Data Protection Policy
PEEK is committed to protecting and respecting the personal data of our team members and of the children, young people and families we work with. PEEK complies fully with the requirements of the Data Protection Act 2018 and the EU General Data Protection Regulation (“GDPR”).
This policy sets out how PEEK handles the personal data of our participants and families, team members, board trustees, volunteers, stakeholders, funders, and other third parties.
Protecting the confidentiality of personal data is a critical responsibility that we take seriously at all times. If PEEK fails to comply with the relevant data protection law, then we may be subject to substantial sanctions, including potential fines of up to 4% of annual turnover, as well as significant reputational damage.
This policy applies to all team members, including temporary and sessional team members, volunteers and trustees. All should read, understand and comply with this policy. This policy sets out what PEEK expects from you to ensure that PEEK complies with the relevant data protection legislation. Any breach of this policy may result in disciplinary action.
If you require further information about this policy, please contact us.
-
The data protection principles set out the main responsibilities which apply to PEEK when processing personal data in compliance with GDPR. These principles are:
Fairness/transparency – PEEK only uses or stores personal data in a fair, lawful and transparent manner;
Purpose limitation – PEEK only processes personal data for specific, stated purposes;
Data minimisation – PEEK only collects and processes necessary personal data;
Accuracy – PEEK ensures personal data is accurate and up to date;
Storage limitation – PEEK only retains/stores personal data for as long as is necessary;
Integrity and confidentiality – PEEK keeps personal data secure at all times.
-
PEEK processes a range of personal data. The categories of personal data can be summarised as follows:
Participant and family details
Team members details
Volunteers including board members
Stakeholders, i.e. partner organisations, schools, etc.
Funders
-
When PEEK processes personal data, we must do so on the basis of one of the lawful grounds set out in the GDPR. The lawful bases we rely on are set out in our Privacy Policy.
Whenever PEEK processes personal data, it must be clear which legal basis is being relied on. All new data processing activities should be subject to a data protection impact assessment.
-
PEEK does not share your personal information with any third parties unless there is a legal requirement to do so. Where appropriate, PEEK will notify the relevant person(s) if data has been shared.
-
PEEK only retains personal data for so long as it is necessary in connection with the purposes for which it was collected and in line with the Records Retention Policy.
-
Under the GDPR, individuals have the right to make the following types of request regarding the personal data we have about them:
Right of access (subject access requests) – the right to request a copy of the personal data PEEK holds concerning an individual, together with supporting information explaining how the personal data is used.
Right of rectification – the right to request that PEEK rectify inaccurate personal data concerning an individual.
Right of erasure (right to be forgotten) – the right to request that PEEK erase all personal data concerning an individual.
Right to restrict processing – the right, in some situations, to request that PEEK does not use personal data the individual has provided (e.g. if they believe it to be inaccurate).
Right to object – the right to object to certain processing of their personal data (unless PEEK has overriding compelling legitimate grounds to continue processing) and the right to object to direct marketing.
Rights relating to automated decision making – the right to object to, or opt out of, automated decision making that significantly affects an individual.
Right to data portability – the right, in some situations, to request that PEEK port an individual’s data to the individual or to a new provider in a machine-readable format.
In certain circumstances, PEEK will be exempt from responding to certain requests.
Where you receive a communication from any individual which seeks to exercise any rights in relation to personal data, you must immediately notify Emma Hill, Head of Operations, and follow their instructions.
-
PEEK has a duty to report data breaches to the Information Commissioner’s Office and, in certain circumstances, to the affected individuals as well. This policy sets out how we will respond to data and cyber breaches. It applies in any situation where there is an actual, potential or suspected data breach.
-
A data breach occurs where there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Examples of a breach involving the loss of personal data include the loss of a PEEK laptop containing personal information and the loss of paper copies of personal data.
-
If you think a personal data breach has occurred or is likely to occur, you must act immediately: contact the Head of Operations and notify your line manager. This should be treated as a priority. An email with the details of the potential breach should be sent, followed by a telephone call to ensure the email has been read and acknowledged.
The email should include the following details, to the extent you know them:
Details of the actual, potential or suspected breach and how it occurred or may occur
If a breach has occurred, the time and date that the breach was discovered and whether the incident is ongoing
The types of data breached, e.g. participant details, staff details
The number of individuals the information relates to
What steps have been taken, or are proposed, to address the breach or potential breach
Under no circumstances should you delay reporting the breach because you do not yet have all of the information.
-
The Head of Operations will make an initial determination of whether or not there has been a data breach after considering the facts provided. If it is likely there has been a breach, the Head of Operations will notify the Chief Executive and they will coordinate an investigation.
The investigation should include the following:
When did the breach occur?
What is the nature of the breach?
What is the source of the breach?
What categories and numbers of individuals and data records are subject to the breach?
What are the likely consequences of the breach?
What is the severity of the potential impact of the breach on the individuals concerned?
What steps can be put in place to mitigate the impact and stop any further breaches?
Any investigation should be completed within 24 hours.
A written record should be kept of the investigation even if the incident is not a breach.
-
PEEK should notify the ICO once it is aware of a data breach that is likely to result in a risk to the rights and freedoms of individuals. This should be done within 72 hours of discovering the breach and is the responsibility of the Head of Operations.
-
PEEK should notify individuals once it is aware of a data breach that is likely to result in a high risk to their rights and freedoms.
This should be done following any investigation and is likely to take place over the phone, face to face or via letter.
-
PEEK will maintain documentation of all personal data breaches, including decisions taken during the investigation.
-
If you have questions regarding this policy, please contact PEEK’s designated Data Protection Officer – the Head of Operations.
-
This policy may be changed from time to time and you will be notified. The policy will be reviewed annually.
Appendix 1
Data Protection Breach
Practical Steps
Do contact the Head of Operations with any data protection/privacy concerns, issues or queries.
Do not ignore correspondence from individuals which relates to, or which may relate to personal data.
Do notify the Head of Operations immediately if a communication is identified as being a request to exercise data protection rights.
Do remain vigilant and check whether personal data is being stored securely. ALL Child Protection paperwork should be placed in a sealed envelope and passed to the Child Protection Officer (Head of People and Programmes).
Do not copy data or store personal data outside of the PEEK systems unless this is strictly necessary.
Do ensure any portable hardware you use for work purposes is password protected and its contents are encrypted.
Do ensure personal data sent via your PEEK email, or otherwise, is protected.
Do ensure any personal data extracted from the systems and stored locally is stored securely and subject to password protection and encryption.
Do not discuss confidential matters or details about particular individuals unless this is necessary for the purpose of your role.
Do remain vigilant and notify your line manager on discovery of anything suspicious or unusual in the way PEEK’s systems are functioning.
Do not ignore any incidents/suspected incidents.
Do implement the processes set out in the data breach policy.
Do not store PEEK participants’ personal data in personal folders unless strictly necessary.
Do regularly delete personal data from your personal folders; if you are unsure what can be deleted, contact the Head of Operations.
Do check that PEEK forms are FULLY completed by parents/carers before they are input to the systems.
Do inform the Head of Operations if any of your own personal data is out of date or inaccurate.
Do ensure all PEEK paperwork taken off site is securely stored in lockable (padlock or coded) boxes/rucksacks.