Privacy Policy

Privacy information

We, Newlife the Charity for Disabled Children are the ‘controllers’ of the information which we collect about you (‘personal data’). Throughout this notice we will use the term ‘process’ which covers most things that can be done with personal data, including collection, storage and destruction of that data. Being controllers of your personal data, we are responsible for it, and this notice explains why and how we process it, as well as your data rights, including the right to access it and to object to its processing.

We are a registered charity with registration number 1170125 and our contact details are:

Address: Newlife Charity for Disabled Children, Newlife Centre, Hemlock Way, Cannock
Email: [email protected]
Telephone number: 01543 462777

Questions or concerns about how we process personal data should be sent to our Data Protection Officer, Stephen Morgan, who can be contacted on [email protected] or 01543 462777. Extension number 2037.

We hold various categories of personal data for a number of reasons. We collect this data either from you or from third parties who provide it to us. This data can include your contact details, your health information, and information about your requirements. Information about your health is considered to be a ‘special category’ of personal data under data protection law, as is information about racial and ethnic origin, information about religious beliefs, biometric data and genetic data, among others. Data protection law requires that we satisfy additional conditions if we process sensitive personal data.

We are committed to protecting your personal data, whether it is sensitive or not, and we only process data if we need to for a specific purpose, as explained below.

Purposes for which we process personal data

The following table lists the purposes for which we process personal data as well as the legal justification under data protection law which we rely on to process that data. The general purpose is for our charity to be able to continue to deliver its services and achieve its objectives.

Purpose Legal justification
Campaigning – to give children and families a voice. Newlife uses personal information from children we have helped, to demonstrate issues that families face every day. Explicit Consent (special category) – to use children’s/family personal information we will seek consent.
Working with local statutory bodies – We look to work with professionals and relevant health and local authorities when we believe that they have an obligation to provide the child with the equipment that is needed. In many cases, once an authority is aware of the child’s needs they will fund the equipment needed and be aware of the wider needs of the child and family. We share information with local statutory bodies on the basis of pursuing legitimate interests. We believe this to be in the best interests of the child and family to get equipment funded by the authority where appropriate and possible, and allowing Newlife to help more children in need. In so far as the information includes special categories of data (health data), we share this on the basis that it is necessary for the provision of health or social care, and the processing is carried out under the responsibility of health professionals.
Care Services Department
Nurse Helpline – Callers can remain anonymous, or choose to give their name/contact details. The purpose is to give information, support and care to families of disabled and terminally ill children through either phone calls, emails or nurse chat via our website. Explicit consent (special category) – we will verbally ask families, who pass on personal data, that they give permission for Newlife to store the data on a database that is viewed by internal staff only to give Newlife staff the ability to respond to the needs of a child quickly when they arise. Also if the triage team take the call, there is often a need to take information that they can then pass to professional nurses for a call back. Information is processed by nurses for the provision of health or social care.
Legal Obligation – If a safeguarding issue is highlighted then we will pass on concerns to relevant authorities including social workers and child protection teams.

Equipment services – Newlife provides equipment either as a grant or a loan through its many unique services. Equipment has the power to change children’s lives. To provide the equipment, Newlife needs to collect personal/health data to assess the child’s needs and to ensure that appropriate equipment is provided at the pace required. These services include:

  • Equipment Grant Service
  • Emergency Equipment Loan Service
  • Play Therapy Pod Service
  • Comfort Capsule Service

Legitimate Interests – Contact details including addresses are passed to third parties who deliver the equipment on behalf of Newlife to ensure that the families receive the approved equipment they applied for.

Consent – We seek consent for the following:

  • I. For families to receive information about Newlife’s services.
  • II. For a photo of the child to be provided and used to help us demonstrate the impact of Newlife’s services through media and to allow us to thank donors and show them the difference they have made.
  • III. To ask families if they will allow a fundraiser to contact them regarding supporting the charity either through volunteering or fundraising.

Explicit consent (special category) – We seek explicit consent for the following

I. To allow Newlife to pass details to a member of the Media team to contact the family regarding writing an appeal to raise awareness and funds for the equipment required through local and possibly national press.
II. To allow Newlife to pass on personal and some health information to fundraising donors and supporters (anybody who has donated to Newlife) to demonstrate the impact of equipment provision.
III. To allow Newlife staff to contact the family to get feedback on the services and equipment provided.

