Privacy policy

FoodBanked Privacy Policy v1.0

Date: 29/03/2023

Contents

1. Introduction
2. Definitions
4. Principles of the UK-GDPR
5. Lawful Processing
5.1 By Consent
5.2 By Contract
5.3 By Legal Obligation
5.4 Legitimate Interest
6. Individual Rights
6.1 The right to be informed
6.2 The right of access
6.3 The right to rectification
6.4 The right to erase {The right to be forgotten}
6.5 The right to restrict processing
6.6 The right to data portability
6.7 The right to object
6.8 Rights in relation to automated decision making and profiling
7. Operational Policies & Procedures – The Context
8. Personnel
8.1 Data Protection Officer
8.2 Data Controller
8.3 Data Processor
8.4 Access to Data
9. Collecting & Processing Personal Data
10. Information Technology
10.1 Data Protection by Design/Default
10.2 Data Processing Equipment
10.3 Data Processing Location
10.4 Data Backups
10.5 Obsolete or Dysfunctional Equipment
11. Data Subjects
11.1 The Rights of Data Subjects
11.2 Rights of Access, Rectification and Erasure
11.3 Right of Portability
11.4 Data Retention Policy
12. Privacy Impact Assessment
12.1 Trustees’ Data
12.2 Volunteers’/Members’ Data
12.3 Supporters’ & Enquirers’ Data
13. Third Party Access to Data
14. Data Breach
15. How to Complain

 

 

 

 

 


 

 

 

 

 

1. Introduction

Under the United Kingdom General Data Protection Regulations (UKGDPR) FoodBanked is required to comply with the UK-GDPR and undertakes to do so. Throughout this policy document, numbers prefixed by “Art:” in brackets (eg: {Art:5}) refer to the relevant Article(s) in the UK-GDPR, as modified by the Keeling Schedule.

2. Definitions

The definitions of terms used in this policy are the same as the definitions of those terms detailed in Article-4 of the UK-GDPR.

Data Subject

A data subject is an identifiable individual person about whom FoodBanked holds personal data. For the purposes of FoodBanked, the data subject will be Persons In Need (PIN) that voluntarily sign up to the services FoodBanked provides and

3. Contact Information

Name: FoodBanked
Address: 114 Queenborough Gardens, ILFORD, IG2 6YB
Phone Number: 07846442750
E-mail: info@foodbanked.org.uk
Website: www.foodbanked.org.uk

4. Principles of the UK-GDPR

{Précised from Art:5}

The FoodBanked will ensure that all personal data that it holds will be:

a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

 

 

 

 

 


 

 

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the UK-GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

5. Lawful Processing

{Précised from Art:6}

FoodBanked will obtain, hold and process all personal data in accordance with the UK-GDPR for the following lawful purposes. In all cases the information collected, held and processed will include Contact Information (as defined in 0 above).

5.1 By Consent

People who are interested in, and wish to be kept informed of, the activities of FoodBanked:

a) Subject to the person’s consent, this may include information selected and forwarded by FoodBanked on activities by other organisations which are relevant to those of FoodBanked.
Note: this will not involve providing the person’s personal data to another organisation.
b) The information collected may additionally contain details of any particular areas of interest about which the person wishes to be kept informed.
c) The information provided will be held and processed solely for the purpose of providing the information requested by the person.

5.2 By Contract

People who sell goods and/or services to, and/or purchase goods and/or services from FoodBanked.

The information collected will additionally contain details of:

a) The goods/services being sold to, or purchased from FoodBanked;
b) Bank and other details necessary and relevant to the making or receiving of payments for the goods/services being sold to, or purchased from FoodBanked.

The information provided will be held and processed solely for the purpose of managing the contract between FoodBanked and the person for the supply or purchase of goods/services.

5.3 By Legal Obligation

People where there is a legal obligation on FoodBanked to collect, process and share information with a third party – eg: the legal obligations to collect, process and share with Law Enforcement where there is danger to life.

