Welcome to the UK

Data Protection Policy

Welcome to the UK recognises the need to comply with the various laws regulating the processing of personal data. It is our desire that employees and volunteers recognise the risks involved when dealing with such information and fully understand the steps that must be taken in order to minimise such risks. It is Welcome to the UK’s policy to educate and inform employees and volunteers about the dangers of inappropriate and illegal use of the personal data they may have access to.

Welcome to the UK abides by the six guiding principles of Data Protection:

Personal data shall be:

1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89^[1], not be considered to be incompatible with the initial purposes (‘purpose limitation’);
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Whenever you are involved in processing any personal data, you must ensure that all associated procedures have been sanctioned by your manager/trustees. You must only operate within sanctioned procedures:-

• If for any reason registration of the information is withdrawn you must stop using the particular data immediately. Your manager will advise you of this.
• You must ensure that your appropriate records are maintained and safe and are only used to perform your particular job.
• You must ensure that all personal data is used, held and disclosed only for the registered purpose: you should not use any of the systems outside of this criteria.
• Information must be collected and processed in a prudent and lawful manner and should be kept up to date and accurate at all times.
• Information must not be transferred to countries outside the EU without authorisation from your Line Manager.
• The information should only be retained for the period necessary, and for the purpose for which it is held.

If you have any concerns or questions regarding the processing or use of personal data you should contact your manager as soon as possible. If in any doubt you should cease to process the information.

If you are required to use electronic equipment such as a computer or data-holding device your actions should comply with this. It is your responsibility to ensure that reasonable measures are taken to ensure the security of information contained within them. Such measures include keeping equipment in a lockable location when not in use and/or using password protection for files containing information covered by data protection legislation.

A breach of the data protection regulations or failure to adhere to Welcome to the UK’s policies could have serious repercussions for Welcome to the UK and for yourself, if you are found responsible. It may also be treated as a serious disciplinary matter and may result in the termination of your employment or time volunteering with Welcome to the UK.

If you are aware of any breech of Data Protection you must bring it to the attention of your Line Manager immediately. Any failure to do this may result in disciplinary action against you.

If you have access to or are responsible for collecting personal information that relates to any of Welcome to the UK’s clients or employees, the above guidelines should be strictly adhered to.

As a member of staff or volunteer you need to be aware that Welcome to the UK will hold details pertinent to your employment or volunteering on file as part of its personnel records. This may include sensitive information. This information may be processed for administrative or legal purposes or as required by your continued employment. This may include passing certain employment related data to third parties such as government authorities, suppliers or contractor organisations supplying services which require the use or creation of employee data (for example, payroll). Your data may also be used in emergency situations, to protect the legal interests and other rights of Welcome to the UK or in other situations where you have consented to the disclosure of such information.

The following are examples of information which may be retained by Welcome to the UK as part of its personnel records. The list is not exclusive or exhaustive:-

• References obtained during recruitment
• Details of terms of employment
• Payroll, tax and National Insurance information
• Performance information
• Details of grade and job duties
• Health records
• Absence records, including holiday records and self-certification forms
• Details of any disciplinary investigations and proceedings
• Training records
• Contact names and addresses

It should also be noted that Welcome to the UK might hold the following information about you, for which disclosure will be made only when strictly necessary for the purposes set out below:-

• Your health, for the purposes of compliance with our health and safety and our occupational health obligations
• For the purposes of personnel management and administration, for example, to consider how your health affects your ability to do your job and, if you are disabled, whether you require any reasonable adjustment to be made to assist you at work
• The administration of insurance, pension, sick pay and other related benefits in force from time to time
• In connection with unspent convictions to enable us to assess your suitability in employment for relevant roles

Welcome to the UK will endeavour to update personnel files on a regular basis. It is your responsibility to ensure that any changes in personal details are communicated in writing to Welcome to the UK immediately, or as soon after the change as is practicable; and to inform your next of kin (or whoever you give as an emergency contact) that their details may be held on a personnel file.

Service users will be made aware that that if they chose to access Welcome to the UK Facebook page or join any associated groups your information may be viewed by other users. The Facebook Page and associated groups are administered by Welcome to the UK and all posts are verified before added. Any inappropriate posts will not be shown and users may be blocked from the page altogether if not complying with the rules of Welcome to the UK.

Welcome to the UK will collect data from members to enable the coordinator to contact members and offer appropriate groups and services. Data will not be shared with any other individual or organisation unless there is a safeguarding concern or to prevent harm or criminality. This is in line with Welcome to the UK safeguarding Policy. Individuals will be made aware of how their data will be used and stored when providing it.

