Data Protection Policy — SalamaNet C.I.C

Data Protection Policy

This policy sets out how SalamaNet C.I.C meets its obligations under UK GDPR and the Data Protection Act 2018, and the responsibilities of everyone who handles personal data on our behalf.

Last reviewed: January 2026
Next review: January 2027

1. Introduction

SalamaNet C.I.C processes personal data about service users, staff, volunteers, and other individuals in the course of our work. We are committed to handling all personal data lawfully, fairly, and transparently, in accordance with UK GDPR and the Data Protection Act 2018. This policy applies to all staff, volunteers, trustees, and contractors.

2. Data Protection Principles

  • Lawfulness, fairness, and transparency — data is processed on a valid legal basis and individuals are informed
  • Purpose limitation — data is collected for specified, explicit, and legitimate purposes and not further processed incompatibly
  • Data minimisation — only data that is adequate, relevant, and limited to what is necessary is collected
  • Accuracy — data is kept accurate and up to date; inaccurate data is corrected or deleted without delay
  • Storage limitation — data is kept no longer than necessary for its purpose
  • Integrity and confidentiality — data is protected against unauthorised access, loss, or destruction
  • Accountability — SalamaNet takes responsibility for compliance and can demonstrate it

3. Lawful Bases for Processing

We rely on the following lawful bases: consent (freely given, specific, informed, and unambiguous); contract (processing necessary to deliver a service); legal obligation (compliance with a statutory duty); and legitimate interests (where our interests are not overridden by the rights of the individual). We document our lawful basis for each processing activity.

4. Special Category Data

Some of the data we process is special category data under UK GDPR — including health information, ethnicity, and religion. We process this data only with explicit consent or where another specific condition under Article 9 applies. Special category data is subject to additional security controls and access restrictions.

5. Data Security

  • All personal data is stored on password-protected systems with appropriate access controls
  • Paper records containing personal data are stored in locked cabinets
  • Personal data is not transmitted by unencrypted email unless the individual has consented
  • All staff and volunteers receive data protection training before handling personal data
  • Data breaches are reported to the ICO within 72 hours where required

6. Data Retention

We maintain a data retention schedule that specifies how long each category of data is kept. In general, service user records are retained for seven years after the end of service; financial records for six years; and staff records for six years after employment ends. Data is securely deleted or destroyed at the end of its retention period.

7. Individual Rights

  • Right of access — you may request a copy of the personal data we hold about you (Subject Access Request)
  • Right to rectification — you may ask us to correct inaccurate data
  • Right to erasure — you may ask us to delete your data in certain circumstances
  • Right to restrict processing — you may ask us to limit how we use your data
  • Right to data portability — you may request your data in a structured, machine-readable format
  • Right to object — you may object to processing based on legitimate interests

8. Data Breaches

A personal data breach is any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. All suspected breaches must be reported immediately to the Data Protection Lead. We will assess the risk, take steps to contain the breach, and notify the ICO and affected individuals where required by law.

9. Responsibility and Accountability

The board of trustees has overall responsibility for data protection compliance. Day-to-day responsibility is delegated to the Data Protection Lead. All staff and volunteers are responsible for handling personal data in accordance with this policy. Breaches of this policy may result in disciplinary action.

Questions about this policy?

If you have any questions or concerns about this policy, please get in touch with our team.
