Data Protection Policy

The Data Protection Legislation (“the Legislation”) is concerned with the protection of human rights in relation to personal data. The aim of the Legislation is to ensure that personal data is used fairly and lawfully and that where necessary the privacy of individuals is respected.

UFM Worldwide Data Protection Policy

Effective Date: March 2025
Reviewed: March 2025

1. Purpose

This Data Protection Policy sets out how UFM Worldwide (“the Organisation”) protects the personal data of its supporters, members, employees, missionaries, suppliers, and other stakeholders, ensuring compliance with the UK GDPR, Data Protection Act 2018, and other applicable data protection laws. The policy outlines how we collect, store, and process personal data, maintaining the trust and confidence of all those associated with our activities.

2. Scope

This policy applies to all Council Members, employees, volunteers, contractors, and third-party partners who handle personal data on behalf of UFM Worldwide. It covers all personal data processed, including electronic, paper-based, or any other format.

3. Data Protection Principles

UFM Worldwide is committed to processing personal data in accordance with the following principles:

• Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and transparently.
• Purpose Limitation: Data must be collected for specified, explicit, and legitimate purposes and not processed further in a manner incompatible with those purposes.
• Data Minimisation: Only data that is necessary for the specified purpose should be collected and processed.
• Accuracy: Personal data must be accurate and, where necessary, kept up to date.
• Storage Limitation: Data should not be retained longer than necessary for its intended purpose.
• Integrity and Confidentiality: Personal data must be processed securely to protect against unauthorised access, loss, or damage.
• Accountability: UFM Worldwide is responsible for and must demonstrate compliance with these principles.

4. Lawful Basis for Data Processing

UFM Worldwide processes personal data under one or more of the following lawful bases:

• Consent: Explicit consent is obtained from individuals when required, especially for processing sensitive personal data.
• Contractual Necessity: Processing is necessary for contractual obligations, including employee-related processes.
• Legal Obligation: Processing is required to comply with legal requirements.
• Legitimate Interests: Processing is necessary for the legitimate interests of UFM Worldwide, provided these do not override the rights of data subjects.
• Vital Interests and Public Task: Processing is necessary to protect vital interests or to perform tasks in the public interest.

5. Processing Personal Data

Processing includes obtaining, holding, maintaining, storing, erasing, blocking, and destroying data. All personal data should be processed in accordance with the legislation and this policy.

6. Roles and Responsibilities

• Data Protection Officer (DPO): The Head of Finance and Operations is responsible for overseeing data protection strategy and ensuring compliance with data protection laws and this policy.
• Employees and Volunteers: Responsible for adhering to this policy and processing data lawfully.
• Third-Party Processors: Must comply with UFM Worldwide’s data protection requirements outlined in their contracts.

7. Monitoring and Compliance

To ensure ongoing compliance:

• Employees handling personal data will receive regular training and be closely monitored.
• Regular reviews and spot checks will be conducted to assess data protection practices.
• An annual report on compliance will be produced, and data breaches will be recorded and investigated.

8. Data Security

UFM Worldwide takes appropriate technical and organisational steps to safeguard personal data, including:

• Access Controls: Manual records will be kept secure, and access will be restricted.
• Technical Measures: Use of encryption, passwords, and secure storage locations.
• Physical Security: Locked cabinets for manual records and restricted access to sensitive areas.
• Data Disposal: Secure deletion or destruction of personal data, including shredding of sensitive records and appropriate disposal by specialist contractors.

9. Data Sharing and Transfers

Personal data will only be shared with third parties when necessary to provide requested services or as required by law. Transfers outside the UK, including to the USA (e.g., UFM Worldwide USA Inc.), will be conducted with appropriate safeguards such as Standard Contractual Clauses approved by the UK’s Information Commissioner’s Office.

10. Individual Rights

Individuals have rights regarding their data, including the right to:

• Access their personal data.
• Correct inaccurate or incomplete data.
• Erase personal data (right to be forgotten), subject to legal exceptions.
• Restrict or object to processing.
• Data portability where applicable.

Requests should be made in writing to the Data Protection Officer, and responses will be provided within 30 days.

11. Handling Sensitive Personal Data

Sensitive data, such as information about racial or ethnic origin, religious beliefs, or health conditions, will be identified and processed with additional safeguards. Such data will only be processed with explicit consent or under specific lawful conditions.

12. Data Breach Reporting

Any data breaches will be reported to the Data Protection Officer immediately. We will notify the Information Commissioner’s Office (ICO) within 72 hours if required and inform affected individuals when necessary.

13. Changes to This Policy

UFM Worldwide reserves the right to amend this policy at any time. Any changes will be communicated as appropriate.

Contact Information

For questions or concerns about this policy, contact the Data Protection Officer at data@ufm.org.uk

Other Relevant Links:

Supporters Privacy Notice

Personnel Privacy Notice