top of page

General Data Protection Regulation (GDPR)

The Data Protection Act

The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government.

The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR) and everyone responsible for using personal data has to follow strict rules called "data protection principles".

 

This policy describes how this data must be collected, handled and stored to comply with the General Data Protection Regulations (GDPR). This data protection policy ensures that Legacy Youth Care Limited (LYC):

  • Protects the rights of its members and supporters

  • Complies with data protection law and follows good practice

  • Is open about how it stores and processes individual’s data

  • Protects itself from a data breach

Data Protection Law

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals in the European Union and describes how organisations must collect, handle and store personal information. These rules apply whether data is stored electronically, on paper and on other material. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully. Legacy Youth Care Limited p (LYC) recognises and understands that the consequences of failure to comply with the requirements of GDPR may result in:

  • Criminal and civil action

  • Fines and damages

  • Personal accountability and liability

  • Loss of confidence in the integrity of LYC’s systems and procedures

  • Irreparable damage to LYC’s reputation

LYC may also consider taking action where members do not comply with GDPR.

Roles and Responsibilities 

This policy applies to all members or anyone involved in the activities of LYC.

This policy applies to all personal and sensitive data processed on computers, stored in paper files and on other material. This can include:

  • Names of individuals

  • Email addresses

  • Telephone numbers

  • Any other personal information relating to individuals

Legacy Youth Care Limited (LYC) is the Data Controller and will determine what data is collected and how it is used. The LYC's Committee, are responsible for the secure, fair and transparent collection of and use of data by LYC. Any questions relating to the collection or use of data should be directed to the Data Protection Officer. Everyone who has access to data as part of LYC has a responsibility to ensure that they adhere to this policy.

 

Data Protection Principles

a) We fairly and lawfully process personal data in a transparent way.

Legacy Youth Care Limited (LYC) will only collect data where lawful and where it is necessary for the legitimate purposes of the group.​​ 

Lawful basis for processing this date: Consent (see ‘How we get consent’).

a) We only collect and use personal data for specific, explicit and legitimate purposes and will only use the data for those specified purposes. When collecting data, LYC will always provide a clear and specific privacy statement explaining to the subject why the data is required and what it will be used for.

b) We ensure any data collected is relevant and not excessive.

Legacy Youth Care Limited (LYC) will not collect and store more data than the minimum information required for its intended purpose. LYC needs to collect telephone numbers and email addresses from site members in order to be able to contact them with replies.

c) We ensure data is accurate and up-to-date

LYC will ask members to check and update their data on an annual basis. Any individual will be able to update their data at any point by contacting the site administrator on website@thebettermeantgroup.com.

d) We ensure data is not kept longer than necessary

Legacy Youth Care Limited (LYC) will keep records for no longer than is necessary in order to meet the intended use for which it was gathered (unless there is a legal requirement to keep records for a longer period).

The storage and intended use of data will be reviewed in line with LYC’s Data Protection and Retention Policy. When the intended use is no longer applicable (e.g. contact details for a member who has left the group) the data will be deleted within a reasonable period unless the member has consented to their contact details being retained for the purpose of informing them of future LYC news.

f) We keep personal data secure

  • Legacy Youth Care Limited (LYC) will ensure that data it holds is kept secure

  • Electronically held data will be held within a password-protected and secure environment. Passwords for electronic data files will be re-set each time an individual with data access leaves their role / position

  • Physically-held data will be stored securely

  • Access to data will only be given to relevant committee members where it is clearly necessary for the running of the group.  The Data Protection Officer will decide in what situations this is applicable.

Individuals’ Rights

Where Legacy Youth Care Limited (LYC) collects, holds and uses an individual’s personal data, that individual has the following rights over that data. LYC will ensure its data processes comply with those rights and will make all reasonable efforts to fulfil requests from an individual in relation to those rights.

Right to be informed: whenever Legacy Youth Care Limited (LYC) collects data it will provide a clear and specific privacy statement explaining why it is being collected and how it will be used.

Right of access: individuals can request to see the data LYC holds on them and confirmation of how it is being used. Requests should be made in writing to the Data Protection Officer and will be complied with within one month. Where requests are complex or numerous this may be extended to two months.

