Brixton Community Based GDPR Policy

This policy applies to all staff and volunteers of Brixton Community Based.

Introduction 

The purpose of this policy is to enable Brixton Community Based to comply with the UK General Data Protection Regulation and the Data Protection Act 2018, follow good practice in handling personal data, protect staff, volunteers, clients and other individuals, and safeguard the organisation against data breaches and reputational risk. 

Brixton Community Based recognises its responsibility to uphold the rights of data subjects and to process personal data lawfully, fairly and transparently. Personal data will only be collected when necessary, retained securely and used for specific and legitimate purposes.

Summary of Key Principles 

Personal data must be processed lawfully, fairly and transparently, collected for specified and legitimate purposes, adequate and limited to what is necessary, accurate and kept up to date, retained no longer than necessary, and processed securely.

Brixton Community Based is the Data Controller and all processing is conducted according to these principles.

Definitions 

Personal data refers to any information relating to an identified or identifiable individual.
Special category data includes sensitive personal data such as health, ethnicity, religious belief or sexual orientation.
Processing includes the collection, storage, retrieval, disclosure, erasure and destruction of data. 
A data subject is any individual whose data Brixton Community Based processes. 
The Data Controller is Brixton Community Based. 
A Data Processor is a third party acting on behalf of Brixton Community Based. 
The Data Protection Officer is the person responsible for compliance with data protection.

Responsibilities 

Trustees hold overall accountability for data protection compliance. 

The Data Protection Officer is currently Louise Hay and is responsible for briefing the board, reviewing policies, handling access requests, approving third-party contracts, supporting training and managing any data breaches. 

All staff and volunteers must follow Brixton Community Based’s procedures and accept this policy as part of their role.

Confidentiality 

Data protection aligns with Brixton Community Based’s Confidentiality Policy. Personal data will only be shared with third parties when lawful and with consent unless legal exemptions apply. All staff and volunteers are required to sign a confidentiality declaration at induction.

Security 

Personal data must be stored securely, in locked cabinets or password-protected systems, accessed only by authorised individuals and destroyed securely when no longer needed. Paper records must be shredded when obsolete and screens displaying personal data must be kept confidential.

Data Accuracy and Retention 

Personal data will be corrected when found to be inaccurate and updated promptly. Data will be held in as few locations as necessary. Retention periods will follow Brixton Community Based’s schedule and archived records will be securely stored and reviewed.

Subject Access and Individual Rights 

Under the UK General Data Protection Regulation, individuals have the right to access, rectify or erase their data, to object to processing, and to request restriction or portability. Requests must be made in writing and handled within one calendar month. Identity will be verified before any data is released.

Transparency 

Brixton Community Based ensures data subjects are informed about the purpose of collection, data use, and their rights. Information is provided in privacy notices in client forms, staff terms and volunteer packs.

Consent 

Consent must be freely given, specific and informed. It will be documented and can be withdrawn at any time. Special category data requires explicit consent. Verbal consent may be accepted in specific services if logged. Data subjects may opt out of specific uses, including marketing.

Direct Marketing 

Brixton Community Based uses opt-in procedures and informs individuals how data may be used in marketing. The organisation does not sell or purchase mailing lists.

Training and Awareness 

All staff and volunteers receive data protection guidance at induction and ongoing learning through training and team discussions.

Policy Review 

This policy will be reviewed annually or sooner if legislation changes or a data breach occurs.

Privacy Notice 

The privacy statement is shared with clients when signing up for services or activities and includes details of data collection, use, rights and contact information for the Data Protection Officer. It is available on the Brixton Community Based website and by request.

I have read and understood this policy.

Signed (staff member or volunteer)

Date:

Policy Review
Approved by Board of Trustees: August 2025
Next Review Due: August 2026