Legitimate Interest of not for profit body

We share information with local statutory bodies on the basis of pursuing legitimate interests. We believe that in some cases this is in the best interests of the child and family to get equipment funded by the authority.

All data provided will be stored on a secure database, with limited access internally. We will only share this data with other persons externally if we are legally obliged to do so, if we have consent, or to enable us to deliver the equipment requested.

Communications
Website – to demonstrate Newlife’s purpose and impact to supporters, families, donors, stakeholders, volunteers etc.

Explicit consent (special category) – to use children and families personal and health data to demonstrate need (when appealing for fundraising support) and to demonstrate impact.

We seek separate permission from any data subject who is featured on the website.

Social Media – to communicate privately and publically as required. To provide up-to date information to demonstrate Newlife’s impact and purpose.

Legitimate Interests – Newlife requires personal information (including contact details) to respond to any enquiries/requests etc. We will ensure that private messages sent to us via social media are responded to in private.

Explicit Consent – We will seek consent if we want to post on social media regarding any data subject’s personal/health data.

Marketing emails – where individuals have expressed an interest in receiving information about the work of the charity, its services and how to support Newlife, we will email them electronic newsletters and updates where applicable. Consent – We will only email individuals who have given opt-in consent to allow us to send information and updates. Each department will seek verbal or written consent prior to any action taken.
Corporate Services
Managing stock donor relationships – We receive stock from hundreds of stock donors including high street stores, manufacturers, supermarkets, designer labels etc. We co-ordinate stock donations, arrange collection through external transport companies and manage the relationships with the donors sending them updates and we are legally obliged to send them annually a ‘duty of care’ letter.

Legal – we are legally obliged to process data that enables us to send the ‘duty of care’ letter annually to report on how we have used the stock they have donated. We store company data on our stock relationship database.

Contract – we contact and store data that relates to the collection and management of stock in line with the donor requirements.
Consent – we will seek consent if we are publicising the relationship with the donor in any external publication, website, and correspondence.

Facilities
Health & Safety & Risk assessments – When a member of the public, member of staff or volunteer are involved in an accident we will complete an accident form (or near miss form if applicable) to collect relevant data. We will also complete risk assessments for above categories when required (e.g. pregnancy, health issues raised through a doctors fit-note/return to work etc.)

Legal – we are required to complete an accident form/near miss form when an incident occurs. We are required if the incident is serious to contact the Health Safety Executive (HSE) and RIDDOR.

Explicit Consent – we will seek consent from the individual to obtain a fit note where appropriate and to facilitate the right working conditions and/or return to work. This data will only be processed by the People team and Facilities team who complete Health & Safety assessments and the relevant manager.

CCTV – We have CCTV for security purposes within our stores. Signs are up within all stores explaining their purpose. Legal – we only store CCTV images for 28 days. We share these with the police when requested to do so or if a criminal act has occurred within any of our stores.
Contracts – We set-up a number of service contracts to provide services to Newlife including cleaning, Gas/electric, post, waste disposal, gardening/window cleaning services, deliveries of stock and supplies. We have a designated contact for each and set-up a contract to manage what is expected Legitimate Interest – It is in Newlife’s and the contractors best interests to have a direct contact for each contractor. We will add in conditions to the contracts to ensure that all contractors are GDPR compliant where they are processing data as part of the contract.
Finance

Banking and tracking of income

We bank and track all income that is donated or raised on behalf of Newlife. This includes online giving, giving through third parties (such as Just Giving) and all donations received either by hand, by post, or direct to our bank account. We track all donations received via internal spreadsheets and ensure all restricted income is used for the purpose intended. We input all donors onto SAGE database and if relevant onto Raisers Edge, a fundraising relationship database.

Legal – we have a duty to ensure all financial records are available to audit purposes annually. We also are legally obliged to retain all financial records for at least six years in case of inspection by HMRC.

