Brixton Community Based Staff and Volunteer Handbook:  GDPR

Purpose 

This handbook explains how Brixton Community Based staff and volunteers must handle personal data lawfully, securely and respectfully, in line with the UK General Data Protection Regulation and the Data Protection Act 2018.

Your Responsibilities 

·       Follow Brixton Community Based’s Data Protection Policy 

·       Understand what data you access and why 

·       Collect and store data securely 

·       Only share data with proper authority 

·       Delete or archive data when no longer needed 

·       Refer any data breaches or requests to the Data Protection Officer

What Counts as Personal Data 

·       Names, addresses and contact details 

·       Medical or accessibility information 

·       Emergency contact information 

·       Participation records for workshops or events 

·       DBS reference numbers 

·       Safeguarding or incident logs

Handling Data Safely 

·       Lock paper records and protect electronic files with secure passwords 

·       Do not leave documents on shared drives or desktops 

·       Shred physical documents when no longer needed 

·       Avoid naming individuals in public or shared updates 

·       Only access information required for your role

Sharing Data 

You may only share personal information: 

·       With staff who need it for service delivery or safeguarding 

·       With external agencies if the individual has given written or verbal consent 

·       Where there is a legal duty to report (such as a safeguarding or police referral)

Never share data: 

·       With friends, family or unauthorised staff 

·       Via personal email or social media 

·       Without knowing who the recipient is


 

Why Data Is Kept 

Brixton Community Based retains personal data to: 

·       Monitor programme participation and outcomes 

·       Meet funder reporting requirements 

·       Support safeguarding and wellbeing 

·       Respond to complaints, legal queries or audits 

·       Manage volunteer training and DBS records

Suggested Data Retention Periods

Data Type

Retention Period

Notes

Emergency contact and medical info

Duration of engagement

Deleted post-programme unless risk-related

Participation records

2 years

For reporting, planning, engagement analysis

Incident logs or safeguarding reports

5 years minimum

Required for legal, safeguarding or insurance audits

DBS reference numbers

Until renewal or departure

No copies of certificates retained

Volunteer applications and interview notes

1 year

Deleted unless applicant joins BCB

 

Accessing Data 

Individuals may request to see data held about them. Requests must be forwarded to the Data Protection Officer and should not be handled personally.

What to Do If Something Goes Wrong 

If you lose a record, send information to the wrong person or see a potential breach, report it immediately. Do not try to hide it or solve it yourself.

Consent and Marketing 

Brixton Community Based only collects data with consent and informs participants how it will be used. Individuals can opt out of communications at any time.

Further Guidance 

You will receive data protection information at induction. You may also be asked to confirm your understanding as part of your volunteer agreement or contract.

Contact for Concerns 

Data Protection Officer: Louise Hay 

Louise@fineart.co.uk

Document Review
Approved by Board of Trustees: July 2025 next review: July 2026