 

 

 

 

 


 

 

The information provided will be held, processed and shared with others solely for the purpose of meeting FoodBanked’s legal obligations.

5.4 Legitimate Interest

Volunteers, Including Trustees

In order to be able to operate efficiently, effectively and economically, it is in the legitimate interests of FoodBanked to hold such personal information on its volunteers and trustees as will enable FoodBanked to communicate with its volunteers on matters relating to the operation of FoodBanked, eg:

• the holding of meetings;
• providing information about FoodBanked’s activities – particularly those activities which, by their nature, are likely to be of particular interest to individual volunteers/trustees;
• organising regular community outreach sessions, which include but are not limited to the distribution of food and drink;
• seeking help, support and advice from volunteers/trustees, particularly where they have specific knowledge and experience;
• ensuring that any particular needs of the volunteer/trustee are appropriately and sensitively accommodated when organising meetings and other activities of FoodBanked.

6. Individual Rights

Note: The following clauses are taken primarily from the guidance provided by the Office of the Information Commissioner, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/

6.1 The right to be informed

{Précised from Arts: 12-14}

When collecting personal information FoodBanked will provide to the data subject, free of charge, a Privacy Policy written in clear and plain language which is concise, transparent, intelligible and easily accessible, containing the following information:

• Identity and contact details of the controller
• Purpose of the processing and the lawful basis for the processing
• The legitimate interests of the controller or third party, where applicable
• Categories of personal data; (Not applicable if the data are obtained directly from the data subject)
• Any recipient or categories of recipients of the personal data
• Details of transfers to third country and safeguards
• Retention period or criteria used to determine the retention period
• The existence of each of data subject’s rights
• The right to withdraw consent at any time, where relevant
• The right to lodge a complaint with a supervisory authority
• The source the personal data originates from and whether it came from publicly accessible sources (Not applicable if the data are obtained directly from the data subject)

 

 

 

 

 


 

 

In the case of data obtained directly from the data subject, the information will be provided at the time the data are obtained.

In the case that the data are not obtained directly from the data subject, the information will be provided within a reasonable period of FoodBanked having obtained the data (within one month), or, if the data are used to communicate with the data subject, at the latest, when the first communication takes place; or if disclosure to another recipient is envisaged, at the latest, before the data are disclosed.

6.2 The right of access

{Précised from Art:15}

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him/her are being processed, and, where that is the case, access to his/her personal data and the information detailed in FoodBanked’s Privacy Policy:

6.3 The right to rectification

{Précised from Art:16}

The data subject shall have the right to require the controller without undue delay to rectify any inaccurate or incomplete personal data concerning him/her.

6.4 The right to erase {The right to be forgotten}

{Précised from Art:17}

Except where the data are held for purposes of legal obligation (5.3) or public task the data subject shall have the right to require the controller without undue delay to erase any personal data concerning him/her.

Note: This provision is also known as “The right to be forgotten”.

6.5 The right to restrict processing

{Précised from Art:18}

Where there is a dispute between the data subject and the Controller about the accuracy, validity or legality of data held by FoodBanked the data subject shall have the right to require the controller to cease processing the data for a reasonable period of time to allow the dispute to be resolved.

6.6 The right to data portability

{Précised from Art:20}

Where data are held for purposes of consent or contract (5.1 or 5.2) the data subject shall have the right to require the controller to provide him/her with a copy in a structured, commonly used and machine-readable format of the data which he/she has provided to the controller, and have the right to transmit those data to another controller without hindrance.

6.7 The right to object

{Précised from Art:21}

a) The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him/her which is based on Public Task or Legitimate Interest, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

 

 

 

 

 


 

 

b) Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him/her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
c) Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
d) At the latest at the time of the first communication with the data subject, the right referred to in paragraphs a) and d) shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

6.8 Rights in relation to automated decision making and profiling

{Précised from Art:22}

Except where it is: a) based on the data subject’s explicit consent, or b) necessary for entering into, or performance of, a contract between the data subject and a data controller; the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her.

