top of page


GDPR Policy 

This policy sets out how Halifax Society for the Blind will implement requirements of and comply with Regulation (EU) 2016/679 (more commonly known as the General Data Protection Regulation “GDPR”) 

From 25 May 2018, the GDPR (and any UK national law seeking to implement its provisions) regulates the protection of individual’s personal data, replacing the Data Protection Act 1998 (DPA). Many of the core data protection principles remain the same as under the DPA, but there are significant enhancements that need to be addressed to comply with the GDPR. 

Policy Statement 

Halifax Society for the Blind (HSB) is committed to the protection of the rights and freedoms of individuals in accordance with the provisions of the GDPR. It will comply fully with the requirements of the GDPR and will follow procedures to ensure that all persons who have access to any personal data held by or on behalf of HSB are fully aware and abide by their duties and responsibilities under the legislation. 

HSB will ensure all personal information is processed properly however it is collected, retained, used or otherwise processed; on paper, in computer records or recorded by any other means. Accurate, proportionate and up to date records are kept to ensure a good framework of support and supervision for volunteers and employees, and to comply with employment, charity and company legal requirements. 

To operate efficiently HSB processes’ information about its staff and about people with whom it works. These may include current, past and prospective employees, volunteers, trustees and donors. Clients, volunteers and employees are made aware that the organisation retains a record of HSB’s contacts or work with them, and that anyone can request access to records held about them.  

  1. Definitions

For the purpose of this policy the following definitions shall apply: 

“Personal data/information” 

Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as names, addresses, telephone numbers, job titles, date of birth, salary, ID numbers, location data, online identifiers, genetic data or biometric data. 

The GDPR lists “special categories of personal data” which includes: 

  • Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; 

  • Genetic and biometric data; and 

  • Data concerning health, a natural person’s sex life or  

  • Orientation 


 “Personal data breach” 

Any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. 

For example, loss or theft of data or equipment, unauthorised access either by a member of staff or third party, human error (such as accidental deletion or alteration of data), unforeseen circumstances (such as fire or flood) or deliberate attacks on IT systems (such as hacking, viruses or phishing scams). 


Processing includes anything done with personal data whether or not by automated means such as: 

  • Collecting, storing 

  • Organising, structuring 

  • Using, disclosing 

  • Erasing, destroying 


     2. GDPR Data Protection Principles 

HSB will comply with the data protection principles of the GDPR to ensure all personal data is: 

  • Processed lawfully, fairly and in a transparent manner; 

  • Obtained for specified, explicit and legitimate purposes only; 

  • Only processed in a way that is compatible with the purpose(s) for which it was collected; 

  • Adequate, relevant and limited to what is necessary for the relevant purpose. 

  • Accurate and up to date; 

  • Kept for no longer than is necessary for the purpose(s) for which data is processed. 

  • Processed in accordance with the data subject’s rights under the GDPR; 

  • Kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage; and 

  • Not transferred outside of the United Kingdom without appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.# 


    3. Governance 

    4. The Board of Trustees 

HSBs compliance with the GDPR is the overall responsibility of the Board of Trustee’s (“the Board”). 

The Board will review and certify a GDPR compliance statement for use with third parties, regulatory bodies and clients. 

    5. Data Protection Lead 

The Board will appoint a named person as a Data Protection Lead who shall: 

  • Inform and advise HSB and its employees who carry out processing of their obligations pursuant to the GDPR 

  • Monitor compliance with the GDPR, including the assignment of responsibilities, awareness-raising and training of employees, trustees and volunteers involved in processing operations, and the related audits. 

  • Oversee, and provide advice when requested on the annual process of reviewing data protection impact assessments (“DPIA”)- more detail on DPIAs is set out below. 

  • Oversee progress with the action log and risk register 

  • Co-operate with and act as the key contact point for Information Commissioner’s Office (“ICO”) on issues relating to Halifax Society for the Blind’s data processing, including personal data breaches and any necessary DPIA consultations. 


