Women’s Rights





Data Protection Policy and Procedures

Policy Statement

Greater Manchester Doulas Community Interest Company (GMD CIC) recognises the importance of the correct and lawful treatment of personal data.

Personal data is about living individuals (data subjects) that enables them to be identified, such as name and address.

Sensitive data refers specifically to data about race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation.

This policy explains what data we keep and why, and how we make sure this information is kept safe and is as accurate as possible. It also provides guidelines on individuals’ rights to access their data, and the circumstances under which we may disclose data to others. This applies to all personal data that we process, regardless of the way that information is stored (e.g. on paper, electronically, or by other means including email, minutes of meetings and photographs).


Legal Requirements

The use of personal data is governed by the Data Protection Act 2018, the UK legislation that provides a framework for responsible behaviour by those using personal information. This is the UK’s implementation of the General Data Protection Regulation (GDPR). The Information Commissioner’s Office (ICO) is responsible for implementing and overseeing the Data Protection Act 2018.

GMD CIC is required to maintain certain personal data about individuals in order to carry out our work and legal obligations.

GMD CIC is the data controller for the information it collects and holds.

GMD CIC is currently not legally required to have a Data Protection Officer. However, a data protection lead has been identified and the person responsible for ensuring that GMD CIC follows its data protection policy and complies with legislation is Elle James.

GMD CIC is not required to register with the Information Commissioner’s Office.


Aim and Scope of the Policy

The aim of this policy is to ensure that anyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures.

All those involved with GMD CIC who have access to personal information are expected to read and comply with this policy. Training will be provided where necessary. Individuals are personally responsible for processing and using personal information in accordance with current legislation. Processing means collecting, amending, handling, storing or disclosing personal information.

Non-compliance, or deliberate unauthorised disclosure of personal data, may result in disciplinary action for staff, termination of volunteering agreements, personal fines, and prosecution. The directors are accountable for compliance of this policy and could be personally liable for a penalty arising from a breach they made.

This policy is distributed to all staff and volunteers and will be included in induction packs for all new staff and volunteers and made available to relevant partners and stakeholders.


1. Principles of Data Protection

There are seven key principles of data protection. Compliance with the spirit of these principles is the foundation of good data protection practice. GMD CIC fully endorses and adheres to these principles. Personal data we hold must be:

  • processed lawfully, fairly and in a transparent manner
  • collected only for legitimate purposes that have been clearly explained and not further processed in a way that is incompatible with these purposes (purpose limitation)
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)
  • accurate and, where necessary kept up-to-date
  • kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation)
  • processed with integrity and confidentiality in a way that ensures appropriate security of the personal data
  • accountable, to those we hold data on and our stakeholders.


2. Data Collection

When collecting data, GMD CIC will ensure that the individual:

  1.  clearly understands why the information is needed
  2.  understands what it will be used for and what the consequences are should they decide not to   accept
  3.  is, as far as reasonably practicable, competent enough to understand what processing would require
  4.  where necessary (for example, for special category data), grants explicit consent, either written or   verbal for data to be processed
  5.  has received sufficient information on why their data is needed and how it will be used. Details about the kind of information we collect, how we store it and how long we keep it for can be found in our Privacy Policy.


3. Data Storage, Retention and Disposal

Information and records relating to individuals, members and service users will be stored securely and will only be accessible to authorised staff and volunteers.

Information will be stored for only as long as it is needed or required by law and will be disposed of appropriately.

The retention schedule for data kept by GMD CIC:



Location and


Method of disposal and length of storage



Securely in GMD CIC cloud service

Deletion after 12 months

Business need



Protected cloud service

Deletion if opted out and data cleansed every 2 years

Business need

Online surveys

Protected cloud service

Deleted after analysis

Business need

Accident book

Locked filing cabinet

Shredding at 3 years from date of last entry (or, if child/young adult involved, until they reach 21 years old)

RIDDOR statutory regulation

Board meeting minutes

Electronically on password protected GMD CIC cloud drive

Kept for at least 10 years and deleted only when no longer required.

Legal compliance and business need

Training and event


Drive or paper sign-in


Deleted from system after 12 months and paper shredded daily

Business need

Session notes

Anonymised and kept in locked cabinet/saved electronically on password protected cloud service

Kept for at least 10 years and deleted only when no longer required.


Business need


Client financial details

Online banking system and password protected software

Deleted from system within 12 months following payment or refund

Business need



4. Data Accuracy

GMD CIC will take reasonable steps to keep data accurate and up to date, such as:

  • Only hold data where necessary to limit errors
  • Discourage staff/volunteers from establishing unnecessary additional data sets
  • Investigate and act upon notifications of inaccuracies
  • Correct or delete data shown to be inaccurate
  • Review and redesign the database system where necessary to encourage and facilitate the entry of accurate data


5. Data Security

GMD CIC will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The measures taken include:

  • Personal data on paper will be kept in a locked cabinet with access restricted to those who are authorised
  • Password protection on personal information files
  • Restricted access to computer files and systems
  • Use of secure VPN mechanisms
  • Data, including personal data, is backed up daily through use of cloud servers
  • Encrypted attachments for sensitive personal information sent by email


It is GMD CIC’s responsibility to ensure all personal data is non-recoverable from a computer system and not passed on/sold to a third party. Any physical destruction of data will be undertaken in line with contractual obligations and any relevant British Standard.