7. Operational Policies & Procedures – The Context

FoodBanked holds just a small amount of non-sensitive data on a small number of people.

The Trustees understand and accept their responsibility under the UK General Data Protection Regulation (UK-GDPR) to hold all personal data securely and use it only for legitimate purposes with the knowledge and approval of the data subjects.

By the following operational policies and procedures the Trustees undertake to uphold the principles and requirements of the UK-GDPR in a manner which is proportionate to the nature of the personal data being held by FoodBanked. The policies are based on the Trustees’ assessment, in good faith, of the potential impacts on both FoodBanked and its data subjects of the personal data held by FoodBanked being stolen, abused, corrupted or lost.

8. Personnel

8.1 Data Protection Officer

In the considered opinion of the Trustees the scope and nature of the personal data held by FoodBanked is not sufficient to warrant the appointment of a Data Protection Officer. Accordingly, no Data Protection Officer is appointed.

8.2 Data Controller

The Board of Trustees is the Data Controller for FoodBanked.

8.3 Data Processor

The Board of Trustees will appoint at least 1 and not more than 5 of its number, or other appropriate persons, to be the Data Processors for FoodBanked.

 

 

 

 

 


 

 

FoodBanked will not knowingly outsource its data processing to any third party (eg: Google G-Suite, Microsoft OneDrive) except as provided for in the section “Third Party Access to Data”.

See 9. below for details on our Data Processor.

8.4 Access to Data

FoodBanked shall have access to the personal data held by the Data Processor.

9. Collecting & Processing Personal Data

FoodBanked collects a variety of personal data commensurate with the variety of purposes for which the data are required in the pursuit of its charitable objects.

All personal data will be collected, held and processed in accordance with the relevant Data Privacy Notice provided to data subjects as part of the process of collecting the data.

A Data Privacy Notice will be provided, or otherwise made accessible, to all persons on whom FoodBanked collects, holds and processes data covered by the UK-GDPR.

The Data Privacy Notice provided to data subjects will detail the nature of the data being collected, the purpose(s) for which the data are being collected and the subject’s rights in relation to FoodBanked’s use of the data and other relevant information in compliance with the prevailing UK-GDPR requirements.

We currently collect and process the following information:

• First and Last Name, Ethnicity, Contact Number, Full Address, Email contacts, Dietary needs, Employment, Housing status and Financials including details of Benefits claimed

The information is collected and processed via ‘Typeform’, who is our Data Processor.

How we get the personal information and why we have it:

The data collected by FoodBanked is mainly provided directly by data subjects for the following reasons:

• A PIN will fill in the online form to request FoodBanked’s services.

FoodBanked uses the information data subjects have provided in order to identify those that are in need of FoodBanked’s charitable services and to deliver those services in line with FoodBanked’s objectives.

FoodBanked may share this information with other charities that may be able to provide additional assistance to the data subject where FoodBanked may not, or to Law Enforcement agencies where there is a legal obligation to do so or the need to protect life.

Under the UK General Data Protection Regulation (UK GDPR), the lawful bases FoodBanked relies on for processing personal data are:

(a) Data subject consent.
(b) Contractual obligation.
(c) We have a legal obligation.

 

 

 

 

 


 

 

 

 

 

10. Information Technology

10.1 Data Protection by Design/Default

Inasmuch as:

a) none of FoodBanked’s volunteer Trustees are data protection professionals;
b) it would be a disproportionate use of charitable funds to employ a data protection professional, given the scale and nature of the personal data held by the FoodBanked;

the Trustees will seek appropriate professional advice commensurate with its data protection requirement whenever:

c) they are planning to make significant changes to the ways in which they process personal data;
d) there is any national publicity about new risks (eg: cyber attacks);
e) any material changes to the UK-GDPR are proposed or have been made;

which might adversely compromise FoodBanked’s legitimate processing of personal data covered by the UK-GDPR.

Personal data will never be transmitted electronically (eg: by e-mail) unless securely encrypted.

