Role of the Board of Trustees
The Board of Trustees is responsible for the well-being of its members and share information about members. At present, the Board of Trustees includes professionals from deaf education. The information shared helps to identify the support required by members and can then offer initiatives such as transport, outreach projects and mentoring programmes. The Chair is the Senior Information Risk Owner and, at board level, oversees policies, culture and investigates complaints.
Role of the Data Controller
The Data Controller at Lollipop is the Service Manager. The Data Controller controls what data is collected, what it is used for and what to share. The Data Controller also ensures the data is up to date and is therefore the Information Asset Owner (IAO).
Role of the Data Processors
The Data Processors are the Office Administrator and the Activities Coordinator. They will process data under the instruction of the Data Controller.
Lollipop’s Eight Data Protection Principles are:
- Personal data must be processed fairly and lawfully
- Personal data must only be processed for one or more specified and lawful purposes
- Personal data must be adequate, relevant and not excessive for the stated purpose
- Personal data must be accurate and, where necessary, kept up to date
- Personal data must not be kept for longer than necessary to fulfil the lawful purpose
- The rights of individuals under the Data Protection Act (2002) and GDPR (2018) must be complied with
- There must be appropriate technical and organisational measures in place to ensure the security of the personal data
- Personal data must not be transferred to countries or territories outside the EEA without ensuring the security of the data and that the rights of the individuals are upheld
These principles determine how Lollipop processes information relating to its members.
To join Lollipop we ask parents/carers to complete a membership form and provide Lollipop with personal and, in some cases, sensitive data relating to health issues that would affect support at activities.
Personal data requested is: name and address of member and family members, telephone, email, date of birth, medical conditions, degree of hearing loss, hearing devices used and preferred method of communication.
Sensitive data is collected in cases where there are identified medical conditions that would affect leaders and volunteers support roles at activities. We ask families to complete Form 1 for health, care and additional needs information and Form 2 for medication information.
Form 1 asks for family contact details, GP/Clinical contact details, specific details on symptoms, additional needs, daily care requirements, what constitutes an emergency with this condition and what actions to take in an emergency.
Form 2 asks for medication details, the type of medication, when begun, dosage, precautions, side effects, administration and procedures in an emergency.
This information is required to ensure leaders and volunteers at activities can provide the appropriate support for members with health, care and additional needs and can administer or supervise medication appropriately for this with identified medication needs .
The membership form states that personal data will be:
- kept by Lollipop (York & District) for as long as the child is a member.
- stored securely on Lollipop’s intranet and password protected and will not be shared with other agencies or individuals without consent.
- kept so that Lollipop can contact members with information about activities and other Lollipop events and also so that we can adequately support children at Lollipop events.
The membership form also states that:
- If, at any future date, parents/carers or members wish to end Lollipop membership they will need to contact the Lollipop office.
- By signing the membership form they agree to receive Lollipop newsletters, Lollipop surveys and regular information about Lollipop activities and fundraising events.
- If contact details change, they must inform the office so that they can continue to receive invitations to activities.
- If medical conditions change, they must inform the office so that Lollipop can continue to provide appropriate support at activities.
Members also have the option to unsubscribe from mailchimp emails if they wish by choosing the unsubscribe option at the end of each mailchimp email.
Staff, Volunteer and Sessional Worker details:
Staff have access to personal and sensitive data about members. They are required to sign a confidentiality agreement, must be DBS checked before having access to this data on joining the charity and receive training and induction after appointment.
Staff ensure that personal and sensitive data is stored securely in the office and on the Lollipop intranet and that volunteers and sessional workers are only given access to data that is essential and relevant to them carrying out their work at Lollipop activities.
Volunteers and some sessional workers that will be given access to personal and sensitive data will sign a confidentiality agreement, be DBS checked and receive training and induction.
DBS details of staff, volunteers and sessional workers will only be kept while they are working at Lollipop and their details will be deleted from files once they have left the charity.
On joining Lollipop, staff details are requested on a HMRC starter checklist and an employee details form. The data is kept for communication and payroll requirements. These are: name, address, telephone, email, date of birth, bank account details and national insurance number. Sessional workers are asked for the same details except their national insurance number. Volunteers are asked for the same information except their national insurance number and their bank account details. Date of birth is required for the online DBS check.
Lollipop and the data Protection Act (2002) and GDPR (2018)
Lollipop is exempt from being required to register with the Office of the Data Protection Supervisor (ODPS) as its processing of personal data is only for:
- establishing and maintaining membership and support
- providing and administering activities for members
Rights and Complaints
Members and staff have the right to access their own personal data once satisfying Lollipop of their correct identification. They have the right to remove any data stored by Lollipop that is no longer relevant or up to date and to have all data removed from files once they have left the charity unless they give consent for it to be kept by Lollipop.
Members have the right to withdraw their membership and therefore remove all data from Lollipop files before the child reaches 20 years old when Lollipop membership automatically ends. They must contact the office and request a cancellation of their membership. Membership will automatically end on a member’s 20th birthday.
If any members, staff, volunteers or sessional workers have a complaint regarding data handling, they should send their complaint in writing to the Senior Information Risk Owner (Chair of Trustees) c/o Lollipop, Minster Building, 84 Lowther Street, York, YO31 7LX
For further information on data protection, Lollipop can contact:
PO Box 69,