Data Protection Policy
Data Protection Policy Legislation
This policy is based on the following legislation and guidance:
- General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, applicable from 25 May 2018 and retained in UK law as the UK GDPR
- Data Protection Act 2018
- Education Act 2002 (ss175 and 157)
- Children Act 2004 (s10 (2))
- Education (Pupil Information) (England) Regulations 2005 (Regulation 5)
Aims
Natural Networks aims to ensure that all personal data collected about staff, volunteers, participants, and visitors is collected, stored, and processed in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018). This policy applies to all personal data, whether in paper or electronic format.
Definitions
Personal Data
Any information relating to an identified or identifiable individual. This may include:
- Name (including initials)
- Identification number
- Location data
- Online identifier (e.g., username)
- Physical, physiological, genetic, mental, economic, cultural, or social identity factors.
Special Categories of Personal Data
More sensitive personal data requiring additional protection, including information about an individual’s:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetics
- Biometrics (e.g., fingerprints, retina/iris patterns)
- Health (physical or mental)
- Sex life or sexual orientation
Processing
Any operation performed on personal data, such as collecting, recording, organising, storing, adapting, retrieving, using, disseminating, erasing, or destroying. Processing can be automated or manual.
Data Subject
The identified or identifiable individual whose personal data is held or processed.
Data Controller
Natural Networks, as the organisation that determines the purposes and means of processing personal data.
Data Processor
A person or body (other than an employee of the data controller) who processes personal data on behalf of the data controller.
Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data. Where a breach is likely to result in a risk to individuals' rights and freedoms, the data controller must notify the Information Commissioner's Office without undue delay and, where feasible, within 72 hours of becoming aware of it, which is why all suspected breaches must reach the DPO immediately.
Roles and Responsibilities
This policy applies to all staff, volunteers, and external organisations or individuals working on behalf of Natural Networks. Non-compliance with this policy may result in disciplinary action.
Data Protection Officer (DPO)
The DPO is responsible for:
- Overseeing the implementation of this policy.
- Monitoring compliance with data protection law.
- Developing related policies and guidelines.
For training courses, the lead trainer will act as the DPO.
All Staff and Volunteers
Staff and volunteers are responsible for:
- Collecting, storing, and processing personal data in accordance with this policy.
- Informing the organisation of any changes to their personal data (e.g., change of address).
- Contacting the DPO in the following circumstances:
  - Questions about data protection law or this policy.
  - Concerns about compliance with this policy.
  - Uncertainty about lawful bases for processing personal data.
  - Assistance with consent, privacy notices, data subject rights, or international data transfers.
  - Suspected or actual data breaches.
  - New activities that may impact individuals' privacy rights.
  - Contracts or sharing personal data with third parties.
Data Protection Principles
The GDPR is based on the following principles. Personal data must be:
- Processed lawfully, fairly, and transparently.
- Collected for specified, explicit, and legitimate purposes, and not further processed in a way incompatible with those purposes.
- Adequate, relevant, and limited to what is necessary.
- Accurate and, where necessary, kept up to date.
- Kept in a form that identifies individuals for no longer than necessary.
- Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
Natural Networks, as data controller, is also responsible for demonstrating compliance with these principles (the accountability principle).
Collecting Personal Data
Natural Networks will only process personal data where one of the following lawful bases applies:
- To fulfil a contract with the individual or take steps at their request before entering into a contract.
- To comply with a legal obligation.
- To protect the vital interests of the individual (e.g., to save a life).
- For the legitimate interests of Natural Networks or a third party (provided the individual’s rights and freedoms are not overridden).
- With the individual's freely given, specific, informed, and unambiguous consent, which the individual may withdraw at any time.
Special categories of personal data (see Definitions) will only be processed where, in addition to one of the lawful bases above, a separate condition for processing special category data applies (for example, explicit consent, or processing necessary for safeguarding or to protect someone's vital interests).
Sharing Personal Data
Natural Networks will not normally share personal data with third parties but may do so where:
- There is a safety risk to staff, volunteers, or others.
- Necessary to liaise with other agencies (with consent, where required).
Personal data may also be shared with law enforcement, government bodies, and other organisations where the law requires or permits it, including for:
- Crime prevention or detection.
- Apprehension or prosecution of offenders.
- Tax assessment or collection.
- Legal proceedings.
- Safeguarding obligations.
- Research and statistical purposes (with anonymised data or consent).
Subject Access Requests and Individual Rights
Individuals have the right to make a subject access request (SAR) to:
- Confirm whether their personal data is being processed.
- Access a copy of their data.
- Obtain details about the purposes of processing, categories of data, recipients, storage periods, and sources of data.
- Be informed about any automated decision-making and its consequences.
SARs should preferably be submitted in writing (by letter or email) to the DPO and include:
- Name of the individual.
- Correspondence address.
- Contact number and email address.
- Details of the information requested.
A request made verbally or through another channel is still a valid SAR; staff must immediately forward any SAR, however it is received, to the DPO. Before releasing any data, the DPO will verify the identity of the person making the request, since a SAR can be used to obtain someone else's personal data by impersonation. The DPO will respond without undue delay and in any event within one month of receipt; this period may be extended by up to two further months for complex or numerous requests, provided the individual is told of the extension within the first month.
In addition to access, individuals have the right to have inaccurate data rectified, to have data erased or its processing restricted in certain circumstances, to data portability, to object to processing, and not to be subject to decisions based solely on automated processing that significantly affect them. Requests exercising any of these rights must also be forwarded to the DPO.
Photographs and Videos
As part of its activities, Natural Networks may take photographs or record videos of individuals. Written consent will be obtained before using such materials for communication, marketing, or promotional purposes. The intended use of the photographs or videos will be clearly explained.
Data Security and Storage
Natural Networks will protect personal data from unauthorised access, alteration, processing, disclosure, loss, or damage. Measures include:
- Keeping paper-based records and portable electronic devices (e.g., laptops, external hard drives) under lock and key when not in use.
- Ensuring confidential papers are not left exposed, and locking or logging out of devices when they are left unattended.
- Using strong passwords (at least 8 characters, including letters and numbers; longer passphrases are preferable) that are not shared or reused across accounts, and enabling multi-factor authentication where the service supports it.
- Encrypting portable devices and removable media (e.g., full-disk encryption on laptops, encrypted USB drives), so that loss or theft of the device does not expose the data on it.
Disposal of Records
Personal data that is no longer needed or is inaccurate will be securely disposed of. Paper records will be shredded or incinerated. Electronic files will be securely overwritten, or the storage media physically destroyed, rather than simply deleted: ordinary deletion (including emptying the recycle bin) leaves the data recoverable until it is overwritten. For devices that were fully encrypted, securely erasing the encryption key is an acceptable alternative, because the remaining data cannot be read without it. Third-party disposal services may be used, provided they comply with data protection laws and supply a certificate of destruction.
Review Date
This policy will be reviewed on 01/01/2027.