All data will be stored on an encrypted electronic device and any paper forms will be stored in a secure location. Data will be stored on our CharityLog cloud based database – only those trained in both data protection and the system will have access to the data it contains. CharityLog data is stored within the UK only. Welcome to the UK will request information from users to ensure that held data is accurate and on annual basis will check this with service users. All information will be kept for 3 years following the last attendance in any Welcome to the UK activity. This data will only be used in an anonymised form to provide information to justify any grants received and charitable status. At the end of use all data will be destroyed securely.

Linked Policies

• Equality and diversity
• Safeguarding

Contact details

If an individual requests more information or has a query about their privacy and security, they should contact Amarilda Sinani (Data Processor) Founder and CEO of Welcome to the UK on 07398884141 or email ilda.stafa@welcome2theuk.com. The Data Controller is Aline Clayson (Chair).

Statement

We are committed to reviewing our policy and good practise annually. We will ensure staff and volunteers are made aware of any updates to this policy and good practice in data protection. This policy was created on 18th July 2023. This policy will be reviewed annually, checked against changes in legislation and guidance and presented to trustees for approval. Next review date: June 2026.

Aline Clayson

4th June 2025

Welcome to the UK

Data Breach Management Procedure   Policy Statement

As an organisation which processes personal data, every care is taken to protect personal data and to avoid a data protection breach. This policy outlines the measures the Welcome to the UK takes against unauthorised or unlawful processing or disclosure and against accidental loss, destruction of or damage to personal data.  

In the event of data being lost or shared inappropriately, Welcome to the UK will take appropriate action to minimise any associated risk as soon as possible. This procedure applies to all personal and sensitive data held by our organisation and all staff, Trustees, volunteers and contractors, referred to herein after as 'staff'.  

This Data Breach Procedure document forms part of Welcome to the UK’s Data Protection Policy and all staff are made aware of these procedures through induction, supervision and ongoing training.  

Purpose

It is a regulatory requirement under GDPR for Welcome to the UK to have consistent and effective governance and control arrangements to protect the personal data that we hold. This Data Breach Procedure sets out the course of action to be followed by all staff in the event of a real or potential data protection breach.  

Definition of Data Breach  

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.  

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In summary, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.  

Personal data breaches can include:  

• Loss or theft of personal data and/or equipment on which data is stored  
• Access by an unauthorised third party
• Deliberate or accidental action (or inaction) by a controller or processor
• Sending personal data to an incorrect recipient
• Computing devices containing personal data being lost or stolen
• Alteration of personal data without permission
• Loss of availability of personal data  
• Hacking attack  
• Cyber attack  
• Equipment failure  
• Human error  
• Unforeseen circumstances such as a fire or flood  
• Flawed data destruction procedures.  

Aim of Data Breach Management Procedure Policy

The aim of this policy is to ensure a standardised and consistent approach is followed when responding to data breaches to enable us to:

• Report data breaches without delay to the Data Protection Manager
• Identify incidents of data breaches quickly and investigate them properly and in a timely manner  
• Record and document all incidents and report them to the CEO, Trustees and the Data Protection Manager/DPO  
• Assess the severity and impact of the data breach to determine whether it is necessary to inform the Data Subject(s) and ICO according to the GDPR guidance  
• Take action which is proportionate, consistent and transparent to prevent further damage  
• Regularly monitor and review all data breach incidents and potential situations that may lead to a data breach to identify improvements in policies, procedures and control mechanisms to remove or mitigate risk of further repetition.  

Reporting a Data Breach  

As soon as any member of staff, volunteer or trustee discovers or receives a report of a data breach, they must inform the Data Protection Manager as soon as possible and without delay. If the breach occurs or is discovered outside normal organisation working hours, then notification should begin as soon as is practicable.  

An emailed report can be submitted to the Data Protection Manager at ilda.stafa@welcome2theuk.com in the first instance and should include accurate details of the incident.  

An initial assessment of the data breach by the Data Protection Manager will include completion of the Data Breach Record form to ascertain as much information as possible about the incident in order to fully assess the impact of the data breach and determine actions required.  

Managing a Data Breach  

Step 1: Containment and Recovery  

1. The Data Protection Manager will ascertain the severity of the breach, whether any personal data is involved and whether the breach is still occurring.  
2. If the breach is still occurring, the Data Protection Manager will establish what steps need to be taken immediately to minimise the effect of the breach and contain the breach from further data loss (e.g. alert Welcome to the UK’s IT Technical support, restricting access to systems or close down a system etc).  
3. The CEO and/or Data Protection Manager will consider and implement appropriate steps required to recover any data loss where possible and limit damage caused (e.g. use of backups to restore data; changing passwords etc.)  
4. The Data Protection Manager will inform the Chair of Trustees if the severity and likely impact of the breach deems it necessary to inform the ICO of the breach. At the same time, depending on the nature of the breach, the Data Protection Manager may seek expert or legal advice and/or the Police if it is believed that illegal activity has occurred or likely to occur.  
5. Where a significant breach has occurred, the CEO and/or Data Protection Lead will inform the ICO within 72 hours of the discovery of the breach (see Notifications below).  
6. The decision taken as to the reasons why a data breach is either reported or not reported is documented by the Data Protection Manager.  
7. All the key actions and decisions are fully documented and logged in our Data Security Breach Log.  