Managing expenditure and invoices

We track all expenditure that is spent on behalf of Newlife. We have an internal control system (including use of purchase orders) to authorise payment. We also have a ‘four eyes’ approach for senior management to authorise cheques/online payments. All expenditure is logged on SAGE database.

Legal – we have a duty to ensure all financial records are available to audit purposes annually. We also are legally obliged to retain all financial records for at least six years in case of inspection by HMRC.

Payroll and Any Other Expenditure (AOEs)

While it is the People Team who co-ordinate payroll with an external payroll facilitator, on the amount to be paid, finance are securely emailed the report from the facilitator and then upload this for online payment which is signed off by executive team members.

Legal – we have a duty to ensure all financial records are available to audit purposes annually. We are also legally obliged to retain all financial records for at least six years in case of inspection by HMRC.
Fundraising
Donor Acquisition – all those who express an interest to support Newlife.

We manage all data related to individuals who are interested in how they can help Newlife through fundraising (offers of support). These are logged on our fundraising relationship database; Raisers Edge. All events, sponsorship forms, and fundraising activity information and data are manged within the Fundraising department and stored on Raisers Edge. Once funds are raised or donated these are banked, tracked through internal spreadsheets and databases.
Consent – we won’t contact the donor/fundraiser to give them more information about the work of Newlife without their consent. To allow us to process expressions of interest to support Newlife, we do store data on our fundraising relationship database, Raisers Edge.

Donor Retention – all those who have raised funds or donated to Newlife.

We do notify all donors/fundraisers to let them know we have received their funds and if they are restricted we comply with legislation that states we need to inform them where their restricted donations have been spent. We log all donors’ data on our fundraising relationship database.

Legal – we have a duty to ensure all financial records are available to audit purposes annually. We are also legally obliged to retain all financial records for at least six years in case of inspection by HMRC. We will not process data outside of this requirement without the consent of the data subject. To allow us to process donations/funds raised and ongoing support for Newlife we do store data on our fundraising relationship database, Raisers Edge.

Consent – we won’t contact the donor/fundraiser to give them more information about the work of Newlife without their consent.

Newlife Local – This can be found on our main website at www.newlifecharity.co.uk/local. The map on the website breaks down data into 104 counties with each county having their own page giving figures and examples of the local need. Included could be family stories of children who have been helped and appeals to help raise funding for children in need. We also include ‘fundraising heroes’ stories which highlight the efforts of local people in the county in raising funds for disabled and terminally ill children. Finally we include any press coverage for the county within the page.

We do notify all donors/fundraisers to let them know we have received their funds and if they are restricted we comply with legislation that states we need to inform them where their restricted donations have been spent. We log all donors’ data on our fundraising relationship database.

Explicit Consent – we will not feature any family stories/appeals for funds without the explicit consent from the child or family. Consent is required from the family via our equipment applications forms before the Media team can speak to a family. Consent is then also sought by the media team to feature the story.

Consent – we will not feature personal data from any individual who has donated or raised funds for Newlife without theirconsent. This will be sought from the Fundraising team.

Governance/Compliance and Administration
Incoming/outgoing post – We receive and send out mail daily. Mail sent in is opened securely within an open office environment and date stamped before being processed and sent to the relevant individual/department.

Legitimate Interests – we process the mail that is sent to us and it is opened securely and is then forwarded to the intended recipient only.

All sent mail, is collected directly by Royal Mail.

Governance/Compliance and Administration
Trustees personal details – We receive, process and store personal details of our trustees including contact details and biographical information so that we can contact where appropriate and share information when it is pertinent to do so.

Legitimate Interests – we need to process details of all mentioned to arrange meetings, send papers/information and contact when required.

Consent – we will not share personal data with others without the consent of the data subject unless there is a legal obligation or duty.

Correspondence from any data subject including complaints, requests, or any matter related to a data subject’s rights.
A data subject has rights in relation to how we process and store their personal data. Any requests or complaints in reference to the above will be processed in line with Newlife’s data protection policy.

We also receive complaints or requests for information that do not relate to the processing of data, but our day to day activity as a charitable incorporated organisation.

Legal – we have a duty to ensure that the rights of a data subject are met and to ensure that we are in all cases fairly and lawfully processing data. We also have a legal duty to investigate all complaints that relate to an unlawful activity.

