Call Us 07717 858315

Data Protection Policy

Date Adopted: August 2025

Review Date: July 2026

1. Purpose

To ensure Lighthouse Dementia Support complies with the UK General Data Protection Regulation (UK GDPR) and protects the personal data of all individuals connected to the charity, including beneficiaries, carers, staff, volunteers, and donors.

2. Scope

This policy applies to:

  • Trustees
  • CEO and staff
  • Volunteers
  • Contractors and service providers
  • Anyone handling personal data on behalf of the charity

3. Definitions

  • Personal Data: Any information relating to an identifiable individual (e.g. name, address, health details)
  • Special Category Data: Sensitive data such as health, ethnicity, or religious beliefs
  • Data Subject: The individual whose data is being processed
  • Data Controller: The person responsible for determining how and why personal data is processed
  • Data Processor: Anyone who processes data on behalf of the controller

4. Data Protection Principles

Lighthouse Dementia Support will ensure that personal data is:

  • Processed lawfully, fairly, and transparently 
  • Collected for specified, legitimate purposes 
  • Adequate, relevant, and limited to what is necessary 
  • Accurate and kept up to date 
  • Stored securely and only for as long as necessary 
  • Processed in a way that ensures appropriate security 
  • Not transferred outside the UK without safeguards

5. Lawful Basis for Processing

We will only process personal data where a lawful basis applies, including:

  • Consent (e.g. for newsletters)
  • Contract (e.g. employment agreements)
  • Legal obligation (e.g. safeguarding)
  • Legitimate interests (e.g. service delivery)
  • Vital interests (e.g. medical emergencies)

6. Individual Rights

Data subjects have the right to:

  • Access their personal data
  • Request correction or deletion
  • Object to processing
  • Withdraw consent at any time
  • Lodge a complaint with the ICO
  • Requests must be responded to within one month.

7. Data Security

Personal data will be stored securely (e.g. password-protected files, locked cabinets)

Access will be restricted to authorised personnel

Paper records will be shredded when no longer needed

Devices used for charity work must have up-to-date antivirus and security software

8. Data Breaches

Any suspected breach must be reported immediately to the CEO or designated trustee

Serious breaches will be reported to the Information Commissioner’s Office (ICO) within 72 hours

A breach log will be maintained and reviewed annually

9. Data Sharing and Third Parties

Personal data will not be shared with third parties without consent, unless legally required

Contracts with data processors (e.g. payroll providers) will include GDPR compliance clauses

No data will be transferred outside the UK without appropriate safeguards

10. Training and Awareness

All trustees, staff, and volunteers will receive basic GDPR training

New starters will be briefed during induction

Refresher training will be provided annually or when policies change

11. Retention and Disposal

Personal data will be retained only as long as necessary for its purpose

A Data Retention Schedule will guide disposal timelines

Data will be securely deleted or destroyed when no longer needed

12. Data Controller

The CEO will act as the Data Controller, or a designated trustee if the CEO is unavailable.

13. Policy Review

This policy will be reviewed annually or sooner if regulations change.
 

We need your consent to load the translations

We use a third-party service to translate the website content that may collect data about your activity. Please review the details in the privacy policy and accept the service to view the translations.