Data Protection Policy and Procedures

1          Intended audience

This document is intended to be used by:

  • The 3H Foundation trustees
  • The 3H Foundation managers
  • The 3H Foundation employees
  • The 3H Foundation volunteers

Other key stakeholders include:

  • The Charity Commission
  • The beneficiaries of the services provided by The 3H Foundation

2          Amendments to the document

This document will be reviewed on a 3 yearly basis by The 3H Foundation to ensure continual compliance with current legislation and standards and for observing relevant Codes of Practice to measure service performance and to identify any areas for potential improvement, unless requested as part of, or pre-requisite to, any Service Improvement Plan (SIP)

3          Approval and sign-off

This section identifies who within The 3H Foundation has approved this document contents and commits on behalf of each party to the working practices and support levels contained therein. This document covers the provision of the The 3H Foundation Group Holiday Programme, Grant Programme, TeensPLUS Programme and Carer Support Programme.

By signing this document, the trustees nominated agree to commit to the responsibilities identified in this document. The document can be signed with an electronic signature or by typing in the names of the Chair and Deputy Chair as long as accompanied by an email confirming approval of the policy. The emails relating to the approval will be held in the office along with the electronic signatures. The date of approval should be included in the Approval box on the Document Control Sheet and should be the date when both approvals have been received.

4          Scope

The scope of this document is in the context of The 3H Foundation complying with the requirements of its regulatory bodies in relation to the services it provides as follows:

  • The The 3H Foundation Governance Strategy
  • The The 3H Foundation Service Asset and Configuration Management (SACM)
  • The The 3H Foundation Change Management
  • The The 3H Foundation Continuous Service Improvement

4.1      Services within The The 3H Foundation Group Holiday Programme

  • The The 3H Foundation Grant Programme
  • The The 3H Foundation TeensPLUS Programme
  • The The 3H Foundation Carer Support Programme

5          Purpose of document

The 3H Foundation (referred to in this document as 3H) provides the services as detailed in section 4.1 above. The personal data that 3H processes to provide these services relates to its beneficiaries, donors, and other individuals as necessary, including staff and volunteers.   

With this policy, we ensure that we gather, store and handle data fairly, transparently and with respect towards individual rights. 3H ensures that good data protection practice is embedded in the culture of our staff and our organisation. 

This policy also covers E-Safety which means a safe and responsible use of technology including texting and gaming devices. The evolution of the internet has increased the danger it can impose. E-safety is as much about online security as online behaviour. The rise of social media and internet-based applications increases the risks to financial, personal and emotional safety. This policy will provide 3H with sound guidelines to enable secure use of all information and IT equipment.

This policy sets out 3H’s commitment to ensuring that any personal data, including special category personal data, which 3H processes, is carried out in compliance with data protection law, and meets the requirements of: 

The UK Data Protection Act 2018 

The General Data Protection Regulation (GDPR) 

The Privacy and Electronic Communications Regulation (PECR) 

The Computer Misuse Act 1990

 All Trustees, Managers, Employees and Volunteers at 3H should ensure they fully understand the importance of meeting these requirements. 

6          Data Protection Principles

There are six Data Protection Principles defined in the GDPR.  These require that all personal data be: 

  • Processed in a lawful, fair, and transparent
  • Collected only for specific, explicit, and limited purposes
  • Adequate, relevant, and limited to what is necessary.
  • Accurate and up to date
  • Kept for no longer than necessary (retention)
  • Handled with appropriate security and confidentiality

We are committed to upholding the data protection principles.  All personal data under our control must be processed in accordance with these principles. 

7          Lawful Processing

3H must meet one of the following six lawful bases defined in the GDPR, when processing personal data

  • Where we have the consent of the data subject
  • Where it is our legitimate interests (not overridden by the rights of the data subject)
  • Where it is necessary to meet a legal obligation
  • Where necessary to fulfil a contract, or pre contractual obligation
  • Where we are protecting someone’s vital interests.
  • Where we are fulfilling a public task, or acting under official authority

Any special category data (sensitive data) must be further processed in line with the specified conditions.

Where processing is based on consent, the data subject has the option to easily withdraw their consent.

Where electronic direct marketing communications are being sent, the recipient should have the option to opt-out in each communication sent, this choice should be recognised by us.

8          Data Minimisation Control

  1. Data Protection processes will be regularly reviewed to ensure that personal data collected and processed is kept to a minimum.


  1. We will keep the personal data that we collect use and share to the minimum amount required to be adequate for its purpose.


  1. Where we do not have the legal obligation to retain some personal data, we will consider whether there is a business need to hold it.


  1. We will retain personal data only for as long as it is necessary to meet its purpose. Our Data held will be reviewed annually and destroyed as appropriate.


  1. In the case of sharing personal data with any third party, only the data that is necessary to fulfil the purpose of sharing will be disclosed.

9          Data Protection Accountability

  1. All trustees, managers, employees, volunteers, or other parties who will be handling personal data on behalf of 3H Fund will be appropriately trained and supervised where necessary.
  2. The collection, storage, use and sharing of data will be regularly reviewed by the Charity Manager.
  3. We will adhere to relevant codes of conduct where they have been identified and discussed as appropriate.
  4. Where there is likely to be high risk to individuals due to a processing activity, or we require clarity on processing or retention of any data we will undertake a Data Protection assessment and/or consult the Information Commissioners Office (ICO).