Legitimate Interests – if we receive requests for information or a complaint we will look to either meet the request or investigate the complaint in line with our complaints procedure. This is in the interests of the data subject

Surveys – To ensure that Newlife is providing an exceptional service and that the equipment provided continues to meet the needs of the disabled child and their family, we look to contact some families via phone or email once the equipment has been provided to get feedback and ask questions related to their experiences and views on issues facing their child and family. This is usually done within six months of the equipment being provided. Explicit consent – we will only contact the family to complete the survey if they have given us consent to do so. This is done through the equipment application forms.
I.T
Emails – While emails are assigned to personal individual users, the I.T team has access to all accounts. They routinely check to ensure these have not been compromised/hacked and to maintain where necessary. Contract – Employees are required to ensure I.T can access and service email accounts as and when required
Infrastructure – To facilitate and support the day to day running of the organisation, the I.T team can access information relating to all processing of data referred to within this privacy notice. Legal obligation/duty under data protection legislation to ensure security – to ensure that data is not hacked or accidentally or deliberately lost/deleted/misused the I.T team support the processing of all data
Media Team

To contact data subjects

We do ask those who benefit from our services, including families of disabled children and medical researchers whether they would be happy to speak to a member of our Media team.

We can also ask other data subjects affiliated with Newlife if they are willing to speak to the Media team, including; volunteers, fundraisers, customers, stock donors and staff.

Consent/Explicit consent – our Media team will not contact data subjects regarding potential press activity without the consent of the data subject. This will be sought by the department that the data subject has given data to.

To share personal details with press.

Explicit Consent – we will not share personal details with press for a media story or other purpose without the consent of the data subject.
Medical Research
Contact details of researchers – We process and store email addresses of those researchers who want to be emailed details of our research application process each year. This information is not shared with any other party. Consent – we only email details to researchers using email addresses provided after consent has been given by the data subject.
Research application process – Newlife funds medical research as part of our charitable aims. Our Research grants look into what is causing and what could prevent devastating birth defects from occurring and ultimately aims to fund research that can provide treatments. Researchers can apply for funding through our application process, our full grants (up to £120k) are peer reviewed and then authorised by trustees. Our start-up grants (up to £15k) are reviewed and authorised by our Medical Director and another trustee. Contract – To process any application, we need personal details of the applicant, including contact details and a C.V. This is processed by our Research Administration team, our Medical Director and then forwarded to the Medical Panel and trustees for decisions on which applications to fund. We would not share this data with anyone else without the consent of the data subject unless there is a legal obligation or duty.
Medical Panel – Our Medical Panel evaluate and score the full research grant applications received for each year. We store personal data including contacts for each member of the panel to enable us to contact them and pay any travel expenses necessary. Consent – we store data on the agreement of each panel member. We will not share this with anyone else without the consent of the data subject unless there is a legal obligation or duty.
People Team
Candidates/Employees/ex-employees
-We receive applications for vacant posts within the charity. These are scored against a matrix and interviewed before a decision is made on the successful candidate. The employee’s personal data is then processed and stored within a secure database. Any unsuccessful candidate’s personal data is deleted after six months of a decision being made.
Contract – For candidates/employees, we need to collect personal data to facilitate decision making, to contact the candidate or employee and to ensure a level of service is provided (e.g. all medical requirements are met).
Volunteers
We receive application forms for volunteer posts within the charity. These are reviewed and interviews are done by the volunteer manager and/or the People team before an appointment is made. Volunteer’s personal data is secured on a secure database.
Legitimate Interests. Newlife requires personal details to facilitate volunteering. Volunteering for Newlife is beneficial for those who agree to volunteer and it helps Newlife too.
Candidates/Employees/ex-employees
-We receive applications for vacant posts within the charity. These are scored against a matrix and interviewed before a decision is made on the successful candidate. The employee’s personal data is then processed and stored within a secure database. Any unsuccessful candidate’s personal data is deleted after six months of a decision being made.
Contract – For candidates/employees, we need to collect personal data to facilitate decision making, to contact the candidate or employee and to ensure a level of service is provided (e.g. all medical requirements are met).
Payroll
Newlife uses a third party payroll specialist to manage our payroll. All timesheets are inputted onto a secure database and sent securely to our payroll provider. After they have completed payroll the details are sent securely to our Finance team who administer payment via BACs once checked and authorised.

