GDPR POLICY

MAHMUD SABIR MASJID

MAHMUDSABIR MASJID & ALFURQAN RELIEF TRUST 

REGISTERED CHARITY NUMBER 1197260

DATA PROTECTION POLICY

Version: 1.0

Approved by: THE BOARD OF TRUSTEES

Dated: 31 MAY 2024

Next review: 31 MAY 2026

1. Introduction

This policy explains how MAHMUD SABIR MASJID uses the personal information we collect from you when you register yourself or your children for any of our activities/services (such as classes, trips, etc.), donate to us, complete a Gift Aid form, or when we collect your or your children’s personal details for any legitimate purpose. By providing such information to MAHMUD SABIR MASJID, you are consenting to our use of your information in accordance with GDPR rules and equivalent UK laws as listed below. We may make changes to this policy, so please check our policy from time to time for any updates.

This data protection policy meets the legal requirements under the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR) and its equivalent.

2. Data Protection and Safeguarding

It should be noted that where there is a safeguarding concern in relation to a child or an adult with support and care needs, information can be shared lawfully within the parameters of the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). The law does not prevent the sharing of sensitive, personal information within or between organisations where the public interest served outweighs the public interest served by protecting confidentiality – for example, where a crime or abuse is suspected or may be prevented.

3. Our approach to data protection

We believe that data protection is about ensuring people can trust us as the data controller to use their data fairly and responsibly.

Data protection is the fair and proper use of information about people. It’s part of the fundamental right to privacy – but on a more practical level, it’s really about building trust between people and our organisation. It’s about treating people fairly and openly, recognising their right to have control over their own identity and their interactions with us.

4. Data Controller

A controller is the person that decides how and why to collect and use the data. A data controller has the responsibility of deciding how personal data are processed and protecting them from misuse or leaks. MAHMUD SABIR MASJID is the data controller for the personal data processed at our organisation.

We may receive personal data from individuals through the application process for enrolling in our services or activities, or in other ways. MAHMUD SABIR MASJID has appointed Mohammed Arshad Ahmed as the person responsible for processing data, whose duty is to ensure that all personal data are processed in compliance with this policy and the applicable laws. Mohammed Arshad may be contacted via email: Mahmudsabirmasjid@outlook.com or telephone 07821107072.

5. Definition of personal data

Personal data includes: any piece of information (for example, name, date of birth, home address, phone number, NHS number etc.) about a living individual (known as ‘data subject’) that can identify the data subject.

The living individual might be anyone, including a trustee, client, beneficiary, service user, employee, volunteer, child, adult, member, supporter, business contact, public official or member of the public.

Identification can be by a single piece of information alone or when combined with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by GDPR.

6. Meaning of “Processing” data

Almost anything we do with data counts as processing, including collecting, recording, storing, using, analysing, combining, disclosing or deleting it.

7. Our commitment

7.1 All personal information anyone gives to us will be processed in compliance with the Data Protection Act 2018 (DPA 2018), and the UK General Data Protection Regulation (UK GDPR).

7.2 MAHMUD SABIR MASJID will not disclose any information about you to anyone unless the law requires us to do so. We will do that in accordance with ‘access to information regimes’; these are primarily the Freedom of Information Act 2000, the Data Protection Act 1998 and the Environmental Information Regulations 2004.

8. Lawful basis

We collect and process personal data on a lawful basis. A lawful basis is the reason or legal grounds for using people’s personal data. There are six lawful bases:

  • consent;
  • contract;
  • legal obligation;
  • vital interests;
  • public task; and
  • legitimate interests.

9. The Information that we hold

  • Names, addresses, telephone numbers, e-mail addresses and other contact details.
  • Bank details and other financial information, e.g. about donors who give money for our charitable work or parents who pay fees for their children attending our classes, or payroll details for members of staff or volunteers claiming expenses.
  • Where appropriate, information about individuals’ health, allergies, social services involvement and contact details for next of kin.
  • References given or received about staff/volunteers or DBS checks, right to work information.
  • Academic and professional qualifications, previous experience and annual reviews of employees/volunteers.
  • Images of beneficiaries and other individuals engaging in our activities, and images captured by our CCTV system (in accordance with our policy on taking, storing and using images).

10. Sources of personal information

Individuals may give us personal information about themselves or their next of kin or their dependent children through different means such as

  • filling in forms in person or on our websites
  • subscribing to our publications, newsletters and updates about our activities and events
  • registering for or enquiring about our activities, events and services
  • registering to join our supplementary education service
  • contacting us through our websites
  • reporting problems with our websites
  • and other means.

