Patheway Health CIC

Data Protection Policy

Approved: 05 February 2026  |  Next Review: 05 April 2026

1. Purpose

This policy sets out how Patheway Health CIC collects, uses, stores, and protects personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Scope

This policy applies to all staff, advisory board members, volunteers, contractors, and third parties who process personal data on behalf of the Community Interest Company.

3. Data Protection Principles

We adhere to the UK GDPR principles. Personal data must be:

  • Processed lawfully, fairly, and transparently
  • Collected for specified, explicit, and legitimate purposes
  • Adequate, relevant, and limited to what is necessary
  • Accurate and kept up to date
  • Retained only as long as necessary
  • Processed securely

4. Lawful Bases for Processing

We will only process personal data where there is a lawful basis, including:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

5. Types of Data We Process

We may collect and process:

  • Personal details (name, address, email, phone number)
  • Financial information (donations, Gift Aid details)
  • Volunteer and employee records
  • Sensitive (special category) data where necessary (e.g., health or safeguarding information)

6. How We Use Personal Data

We use personal data to:

  • Deliver community health services
  • Manage staff and volunteers
  • Process donations and Gift Aid
  • Communicate with supporters
  • Meet legal and regulatory obligations

7. Data Subject Rights

Individuals have the right to:

  • Access their personal data
  • Request correction or deletion
  • Restrict or object to processing
  • Exercise their right to data portability
  • Withdraw consent at any time

Requests should be made to: help@pathewayhealthcic.org

8. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Secure storage systems
  • Access controls
  • Encryption where appropriate
  • Staff training on data protection

9. Data Retention

Personal data will only be kept for as long as necessary. A retention schedule will define how long different types of data are stored.

10. Data Sharing

We may share data with:

  • Service providers (e.g., IT, payment processors)
  • Regulators and authorities where required
  • Professional advisers

All third parties must comply with data protection requirements.

11. Data Breaches

Any data breach must be reported immediately to the Data Protection Lead. We will assess and, where required, report breaches to the ICO within 72 hours.

12. Roles and Responsibilities

  • Directors: Overall responsibility for compliance
  • Data Protection Lead: Oversees data protection practices
  • Staff/Volunteers: Must follow this policy and report concerns

13. Training

All staff and volunteers will receive appropriate data protection training.

14. Policy Review

This policy will be reviewed annually or when there are changes in legislation.

Approved by: Patheway Health CIC Board of Directors

Date: 05 February 2026

Next Review Date: 05 April 2026