    6. All employees, trustees and volunteers 

    7. It is the responsibility of all employees, trustees and volunteers to adopt this policy and to conduct themselves with integrity and in a way, which considers the rights and freedoms of clients at all times. Every individual has a critical role to play in the correct processing ad control of personal data and sensitive categories of data. In particular, they are required to: 

  • Familiarise themselves with the provisions of the GDPR and ensure they understand their individual responsibilities (including but not limited to keeping personal data and other confidential information secure) and to seek guidance from their line manager if they are unclear as to the application of the GDPR to their role. 

  • Read and comply with this policy and attend all training sessions in relation to data protection as relevant to their role. 

  • Ensure any information they provide in connection with their employment/ engagement is accurate and up to date informing HSB of any changes to information they have provided, e.g., Changes of address or changes to the bank or building society account to which the individual is paid (if applicable) 


  • Reporting security risks and personal data breaches in accordance with this policy and the GDPR policy.  


     8. Training 

All employees, trustees and volunteers must receive data protection training. Training will include but not be limited to the storage and handling of information, how to identify personal data and personal data breaches and the obligations imposed by the GDPR and this policy. Evidence of this training will be kept for three years. Refresher training should be provided for existing staff. 


     9. Confidentiality 

HSB recognises that the legitimate use of confidential information (including personal data) underpins our service. All information about clients is treated as confidential, to be shared only as necessary in support of the volunteer and to assist the client. HSB ensures that personal and operationally sensitive information is maintained confidentially and in line with the GDPR. Any disclosure of confidential information (including personal data) about a client to another person for the purpose of assisting the client is only undertaken with the expressed permission of the client, except to protect the welfare of a an adult or child at risk or in very limited and extremely rare circumstances where a person is suspected of a disclosable offence [1] or terrorism.  

[1] Disclosable offence: drug trafficking; drug money laundering. 

     10. Consent 

Consent is one of the lawful bases to process an individual’s personal data. 

Consent means offering individuals real choice and control over their personal information. All data subjects must actively and knowingly opt-in or consent. They must be made aware of what they are opting in for, what it will be used for and the length of time for which it will be kept. 

Consent must be: 

  • Given freely, specific, informed and unambiguous 

  • By a statement or by clear affirmative action signifying agreement to the processing of personal data relating to him/her (by means of an “opt in” as opposed to an “opt out” action) 

  • Verifiable e.g. records of how and when consent was given should be kept 


For special categories of personal data, in addition to the above, the consent must be “explicit”. The data subject should sign an express written “opt-in” consent statement which clearly lays out what is being collected, why, what it will be used for and how long it will be kept. HSB is likely to be processing such categories of data and so we must ensure that “explicit” consent is obtained before processing.  

Consent for Children 

Children need attention when HSB is collecting and processing their personal data because, among other considerations, they, may be less aware of the risks involved. If under 16, consent must be given by the holder of parental responsibility (this may be subject to change as data protection laws and guidance evolve from time to time). 

Consent at the initial visit (referred or self-referral) 

At the initial visit consent must be sought from the client to share general information about the kind and level of support HSB is providing 


  • With the referrer 

  • With funders, where necessary 

  • With other agencies working with the client for the benefit of the client 

  • For anonymised case studies 


Consent records 

HSB will always keep records to demonstrate a data subject’s consent. Such records shall be kept for no longer than strictly necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims. 

Right to withdraw consent  

Individuals have the right to withdraw consent at any time and must be informed of this before giving consent. Consent should also be reviewed from time to time and refreshed if anything changes concerning the processing of the data subject’s personal data. At the point of withdrawal, if HSB has no other lawful basis justifying the processing of the personal data, the data shall be deleted or anonymised. 

7 Process 

HSB actively manages the personal data which is collected, retained or otherwise processed through an annual review cycle.  


     10.1 Data Protection Impact Assessments 

HSB will identify all the areas where we process personalised information (processing activities). A register of information flows should be held and DPIAs must be carried out annually for all processing activities. A DPIA must also be carried out when any new technologies are introduced to the organisation and whenever a new processing activity is likely to result in a high risk to the rights and freedoms of individuals. 

