Data Protection Policy


Chinthawa Development Trust needs to gather and use certain information about individuals to fulfil its purpose(s) and acts as a Data Controller as defined by legislation.

This policy describes how this personal data will be collected, handled and stored to meet the Organisation’s data protection standards and to comply with legal requirements.

This data protection policy ensures Chinthowa Development Trust:

  • Complies with data protection law and follows good practice
  • Protects the rights of staff, volunteers, sponsors and donors
  • Provides clarity about how it stores and processes personal data
  • Protects against the risks of a data breach.

This policy applies to all activities conducted by Chinthowa Development Trust and all persons working on its behalf involving any and all data relating to identifiable individuals.

Data Protection Law

This policy is based upon the UK Data Protection Act 1998 and the General Data Protection Regulation (GDPR) which operates within EU Regulation 2016/679. These provide a robust model for Data Protection and Privacy compliance and apply regardless of whether data is stored electronically, on paper or on other materials.  To comply with the law, personal data must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act was underpinned by eight important principles. These say that personal data must:

  • Be processed fairly and lawfully
  • Be obtained only for specific, lawful purposes
  • Be adequate, relevant and not excessive
  • Be accurate and kept up to date
  • Not be held for any longer than necessary
  • Processed in accordance with the rights of data subjects
  • Be secured and protected in appropriate ways
  • Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection

Article 5 of the GDPR clarified these requirements by stipulating that personal data shall be:

  • processed lawfully, fairly and in a transparent manner in relation to individuals;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historicalresearch purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; (although personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals); and
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.


The following definitions apply within this document:

Breach – The unlawful disclosure, loss or destruction of personal data being processed.

Consent – Freely given, unambiguous statement indicating a data subject’s wishes agreeing to the processing of specified personal data relating to himself or herself.

Data Controller – An organisation or person determining the purposes and means of processing personal data.

Data Owner – The person to whom the management of purposes and means of processing personal data may be delegated by the data processing officer.

Data Processing Officer – The person appointed by a data controlling organisation to determine the purposes and means of processing personal data.

Data Processor – Personal or third party agent processing data on behalf of a data controller.

Data Protection – The process of safeguarding personal data from unauthorised or unlawful disclosure, access, alteration, processing, transfer or destruction.

Data Subject – The identified or identifiable living person to which personal data refers.

Personal Data – Any information relating to a living person from which they can be directly or indirectly identified.

Processing – Collection, recording, storage, retrieval, alteration, copying, consultation, transmission, dissemination, archiving or deletion of personal data in any form.

Special Categories – Specified sensitive personal data.

Data Subject GDPR Rights

Every Data Subject has Data Protection Rights under the Regulations. There include:

The right to be informed

Chinthowa Development Trust must provide Data Subjects with various pieces of information about the data processing activities carried out with their personal data, in a concise, transparent, intelligible and easily accessible manner and without charge.

The right of access

Chinthowa Development Trust must provide Data Subjects with confirmation their data is being processed and access to their personal data within one month of receipt of a request for such access. This must be without charge unless the request is ‘manifestly unfounded or excessive’.

The right to rectification

Chinthowa Development Trust must provide Data Subjects with rectification of their personal data if it is inaccurate or incomplete, within one month of receipt of such a request.

The right to be forgotten

Chinthowa Development Trust must provide Data Subjects with the right to withdraw consent for their data to be processed and to be removed from records.

The right to object

Chinthowa Development Trust must provide Data Subjects with the right to object, or challenge, the use of their personal data if held under grounds other than their consent. In such cases the use of that data must be ceased unless processing the personal data unless compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual, can be demonstrated or the processing is for the establishment, exercise or defence of legal claims.

The right to restrict processing

Chinthowa Development Trust must provide Data Subjects with the right to restrict processing in certain defined circumstance including the suspension of processing whilst requests for other rights are being processed or the delay of disposing records beyond their retention period because of a Data Subject’s need for them to be retained.


The trustees and Data Protection Officer of Chinthowa Development Trust has responsibility for ensuring any personal data is collected, stored and handled in accordance with this policy and data protection principles.

The Trustees are ultimately responsible for ensuring that the Chinthowa Development Trust meets its legal obligations.

The Data Protection Officer is responsible for:

  • Monitoring compliance with data processing legislation and this policy;
  • Regular review and maintenance of this policy and all related procedures;
  • Updating the trustees regarding data protection responsibilities, risks and issues;
  • Arranging data protection training and familiarity with this policy, as required, for trustees and volunteers and anyone else covered by this policy;
  • Handling data protection questions from trustees and anyone else covered by this policy;
  • Dealing with ‘subject access requests’ from individuals to see the data Chinthowa Development Trust holds about them;

The Data Protection Officer is responsible for:

  • Ensuring all systems, services and equipment used for storing data meet acceptable security standards, inclusive of any third party services used.
  • Performing regular checks and scans to ensure that data security hardware and software is functioning properly.
  • Regular review and maintenance of privacy statements
  • Approval of any new or changed consent forms or promotional materials relevant to the use or collection of personal data.

