Data Protection & Information Governance Policy

This policy explains how the HEADTURNED Foundation handles personal data, keeps information secure, and builds privacy and information governance into our decisions.

This document sits alongside our public-facing Privacy Notice, Cookies Notice, and any project-specific data agreements or impact assessments.

1. Purpose and scope

The purpose of this Data Protection & Information Governance Policy is to set out how the HEADTURNED Foundation (the Foundation) manages personal data and other information responsibly and lawfully.

This policy applies to trustees, staff, volunteers, contractors, and anyone acting on behalf of the Foundation who has access to personal data or other confidential information.

2. Relationship to our Privacy Notice

The Foundation's Privacy Notice is written for the public and explains, in accessible language, how we collect and use personal data. This policy sits behind that Notice and describes the internal standards and expectations that support it.

If there is any inconsistency between this policy and the Privacy Notice as published on our website, the published Notice will take precedence for data subjects, but we will aim to align both documents as closely as possible.

3. Definitions

  • Personal data means any information relating to an identified or identifiable person.
  • Special category data means more sensitive information, such as health, racial or ethnic origin, or religious beliefs, which may be subject to additional protections in law.
  • Data subject means the person whose personal data is being processed.
  • Processing includes any operation on personal data, such as collecting, storing, using, sharing, or deleting it.

4. Legal basis and principles

The Foundation aims to comply with applicable data protection laws. In broad terms, this means that personal data should be:

  • Processed lawfully, fairly, and in a transparent manner.
  • Collected for specified, explicit and legitimate purposes.
  • Adequate, relevant and limited to what is necessary for those purposes.
  • Accurate and kept up to date where appropriate.
  • Retained only for as long as necessary, and no longer than is reasonable for the purpose.
  • Processed in a manner that ensures appropriate security of the data.

5. Roles and responsibilities

Trustees have overall responsibility for ensuring that appropriate data protection arrangements are in place. Day-to-day responsibilities may be delegated to a designated data protection lead or team.

Everyone who handles personal data on behalf of the Foundation is expected to:

  • Follow this policy and any related procedures or guidance.
  • Take care to protect personal data from accidental loss or unauthorised access.
  • Report suspected data breaches or concerns promptly.

6. Collecting and using personal data

We collect personal data for a range of purposes, such as managing donations and Gift Aid, running programmes, or responding to enquiries. For each purpose we will aim to:

  • Identify an appropriate lawful basis for processing.
  • Provide clear information in our Privacy Notice or relevant communications.
  • Limit collection to what we genuinely need for that purpose.

7. Data minimisation and retention

We aim to keep personal data for no longer than is necessary for the purpose for which it was collected, taking account of legal, regulatory, and operational requirements. To support this, we will:

  • Define retention periods for key categories of data where practical.
  • Periodically review and securely delete or anonymise data that is no longer needed.

8. Security and access control

The Foundation uses a combination of technical and organisational measures to help keep personal data secure. This may include:

  • Password protection and access controls for systems and devices.
  • Encryption or pseudonymisation where appropriate.
  • Limiting access to personal data to those who need it for their role.
  • Expectations about the secure use of laptops, phones, and other devices used for Foundation business.

9. Sharing data with others

We may share personal data with trusted third parties where this is lawful and necessary, for example:

  • Payment providers that process donations securely.
  • Email or communications services used to send updates people have signed up to receive.
  • Professional advisers or regulators where we have legal or regulatory obligations.

We aim to ensure that such third parties handle data in line with applicable law and appropriate contractual safeguards.

10. Data breaches and incidents

A data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. If a breach is suspected:

  • It should be reported as soon as possible to the appropriate lead.
  • Reasonable steps will be taken to contain and assess the incident.
  • Where required, relevant regulators and affected individuals will be notified in line with legal requirements.

11. Data subject rights

People whose data we hold may have rights such as access, correction, deletion, restriction, or objection, depending on the circumstances and applicable law.

Requests to exercise these rights can be made using the contact details in our Privacy Notice. We will respond within a reasonable timeframe and in line with legal obligations.

12. Information governance and decision-making

Major projects or technology choices that involve significant personal data processing may be subject to additional review, which could include:

  • Data protection impact assessments.
  • Review of supplier contracts and security standards.
  • Input from trustees or advisers where decisions carry higher risk or complexity.

13. Training, awareness and review

People who regularly handle personal data are expected to have appropriate awareness and, where needed, training. The Foundation may provide or signpost to training resources and guidance.

This policy and our wider data protection arrangements will be reviewed periodically and updated where necessary to reflect changes in law, guidance, or the Foundation's activities.