Individual Rights

The GDPR provides the following rights for individuals:

The right to be informed – organisations processing personal information must provide fair information and be transparent over how they use personal data. This can be found in our Privacy Policy.

The right of access – individuals can request access to data held about them, known as Subject Access. The request can be made verbally or in writing, via any format including social media, to any GMD CIC representative. The words ‘subject access’ are not needed for the request to be valid. Any such request should be reported to Elle James who will log it. Individuals can only access their own data (or provide evidence they are legitimately acting on another person’s behalf). GMD CIC will respond to requests within one month. Information will be provided for free unless requests are overly excessive or repetitive, in which case an admin fee may be charged.

The right to rectification – personal data can be corrected if it is inaccurate or incomplete.

The right to erasure – this right allows an individual to be ‘forgotten’ by requesting the deletion or removal of personal information where there is no compelling reason for its continued processing.

The right to restrict processing – individuals have a right to block or suppress the processing of personal data, for example if they contest its accuracy and are seeking verification, or where the organisation no longer needs the data, but the individual does, e.g. for a legal claim. The data can still be stored, but must not be used.

The right to data portability – this gives individuals the right to obtain and reuse their personal data for their own purposes across different services. This only applies to data provided by the individual, based on consent or for performance of a contract and where processing is automated.

The right to object – individuals can object to direct marketing and processing. GMD CIC gives all our service users choices about their marketing preferences when they first contact us and these preferences can be changed at any time.

Rights in relation to automated decision making and profiling – at present GMD CIC does not engage in this activity.

 6. Subject Access Request

Under the Data Protection Act 2018 individuals have the right to access data held about them as well as the right to be ‘forgotten’ where there is no longer a compelling reason to continue processing.

A subject access request can be considered as any enquiry whether written (including email or webform) or verbal that asks for information you hold about the person.

Individuals can only request access to their own data (or must provide evidence that they are legitimately acting on another person’s behalf). GMD CIC may request proof of identity to ensure this.

GMD CIC may request further information on or clarification of the request.

Information mentioning other people will be redacted if reasonable to do but may not be shared unless reasonable to do so or unless consent can be obtained for the relevant individual.

Where requests are manifestly unfounded, excessive, or repetitive GMD CIC has the right to charge a fee or refuse to respond. However, individuals will receive a response to this effect within a calendar month.

GMD CIC will respond to any formal request within a calendar month. If there is a delay in obtaining the information requested then the request shall be acknowledged within this period, with an explanation for the delay and an expected date of response.

Members of the public may request certain information from statutory bodies under the Freedom of Information Act 2000. The Act does not apply directly to GMD CIC. However, if at any time we undertake the delivery of services under contracts with relevant statutory bodies we may be required to assist them to meet the Freedom of Information Act request where we hold information on their behalf.

In case of any requiring further information on this aspect of the policy please contact the GMD CIC Data Protection Lead.

7. Disclosure and Data Sharing

GMD CIC may need to share data with other agencies such as local authorities, funding bodies, and other voluntary agencies as part of its work.

The data subject will be made aware in most circumstances how and with whom their information will be shared as part of the Privacy Policy process.

However, there are circumstances where the law allows GMD CIC to disclose data, including sensitive data, without the data subject’s knowledge. These include:

  • when required to by law – this may be as simple as providing information to HMRC for tax purposes or if required by the police in relation to a crime.
  • protecting vital interests of a data subject or other person – this includes safeguarding concerns where an individual may be at risk or in cases of medical emergencies.
  • the data subject has already made the information public.
  • when conducting any legal proceedings, obtaining legal advice or defending any legal rights.

 8. Risk Management

The consequences of breaching Data Protection can cause harm or distress to individuals. GMD CIC’s data protection policy and procedures are designed to minimise the risks to individuals, and to ensure the reputation of GMD CIC is not damaged.

While we make every effort to avoid data protection incidents, it is possible that mistakes will occur on occasions. Examples of how personal data incidents might occur include: through loss or theft of data or equipment, ineffective access controls allowing unauthorised use, equipment failure, unauthorised disclosure (e.g. email sent to the incorrect recipient), human error, and hacking attack.

In the event of a breach GMD CIC will promptly assess the risk to the individual(s) concerned and if appropriate report this breach to the ICO. More information on when to report is available via the ICO website. If a report is required, GMD CIC should notify the ICO as soon as possible, and not later than 72 hours after becoming aware of it.

Data protection is everyone’s responsibility. Staff and volunteers are actively encouraged to report any incidents or concerns in order to improve both our data protection and services to users. If you know or suspect that a personal data breach has occurred, then you should immediately contact the Data Protection Lead, Elle James.

9. Further Information

You can find other relevant policies here.
More guidance on data protection for small to medium-sized organisations is available via the ICO web hub.
To discuss your data or anything in this policy please email hello@greatermanchesterdoulas.com FAO Elle.

10. Review Log

Policy: Data Protection Policy and Procedures
Date first adopted: July 2022
Review dates:

Date of review

Amendments/updates made

Reviewed and accepted

Proposed next review date


Officially adopted during a directors meeting




Edited for clarity by directors. No significant changes




Formatting changes by directors. No change to policy or procedures