personal data’ under the General Data Protection Regulation) includes any information that reveals your racial or ethnic origin, religious, political or philosophical beliefs, genetic data, biometric data for the purposes of unique identification, trade union membership, or information about your health/sex life. Generally, we try not to collect or process any sensitive personal information about you, unless authorised by law or where necessary to comply with applicable laws

Data Protection Law


The general data protection regulation (GDPR) is a new EU law that will come into effect on 25 May 2018 to replace the current Data Protection Act. It's the biggest overhaul of data protection legislation for over 25years and will introduce new requirements for how organisations process personal data.


All personal data must be processed lawfully, fairly and in a transparent manner.  It must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.  It must be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.  It must be accurate and, where necessary, kept up to date and kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the data is processed, including protection against unauthorised or unlawful processing.


Data Protection Principles


To comply with the law personal data must be processed according to 6 data protection principles: must be collected and used fairly, stored safely and not disclosed unlawfully.


  1. Personal data shall be processed fairly, lawfully and transparently

  2. Personal data shall be collected only for specific legitimate purposes

  3. Personal data shall be adequate, relevant and limited to what is necessary

  4. Personal data shall be kept accurate and up to date

  5. Personal data processed for any purpose shall not be kept for longer than is necessary 

  6. Personal data shall be kept secure i.e. protected by appropriate security, integrity and confidentiality.

Play Inclusion Project regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.  

Play Inclusion Project will, through appropriate management and strict application of criteria and controls:

  • Observe fully conditions regarding the fair collection and use of information

  • Meet its legal obligations to specify the purposes for which information is used

  • Collect and process appropriate information, and only to the extent that it is needed to fulfill its operational needs or to comply with any legal requirements

  • Ensure the quality of information used

  • Ensure that the rights of people about whom information is held, can be fully exercised under GDPR. These include: 

    • The right to access information we hold about you

    • The right to correct and update the information we hold

    • The right to have your information erased 

    • The right to object to the processing of your data

    • The right to ask us to stop contacting you with direct marketing

    • The right to data portability

    • The right to object to automated decision making

    • The right to complain

  • Take appropriate technical and organisational security measures to safeguard personal information

  • Ensure that personal information is not transferred abroad without suitable safeguards

  • Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information

  • Set out clear procedures for responding to requests for information

Data collection

Under GDPR there are strict rules in place for obtaining consent.  

  • Consent must be freely given, specific, informed and unambiguous

  • A request for consent must be intelligible and in clear plain language

  • Silence, pre-ticked boxes and inactivity no longer suffice as consent

  • Consent can be withdrawn at any time

  • Consent for online services from a child under 13 is only valid with parental consent

  • Organisations must be able to evidence consent

Play Inclusion Project will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, or by completing a form.

When collecting data, Play Inclusion Project will ensure that the individual/service user:

  1. Clearly understands why the information is needed 

  2. Understands what it will be used for and what the consequences are should the individual/service user decide not to give consent to processing

  3. As far as reasonably possible, grants explicit written consent, 

  4. Is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress

  5. Has received sufficient information on why their data is needed and how it will be used


Play Inclusion Project may share data with other agencies such as the local authority, funding bodies and other voluntary agencies.

The individual/service user will be made aware in most circumstances how and with whom their information will be shared.  There are circumstances where the law allows the company to disclose data (including sensitive data) without the data subject’s consent.   

These are:

  1. Carrying out a legal duty or as authorised by the Secretary of State 

  2. Protecting vital interests of an individual/service user or other person

  3. The individual/service user has already made the information public

  4. Conducting any legal proceedings, obtaining legal advice or defending any legal rights  

  5. Monitoring for equal opportunities purposes – i.e. race, disability or religion

  6. Providing a confidential service where the individual/service user’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g. where we would wish to avoid forcing stressed or ill individuals/service users to provide consent signatures.

Data Storage

Information and records relating to individuals/service users will be stored securely and will only be accessible to authorised staff and volunteers.

Information will be stored for only as long as it is needed or required statute and will be disposed of appropriately.

It is the Play Inclusion Project’s responsibility to ensure all personal and company data is non-recoverable from any computer system previously used within the organisation, which has been passed on or sold to a third party.

The following guidelines apply to data that is usually stored electronically but has been printed out for some reason:

  • When not required, paper or files should be kept in a locked drawer or filing cabinet

  • Staff should ensure paper and printouts are not left where unauthorised people could see them e.g. on printers

  • Data printouts should be shredded and disposed of securely when no longer required.

When data is stored electronically it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:

  • Data should be protected by strong passwords which are never shared and changed regularly

  • Data stored on removeable media must be kept locked away when not in use

  • Data should be backed up frequently and backups tested regularly

  • All servers and computers containing data should be protected by approved security and a firewall

Staff Guidelines

  • The only people able to access data covered by this policy should be those who need it for their work

  • Data should not be shared informally.  When access to confidential is required, employees can request it form the Charity Manager.

  • Staff should keep all data secure, by taking sensible precautions and following the guidelines below

  • When working with personal data, staff should ensure their computer screens are always locked when left unattended.

  • In particular; strong passwords should be used and never shared

  • Personal data should not be disclosed to unauthorised people, wither within the company or externally

  • Data should be reviewed regularly and updated, if it is found to be out of date or no longer required it should be deleted and disposed of.

  • Staff should never save copies of personal data to their own personal computers.

  • Staff should request help from the Charity Manager if they are unsure about any aspect of data protection.

Data access and accuracy

The law requires Play Inclusion Project to take reasonable steps to ensure data is kept up to date and accurate.

It is the responsibility of all staff working with personal data to take reasonable steps to ensure it is kept accurate and as up to date as possible.


  • Data will be held in as few places as necessary, staff should not create any unnecessary data sets

  • Data should be updated as inaccuracies are discovered e.g. if a volunteer cannot be reached on their stored telephone number it should be removed from the database

  • Staff should check information held is up to date every 12 months

All individuals who are the subject of personal data held by the company are entitled to:

  • Ask what information is held about them and why

  • Ask how to gain access to it

  • Be informed as to how to keep it up to date

  • Be informed how the company is meeting it’s data protection obligations

In addition, Play Inclusion Project will ensure that:

  • Everyone processing personal information understands that they are contractually responsible for following good data protection practice

  • Everyone processing personal information is appropriately trained to do so

  • Everyone processing personal information is appropriately supervised

  • Anybody wanting to make enquiries about handling personal information knows what to do

  • It deals promptly and courteously with any enquiries about handling personal information

  • It describes clearly how it handles personal information

  • All staff are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the General Data Protection regulations.

bottom of page