10       Procedures

All trustees, management, staff, and volunteers must comply with these procedures for processing and handling personal data.

  • Always treat people’s personal information with integrity and confidentiality.
  • Know what the data protection principles are and apply them.
  • Store hard copies securely in a locked box, drawer, or cabinet.
  • Use your encrypted USB drives to store and transfer data where needed.
  • You have an organisational email address and remote access. Use it rather than send data to your personal email.
  • Be alert to cyberattacks and report suspicious emails or calls
  • Report losses of data or devices as soon as possible.
  • Before sending direct marketing, check if we have consent and it is appropriate.
  • Beware of autocomplete on email. Check you are sending to the right address.
  • Ensure your personal device has appropriate security measures if using it for work-related activity.
  • Take care when connecting to public Wi-Fi connections, as these may not be secure.
  • Please ask if you have any questions.
  • Destroy any confidential data in the appropriate confidential waste bins.

11       Data on personal devices/Accounts

The board of trustees and some members of staff may be required to use their own devices and with regards to the trustees their own email accounts.

All the data protection principles apply in the same manor to these devices and accounts.

All devices used must be protected with an anti-virus software and some manor of 2nd factor authentication.

Any hard copies of documents that are printed away from the office by either a colleague or a trustee should be destroyed appropriately.

The majority of documents sent to trustees are retained, as relevant on the office shared drive, and therefore can be deleted after use.

Documents being sent to the trustees personal email accounts from the office should be password protected where appropriate and possible.

12       Rights of Data Subjects

Under data protection laws, data subjects have certain rights, and we will uphold these rights. 

Right to be informed – The right to be told how their personal data is used in clear and transparent language

Right of access – The right to know and have access to the personal data we hold about them.

Right to data portability – The right to receive their data in a common and machine-readable electronic format.

Right to be forgotten – The right to have their personal data erased.

Right to rectification – The right to have their personal data corrected where it is inaccurate for incomplete.

Right to object – The right to complain and to object to processing

Right to purpose limitation – The right to limit the extent of the processing of their personal date.

Right related to automation decision-making and profiling – The right not to be subject to decisions without human involvement.

13       Reporting of Data Breaches

  1. A personal data protection breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.


  1. All members of staff should be vigilant and able to identify a suspected personal data breach which could include
  • Loss or theft of devices or data, including information stored on a USB device or paper.
  • Hacking or other forms of unauthorised access to a device, email account, or the network.
  • Disclosing of personal data to the wrong person, through wrongly addressed emails, or bulk emails that inappropriately reveal other recipient details.
  • Alterations or destruction of personal data without permission.


  1. Where a member of staff discovers or suspects a personal data breach, this should be reported to the Charity Manager as soon as possible.


  1. Where there is a likely risk to individual’s rights and freedom, the Charity Manager will report the breach to the Trustees and the ICO within 72 hours of being aware.


  1. The Charity Manager will also inform those individuals without undue delay.


  1. A record must be kept of all personal data breaches reported and followed up with appropriate measures and improvements to reduce the risk of reoccurrence.

14       E-Safety Principles

3H is committed to the following principles 

  • Providing a safe environment for Trustees, staff, volunteers, and guests.
  • Having a process in place that helps ensure risks and hazards are monitored, kept to the minimum possible and reviewed.
  • Remain aware of the three key areas when online – Content, Contact and Conduct.

15       E-Safety Accountability

Overall accountability for e-safety arrangements within 3H rests with the board of trustees, however they delegate the process and procedure management of this to the charity manager.

Access to the IT systems is controlled by user IDs, passwords, 2nd Factor authentication and programme-based security.

16       E-Safety Responsibilities

To ensure a safe and legally compliant online presence all persons employed and/or associated with 3H must follow the key areas.

  • Content: Content refers to any form of illegal, dangerous, harmful, or inappropriate content that is accessed digitally. In the context of the workplace, this can refer to employees using work on computers to access inappropriate or illegal sites or content. It can also simply refer to the misuse of company equipment, even using work time and the internet to do personal things like check social media.
  • Contact: Contact is mainly an e-safety issue when it comes to children, but it is an issue that also affects adults quite often. This has to do with any communication that is happening online. While online, there is the risk of coming into contact with a stranger or a person who is posing as another person.
  • Conduct: Conduct refers to the nature of the exchanges happening online during contact. Bullying and harassment can take place online, especially with the ease of anonymity. This is a serious issue, and if it takes place in the workplace, it becomes a business issue that must be addressed.

To protect all persons associated with 3H, the following responsibilities will need to be adhered to.

Trustee Responsibilities

3H Trustees will be responsible for supporting and if necessary, questioning the actions of the Charity Manager with regards to e-safety and acceptable usage.

Charity Manager Responsibilities

Within 3H the Charity Manager, supported by the trustees, will have the responsibility for:

  • Developing systems and structures which ensure that the charity remains safe in the cyber environment.
  • Auditing and revising the services policies and procedures to ensure 3H meets the obligations required from relevant legal documents.
  • Providing training for staff and trustees in relation to e-safety to be carried out annually.
  • Swiftly investigate any possible breeches of security.

Employee and Volunteer Responsibilities

In addition to section 10 – Individuals must not:

  • Send unprotected sensitive data with authorisation.
  • Use the internet in any way that is considered detrimental to 3H
  • Download any software from the internet without prior approval.
  • Leave equipment or media unattended in public places whilst away from the office and information should be protected at least by a password.