Grounds for Holding Personal Data

In accordance with the Regulations, personal data will only be held in compliance with one of the following Grounds:

  • The Data Subject has given clear consent and evidenced for their personal data to be processed for a specified purposes, for the legitimate interests of Chinthowa Development Trust.
  • The processing is necessary for compliance with a legal or regulatory obligation.

Principles for Data Access, Retention and Storage

All personnel have a responsibility to uphold the following principles within Chinthowa Development Trust.

  • The only people able to access data covered by this policy should be those who need it to fulfil their responsibilities.
  • All personnel must keep all personal data secure, by taking prescribed precautions including locking computers used to process personal information when unattended.
  • When data covered by this policy is stored electronically it must only be stored in a designated manner and protected by strong passwords that are changed regularly and never shared.
  • When data covered by this policy is stored on removable media, this must be kept locked away securely when not being used.
  • Personal data covered by this policy should never be used on or stored on computers owned by staff or volunteers.
  • When personal data is stored on paper, it must be kept where unauthorised people cannot see or access it and when not required should be kept securely in a locked drawer or filing cabinet. When no longer required, such paper records should be shredded before disposal.
  • Personal data should not be disclosed to unauthorised people, either within the Chinthowa Development Trust or externally.
  • Personal data should be held in accordance with established and recorded record retention cycles. All such data outside its retention cycle, or otherwise no longer required, should be deleted and disposed of.
  • All trustees must seek advice from the Data Protection Officer if they are unsure about any aspect of data protection.
  • The Data Protection Officer has a responsibility to ensure that:
  • Personal data and any backup media are located in a secure location.
  • All computers containing personal data are protected by approved security software and firewalls.

[Principles for Managing Imagery]

Chinthowa Development Trust may during fundraising events take photographs for use on their website, this will only be done with the express permission of the individuals involved.

[Principles for Managing Personal Data/Images of Children]

Images of children will only be used with the express permission of the childs/childrens parent or guardian.

Principles for Data Disposal

All personal data will be disposed of by shredding of paper records or deletion from electronic storage. Any electronic storage previously used within Chinthowa Development Trust for holding personal data will be destroyed to the point where data is non-recoverable before disposal.

Principles for Data Accuracy

Chinthowa Development Trust will take all reasonable steps to ensure data covered by this policy is kept accurate and up to date. Accordingly, it is the responsibility of all Trustees to ensure that:

  • any item of personal data is held in as few places as necessary.
  • every opportunity is taken to ensure data is updated.
  • It is made as easy as possible for data subjects to update the information held about them.
  • Any item of personal data is updated or removed as soon as any inaccuracies are discovered, e.g. a stored telephone number is no longer correct.

Principles for Data Disclosure

In certain circumstances, it is permissible to disclose personal data to law enforcement agencies without the consent of the Data Subject.

Under these circumstances, the Data Protection Officer will ensure the request is legitimate, seeking assistance from [the trustees and legal advisers] as necessary before Chinthowa Development Trust will disclose requested data.

Subject Access Requests

All individuals who are the subject of personal data held by Chinthowa Development Trust are entitled to:

  • ask what information Chinthowa Development Trust holds about them and why.
  • ask how to gain access to a copy of that data.
  • be informed how to keep that data up to date.
  • be informed how Chinthowa Development Trust is meeting its data protection obligations.

An enquiry seeking this information is called a ‘Subject Access Request’ and individuals making such an enquiry should be invited to address their request to the Data Protection Officer by letter or Email. The data controller will aim to provide the relevant data within [Timeframe].

The Data Protection Officer must verify the identity of anyone making a Subject Access Request before providing any information.

Management of Consent and Privacy Notices

Chinthowa Development Trust aims to ensure that individuals are aware that their data is being processed, and that they understand:

  • How the data is being used
  • How to exercise their rights

To these ends, Chinthowa Development Trust has a Privacy Notice, setting out how data relating to individuals is used. This will be made available on request and also be permanently available on Chinthowa Development Trust’s website.

The Privacy Notice will be reviewed by the Trustees at least every two years to ensure that it remains current and accurate.

Where consent is to be obtained from a Data Subject, by electronic or paper based collection there shall be a clear, concise statement, in the form of a mini Privacy Notice, of:

  • How the data will be used
  • How long it will be retained
  • Any intentions to share it
  • Chinthowa Development Trust commitment to secure storage and data protection
  • How to access the full Privacy Notice.

The record of consent provided will be retained in parallel with the data provided for the same period of retention and do so securely in accordance with the Regulations.

