Our Confidentiality and Data Protection Policy & Practice

1. Controlling and Processing Data

Under the U.K. General Data Protection Regulations (U.K GDPR) 2021, organisations must identify who controls and who processes the data. 

Our Data Controllers determine what data / information to collect and how to collect it. At SMA UK, these decisions are made on behalf of our trustees by the managers of the Support Services and Fundraising Teams.

Our Data Processors process the data on behalf of the controllers. At SMA UK, all staff process data / information that will enable them to carry out their duties. What they process will depend on their role. Other Data Processors are BlackBaud, Mail Chimp and Survey Monkey. Data is stored on a secure server run by BlackBaud who are an industry recognised IT support organisation. Blackbaud run the system and provide security and updates so that our database system works effectively. Mail Chimp and Survey Monkey are pieces of external software that holds email addresses and supports the processing of our electronic newsletter and surveys. All the email addresses held on the software are secure and only available to specified employees of SMA UK.

You can see a summary of what we hold and a Data Flow Analysis Flow Analysis here:

Appendix 1 Data Flow Diagram
Appendix 2 Data Flow Analysis

We hope this policy will help you understand more about how we comply with the GDPR:

2. Protecting Individual Privacy

We believe that respecting and protecting a person’s privacy is of the utmost importance. We apply the principles of the UK General Data Protection Regulations (U.K GDPR) that came into effect on 1st January 2021, the Data Protection Act 2018, the Freedom of Information Act 2000 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) across all our activities. For Data received from the E.U. before 1st January 2021 we also apply the E.U. General Data Protection Regulations (E.U. GDPR).

The principles of the above Acts and Regulations apply across all our activities. How we implement these principles varies depending on the activity e.g. the provision of an information and support service; a fundraising initiative; the recruitment and supervision of employees and volunteers; Trustee business. Team managers are responsible for their implementation and monitoring and report to the Board as required.

The GDPR principles and how we practise them follow:

2.1 Processed lawfully, fairly and transparently

We must have legitimate grounds for collecting and using personal data and be transparent about how the information will be used. People’s personal data must be handled only in ways they would reasonably expect us to use it. This includes giving individuals clear statements about how we use and protect their information. Individuals have a right to ask for a copy of the information we hold about them in our records. Please see:

Appendix 3 Our Privacy Notices
Appendix 4 Lawful Processing
Appendix 5 Support Services Practice

2.2 Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

We must be clear why we are collecting personal data and what we intend to do with it. We must ensure that if we wish to use or disclose the personal data for any purpose which is different or additional to the original purpose, then the new use is agreed as fair by the owner of the information and / or a senior colleague. Please see:

Appendix 3 Our Privacy Notices
Appendix 6 What information do we share, when and how?

2.3 Adequate, relevant and limited to what is necessary

Any personal data we hold about an individual must be sufficient for the purpose for which we hold it. We must not hold more information than we need. Please see:

Appendix 3 Our Privacy Notices
Appendix 5 Support Services Practice

2.4 Accurate and, where necessary, kept up to date

We must take reasonable steps to ensure that personal data obtained is correct and not misleading and consider whether or when it is necessary to update the information. Please see:

Appendix 3 Our Privacy Notices
Appendix 5 Support Services Practice
Appendix 7 Your rights over your information

2.5 Retained for as long as necessary. Can be archived for statistical purposes but must protect the rights of the individual  

We must keep under review the length of time we hold personal data. This may be for longer in some cases than others depending on the purpose for which the data was obtained. We must regularly review personal data and delete in a secure way information that is no longer needed. 

Individuals may at any time request that their personal information is removed. Such requests should be responded to promptly. All database entries should be deleted in a secure manner and hard copy information should be shredded. Please see:

Appendix 3 Our Privacy Notices
Appendix 8 How long are records kept?

2.6 Processed in an appropriate manner to maintain security. Ensures against loss, damage or destruction

We must have appropriate security systems and practices that prevent personal data we hold being accidentally or deliberately compromised.  Please see:

Appendix 9 Our Security Systems and Practices

3. Data Protection by Design and Default and Risk Assessments of new projects

Article 25 of the GDPR outlines that all systems for data processing and storage are subject to assessment of Data Protection by Design and Default. You can read more about what this entails in appendix 10. The practical implementation of how we do this is described in this policy. Additionally, all new projects are risk assessed following the risk assessment process outlined appendix 11.

Appendix 10 Data Protection by Design and Default
Appendix 11 Data Protection Impact Assessment

4. Protecting the interests of SMA UK

Employees and trustees must not disclose to any un-authorised person any confidential information about the interests or business of the charity, its staff, trustees, beneficiaries, funders or other partners.