Contract – To ensure that staff are paid in line with their contract, we need personal data on where payment should be directed to.

Legitimate Interests – we share data with our third party payroll provider to ensure an efficient process for all our staff

Legal – we have a duty to ensure all financial records are available for audit purposes. We are also legally obliged to retain all financial records for at least six years in case of inspection by HMRC. We will not process data outside of this requirement.

Pension
Newlife uses a third party pension specialist to manage pensions for staff who have opted in.
Consent – staff are given the option to opt-in to a work based pension. If they opt-in a deduction is made from their four-weekly salary and Newlife as an organisation also make a four-weekly contribution. Pension Information is emailed to the Newlife People team from our payroll provider. This data is processed and stored in Newlife’s pension file on our server and then uploaded to our external pension provider; Peoples Pension.
Medical cash plan
Newlife provides a health cash benefit through a medical cash plan to selected staff based on banding and long service.
Consent – Staff complete a form which is emailed by the People team to Medicash. Once enrolled any claims are managed by Medicash. The employee will liaise directly with them.
Attachment of Earnings (AOEs) –
Newlife is approached by external organisations such as councils and housing associations to deduct mortgage or rent payments directly from an individual’s salary.
Consent – These payments are only ever authorised and deducted after consent has been given by the member of staff.
Retail
Customer membership
Customer membership is voluntary in all stores except for the Cannock Superstore (which is mandatory due to the conditions of the Superstore lease). We require some personal data to set-up a new membership and the new member is presented with a card which is presented when they purchase items at the till.

Contract (for Cannock Superstore only) – To shop in the Superstore it is a condition of the lease of the property that all customers have to be a member. Therefore all customers sign up to receive a Style Card which requires some personal data. This is renewed annually and costs £2 per person each year. The customer presents their Style Card at the tills every time they want to make a purchase. If customers want to be informed about special events being held then they give consent verbally when becoming a member and is recorded on the EPOS database. This allows the Newlife Marketing team to contact them. Members can unsubscribe from emails and change preferences if they wish.

Consent – For all other stores, it is not compulsory to have a Style Card to shop in the stores. Customers who choose to have a style card provide personal data so that we can contact them to make them aware of special events held within each store. Each customer pays £2 for each Style Card and this is renewed annually.

Accidents –
When a member of the public, member of staff or volunteer are involved in an accident we will complete an accident form (or near miss form if applicable) to collect relevant data.
Legal – we are required to complete an accident form/near miss form when an incident occurs. We are required if the incident is serious to contact the Health Safety Executive (HSE) and RIDDOR.
Online sales –

Newlife has an eBay account to sell some items.
Legitimate Interests – To send the items for delivery, we require customer postal details.
Warehouse

 

 

 

Delivery of Play Therapy Pods (on behalf of Care Services Team)

To deliver Play Therapy Pods to families with disabled children, the Warehouse team arrange deliveries with external couriers. These deliveries are recorded on a Google live sheet which is shared with external couriers. Once the delivery has been made the data is taken off/no longer visible to the courier.
Legitimate Interests – to enable Newlife to provide the service requested by the family we need to share personal data with third party couriers to deliver the equipment.

Some personal data which we process is required for us to be able to enter into or perform a contract with you. This has been specified above. If we do not process that information we would not be able to provide the services that Newlife offers.

The list above is not necessarily exhaustive and there may be other purposes for which we collect and use your data. We will inform you about such additional purposes when we collect the data or soon after if we collect it from a third party.

The following is a list of the personal data which we receive from third parties.

Data Source
We receive personal data and Health data from Professionals who support equipment grant or loan applications. This comes in via our equipment grant and loan application forms or via phone calls with professionals to facilitate the application process.
Equipment suppliers and professionals assess the specific piece of equipment needed and provide Newlife with a quote. This comes in via email, phone or by the post to facilitate the application process
Attachment of Earnings (AoE’s) from local councils etc.… Newlife is approached by external organisations such as councils and housing associations to deduct mortgage or rent payments directly from an individual’s salary. We only do this with the consent of the individual.

