GDPR - GENERAL DATA PROTECTION REGULATIONS

Introduction
Clwyd Special Riding Centre (CSRC) is compliant with current Data Protection Law. The General Data Protection Regulations (GDPR) came into force on 25th May 2018.

CSRC Board of Trustees
The GDPR policy and its implementation are the responsibility of the Board of Trustees. Its responsibilities are the allocation of a Data Protection Officer and ensuring the monitoring of data collection, training and awareness, data process contacts, sub-processors, breach notification, right of access, retention and disposal, restriction of processing and data portability.

Data Protection Officer
Data Protection Officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements. They are the point of contact for issues relating to data and GDPR – the CSRC Data Protection Officer is the Centre Manager.

Monitoring of Data Collection
The information required to provide an appropriate and effective service is monitored, and any amendments or additions required are approved by the Board.

Training and Awareness
CSRC provides training to all relevant staff and volunteers who are in contact with data as part of session delivery.

Data Process Contacts
Data will not be available to any person other than those immediately involved with the delivery of service to the said beneficiary.

Sub-Processors
There will be NO outsourcing of data to sub-processors.

Breach Notification
Any individual involved in a breach of data will be notified immediately. All necessary action will be undertaken as advised by the ICO.

Right of Access
Every individual has a right to access their individual file. Individuals must make that request in writing to the Data Protection Officer at CSRC. The file will be made available within 78 hours of receipt of request.

Right to rectification and data quality
Individuals have a right to have their information altered or updated, and CSRC will accommodate this. CSRC has a duty to ensure data remains accurate and up to date. A review of data will occur on a six-monthly basis as standard and as necessary upon request.

Right to retention and disposal
A review of data will occur on a six-monthly basis as standard and as necessary upon request. Data will be reviewed, and files no longer required will be confidentially disposed of. All requests for disposal will be verified and activated within 72 hours.

Right to restrict processing
NO data held by CSRC is processed externally. No personal data is used by CSRC. Only data figures are used for monitoring, tracking and funding applications.

Right to data portability
Individuals have the right to have their personal information forwarded in an electronic format following verified request.

Data Protection Principles
The six GDPR Principles are:
1. Whatever you do with people’s information has to be fair and legal. This includes making sure that they know what you are doing with the information about them. CSRC ensures compliance by: CSRC has produced a Privacy Statement which states that what we do with information is fair and legal.

2. When you obtain information you must be clear why you are obtaining it, you must then use it only for the original purpose. CSRC ensures compliance by: Your information will only be used by CSRC to determine the most appropriate service to your needs.

3. You must hold the right information for your purposes: it must be adequate, relevant and limited to what is necessary. CSRC ensures compliance by: Only relevant information will be held.

4. Your information must be accurate and, where necessary, up to date. CSRC ensures compliance by: All information is accurate and up to date. This will be reviewed on a six-monthly basis.

5. You must not hold information longer than is necessary. CSRC ensures compliance by: Information is destroyed three years after file closure for adults; for children, files are destroyed three years after the age of 18.

6. You must have appropriate security to prevent your information from being lost, damaged or getting into the wrong hands. CSRC ensures compliance by: All data is kept as per guidelines in fireproof lockable cabinets.

Lawful Basis
CSRC holds information about beneficiaries, volunteers and staff that is contained within the application form only.

Everything CSRC does with records about individuals will have an acceptable legal basis.

There are 6 of these in total with 1 – 4 relevant to CSRC:

1. Consent from the individual (or someone authorised to consent on their behalf).
2. Where it is necessary in connection with a contract between CSRC and the individual.
3. Where it is necessary because of a legal obligation.
4. Where it is necessary in an emergency, to protect an individual’s ‘vital interests’.
5. Where it involves the exercise of a public function – i.e., most activities of most government, local government and other public bodies.
6. Where it is necessary in our legitimate interests if those are not outweighed by the interests of the individual.

At NO other time will information be shared with a third party.

Personal Information Beneficiaries
The Individual’s File holds the following data to ensure the beneficiary is assigned to the appropriate service and is monitored in terms of development. No information is obtained that is not essential to the delivery of service. The information held is:
• Personal and contact details – for file reference and emergency contact
• Date of birth and gender – to be allocated into an appropriate group
• Detail of additional need – for appropriate service delivery
• Weight and Height – for horse assessment purposes
• Consent details – for parents/guardians of those under 18 years of age or proven capacity issues.
• Consent – On the Application Form there will be a box to tick, sign and date stating consent has been given for the data to be held whilst the individual attends CSRC and three years upon leaving if an adult and three years after the age of 18 if a child.
• Another consent section asks for permission for photographs to be taken.

Data Flow
PARTICIPANT ENQUIRY FORM > APPLICATION FORM > ASSESSMENT > INDIVIDUAL FILE.

In addition to CSRC’s own RDA Group there are three other groups who operate from the Centre - Hope Mountain RDA Group, and Spirit Hippotherapy. CSRC manages the Enquiries, Application Form, Assessment, Waiting List and Volunteers, and works jointly with Hope Mountain RDA Group, and Spirit Hippotherapy on the allocation of beneficiaries into the most appropriate groups and sessions. The beneficiary file will then be held in a locked Data Protection compliant filing cabinet allocated to that Group at CSRC. To ensure best practice, all the above adhere to the CSRC Policy and CSRC adheres to the RDA Policy. Spirit Hippotherapy adheres to CSRC Policy.

Personal Information – Volunteers
Volunteer: VOLUNTEER ENQUIRY FORM > APPLICATION FORM > INDUCTION > INDIVIDUAL FILE & RDA GREEN CARD.

The information held is:
• Personal and contact details – for file reference and emergency contact.
• Date of birth and gender – to be allocated into an appropriate group.
• Detail of additional need – for support needs.
• DBS – details for DBS completion.
• Consent details – for parents/guardians of those under 18 years of age or proven capacity issues.
• Two (2) references.

Consent – On the Volunteers Application Form there will be a box to tick, sign and date stating consent has been given for the data to be held for the term of volunteering and three years upon leaving. Another consent section asks for permission for photographs to be taken.

Personal Information – Staff Team
The information held is:
• Full application form including - Personal details, qualifications, work history, personal statement.
• DBS – details for DBS completion.
• Two (2) references.
• Consent – On the Offer of Employment Letter there will be a box to tick, sign and date stating consent has been given for the data to be held for the entire employment and three years upon leaving.

Personal Information – Supporters
The information held is:
• Contact details
• Support given
• Gift Aid (if granted)

Consent – All current supporters receive a letter referencing the GDPR Policy and Privacy Statement.

Source of information held
All information held is supplied by the individual, beneficiary, or parent/guardian/carer. NO additional information is sought from third parties by CSRC.

GDPR 2024/CSRC