10.2 Data Processing Equipment

The scale and nature of the personal data held by FoodBanked is not sufficient to justify FoodBanked purchasing dedicated computers for the processing of personal data.

Whilst the data will be processed on ‘Typeform’, to which the Data Processors have access, all interim working data transferred to such computers/laptops for processing will be deleted once processing has been completed.

10.3 Data Processing Location

Data Processors shall only process FoodBanked’s personal data in a secure location, and not in any public place, eg: locations where the data could be overlooked by others, or any removable data storage devices would be susceptible to loss or theft.

Computers/laptops in use for data processing will not be left unattended at any time.

10.4 Data Backups

To protect against loss of data by accidental corruption of the data or malfunction of a removable data storage device (including by physical damage), all FoodBanked’s personal data shall be backed up periodically and whenever any significant changes (additions, amendments, deletions) are made to the data.

Backup copies of the data shall be held in separate secure locations which are not susceptible to common risks (eg: fire, flood, theft).

As far as is reasonably practical, all files containing personal data covered by the UK-GDPR will be encrypted by the use of NCH-Meo, Kaspersky Vault or other comparable software.

The encryption keys will be held securely in a location which is separate from the data storage media.

10.5 Obsolete or Dysfunctional Equipment

(Disposal of Removable Storage Media)

 

 

 

 

 


 

 

Equipment used to hold personal data, whether permanently or as interim working copies, which come to the end of their useful working life, or become dysfunctional, shall be disposed of in a manner which ensures that any residual personal data held on the equipment cannot be recovered by unauthorised persons.

Inasmuch as:

a) this will be a relatively infrequent occurrence;
b) techniques for data recovery and destruction are constantly evolving;
c) none of the Trustees have relevant up-to-date expert knowledge of data cleansing;

equipment which becomes obsolete or dysfunctional shall not be disposed of immediately. Instead it will be stored securely while up-to-date expert advice on the most appropriate methods for its data cleansing and disposal can be sought and implemented.

11. Data Subjects

11.1 The Rights of Data Subjects

In compliance with the UK-GDPR, FoodBanked will give data subjects the following rights.

These rights will be made clear in the relevant Data Privacy Notice provided to data subjects:

• the right to be informed;
• the right of access;
• the right to rectification;
• the right of erasure {LO} (Also referred to as “The right to be forgotten”)
• the right to restrict processing;
• the right to data portability; {LO} {LI}
• the right to object; {SC} {Co} {LO}
• the right not to be subjected to automated decision making, including profiling.

The above rights are not available to data subjects when the legal basis on which FoodBanked is holding & processing their data are:

{SC} Subject Consent;
{Co} Contractual obligation
{LO} Legal Obligation
{LI} Legitimate Interest

11.2 Rights of Access, Rectification and Erasure

Data subjects will be clearly informed of their right to access their personal data and to request that any errors or omissions be corrected promptly.

Such access shall be given and the correction of errors or omissions shall be made free of charge provided that such requests are reasonable and not trivial or vexatious.

There is no prescribed format for making such requests provided that:

a) the request is made in writing, signed & dated by the data subject (or their legal representative);
b) the data claimed to be in error or missing are clearly and unambiguously identified;

 

 

 

 

 


 

 

c) the corrected or added data are clear and declared by the subject to be complete and accurate.

It will be explained to subjects who make a request to access their data and/or to have errors or omissions corrected, or that their data be erased, that, while their requests will be actioned as soon as is practical there may be delays where the appropriate volunteers or staff to deal with the request do not work on every normal weekday.

Where a data subject requests that their data be rectified or erased the Data Controller will ensure that the rectifications or erasure will be applied to all copies of the subject’s personal data including those copies which are in the hands of a Third Party for authorised data processing.

11.3 Right of Portability

FoodBanked will only provide copies of personal data to the subject (or the subject’s legal representative) on written request.

FoodBanked reserves the right either:

a) to decline requests for portable copies of the subject’s personal data when such requests are unreasonable (ie: excessively frequent) or vexatious;
or
b) to make a reasonable charge for providing the copy.

