Data Protection
Responsible handling of personal data and sensitive information.
This policy explains how HEADTURNED Foundation approaches personal data, confidentiality, information security, and information governance as part of its wider commitment to trust and accountability.
Purpose and scope
Data protection is part of the Foundation’s responsibility to handle information with care.
This policy sets out how HEADTURNED Foundation approaches personal data, confidential information, information security, and responsible information governance.
It applies to trustees, staff, volunteers, contractors, advisers, partners, suppliers, and anyone acting on behalf of the Foundation who may access, handle, store, share, or make decisions about personal data or confidential information.
This policy supports, but does not replace, the public Privacy Policy. The Privacy Policy explains to website users how personal information is collected and used.
Related documents
Data protection sits alongside the wider legal, privacy, governance, and policy framework.
- Privacy Policy: explains how personal information is collected, used, stored, and protected on the public website.
- Cookie Policy: explains how cookies and similar technologies are used on the website.
- Governance: explains how the Foundation approaches stewardship, oversight, and responsible decision-making.
- Policies Overview: brings together the trust, compliance, and governance policies that support the Foundation website.
Definitions
Clear information governance starts with clear definitions.
- Personal data: information relating to an identified or identifiable person.
- Special category data: more sensitive personal information, such as health information, racial or ethnic origin, religious beliefs, biometric data, or other protected categories under applicable law.
- Data subject: the person whose personal data is being processed.
- Processing: any action involving personal data, including collecting, storing, viewing, using, sharing, changing, deleting, or archiving it.
- Confidential information: information that is not public and should be protected because of its sensitivity, purpose, legal status, commercial relevance, safeguarding relevance, or trust implications.
Principles and lawful basis
Personal data should be processed lawfully, fairly, transparently, and securely.
The Foundation aims to comply with applicable data protection law and to apply recognised data protection principles in a proportionate way. In particular:
- personal data should be processed lawfully, fairly, and transparently;
- information should be collected for specified, explicit, and legitimate purposes;
- collection should be limited to what is necessary for the relevant purpose;
- information should be accurate and kept up to date where appropriate;
- information should be kept only for as long as reasonably necessary;
- information should be handled with appropriate security; and
- processing should be supported by an appropriate lawful basis.
Roles and responsibilities
Everyone handling information on behalf of the Foundation must take care.
Trustees have overall responsibility for ensuring that appropriate data protection and information governance arrangements are in place. Day-to-day responsibilities may be delegated to an appropriate lead, adviser, or operational contact as the Foundation develops.
Anyone handling information is expected to:
- follow this policy and any related procedures;
- collect and use personal data only where necessary and appropriate;
- protect information from accidental loss, unauthorised access, misuse, alteration, or disclosure;
- use secure systems, devices, passwords, and access controls;
- report suspected data breaches, security incidents, or information governance concerns promptly; and
- treat sensitive, safeguarding, partnership, financial, legal, and personal information with appropriate confidentiality.
Collection and use
Personal data should only be collected and used where there is a clear purpose.
The Foundation may collect and use personal data for purposes such as responding to enquiries, managing contact forms, handling donations or contributions, managing collaboration enquiries, supporting safeguarding or complaints processes, administering events, or meeting legal and governance duties.
For each purpose, we aim to:
- identify an appropriate lawful basis;
- provide clear information through privacy notices or relevant communications;
- collect only what is genuinely needed;
- restrict access to people or providers who reasonably need it;
- keep information secure and avoid unnecessary duplication; and
- review whether the information is still needed over time.
Retention and security
Information should be retained only where needed and protected throughout its lifecycle.
Personal data should be kept only for as long as reasonably necessary for the purpose it was collected, including to meet legal, accounting, safeguarding, governance, reporting, dispute-resolution, or operational requirements.
Where practical, key categories of information should have appropriate retention periods. Information that is no longer needed should be securely deleted, anonymised, archived, or otherwise handled in line with applicable requirements.
Security measures may include access controls, password protection, secure devices, controlled sharing, encryption or pseudonymisation where appropriate, supplier checks, limited permissions, and secure handling of confidential records.
Sharing and suppliers
Information should only be shared where necessary, lawful, and proportionate.
The Foundation may share personal data or confidential information with trusted third parties where this is lawful and necessary. These may include:
- payment providers, banking providers, and donation processing services;
- website, hosting, security, analytics, form, and email providers;
- professional advisers, including legal, accounting, compliance, insurance, technical, or safeguarding advisers;
- regulators, statutory bodies, law enforcement, courts, or competent authorities where required or permitted by law; and
- delivery partners or operational providers where necessary for a specific project, event, process, or service.
Where service providers process personal data for us, we aim to ensure appropriate safeguards, contracts, security expectations, and data handling requirements are in place.
Breaches and rights
Data incidents and rights requests should be handled promptly and responsibly.
A data breach is a security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Suspected breaches, security incidents, unauthorised access, loss of devices, misdirected messages, or inappropriate data sharing should be reported promptly to the appropriate lead or responsible contact.
People whose data we hold may have rights to access, correct, delete, restrict, object to, or receive a copy of certain personal information, depending on the circumstances and the law that applies. Requests should be handled in line with the public Privacy Policy.
Governance and review
Major information decisions should be reviewed where the risk or complexity justifies it.
Projects, systems, suppliers, forms, platforms, or activities involving significant personal data processing may require additional review. This may include:
- data protection impact assessments where appropriate;
- review of supplier contracts and security standards;
- review of collection fields, lawful basis, retention, and privacy notices;
- input from trustees, advisers, or specialists where decisions carry higher risk; and
- additional controls for safeguarding, financial, sensitive, confidential, or high-risk information.
This policy will be reviewed periodically and updated where necessary to reflect changes in law, guidance, technology, providers, Foundation structure, or operational activity.