Recipient of personal data which we process

We may, on occasion, share personal data with third parties. These can be contractors acting on our behalf, or separate data controllers in which case we will only share the data if we are permitted to do so by law.

Recipients Personal data we may share
Pay Academy Pay Academy are our third party pay providers. They process our payroll for us so receive financial data, names and contact details. They ensure a smooth and efficient process occurs for our staff.
Medicash – Medical cash plans. Newlife provides a benefit to employees in the form of a medical cash plan. Initial employee contact details are provided and the employee then registers and providers personal data with our provider.
People’s Pension. Newlife uses a third party pension specialist to manage pensions for staff who have opted in. People’s Pension are our third party pension providers. We share financial data, contact details of the individual to facilitate an efficient service
The Detective Agency manages/hosts the Newlife website When data subjects give consent to provide personal data that they agree can go on our website, we share this data to facilitate this process.
EPOS systems provide the equipment and back systems for our customer membership and tills within all stores The Names and contact details provided by our customers are stored on the EPOS systems.
Specialist Disability Equipment providers Newlife uses specialist equipment providers to provide the equipment needed by disabled and terminally ill children. These providers receive personal data sent by a family to Newlife, so they can ensure the child receives the right piece of equipment and then deliver the equipment. They require contact details, health information and addresses to provide this service.
We look to work with professionals and relevant health and local authorities when we believe that they have an obligation to provide the child with the equipment that is needed. We can share information with local statutory bodies on the basis of pursuing legitimate interests. We believe this to be in the best interests of the child and family to get equipment funded by their authority.
RIDDOR/HSE If a serious accident occurs on any sites which we operate in, we have a legal duty to report this.
Cross Products. Newlife uses a third party to create and manage our internal databases which hold personal data. Our provider accesses, repairs and develops our databases when required. Personal data is only viewed when required to facilitate the above.

Transfers of personal data outside the European Union

We endeavour to only store personal data in and transfer it to jurisdictions where it will afforded an adequate level of protection or when we are able to provide appropriate safeguards and ensure that your rights as a data subject can be enforced.

Some jurisdictions are considered by the European Commission to afford an adequate level of protection in which case no additional safeguards need to be put in place for the data to be transferred there.

Records Retention Schedule

Retention Policy Statement

The retention schedule complies with statutory, legal and governance best practice requirements. Newlife endeavours not to keep data longer than is necessary. Data that is no longer required is deleted including both hard data and electronic data. The retention schedule is reviewed across the organisation annual, and updated as required.

tr>Emergency Equipment Loan Order Confirmation formElectronic/paper7 yearstr>Play Therapy Pod Application formElectronic/paper7 years