Management of Breach

Chinthowa Development Trust will ensure that any breach of data protection will be managed in accordance with legislation. Any unauthorised access to, unauthorised alteration of or accidental loss or sharing of personal data will be notified to the Data Protection Officer with immediate effect.

The Data Protection Officer will initiate an immediate investigation to establish both the cause of the breach and the likelihood and severity of the resulting risk to the rights and freedoms of Data Subject(s).

The Data Protection Officer will, in consultation with The Trustees as judged appropriate, determine whether any impact is of sufficient severity to comply with the obligation to notify the Information Commissioner’s Office within 72 hours of the breach.

Corrective action will be taken to address identified risks of repeat breaches. If disciplinary action is considered appropriate or complaints/grievances are received, these will be dealt with under the relevant procedures.

Trustee and Volunteer Training

Chinthowa Development Trust will ensure that all personnel at every level who are involved in the governance, oversight, management or handling of personal data are appropriately trained to undertake their responsibilities in accordance with this policy.

Version 1:1 19th April 2018

Website Privacy Policy & Cookies

At the Chinthowa Development Trust, we are committed to maintaining the trust and confidence of our visitors to our website and subscribers to our newsletter. Here you’ll find information on how we treat data that we collect from visitors to our website, or when someone subscribes to our newsletter.

Visitors to our Website

When someone visits https://chinthowa-development-trust.org.uk we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. You can find more information on how cookies are used on this website in the Cookies Policy below.

If we do want to collect personally identifiable information through our website, we will be explicit about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

Newsletter Sign Up

As part of the registration process for our e-newsletter, we collect a small amount of personal information. We use that information to:

  • Inform you about developments and services you’ve asked us to tell you about;
  • To contact you if we need to obtain or provide additional information;
  • To check our records are right and to check every now and then that you’re happy and satisfied.

We don’t share, rent or trade email lists with other organisations or businesses. We use a third party newsletter distribution provider, MailChimp, to deliver our newsletter. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter.

For more information, please see MailChimp’s privacy notice here.

You can unsubscribe to general mailings at any time of the day or night by clicking the unsubscribe link at the bottom of any of our emails or by emailing our data protection officer, Margaret Ingram at margaret@chinthowa-development-trust.org.uk.

Links to Other Web Sites

This privacy notice does not cover the links within this site linking to other websites. Those sites are not governed by this Privacy Policy, and if you have questions about how a site uses your information, you’ll need to check that site’s privacy statement.

Access to Your Personal Information

You are entitled to access the personal information that we hold. Email your request to our data protection officer, Margaret Ingram at margaret@chinthowa-development-trust.org.uk.

Changes to this Privacy Notice

We keep our privacy notice under review. This privacy notice was last updated on 10th April 2018.

Cookies Policy

We use a system of classifying the different types of cookies which we use on the Website, or which may be used by third parties through our websites. The classification was developed by the International Chamber of Commerce UK and explains more about which cookies we use, why we use them, and the functionality you will lose if you decide you don’t want to have them on your device.

What is a cookie?   

Cookies are text files containing small amounts of information which are downloaded to your personal computer, mobile or other device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user’s device.

How long are cookies stored for?

Persistent cookies – these cookies remain on a user’s device for the period of time specified in the cookie. They are activated each time that the user visits the website that created that particular cookie.

Session cookies – these cookies allow website operators to link the actions of a user during a browser session. A browser session starts when a user opens the browser window and finishes when they close the browser window. Session cookies are created temporarily. Once you close the browser, all session cookies are deleted.

Cookies do lots of different jobs, like letting you navigate between pages efficiently, remembering your preferences, and generally improve the user experience.
You can find more information about cookies at www.allaboutcookies.org and www.youronlinechoices.eu.

Cookies used on the Website

A list of all the cookies used on the Website by category is set out below.

Strictly necessary cookies 
These cookies enable services you have specifically asked for.  These cookies are essential in order to enable you to move around the Website and use its features, such as accessing secure areas of the Website.

Performance cookies 
These cookies collect anonymous information on the pages visited.  By using the Website, you agree that we can place these types of cookies on your device.
These cookies collect information about how visitors use the Website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how the Website works.

Functionality cookies
These cookies remember choices you make to improve your experience.  By using the Website, you agree that we can place these types of cookies on your device.
These cookies allow the Website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customise. They may also be used to provide services you have asked for such as watching a video or commenting on a blog. The information these cookies collect may be anonymised and they cannot track your browsing activity on other websites.

Third party cookies 
These cookies allow third parties to track the success of their application or customise the application for you. Because of how cookies work we cannot access these cookies, nor can the third parties access the data in cookies used on our site.

For example, if you choose to ‘share’ content through Twitter or other social networks you might be sent cookies from these websites. We don’t control the setting of these cookies, so please check those websites for more information about their cookies and how to manage them.