Data Protection Policy
This policy is based on the following legislation and guidance:
- General Data Protection Regulation (UK GDPR) 2018
- Data Protection Act 2018
- Education Act 2002 (ss175 and 157)
- Children Act 2004 (s10(2))
- Education (Pupil Information) (England) Regulations 2005 (Regulation 5)
Aims
Natural Networks aims to ensure that all personal data collected about staff, volunteers, participants, and visitors is collected, stored, and processed in accordance with UK GDPR and the Data Protection Act 2018. This policy applies to all personal data, whether in paper or electronic format.
Definitions
Personal Data – Any information relating to an identified or identifiable individual, e.g., name, ID number, location data, online identifiers, physical, genetic, mental, economic, cultural, or social factors.
Special Categories of Personal Data – Sensitive data requiring additional protection, e.g., racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetics, biometrics, health, sex life, sexual orientation.
Processing – Any operation performed on personal data, e.g., collecting, recording, storing, retrieving, using, sharing, erasing.
Data Subject – The individual whose personal data is held or processed.
Data Controller – Natural Networks, which determines purposes and means of processing personal data.
Data Processor – A person or body (other than an employee) who processes personal data on behalf of the data controller.
Personal Data Breach – Any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
Roles and Responsibilities
This policy applies to all staff, volunteers, freelance practitioners, and external organisations working on behalf of Natural Networks. Non-compliance may result in disciplinary action.
Data Protection Officer (DPO)
The DPO is responsible for:
- Implementing this policy
- Monitoring compliance with data protection law
- Developing related policies and guidelines
For training courses, the lead trainer will act as the DPO.
All Staff and Volunteers
Staff and volunteers are responsible for:
- Collecting, storing, and processing personal data in accordance with this policy
- Informing the organisation of any changes to their personal data
- Contacting the DPO for:
  - Questions about this policy or GDPR
  - Guidance on lawful bases for processing
  - Assistance with consent, privacy notices, data subject rights, or international transfers
  - Reporting suspected or actual data breaches
  - Any new activities impacting individual privacy
Data Protection Principles
Personal data must be:
- Processed lawfully, fairly, and transparently
- Collected for specified, explicit, and legitimate purposes
- Adequate, relevant, and limited to what is necessary
- Accurate and kept up to date
- Kept no longer than necessary (see Retention below)
- Processed securely, protecting against unauthorised access, loss, or damage
Collecting Personal Data
Natural Networks will only process personal data where one of the following lawful bases applies:
- To fulfil a contract or steps prior to a contract
- To comply with a legal obligation
- To protect vital interests
- For legitimate interests (where rights of individuals are not overridden)
- With freely given, informed, and specific consent
Consent – Consent for children under 13 must be obtained from a parent or legal guardian. All consent will be documented and can be withdrawn at any time.
Sharing Personal Data
Data will only be shared when:
- There is a safety risk to staff, volunteers, or participants
- Necessary to liaise with other agencies (with consent if required)
- Required by law, e.g., law enforcement, safeguarding, tax, or legal proceedings
Third-Party Processors – Any external organisation handling data on behalf of Natural Networks must have a written contract ensuring GDPR compliance.
International Transfers – Any transfer of personal data outside the UK will comply with UK GDPR requirements, including standard contractual clauses or equivalent safeguards.
Retention of Records
Personal data will be retained only as long as necessary for the purpose it was collected. Retention periods will be determined for each type of data:
- Staff and volunteer records: 6 years after leaving
- Participant records: 6 years after participation (or longer if required by law)
- Photographs/videos: up to 3 years unless consent specifies otherwise
- Accident/incident reports: 25 years (safeguarding requirements)
Subject Access Requests and Data Subject Rights
Individuals have rights under UK GDPR, including:
- Accessing their personal data (SAR)
- Rectification of inaccurate data
- Erasure (right to be forgotten)
- Restriction of processing
- Objection to processing
- Data portability
- Withdrawal of consent at any time
SARs must be submitted in writing to the DPO, stating the requester's name, contact details, and the information requested. Staff must forward all SARs immediately to the DPO.
Data Protection Impact Assessments (DPIA)
High-risk processing (e.g., children’s data, online systems, video recording) will be subject to a DPIA to assess and mitigate risks to individuals’ privacy.
Photographs and Videos
Written consent will be obtained before using images/videos for communications or marketing. Intended use will be clearly explained.
Data Security and Storage
Natural Networks will protect personal data by:
- Locking paper records and portable devices
- Using strong passwords and encryption for electronic devices
- Ensuring confidential materials are not exposed
- Monitoring third-party processors’ security compliance
Personal Data Breaches
Any suspected or actual data breach must be reported to the DPO immediately.
- Breaches posing risk to individuals will be reported to the Information Commissioner’s Office (ICO) within 72 hours.
- Affected individuals will be informed where there is a high risk to their rights.
Disposal of Records
Data no longer needed or inaccurate will be securely destroyed:
- Paper: shredded or incinerated
- Electronic: securely deleted or overwritten
Third-party disposal services must comply with GDPR.
Training and Accountability
All staff, volunteers, and freelance practitioners will receive GDPR training relevant to their role. Compliance with this policy will be monitored and reviewed regularly.
Review Date
This policy will be reviewed on 01/01/2027.