A non-exhaustive list of the information which SMA UK considers confidential, unless such information is already legitimately in the public domain, includes information held in relation to:

  • Funding applications, grant applications, joint ventures, project initiatives, strategic plans etc.
  • Finances
  • Security arrangements
  • Individual salaries or other confidential information relating to contracts of employment.

When employees or trustees leave SMA UK, they must immediately return any files, documents reference books and other papers relating directly or indirectly to the charity or its staff, beneficiaries, funders or other partners. Any emails and electronic documents relating to the organisation should be deleted from personal computers.

Employees and trustees must be particularly alert to requests from the press or other media and should refer such requests to the Support Services and Fundraising Managers before disclosing any information in response to such enquiries.

Confidential and sensitive information is restricted to those who need the information in the course of their work for the organisation. Any restricted information must not be disclosed to anyone else, whether inside or outside the charity. Restricted information, whether communicated orally, electronically or in writing should always be identified as ‘Confidential’ and where appropriate ‘for (recipient’s) eyes only'. Such information might include:

  • Proposals or plans for the future
  • Special forthcoming events or projects before they have been announced
  • Financial and statistical information
  • Sensitive business information
  • Sensitive personal information
  • Information relating to employees, volunteers and staff including applicants for positions, leavers or joiners prior to any public announcement.

5. Summary of General Rules – Staff, Trustees and Volunteers

All employees, turstees and any volunteers are required NOT to:

  • Leave confidential information (in paper or electronic form) where it is easily visible in the office or elsewhere. THINK PRIVACY!
  • Use computer software or programmes or any electronic equipment unless they are authorised by SMA UK
  • Give any press interviews or statements on or off the record without first discussing this with the SMA UK's managers
  • Write personal letters on SMA UK’s headed paper or under SMA UK’s banner
  • Discuss with others the business of other service users, volunteers, staff, trustees or funders except as strictly required by their job.
  • Conduct confidential conversations (including over the phone) where they may be overheard

Employees and trustees, whether paid or unpaid, who leave the charity will continue to be bound by their obligations of confidentiality even after the termination of their SMA UK post, whatever the reason.

Nothing in this policy will prevent an individual from making a ‘protected disclosure’ within the meaning of the Public Interest Disclosure Act 1998 (i.e. a legitimate, good faith ‘whistleblowing’ disclosure)

Breaches of this policy by employees will be dealt with through the SMA UK’s disciplinary procedures. Breaches by trustees will be dealt with under the process laid down in the trustee code of conduct.

Very occasionally we may introduce a volunteer who has been carefully recruited and received training from our Shared Experiences Coordinator directly to support another member of the SMA community. Training includes the topics of confidentiality and boundaries. They know not to share the personal details of the person / family they are supporting, nor the contents of any conversations and Emails, nor to leave any confidential information (in paper or electronic form) where it is easily visible. They know that this applies during their time as a volunteer supporter and thereafter as well. They know to always check that they have the person’s specific permission before they discuss or do anything on their behalf.  If they have any doubts, they know to ask the Shared Experiences Coordinator, who is there in an ongoing support role, or any member of the Support Services team for guidance.  

Volunteers also know that safeguarding of children and adults at risk takes priority over confidentiality. 

6. Data Breaches  

If a Data Breach Occurs a risk assessment is made immediately, recorded and addressed using our Security Concern or Data Breech Notification Form Appendix 12 using the guidelines laid out in Appendix 12a or 12 b

Appendix 12 Security Concern or Data Breach Notification Form
Appendix 12a Risk Assessment process for the Security of Data
Appendix 12b Risk Assessment process for a Data Breach

7. Making our confidentiality and data protection policy known

All staff and trustees are given a copy of this policy and, where appropriate, any relevant implementation guidelines, when they join the Trust. They have an opportunity for discussion with their manager or mentor.

Anyone visiting our website can read a short summary of how this policy impacts on them when they read our Privacy Notices.

Appendix 1 Data Flow Diagram

Appendix 2 Data Flow Analysis

Appendix 3 Our Privacy Notices

Appendix 4 Lawful Processing

Appendix 5 Support Services Practice

Appendix 6 What information do we share, when and how?

Appendix 7 Your rights over your information

Appendix 8 How long are records kept?

Appendix 8a Buzzacot retention of accounting records

Appendix 9 Our Security Systems and Practices

Appendix 9a OGL Certificates

Appendix 9b Datto Cloud

Appendix 10 Data Protection by Design and Default

Appendix 11 Data Protection Impact Assessment Proforma

Appendix 12 Security Concern or Data Breach Notification

Appendix 12a Risk Assessment process for Data Security

Appendix 12b Risk Assessment process for Data Breach

Appendix 13 House of Lords Bill March 2018 Amendment 83

Last reviewed and updated April 2021.