11.4 Data Retention Policy

Personal data shall not be retained for longer than:

a) In the case of data held by subject consent: the period for which the subject consented to FoodBanked holding their data;
b) in the case of data held by legitimate interest of FoodBanked: the period for which that legitimate interest applies. For example: in the case of data subjects who held a role, such as a volunteer, with the FoodBanked the retention period is that for which FoodBanked reasonably has a legitimate interest in being able to identify that individual’s role in the event of any retrospective query about it;
c) in the case of data held by legal obligation: the period for which FoodBanked is legally obliged to retain those data.

FoodBanked shall regularly – not less than every 6 months – review the personal data which it holds and remove any data where retention is no longer justified. Such removal shall be made as soon as is reasonably practical, and in any case no longer than 20 working days after retention of the data was identified as no longer justified.

12. Privacy Impact Assessment

12.1 Trustees’ Data

The volume of personal data is generally very low – less than 5 individuals

The sensitivity of the data is low-moderate: the most sensitive data being date of birth, names and addresses;

The risk of data breach is small as the data are rarely used, with the majority of the data being held for a combination of legal obligation and legitimate interest.

Overall impact: LOW

12.2 Volunteers’/Members’ Data

The volume of personal data is low – less than 20 individuals

The sensitivity of the data is low: the most sensitive data being name, e-mail address, and address;

 

 

The risk of data breach is small – primarily the accidental disclosure of names & e-mail addresses.

Overall impact: LOW

12.3 Supporters’ & Enquirers’ Data

The volume of personal data is low-moderate.

The sensitivity of the data is low: the most sensitive data being name, e-mail address, and address;

The risk of data breach is small – primarily the accidental disclosure of names & e-mail addresses.

Overall impact: LOW

13. Third Party Access to Data

Under no circumstance will FoodBanked share with, sell or otherwise make available to Third Parties any personal data except where it is necessary and unavoidable to do so in pursuit of its charitable objects as authorised by the Data Controller.

Whenever possible, data subjects will be informed in advance of the necessity to share their personal data with a Third Party in pursuit of FoodBanked’s objectives.

Before sharing personal data with a Third Party, FoodBanked will take all reasonable steps to verify that the Third Party is, itself, compliant with the provisions of the UK-GDPR and confirmed in a written contract. The contract will specify that:

• The FoodBanked is the owner of the data;
• The Third Party will hold and process all data shared with it exclusively as specified by the instructions of the Data Controller;
• The Third Party will not use the data for its own purposes;
• The Third Party will adopt prevailing industry standard best practice to ensure that the data are held securely and protected from theft, corruption or loss;
• The Third Party will be responsible for the consequences of any theft, breach, corruption or loss of the FoodBanked’s data (including any fines or other penalties imposed by the Information Commissioner’s Office) unless such theft, breach, corruption or loss was a direct and unavoidable consequence of the Third Party complying with the data processing instructions of the Data Controller
• The Third Party will not share the data, or the results of any analysis or other processing of the data with any other party without the explicit written permission of the Data Controller;
• The Third Party will securely delete all data that it holds on behalf of the FoodBanked once the purpose of processing the data has been accomplished.
• The FoodBanked does not, and will not, transfer personal data out of the UK.

14. Data Breach

In the event of any data breach coming to the attention of the Data Controller the Trustees will immediately notify the Information Commissioner’s Office.

In the event that full details of the nature and consequences of the data breach are not immediately accessible (eg: because Data Processors do not work on every normal weekday) the Trustees will bring that to the attention of the Information Commissioner’s Office and undertake to forward the relevant information as soon as it becomes available.

 

 

 

 

 


 

 

 

 

 

15. How to Complain

If you have any concerns about our use of your personal information, you can make a complaint to us at info@foodbanked.org.uk

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

 

Contact us

Please get in touch with us to see how we could support you.

Foodbanked is a registered charity : Charity No:1200267