Right of rectification: individuals can request that their data be updated where it is inaccurate or incomplete. Any requests for data to be updated will be processed within one month.

Right to object: individuals can object to their data being used for a particular purpose. LYC will always provide a way for an individual to withdraw consent in all marketing communications. Where LYC receives a request to stop using data, LYC will comply unless it has a lawful reason to use the data for legitimate interests or contractual obligation.

Right to erasure: individuals can request for all data held on them to be deleted. The LYC Data Retention Policy  will ensure data is not held for longer than is reasonably necessary in relation to the purpose it was originally collected. If a request for deletion is made, LYC will comply with the request unless there is a lawful reason to keep and use the date for legitimate interests or there is a legal requirement to keep the data.

Right to restrict processing: individuals can request that their personal data be "restricted" – that is, retained and stored but not processed further (e.g. if they have contested the accuracy of any of their data, LYC will restrict their data while it is verified).

Unauthorised Contact

Personal data is never shared on any pages of Legacy Youth Care Limited and anyone doing this will be in breach of GDPR and the Data Protection Act 2018.

How we get consent

Legacy Youth Care Limited (LYC) may collect data from consenting supporters for marketing purposes (e.g. to promote activities and events). Any time data is collected for this purpose, LYC will provide:

  • A method for users to show their positive and active consent to receive these communications (e.g. a "tick box")

  • A clear and specific explanation of what the data will be used for (e.g. "Tick this box if you would like LYC to send you email updates with details of new events").

Data collected will only ever be used in the way described and consented to (e.g. LYC will not give out email data to third parties). Every communication will contain a method through which the recipient can withdraw their consent (e.g. an "Unsubscribe" link in an email).  Opt-out requests such as this will be processed in 14 days.

 

*   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   

Data Retention Policy

Introduction

This policy sets out how Legacy Youth Care Limited (LYC) will approach data retention and establishes processes to ensure LYC does not hold data for longer than in necessary. It forms part of LYC’s Data Protection Policy.

Regular Data Review

A regular review of all data will take place to establish if LYC still has good reason to keep and use the data held at the time of the review.  As a general rule a data review will be held every 2 years.

Data to be reviewed

  • Data on digital documents (e.g. spreadsheets, databases) stored on personal devices held by committee members

  • Data stored on third part online services (e.g. Dropbox, Facebook groups)

  • Physical data stored at the homes of committee members.

Who the review will be conducted by

The review will be conducted by the Data Protection Officer with other committee members to be decided upon at the time of the review.

How data will be deleted

  • Physical data will be destroyed safely and securely, including shredding.

  • All reasonable and practical efforts will be made to remove data stored digitally.

    • Priority will be given to any instances where data is stored in active lists (e.g. where it could be used) and to sensitive data.

    • Where deleting the data would mean deleting other data that Legacy Youth Care Limited (LYC) has a valid lawful reason to keep (e.g. on old emails) then the data may be retained safely and securely but not used.

 

Statutory requirements

Data stored by Legacy Youth Care Limited may be retained based on statutory requirements for storing data other than on data protection regulations.  This might include but is not limited to:

  • Records of email communications

  • Employment enquiry

  • Communications sent via "Contact us" page.

Other Data Retention Procedures: personal data

  • When a person leaves Legacy Youth Care Limited (LYC) and all administrative tasks relating to their connection with the LYC have been completed, any potentially sensitive data held on them will be deleted

  • Unless consent has been given, data will be removed from all email mailing lists

  • All other data will be stored safely and securely and reviewed as part of the next two-year review.

Mailing list data

  • If an individual opts out of a mailing list their data will be removed as soon as is practically possible

  • All other data will be stored safely and securely and reviewed as part of the next two-year review.

Your rights

Under the Data Protection Act 2018, you have the right to find out what information the government and other organisations store about you. These include the right to:

  • be informed about how your data is being used

  • access personal data

  • have incorrect data updated

  • have data erased

  • stop or restrict the processing of your data

  • data portability (allowing you to get and reuse your data for different services)

  • object to how your data is processed in certain circumstances

You also have rights when an organisation is using your personal data for:

  • automated decision-making processes (without human involvement)

  • profiling, for example to predict your behaviour or interests.

bottom of page