Our Data Protection Policy

Data Protection Policy, Central Eurasian Partners, adopted 17/3/18




Aims of this Policy

Central Eurasian Partners UK (CEPUK) needs to keep certain information on its trustees, supporters, employees, volunteers and members of its supported partner organisations to carry out its day to day operations, to meet its objectives and to comply with legal obligations.

The organisation is committed to ensuring any personal data will be dealt with in line with the Data Protection Act 1998 and the General Data Protection Regulation. To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.

The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within the organisation.

This policy covers trustees, employees, volunteers and third parties who may collect personal data used by CEPUK.



In line with the Data Protection Act 1998 and GDPR principles, CEPUK will ensure that personal data will:

  • Be obtained fairly and lawfully and shall not be processed unless certain conditions are met
  • Be obtained for a specific and lawful purpose
  • Be adequate, relevant but not excessive
  • Be accurate and kept up to date
  • Not be held longer than necessary
  • Be processed in accordance with the rights of data subjects
  • Be subject to appropriate security measures
  • Not to be transferred outside the European Economic Area (EEA)

The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper based personal data as well as that kept on computer.

We follow Data Guardianship principles:

  • Accountability: those handling personal data follow publicised data principles to help gain public trust and safeguard personal data.
  • Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.
  • Consent: The collection and use of personal data must be fair and lawful and in accordance with the requirements of GDPR
  • Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data.
  • Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span.
Type of information processed CEPUK processes the following personal information:

·        Supporter contact information, including name, address, telephone number, email address, nature of relationship, sources of contact (e.g. introduced by partner X)

·        Donor details including contact details as above, information required for gift aid claims, donation history

·        Employee information including contact details, references, bank account and payroll information, supervision and assessment notes

·        Members of partner organisations, including contact details and bank account details where financial support is provided

·        Trustee details including contact details, meeting notes, references and communications relating to trusteeship

·        Other personal details in line with the principles above.

Personal information is kept in the following forms:

·        Paper records

·        Email communications

·        Electronic records, including spreadsheets and word-processed documents

Groups of people within the organisation who will process personal information are:

·        Trustees

·        Employees and volunteers with specific delegated authority from trustees

Notification to the Information Commissioner The needs we have for processing personal data are recorded on the public register maintained by the Information Commissioner.  We notify and renew our notification on an annual basis as the law requires.

If there are any interim changes, these will be notified to the Information Commissioner within 28 days.

The name of the Data Controller within our organisation as specified in our notification to the Information Commissioner  is Katherine Hillcoat



Overall responsibility for personal data in CEPUK rests with the trustees who are responsible for:.

  • understanding and communicating  obligations under the Data Protection legislation
  • identifying potential problem areas or risks
  • producing clear and effective procedures
  • mantaining registration with the ICO

All persons who process personal information must ensure they not only understand but also act in line with this policy and the data protection principles.

Policy Implement-ation

To meet our responsibilities we will:

  • Ensure any personal data is collected in a fair and lawful way;
  • Explain why it is needed at the start;
  • Ensure that only the minimum amount of information needed is collected and used;
  • Ensure the information used is up to date and accurate;
  • Review the length of time information is held;
  • Ensure it is kept safely;
  • Ensure the rights people have in relation to their personal data can be exercised

We will ensure that:

  • Everyone managing and handling personal information is trained to do so.
  • Anyone wanting to make enquiries about handling personal information, whether a trustee, member of staff or, volunteer knows what to do;
  • Any disclosure of personal data will be in line with our procedures.
  • Queries about handling personal information will be dealt with swiftly and politely.


Training and awareness raising about Data Protection in this organisation will take the form of periodic communication with volunteers, staff and trustees.  New joiners will receive a copy of this policy.
Gathering and checking information Before personal information is collected, we will consider:

·        The purpose for collecting the information

·        How the information will be kept secure and confidential

·        How the information will be used

·        How the information will be kept accurate

·        Who will have access to the data outside CEPUK (if anyone)


Our privacy notice will inform people whose information is gathered about the following:

What information we collect

How we use the information

Contact channels we may use

How people can update, change, remove or see the information we hold about them.

We will take the following measures to ensure that personal information kept is accurate:

·        We will advise people how they can update, change or remove their personal information via our privacy notice.

·        We will process all changes as quickly as possible

·        We will periodically review the personal information we hold and consider whether we need to contact people to confirm that their details are up to date.


Personal sensitive information will not be used apart from the exact purpose for which permission was given.

Retention periods CEPUK will ensure that information is kept according to the following retention periods guidelines


·        3 years after last contact with supporter or donor, or request for no contact (suppression notice)


·        At least 3 years after the end of the financial year in which the last donation was made, or longer if required by HMRC legislation or guidelines

Staff and Volunteers

·        Personnel records -6 years after employment/volunteering ceases, (slimmed down format after 2 years)

·        Application forms and interview notes (unsuccessful candidates)- 6 months

·        Letters of reference – 6 years from the end of employment

·        Redundancy details -6 years from the date of redundancy

·        Parental leave – 5 years from birth/adoption or 18 if child receives a disability allowance

·        Accident books, accident records/reports – 3 years

·        Assessments under health & safety regulations-  Permanently

·        Income tax, NI returns, income tax records and correspondence with IR –  At least 3 years after the end of the financial year to which they relate

·        Statutory maternity pay records and calculations –  At least 3 years after the end of the financial year to which they relate

·        Statutory sick pay records and calculations –  At least 3 years after the end of the financial year to which they relate

·        Wages and salary records – 6 years

·        Employee joining/new starter form – 6 years after employment ceases

Data Security


The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:

Physical records (normally paper) will be retained in a locked container under the control of a trustee or other person delegated by the trustees and disposed of by the use of shredding machine or other permanent, secure destruction.  This includes all copies of original records. If records are transported, they will remain under the control of a trustee or other delegated person.  Where personal records are sent by post they will normally be sent by recorded delivery.

Electronic records will be protected by a secure password

The Board and trustees are accountable for compliance of this policy. A trustee could be personally liable for any penalty arising from a breach that they have made.

Any unauthorised disclosure made by a volunteer may result in the termination of the volunteering agreement.

Procedure in case of a breach When a breach of data protection occurs, consideration will be given to reviewing practices. In addition, CEPUK will consider whether the breach should be reported to the Information Commissioner.
Subject Access Requests


Anyone whose personal information we process has the right to know:

  • What information we hold and process on them
  • How to gain access to this information
  • How to keep it up to date
  • What we are doing to comply with the Act.

They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.

Individuals have a right to access certain personal data being kept about them on computer and certain files.  Any person wishing to exercise this right should apply in writing to the trustees at the CEP mailing address.  one of the trustees.

We may make a charge of £10 on each occasion access is requested.

We may also require proof of identity before access is granted.

Queries about handling personal information will be dealt with swiftly and politely.

We will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within the 40 days required by the Act from receiving the written request.



This policy will be reviewed at intervals of three years to ensure it remains up to date and compliant with the law.