top of page

Internal Data Protection Policy 

Soul of the Junction SCIO

Charity Number: SC053656
Adopted: 09.01.2026
Review date: 08.01.2027

1. Policy statement

Soul of the Junction SCIO is committed to protecting personal data and handling it lawfully, fairly and transparently. This policy explains how trustees, volunteers, staff and contractors must collect, use, store and share personal data in line with UK GDPR and the Data Protection Act 2018.

This policy supports our public Privacy Policy and applies internally.

2. Scope of the policy

This policy applies to:

  • Trustees

  • Volunteers

  • Staff

  • Contractors and facilitators

  • Anyone handling personal data on behalf of the charity

It covers personal data relating to:

  • Participants and service users

  • Children and families

  • Volunteers and trustees

  • Donors and supporters

  • Partners and contractors

3. Legal framework

This policy is informed by:

  • UK General Data Protection Regulation (UK GDPR)

  • Data Protection Act 2018

  • Equality Act 2010

  • Children and Young People (Scotland) Act 2014

4. Key data protection principles

All personal data must be:

  1. Processed lawfully, fairly and transparently

  2. Collected for specified, legitimate purposes

  3. Adequate, relevant and limited to what is necessary

  4. Accurate and kept up to date

  5. Kept securely and not longer than necessary

  6. Processed in a way that ensures appropriate security

5. Roles & responsibilities

Data Protection Lead

The Board of Trustees appoints a Data Protection Lead responsible for:

  • Overseeing data protection compliance

  • Handling data protection queries and breaches

  • Ensuring this policy is implemented and reviewed

Trustees, volunteers & staff

All individuals must:

  • Follow this policy

  • Protect personal data they handle

  • Report data protection concerns immediately

6. What personal data we collect

We may collect:

  • Names and contact details

  • Event registrations and attendance records

  • Volunteer records

  • Safeguarding and incident records

  • Donation records (financial details processed by third parties)

  • Website and digital communications

We collect only what is necessary.

7. Special category data

Special category data (e.g. health information, ASN details) is:

  • Collected only where necessary

  • Handled with additional care

  • Accessed on a strict need-to-know basis

  • Stored securely

Parental or guardian consent is obtained where required.

8. Lawful bases for processing

We process personal data under one or more of the following:

  • Consent

  • Legitimate interests

  • Legal obligation

  • Vital interests (in safeguarding situations)

9. Consent

Where consent is required:

  • It must be clear and informed

  • It must be recorded

  • Individuals can withdraw consent at any time

10. Data security

We protect personal data by:

  • Using secure systems and passwords

  • Limiting access to authorised individuals

  • Locking physical records securely

  • Avoiding use of personal devices where possible

  • Ensuring data is not shared insecurely

11. Data sharing

Personal data is shared only:

  • Where necessary to deliver activities

  • With trusted third parties (e.g. WIX, payment processors)

  • Where legally required

We never sell personal data.

12. Data retention

We keep data only for as long as necessary:

  • Event records: short-term

  • Volunteer records: while active + reasonable period

  • Safeguarding records: in line with legal requirements

Data is securely deleted when no longer required.

13. Individual rights

Individuals have the right to:

  • Access their data

  • Correct inaccurate data

  • Request deletion

  • Restrict processing

  • Withdraw consent

  • Lodge a complaint with the ICO

Requests must be responded to within one month.

14. Data breaches

A data breach includes:

  • Loss of personal data

  • Unauthorised access or disclosure

  • Accidental deletion

All breaches must be reported immediately to the Data Protection Lead. Serious breaches will be reported to the ICO within 72 hours where required.

15. Training & awareness

Trustees and volunteers are:

  • Made aware of this policy

  • Supported to handle data responsibly

  • Reminded regularly of data protection duties

16. Monitoring & review

This policy is:

  • Reviewed annually

  • Updated following changes in law or practice

Approval

This Internal Data Protection Policy was approved by the Board of Trustees of Soul of the Junction SCIO on:

Date: 09.01.2026
Signed: S SAVOVA
Role: Trustee

bottom of page