Data protection

Contents

  1. Principles

  2. Responsibility

  3. Data storage

  4. Communications

  5. Consent

  6. Data cleansing and maintenance

1. Principles

CA Plus only uses data in the achievement of our charitable objectives. We hold data for organisations and also personal data for individuals. In practice this involves maintaining data that is required in the delivery of services and support to client organisations. Data is also maintained whilst potential clients are considering using our services. Some individuals provide personal data, for example their email address, if they wish to go on our contact list.

CA Plus fully supports the basic principles of data protection:

  • Personal data shall be processed fairly and lawfully.

  • Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

  • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

  • Personal data shall be accurate and, where necessary, kept up to date.

  • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

  • Personal data shall be processed in accordance with the rights of data subjects under the UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018.

  • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

  • Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

2. Responsibility

Responsibility for this policy and its implementation rests with the Chief Executive. CA Plus is not required to appoint a Data Protection Officer.

All staff, volunteers and trustees are expected to act with appropriate care and attention and comply with the procedures and general principles of this policy.

3. Data storage

The following list is not exhaustive and circumstances may arise where processes and procedures are not explicit. A degree of common sense is expected, and where necessary, this policy can be amended at any time by the Trustees.

CiviCRM

This is the main system for storing client data. It is an online system, with access restricted to CA Plus staff via username and password protection and our technical support provider Circle Interactive. Circle Interactive ensures data is backed up and stored securely under our service contract.

Physical files

Physical files relating to CA Plus staff are kept in a locked filing cabinet within our offices. The key is held by the Payroll Manager. Current physical client payroll files are stored in the payroll office. No physical files containing personal data shall be taken off site without the client’s consent.

Other client files (e.g. accounts) do not usually contain any personal data. Any data held whilst working on the file, e.g. bank statements or payroll information, is shredded once the work is completed.

Digital files

Microsoft Office 365

All client organisations have a unique data folder within the Office 365 system. These digital files are stored online, where a username and password are required, with access restricted to CA Plus staff and, when required, our IT support provider.

CA Plus personnel files are also within Office 365 with access restricted to the Payroll Manager and CEO.

With remote access facilities and using Office 365, it is rare that any personal data needs to be taken off site in digital form. Client files for accounts, working papers, backups of client accounting records etc. may occasionally be stored temporarily on data sticks. Any data stick used for this purpose will be password protected.

Sage

For payroll clients, data is stored within Sage payroll software, where a username and password are required. Each client has a separate company file which will contain personal data. Access is restricted to CA Plus staff and, when required, our IT support provider and Sage support staff. These files are backed up online and to a server located in the CA Plus office.

Digita by Thomson Reuters

For accounts production, some personal data may be stored in Digita, e.g. names and addresses of client trustees. Each client has a separate company file which will contain personal data. Access is restricted to CA Plus staff. These files are backed up to a server within the CA Plus office. Thomson Reuters have provided a commitment under GDPR. This is saved in the CA Plus policies and procedures folder alongside this policy.

QuickBooks by Intuit

Many clients use this system. Data files are not held by CA Plus but by Intuit, who provide the software. Our own accounting records are in QuickBooks and do contain names, addresses, email addresses and phone numbers of clients and suppliers. Access to the QuickBooks file is restricted to CA Plus staff.

Intuit have provided a commitment under GDPR. This is saved in the CA Plus policies and procedures folder alongside this policy.

Office access

Access to our own offices is controlled by secure doors and is restricted to CA Plus staff, invited visitors and the NCVS premises and cleaning staff.

No visitors shall be left unattended in the two main office areas.

4. Communications

Clients sending data to CA Plus are responsible for the security of their own data until it reaches the control of CA Plus.

The only personal data sent externally by CA Plus is payroll information, e.g. payslips. This is usually done using our secure encryption email service. This also allows clients to reply to these emails, thus encrypting their own data transfers.

Clients may request that payroll information (payslips) is sent by post rather than email.

Communication with clients will be either:

  • In delivery of services.

  • In response to a request for information, e.g. about potential services.

  • As part of a general mailing for which the individual has subscribed.

5. Consent

Personal data is only held for two reasons:
1. The data is required in order to deliver the service that the client has requested.
2. The data is stored automatically in CiviCRM if the individual has signed up for our regular newsletter.

Individuals may unsubscribe at any time, and an unsubscribe link is included on all bulk emails.

No personal data will be shared with anyone outside of CA Plus, unless required by a relevant statutory authority or under our reporting obligations, for example to the Charity Commission.

The CA Plus Privacy Policy is on our website and available to clients on request.

All service agreements contain clauses on confidentiality and data management.

6. Data cleansing and maintenance

All staff have a responsibility to ensure that the data maintained on the systems they use is accurate.

On CiviCRM, if a staff member is alerted to a change, e.g. a new phone number, they are to ensure it is entered. The CSC continually monitors CiviCRM to ensure data integrity.

At least once a year, all individual contacts on CiviCRM will be asked via a web form to confirm the accuracy of data we hold and their communication preferences.

Archived physical files stored offsite are destroyed after 6 years. Digital files of ex-clients, within Sage or Office 365, are not deleted.