Department Name of Document Medium Maximum Retention Perio Notes
Care Services Nurse Service contact form Electronic/paper 7 years Industry guidelines recommend that all data
Nurse Helpline Triage form Electronic/paper 7 years related to Health records should be kept for 7 years
Equipment Grant application form Electronic/paper 7 years
Photo Electronic/paper 7 years
Equipment Grant assessment and scoring form Electronic/paper 7 years
Equipment Grant Offer Letter Electronic/paper 7 years
Supplier Ordering form Electronic/paper 7 years
Emergency Equipment Loan application form Electronic/paper 7 years
Emergency Equipment Loan Interview sheet Electronic/paper 7 years
Emergency Equipment Loan verbal agreement Electronic/paper 7 years
Emergency Equipment Loan Authorisation form Electronic/paper 7 years
Emergency Equipment Loan Equipment agreement form Electronic/paper 7 years
Play Therapy Pod Offer Letter Electronic/paper 7 years
Play Therapy Pod Authorisation form Electronic/paper 7 years
Campaigns Letters/Briefings to MP’s/Clinical Commissioning Groups/Local Authorities and schools Electronic/paper 7 years Industry guidelines recommend that all data
Confidential Intervention records Electronic/paper 7 years related to Health records should be kept for 7 years
Multi Agency Safeguarding Hub referrals Electronic/paper 7 years related to Health records should be kept for 7 years
Database Records Electronic/paper 7 years
Medical Research All Medical Research application forms Electronic/paper Successful applicants for 7 years, unsuccessful applicants for 6 months
All C.Vs for Research applicants Electronic/paper Successful applicants for 7 years, unsuccessful applicants for 6 months
List of all emails who want to receive research information Electronic/paper Consent is given by individual and retained for length of period agreed by researcher
Medical Panel scoring record Electronic/paper 3 years
Summary sheet of all applications received for Medical Panel Electronic/paper 3 years
Start-up research grant approval forms Electronic/paper 7 years
All Medical Research Offer letters Electronic/paper 7 years
Acceptance/decline forms for all grants Electronic/paper 7 years
All queries for each research grant Electronic/paper 7 years
Database records for each research grant Electronic/paper 7 years
Fundraising Direct Donation forms (cash/cheque Electronic/paper 7 years We are legally obliged to keep financial records/VAT forms for at least 6 years
Retrospective Donation forms (via bank) Electronic/paper 7 years We are legally obliged to keep financial records/VAT forms for at least 6 years
Online Donation forms Electronic/paper 7 years We are legally obliged to keep financial records/VAT forms for at least 6 years
Donor Stewardship letters Electronic/paper 7 years
Grand draw raffle tickets Electronic/paper 7 years We are legally obliged to keep financial records/VAT forms for at least 6 year
Sponsor forms Electronic/paper 7 years We are legally obliged to keep financial records/VAT forms for at least 6 year
Material order forms Electronic/paper 7 years
Online express emails Electronic/paper 7 years
‘Don’t be a stranger’ Opt- in forms Electronic/paper 7 years
Donor records on Raisers Edge relationship database Electronic/paper 7 years We are legally obliged to keep financial records/VAT forms for at least 6 years
Consent forms for events and volunteering Electronic/paper 7 years
Communications and Marketing Customer Surveys Electronic/paper 3years
Staff images Electronic/paper Length of employment
Marketing data on those who opt-in to regular contact Electronic/paper Consent is given by individual and retained for length of period agreed by data subject
Images and data for website Electronic/paper Consent is given by individual and retained for length of period agreed by data subject
Facilities Drivers Licence/passport information of staff Electronic/paper Length of employment
CCTV images Electronic 28 days
Accident and Investigation forms Electronic/paper 7 years Industry guidelines recommend that all data
Near-miss and dangerous incident forms Electronic/paper 7 years
Any RIDDOR/HSE referrals Paper

