Data Protection Policy
Last updated: May 2026
1. Introduction
Kids After Hours Foundation Limited ("we", "us", "our", or "Foundation") is committed to protecting personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. This Data Protection Policy outlines our commitment to data protection and explains how we implement data protection principles in our operations.
This policy applies to all personal data processed by the Foundation, whether collected from individuals, organisations, or other sources. It covers data protection in all areas of our operations, including fundraising, service delivery, and website management.
2. Data Protection Principles
We are committed to upholding the following data protection principles in accordance with the GDPR:
2.1 Lawfulness, Fairness, and Transparency
We process personal data lawfully, fairly, and transparently. We only process personal data where we have a valid legal basis to do so, and we provide clear information about how we use data.
2.2 Purpose Limitation
We collect personal data for specified, explicit, and legitimate purposes. We do not process data for purposes incompatible with the original purpose without obtaining additional consent or a legal basis.
2.3 Data Minimisation
We collect only the personal data that is necessary and relevant for the purposes for which it is being processed. We do not collect excessive or unnecessary data.
2.4 Accuracy
We ensure that personal data is accurate and kept up to date. We take reasonable steps to correct or delete inaccurate data and provide individuals with the opportunity to correct their own data.
2.5 Storage Limitation
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected or as required by law. We have established retention schedules for different types of data.
2.6 Integrity and Confidentiality
We process personal data securely and implement appropriate technical and organisational measures to protect data against unauthorised access, alteration, disclosure, or destruction.
2.7 Accountability
We are responsible for demonstrating compliance with data protection principles. We maintain records of our data processing activities and can provide evidence of our compliance.
3. Data Protection Governance
The Foundation has established data protection governance structures to ensure compliance with data protection laws:
3.1 Data Protection Responsibility
The Foundation's management is responsible for ensuring that data protection principles are implemented across all operations. All staff members are responsible for handling personal data in accordance with this policy and applicable laws.
3.2 Data Protection Training
All staff members who handle personal data receive training on data protection principles, legal requirements, and best practices. Training is provided to new staff and updated regularly.
3.3 Data Protection Impact Assessments
The Foundation conducts Data Protection Impact Assessments (DPIAs) for new processing activities that may pose a high risk to individuals' rights and freedoms.
4. Legal Bases for Processing
The Foundation processes personal data on the following legal bases:
- Consent: When individuals have explicitly consented to the processing of their personal data
- Contract: When processing is necessary to fulfil a contract with the individual
- Legal Obligation: When the Foundation is required by law to process personal data
- Vital Interests: When processing is necessary to protect the vital interests of an individual
- Public Task: When processing is necessary for the Foundation to perform a task in the public interest
- Legitimate Interests: When processing is necessary for the Foundation's legitimate interests or those of a third party
5. Data Subject Rights
The Foundation recognises and respects the rights of data subjects under the GDPR. Individuals have the right to:
- Request access to their personal data
- Request correction of inaccurate personal data
- Request deletion of their personal data
- Request restriction of processing of their personal data
- Request portability of their personal data
- Object to processing of their personal data
- Not be subject to automated decision-making
Requests to exercise these rights should be submitted to the contact information provided below. The Foundation will respond to requests within 30 days or provide a reasonable explanation for any delays.
6. Data Security
The Foundation implements appropriate technical and organisational security measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of personal data in transit and at rest
- Access controls and authentication mechanisms
- Regular security audits and vulnerability assessments
- Secure disposal of personal data
- Incident response and breach notification procedures
7. Data Breach Notification
In the event of a personal data breach that poses a risk to the rights and freedoms of individuals, the Foundation will notify affected individuals and the relevant supervisory authority without undue delay, and in any case within 72 hours of becoming aware of the breach.
Breach notifications will include information about the nature of the breach, the data involved, likely consequences, and measures taken or proposed to address the breach.
8. International Data Transfers
The Foundation primarily operates within the United Kingdom and processes personal data in accordance with UK data protection laws. If personal data is transferred outside the UK, the Foundation ensures that appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.
9. Third-Party Data Processors
When the Foundation engages third-party data processors, we ensure that they are bound by appropriate data protection obligations through Data Processing Agreements. We conduct due diligence on processors to ensure they meet our data protection standards.
10. Data Retention and Disposal
The Foundation maintains a data retention schedule that specifies how long different categories of personal data are retained. Personal data is retained only for as long as necessary and is securely disposed of when no longer required.
Retention periods include:
- Appointment booking data: 1 year
- Donation and sponsorship enquiry data: 2 years
- Website analytics data: 26 months
- Financial records: 6 years (as required by law)
11. Children's Data Protection
The Foundation takes special care to protect the personal data of children. We do not knowingly collect personal data from children under the age of 13 without parental consent. When collecting data from children, we provide age-appropriate privacy information and obtain verifiable parental consent where required.
12. Policy Review and Updates
This Data Protection Policy is reviewed regularly and updated as necessary to reflect changes in data protection laws, regulatory guidance, or the Foundation's practices. Material changes will be communicated to affected individuals.
13. Contact Information
For questions about this Data Protection Policy or to exercise your data protection rights, please contact:
Kids After Hours Foundation Limited
Email: [email protected]
Registered Office: 22 Pembrey Gardens, Wolverhampton WV2 2AL
Company Number: 17089762
Kids After Hours Foundation Ltd is a company limited by guarantee and operates as a not-for-profit organisation.
If you have concerns about how the Foundation handles your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent authority for data protection.