General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
In the UK the Data Protection Act 2018 is the law that implements GDPR.
Introduction
Valleys Kids is committed to maintaining personal information in a manner which meets the requirements of the Data Protection Act 2018 and will take all reasonable steps to ensure that personal data is kept secure against unauthorised access, loss, disclosure or destruction. Individuals’ privacy is important to Valleys Kids, which promises to respect individuals’ personal information; information will be collected lawfully and in accordance with the Data Protection Act 2018.
Data Protection Principles
In order to respect the individual’s privacy, Valleys Kids manage personal data in accordance with the Data Protection Act’s seven ‘Data Protection Principles’, namely:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data should be secure and in a system that permits the easy identification of the Data Subject.
- Organisations are responsible for complying with the GDPR and must be able to demonstrate compliance.
When anyone provides personal data, the Valleys Kids Privacy Notice will be available on request and/or via our website. (See Appendix 1)
The Purpose for Collecting Data
Valleys Kids will use individual personal information to:
- Confirm, update and improve our records of users of our provision;
- Assess and statistically analyse the appropriateness of our services;
- Analyse and develop our relationships with our volunteers and with our service users;
- Keep records of supporters who make financial contributions to Valleys Kids and to keep them informed of new initiatives undertaken by Valleys Kids;
- Maintain accurate HR records for all staff so that their personal details are up to date for tax and legal purposes, e.g. tax records and contracts of employment.
Sensitive Information
Some of the personal information Valleys Kids requires from you may be sensitive information (such as information about health or criminal convictions). Valleys Kids will not use sensitive information about individuals except for the specific purpose for which it was provided.
Rights of the individual
Individuals have rights to their data and Valleys Kids will respect and comply with these to the best of its ability. (See Appendix 2)
Subject Access Request
Valleys Kids recognises that anyone it holds personal data for, e.g. service users, supporters or staff, may request to see that information at any time. This request may be made via email, letter or verbally.
If a request is received, it:
- must be passed immediately to the Director of Programmes.
- must be processed within one month of receipt.
Keeping Records Accurate
Staff and service users are asked to notify us of any change in personal data, e.g. change of address or contact number/s, for legal requirements and emergency contact situations. Details for service users and staff will be checked regularly and updated as necessary.
Registration
Valleys Kids has up-to-date Data Protection registration with the Information Commissioner’s Office in line with the Data Protection Act 2018.
Appendix 1 – Valleys Kids Privacy Notice
VALLEYS KIDS COMMITMENT TO YOUR PRIVACY
Valleys Kids manages all information that we have in ways that we understand to be compliant with the underlying principles of the General Data Protection Regulation (GDPR).
However, we continue to work to make those provisions more visible and easier to understand for all those who we work with.
Why we collect your data
We want to provide our supporters and members with the best possible service. The information we collect helps us do this, as well as allowing us to communicate what we do and how that helps the people we work with.
How we collect your data
We do this in a number of ways, including where you share information with us, when you attend events with us, send us a donation, or when we receive a referral from another agency. We treat your information with the utmost care and take appropriate steps to protect it.
When we’ll share your data
We do not share your data with anyone else unless you have given your specific consent and it’s for a specific purpose.
Know your rights
You have many rights regarding your personal data. These include seeing what data we hold and updating your information.
If you have any questions or if you need clarification on any aspect of our Data Protection Policy and the information we hold about you, please contact the Director of Programmes via email at info@valleyskids.biz or by phone on 01443 420870.
Appendix 2 – Rights of the Individual
1. Right to be informed
Providing privacy notices which are concise, transparent, intelligible and easily accessible, free of charge, that are written in clear and plain language, particularly if aimed at children.
2. Right of access
Enabling individuals to access their personal data and supplementary information. Allowing individuals to be aware of and verify the lawfulness of the processing activities – see Subject Access Request.
3. Right to rectification
We must rectify or amend the personal data of the individual if requested because it is inaccurate or incomplete.
This must be done without delay, and no later than one month. This can be extended to two months with permission from the DPO.
4. Right to erasure
We must delete or remove an individual’s data if requested and there is no compelling reason for its continued processing.
5. Right to restrict processing
We must comply with any request to restrict, block, or otherwise suppress the processing of personal data.
We are permitted to store personal data if it has been restricted, but not process it further. We must retain enough data to ensure the right to restriction is respected in the future.
6. Right to data portability
We must provide individuals with their data so that they can reuse it for their own purposes or across different services.
We must provide it in a commonly used, machine-readable format, and send it directly to another controller if requested.
7. Right to object
We must respect the right of an individual to object to data processing based on legitimate interest or the performance of a public interest task.
We must respect the right of an individual to object to direct marketing, including profiling. We must respect the right of an individual to object to processing their data for scientific and historical research and statistics.
8. Rights in relation to automated decision making and profiling
We must respect the rights of individuals in relation to automated decision making and profiling.
Individuals retain their right to object to such automated processing, have the rationale explained to them, and request human intervention.