Skip to content

Data Protection and Privacy Policy

1. Introduction

Kidney Care for All CIC (KCA) is committed to protecting the privacy and personal data of all individuals we engage with, including volunteers, service users, staff, funders, and partners. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy outlines how we collect, use, store, and protect personal data.

2. Purpose

This policy ensures:

– Personal data is handled legally, transparently, and fairly

– Individuals understand their rights regarding their data

– KCA meets its obligations under UK data protection laws

3. Scope

This policy applies to:

– All directors, staff, volunteers, contractors, and anyone handling personal data on behalf of KCA

– All forms of data processing, whether electronic, paper-based, or verbal

4. What Data We Collect

We may collect and process personal data such as:

– Names, contact details, addresses

– Emergency contacts for volunteers

– Attendance, training, and role history

– Feedback or case records

– Donation and funding details

We will only collect data necessary for our legitimate activities or as required by law

5. Legal Bases for Processing

We process personal data on one or more of the following lawful bases:

– Consent – when individuals have clearly agreed to us processing their data

– Legal obligation – to comply with the law (e.g. safeguarding, financial records)

– Contract – to fulfil a contract or agreement (e.g. volunteer agreements)

– Legitimate interests – to run our organisation effectively and deliver our charitable services

6. How We Use Personal Data

We use data to:

– Communicate with volunteers, service users, and stakeholders

– Manage activities, events, and services

– Keep people safe (e.g. safeguarding, emergency contacts)

– Maintain accurate records for governance and reporting

– Comply with regulatory and legal obligations

7. How We Store and Protect Data

– Data is stored securely, whether electronically (e.g. password-protected files, cloud systems) or in locked paper files

– Access is limited to authorised individuals on a need-to-know basis

– We do not keep data longer than necessary. Data is regularly reviewed and securely deleted or destroyed when no longer required

8. Sharing Data

We will not sell or share personal data with third parties unless:

– Required by law (e.g. safeguarding, HMRC)

– With the individual’s explicit consent

– With trusted partners or funders for specific activities, under appropriate agreements

9. Data Subject Rights

Individuals have the right to:

– Access their data (subject access request)

– Correct inaccurate data

– Request deletion of their data (in some cases)

– Restrict or object to certain types of processing

– Withdraw consent at any time (if applicable)

Requests should be made in writing to the Treasurer of KCA.

10. Breaches of Data Security

Any suspected data breach must be reported to a Director immediately. Serious breaches will be investigated and reported to the Information Commissioner’s Office (ICO) if required.

11. Review and Responsibilities

The Board of Directors is responsible for ensuring compliance. This policy will be reviewed annually or in response to changes in legislation or organisational practice.