7 years
Finance Direct Donation forms (cash/cheque Electronic/paper 7 years We are legally obliged to keep financial records/VAT forms for at least 6 years
Retrospective Donation forms (via bank) Electronic/paper 7 years
Online Donation forms Electronic 7 years
Expense forms Electronic/paper 7 years
Business mile claim forms Electronic/paper 7 years
Private mile declaration forms Electronic/paper 7 years
BACS request and confirmation forms Electronic 7 years
New supplier forms Electronic/paper 7 years
Monthly Credit Card Statements Electronic/paper 7 years
Audit reports and minutes Electronic/paper 10 years Meetings and resolutions involving board of directors/trustees should be kept for 10 years
Governance & administration Complaints log Electronic/paper 3 years
Medical Directors Contract Electronic/paper 3 years
Family Surveys Electronic/paper 3 years
Medical Panel details Electronic Updated annually
Trustee information Electronic Length of trustee service
All Data subject request forms Electronic 3 years
Visitor logs and non-disclosure forms Electronic 3 years
Post books Paper 3 years
Trustee minutes Electronic/paper 10 years Meetings and resolutions involving board of directors/trustees should be kept for 10 years
Media team Photos of disabled children/families Electronic/paper 10 years Consent is given by individual and retained for length of period agreed by data subject
Press releases with family stories sent to journalists Electronic/paper 10 years Consent is given by individual and retained for length of period agreed by data subject
Family stories to feed into donor reports Electronic/paper 10 years Consent is given by individual and retained for length of period agreed by data subject
Feature articles sent to Journalists Electronic/paper 10 years Consent is given by individual and retained for length of period agreed by data subject
People Team Application forms for potential employees and volunteers Electronic/paper 6 years Legally obliged to keep employment contracts for 6 years after leaving
Interview notes Electronic/paper 6 years for successful candidates 6 Months if not successful
New Starter forms Electronic/paper 6 years of leaving
P45 forms Electronic/paper 6 years of leaving
Induction paperwork Electronic/paper 6 years of leaving
Required information forms Electronic/paper 6 years of leaving
Pension Opt-in forms/letters Electronic/paper 6 years of leaving
Car permits Electronic/paper 6 years of leaving
Offer of employment letters Electronic/paper 6 years of leaving
Photocopy of Passport Electronic/paper 6 years of leaving
Staff I.D photo Electronic/paper 6 years of leaving
Medicash benefit forms Electronic/paper 6 years of leaving
Policy agreement forms Electronic/paper 6 years of leaving
Probation reviews Electronic/paper 6 years of leaving
Absence request forms Electronic/paper 6 years of leaving
Training request and verification forms Electronic/paper 6 years of leaving
Disciplinary actions Electronic/paper Upon expiry
Investigations, file notes and Grievances Electronic/paper 6 years of leaving
Personality Profiling results Electronic/paper 6 years of leaving
References Electronic/paper 6 years of leaving
Doctors notes Electronic/paper 6 years of leaving
Change of details forms for staff & volunteers Electronic/paper 6 years of leaving
General correspondence Electronic/paper 6 years of leaving
Certificates and awards Electronic/paper 6 years of leaving
Volunteer enquiry forms Electronic/paper 6 years of leaving
Volunteer agreements Electronic/paper 6 years of leaving
People Team database entries Electronic/paper 6 years of leaving
Corporate Services Duty of Care statements Electronic/paper 3 years
Duty of Care Letters Electronic/paper 3 years
Interim reports Duty of Care statements Electronic/paper 3 years
Thank you letters Duty of Care statements Electronic/paper 3 years
Confidential Corporate Contact forms Electronic/paper 3 years
Supplier Control Database Electronic/paper 3 years of no longer supporting Newlife
Contact details of donors and potential donors Electronic/paper Consent is given by individual and retained for length of period agreed by data subject
Sales Customer details including contact information. This only applies to style card members. Electronic/paper Consent is given by individual and retained for length of period agreed by data subject
Corporate Services Duty of Care statements Electronic/paper 3 years
EBay customer information Electronic/paper 7 years We are legally obliged to keep financial records/VAT forms for at least 6 years
Corporate Services Duty of Care statements Electronic/paper 3 years

We are required by law not to process personal data for longer than is necessary for the purpose for which we process it. Some retention periods are based on legal requirements while others take into account practical needs to keep the data.

Once the applicable retention period expires, unless we are legally required to retain the data or there are important and justifiable reasons why we should keep it, we will securely delete the data.

Your rights

Under data protection law you are afforded various rights as a data subject. These include the right to:

    • access your personal data which we hold;
    • request us to rectify inaccurate data or, in some cases depending on the purpose of the processing, data which is outdated or incomplete;
    • in certain cases, such as when the data is no longer required or its processing can no longer be justified, require us to erase your personal data;
    • restrict the processing of your data;
    • object to certain data processing, such as data processing for marketing purposes or when the data processing is based on legitimate or public interests and we do not have compelling legitimate grounds to continue the processing;
    • Data portability, which means that if we process data by automated means and on the basis of your consent or contractual necessity, you can obtain a copy of your data in a commonly used electronic form.

      There are various conditions and limitations which apply to the above rights and not all of them may apply in all circumstances. For example, if we need to process your personal data to perform a contract with you, you may not ask us to delete that data.

      You also have a right to withdraw consent, at any time, when we process data on the basis of your consent, in which case we will cease to process that data. However, this does not affect the validity of anything which we would have done before you withdraw consent.

      More information about your rights can be obtained from our Data Protection Officer who can be contacted on [email protected]co.uk or 01543 462777. Extension number 2037. Please contact our Data Protection Officer if you wish to exercise your rights.

      You may lodge a complaint with the Information Commissioner’s Office on https://ico.org.uk.