A DPIA should contain: 

  • A description of the processing operations and the purposes, including where applicable, the legitimate interests pursued by the controller. 

  • An assessment of the necessity and proportionality of the processing in relation to the purpose 

  • An assessment of the risks to the individuals 

  • The measures in place to address risk, including security and to demonstrate compliance 

Note: A DPIA can address more than one project 


      10.2 Action log 

HSB shall create and maintain (and the Data Protection Lead shall oversee the maintenance of) an action log. The action log shall include the information flow, the action to be taken, estimated date for completion and the responsible person or persons for this action. 

       10.3 Risk Register 

Each DPIA will identify the risks inherent in the personal data being held and processed. These risks will be collated into a summary risk register, noting the planned mitigations and links to the action log.  


        10.4 Registration 

HSB shall ensure we have obtained all authorisations and registrations and provided all notifications necessary under the data protection legislation in order to lawfully carry out our data processing activities. 


         10.5 Subject Access Requests 

Individuals have the right to access their personal data and supplementary information, amongst other things to allow such individuals to be aware of and verify the lawfulness of the processing. 

Any such request should be made in writing to the Chief Officer/ Chair of the Trustees. If HSB receives an access request, they must provide information without delay and at the latest within one month of receipt (free of charge). If requests are complex or numerous, this can be extended by a further two months, but the individual must be informed within one month of the receipt of the request and explain why the extension is necessary.  

HSB must verify the identity of the person making the request, using “reasonable means”. 

Information and records relating to service users will be stored securely and will only be accessible to authorised staff and volunteers. 

Information will be stored for only as long as it is needed or required under statute and will be disposed of appropriately thereafter. 

If an employee would like a copy of any information held on him/her they should notify their line manager. If he/she believes that any information held about him/her is incorrect or incomplete, then he/ she should write to their line manager as soon as possible setting out the information which he/she believes needs correction. 


           10.6 Accuracy 

HSB will endeavour to ensure that all personal data held in relation to data subjects is accurate and kept up to date. Data subjects must notify HSB of changes in information held about them. Data subjects have the right to have personal data rectified without undue delay if it is inaccurate or incomplete. 

            10.7 Erasure  

Individuals have the right to request that any of their personal data held by HSB be erased (right to be forgotten). The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. 

HSB may refuse the request in limited circumstances, including for public health purposes in the public interest and the exercise or defence of legal claims.  

HSB must pay special attention to requests relating to children’s personal data. This is because a child may not have been fully aware of the risks involved in the processing at the time of consent.  


To the extent that HSB has disclosed any personal data to any third parties, it shall inform such parties about the request for erasure, unless it is impossible or involves disproportionate effort to do so.  

7.8 Personal Data Breach 

All employees, trustees and volunteers must report, and co-operate in the resolution of all personal data breaches in accordance with this section 7.8 and the flow chart at Appendix 1. This shall also include where a data protection control has failed but has not resulted in a breach (a ‘near miss). 

HSB (when acting in its capacity as data controller) is obliged under the GDPR to notify the ICO of all personal data breaches within 72 hours of becoming aware of the breach, unless the breach in question is unlikely to result in a risk to the rights and freedoms of the individuals. We must internally record all breaches (including the facts relating to the breach, its effects and the remedial action taken), regardless of whether the breach is such that it needs to be notified to the ICO.  

It is therefore very important that all employees, trustees and volunteers notify the Data Protection Lead (or Chair if Trustees if the Data Protection Lead is not available) in accordance with the timescales set out in the flowchart at Appendix 1. Such a report should include a description of the nature of the breach including where possible, the categories and approximate number of affected individuals, the categories of data and the approximate amount of personal data affected. 


The breach must be investigated, and any relevant protective action taken, to prevent the breach from escalating or being repeated. 

If a breach is likely to result in a high risk to the rights and freedoms of individuals, we must directly notify all those individuals affected by the breach without undue delay. This should not be done by any employee, trustee or volunteer without first notifying the Data Protection Lead (or in their absence the Chair). 

bottom of page