top of page


Data protection Policy

  1. Purpose

This policy establishes the guidelines by which information is collected and stored by The Offshoot Foundation. The Offshoot Foundation needs to keep certain information about its staff, members and users of its services to enable it to monitor its effectiveness and to meet appropriate safeguarding guidance.

This policy is to be read in conjunction with the Confidentiality/Information sharing and DBS policies and procedures.

  1. Persons Affected

Staff of The Offshoot Foundation

Service users of The Offshoot Foundation

  1. Policy

To comply with the law, General Data Protection Regulations 25/5/18, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. In summary personal data must be;

  • Obtained and processed fairly and lawfully

  • Obtained for a specified and lawful purpose and not to be processed in a manner incompatible with that purpose

  • Adequate, relevant and not excessive for that purpose

  • Accurate and up to date

  • Not be kept for longer than necessary

  • Processed in accordance with the data subjects rights

  • Kept safe from unauthorised access, accidental loss or destruction

  • Will not be transferred outside of the European Economic Area, unless that country has equivalent levels of data protection

All staff who process any personal information must ensure that they adhere to these principles at all times.

Any member of staff who considers that this procedure has not been followed should raise it with the Chief Executive. If the matter is not resolved it should be raised as a grievance. Any user of the services should follow the complaints procedure.


All individuals have the right to;

  • Know what information The Offshoot Foundation hold and processes about them and its purpose

  • Know how to gain access to this information

  • How top keep the information up to date

  • Know what The Offshoot Foundation is doing to comply with data protection legislation

The Offshoot Foundation hold personal information in respect of its staff, members, users and other members of the public. The information held may include an individuals name, postal, e-mail and other addresses, telephone. This information is held and we only contact people with their permission via the method they request to enable us to meet the needs of our users and organisational business.

Unauthorised or inappropriate disclosure may be a disciplinary matter, and could be considered a matter of gross misconduct ion some instances.

Security Statement

The Offshoot Foundation has taken measures to guard against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage.

This includes:

  • Adopting an information security policy (this document is our policy)

  • Taking steps to control physical security (projects and staff records are all kept in a locked filing cabinet)

  • Putting in place controls on access to information (password protection on files and server access)

  • Establishing a business continuity/disaster recovery plan The Offshoot Foundation takes regular back-ups of its computer data files and this is stored away from the office at a safe location)

  • Training all staff on security systems and procedures

  • Detecting and investigating breaches of security should they occur

Working from home

  • The Offshoot Foundation keeps note of which staff take work home with them.

  • If working on something at home and at work try to keep both sets of information pretty much up to date

  • Home computers should have records removed once project/work records no longer needed at home

  • Staff agree to try to keep work taken home relatively secure, to return all work related material upon the completion /termination of their contract; and organization should be informed if information have got into wrong hands

Special funding tracking requirements and data protection

  • Try not to keep more than project/tracking requires

  • The more information kept the more secure it should be kept

  • If publishing volunteers’ details, tell them

  • Take extra care if records include sensitive data

  • Just keep personal data as long as necessary under funding rules

  • Don’t keep surplus information.

When communicating information electronically additional care must be taken to ensure that only the intended recipient(s) receive the information.

Personal and sensitive information will be discussed in suitably confidential environments. All staff must be aware of the difficulties of ensuring confidentiality in open spaces and must respect any confidential information inadvertently overheard.

Disposal of information

Personal and sensitive material will be shredded. Particular care will be taken to delete information from computer hard drives when disposing of the computer or passing it to another member of staff.

We can supply you with the following document:

Privacy Information Notice for Employees and other Workers

  1. Definitions

Personal information: any details relating to a living, identifiable individual. This applies to staff, members and users of The Offshoot Foundation. It also applies to various members of the public such as job applicants and visitors.

Sensitive information: this is defined by the Act as that relating to ethnicity, political opinions, religious beliefs, trade union membership, physical and mental health, sex life, criminal proceedings or convictions. The person about whom the data is being kept must give express consent to the processing of such data, except where the data processing is required by law for employment purposes or to protect the vital interests of a third party.

Data Protection Policy: About Us
bottom of page