Step 2: Assessment of Risk  

Further actions may be needed beyond immediate containment of the data breach. To help Welcome to the UK to determine the next course of action, an assessment of the risks associated with the breach is undertaken to identify whether any potential adverse consequences for individuals are likely to occur and the seriousness of these consequences. The Data Protection Manager will consider the points arising from the following questions:  

1. What type and volume of data is involved?  
2. How sensitive is the data? Could the data breach lead to distress, financial or even physical harm?
3. What events have led to the data breach? What has happened to the data?  
4. Has the data been unofficially disclosed, lost or stolen? Were preventions in place to prevent access/misuse? (e.g. encryption)  
5. How many individuals are affected by the data breach?  
6. Who are the individuals whose data has been compromised?  
7. What could the data tell a third party about the individual? Could it be misused regardless of what has happened to the data?  
8. What actual/potential harm could come to those individuals? E.g. physical safety; emotional wellbeing; reputation; finances; identity theft; one or more of these and other private aspects to their life  
9. Are there wider consequences to consider?  
10. Are there others that might advise on risks/courses of action (such as banks if individual’s bank details have been affected by the breach)?    

Step 3: Notification of Breaches  

If the severity and likely impact of the breach warrants notifying the ICO, then we will notify the ICO within 24 hours of becoming aware of the essential facts of the breach (through the ICO’s online portal at https://report.ico.org.uk/security-breach/).  This notification will include at least:  

• Our organisation name and contact details  
• The date and time of the breach (or an estimate)  
• The date and time we discovered it  
• Basic information about the type of breach  
• Basic information about the personal data concerned.  

As we undertake a full investigation of the details of the breach, within 3 days of the initial notification, we will further provide the ICO with full details of the incident, the number of individuals affected and its possible effect on them, the measures taken to mitigate those effects, and information about our notification to the individuals affected.  

There may be instances when the nature of the breach and the individual(s) affected may necessitate notifying third parties such as regulatory bodies, agencies, professional bodies as part of the initial containment.  

If the breach is likely to adversely affect the personal data or privacy of our members, staff, volunteers and/or trustees, we will notify them of the breach without unnecessary delay if we cannot demonstrate that the data was encrypted (or made unintelligible by a similar security measure). We will inform them of:  

• The estimated date of the breach  
• A summary of the incident  
• The nature and content of the personal data  
• The likely effect on the individual(s)  
• Any measures we have taken to address the breach  
• How those affected can mitigate any possible adverse impact  

Step 4: Evaluation and Response  

When Welcome to the UK’s response to a data breach has reached a conclusion, the Data Protection Manager will undertake a full review of both the causes of the breach and the effectiveness of the response. The full review is reported to the Trustee Board for information and discussion as soon as possible after the data breach has been identified.  

If through the review, systematic or ongoing problems associated with weaknesses in internal processes or security measures have been identified as a cause of the data breach, then appropriate action plans will be drafted, actioned and monitored to rectify any issues and implement recommendations for improvements. The Governing Board will be party to discussions regarding action plans and be able to monitor progress against the actions appropriately.  

If a breach warrants a disciplinary investigation, legal advice will be sought through Human Resources channels.  

Implementation of these Procedures  

The Data Protection Manager will ensure that staff are aware of these procedures for reporting and managing data breaches. Data Protection training for all staff is mandatory, including new employees and all staff will undertake refresher training annually.  

If staff have any queries or questions relating to these procedures, they should discuss this with the Headteacher and/or Data Protection Manager.  

Complaints about our Data Breach Management Procedure

If an individual or Data Subject affected by a data breach believes that a data breach has not been dealt with properly, a complaint should be made to Welcome to the UK through our normal complaints procedure. If following the conclusion of the complaints procedure within the charity, the individual or Data Subject is still dissatisfied, then a complaint can be made directly to the Information Commissioner’s Office (ICO) at https://ico.org.uk/concerns.

This policy was created on 18th July 2023. This policy will be reviewed annually, checked against changes in legislation and guidance and presented to trustees for approval. Next review date: June 2026.

Aline Clayson

4th June 2025