11. The nature of your personal data we process

The categories of your personal data in our records are:

  • Registering your child to our supplementary education service or the activities we organise such as trips
  • Your child’s details, date of birth, age, name, health history, address
  • Your contact details, name, address history
  • Personal sensitive information, e.g. health conditions, ethnicity, social worker involvement
  • Staff employment/volunteering history, appraisal notes, DBS checks etc.

12. Why our use of your personal data is lawful

In order for our use of your personal data to be lawful, we need to meet one (or more) conditions in the data protection legislation. For the purpose of this work, the relevant conditions that we are meeting are:

  1. Explicit consent of the data subject so that we can keep you informed about our news, events, activities and services.
  2. Processing is necessary for carrying out legal obligations in relation to Gift Aid or under employment, social security or safeguarding law or any other lawful and rightful purpose.

13. How long we will keep your personal data

Please note that, under data protection legislation and in compliance with the relevant data processing conditions, we can lawfully keep personal data processed purely for research and statistical purposes indefinitely. The electronic storage system currently used means that data is never deleted but archived after five years and only securely deleted when requested by the relevant individual.

14. Reasons we can collect and use your personal information

  • To support learning
  • To safeguard children, adults, staff and volunteers
  • To monitor progress
  • To provide pastoral care
  • To be able to make health or social care referrals
  • To comply with the law

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another legitimate interest or reason and that reason is compatible with the original purpose.

15. Legitimate Interests

As mentioned above, we can, sometimes, use your personal information where this is necessary for our legitimate interests (or those of a third party). This includes where use of your personal information is necessary to:

  • ensure child safety, maintain safeguarding procedures, link up to other support services;
  • ensure we can contact you or your family in an emergency;
  • check you are legally entitled to work, manage performance, discipline, and promotion processes;
  • manage training and development requirements; 
  • deal with disputes, incidents and accidents and take legal or other professional advice; 
  • comply with another country’s laws and regulations;
  • ensure effective administration and management of your employment or engagement, benefits, management of the supplementary school, and business continuity;
  • ensure our assets are protected, kept confidential, and not used for inappropriate or unlawful purpose; 
  • prevent fraud or any crime and any other incidents that might bring the organisation into disrepute;
  • ensure network and information security.

If you would like further information on our legitimate interests as applied to your personal information, please contact our Data Protection Officer named above.

If there is processing or sharing that relies on your consent, we will make this clear to you and ensure we seek your consent.

16. Who we share your personal information with

  • Government officials working to improve outcomes for children and young people.
  • Commissioned providers of local authority services (such as education services).
  • Support organizations.
  • Local police services ensuring safety for children and the local community.
  • Charity Commission, local authority Designated Officer (for safeguarding purposes) team, safeguarding practitioners.
  • Local multi-agency forums that provide advice, support and guidance.

We will share personal information with law enforcement or other authorities only when allowed under law.

17. Your data protection rights

You have the right:

  • to ask us for access to information about you that we hold;
  • to have your personal data rectified, if it is inaccurate or incomplete;
  • to request the deletion or removal of personal data where there is no legitimate reason for its continued processing;
  • to restrict our processing of your personal data (i.e., permitting its storage but no further processing);
  • to object to direct marketing (including profiling) and processing for the purposes of scientific/historical research and statistics; and
  • not to be subject to decisions based purely on automated processing where it produces a legal or similarly significant effect on you.

If you need to contact us regarding any of the above, please do so via our Data Protection Officer named above.

18. Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We keep all data doubly secure. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

19. Withdrawal of consent and the right to lodge a complaint

Where we are processing your personal data with your consent, you have the right to withdraw that consent. If you change your mind, or you are unhappy with our use of your personal data, please contact our Data Protection Officer named above.

20. Contact Information

If you have any questions about how your personal information will be processed, please contact us via our Data Protection Officer named above.

Discussed at the Board of Trustees meeting on 31.05.24 and approved by the trustees.

This policy will be given to every employee and volunteer during their induction. Key extracts of this policy will be displayed at the premises used by the organisation and on its website.

All committee members/trustees, paid and voluntary staff, as well as interested service users, will be provided with basic awareness training in data protection at least once every two years.

This policy will be reviewed every two years or sooner if there is any breach of data protection or changes in law that require it to be reviewed.

Signed: M A Ahmed 

Name: M A Ahmed

Position: Chairperson

Date: 31.05.24