Data Protection Policy


Friends & Families of Special Children recognises that the Data Protection Act 2018 places responsibilities on staff and volunteers who deal with personal information stored or processed within any medium (paper, computer, tape etc.). Friends & Families of Special Children is committed to ensuring that it always acts lawfully when using such data, does not abuse this privilege and places the protection of the individual at the centre of its thinking.

Friends & Families of Special Children needs to keep certain information about its employees, volunteers and service users to allow it, for example, to provide information and advice; monitor and evaluate service performance; recruit and pay staff; comply with statutory and legal obligations to funding bodies and Government; regulate the use of facilities; administer finance; and ensure adherence to health & safety and other legally enforceable compliance issues. In order to comply with the law, such information must be collected and used fairly, stored safely and securely, and not disclosed unlawfully to any third party. This policy enables Friends & Families of Special Children and its employees and volunteers to operate effectively and lawfully within the Data Protection Act 2018.

Staff are reminded that, as part of their terms and conditions of employment, they agree to work within Friends and Families of Special Children’s policies and procedures. Failure to do so may result in disciplinary action, up to and including termination of employment or, if subcontracted or seconded, the cancellation of the service agreement. Volunteers must also work within this policy.


We will:

  • seek to ensure that all those within the scope of this policy understand and comply with all current Data Protection legislation relevant to their roles;
  • put effective systems in place for monitoring and evaluating Data Protection policy;
  • address concerns where it fails to meet these standards.


  1. The Chair of Trustees, who is the Data Protection Controller under the Data Protection Act 2018, retains overall responsibility for the implementation of this policy.
  2. The Administrator, who is the Designated Data Controller, is responsible for collection, storage, processing and good practice, and will also review and update this policy.
  3. Trustees/Directors and Line Managers are responsible for implementing this policy.
  4. All staff & volunteers are required to adhere to this policy. 



All Friends & Families of Special Children staff and volunteers will process data appropriate to the requirements of the Data Protection Act 2018, will protect it and prevent disclosure to unauthorised third parties.

Project Co-ordinators and Line Managers:

All co-ordinators and line managers will ensure that staff and volunteers are aware of data protection and understand their obligations.

All Staff and Volunteers: 

  • Ensure that consent for the processing of personal data is obtained.
  • Ensure that express consent for the processing of sensitive data is applicable
  • Ensure opinions and intentions are based on fact and can be backed up with evidence
  • Ensure that procedures are reviewed and amended so that only authorised personnel have access to personal data, that data is held securely and not held for longer than is necessary
  • Ensure knowledge of the procedure for a subject access request, so that data subjects may be advised of that procedure
  • Do not transfer data out of the European Economic Area unless consent of the data subject has been expressly obtained for this purpose
  • Include an appropriate data protection clause on all recruitment, questionnaires and any other data collection literature and such legal contracts and correspondence with third parties/service providers who may be processing data
  • If in any doubt about any point, contact the Designated Data Controller. 

All data will:

  • be obtained and processed fairly and lawfully;
  • be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose;
  • be adequate, relevant and not excessive for that purpose;
  • be accurate and kept up to date;
  • not be kept longer than is necessary for that purpose;
  • be kept safe from unauthorised access, accidental loss or destruction;
  • not be transferred to a country outside the European Economic Area unless that country has equivalent levels of protection for personal data. 


The Designated Data Controller will put effective monitoring and evaluation of data protection practices in place and will ensure that all new staff and volunteers receive appropriate training in the requirements and practices of the Data Protection Act 2018 within the probation period for the appointment. There will be an ongoing training programme for existing staff and volunteers. Training will cover:

  • Data Protection principles
  • Sensitive and non-sensitive information
  • Consent
  • Disclosure
  • Monitoring procedures

Continued effective legal use of data will be supported by:

  • inclusion of this policy in hard and electronic compilation of Guild policies
  • reiteration of legal responsibilities to staff annually
  • service co-ordinators and line managers will monitor policies and practices within their areas of responsibility and conformity.



  • The Human Rights Act 1998
  • Freedom of Information Act 2000
  • Electronic Communications Act 2000
  • Telecommunications [(Lawful Business Practice) (Interception of Communications)] Regulations 2001


  • The Data Protection Act 2018 – an introduction