Privacy Policy
Palacerigg Community Trust - Data Protection Policy
Palacerigg Community Trust is a Company Limited by Guarantee, registered in Scotland (number SC675892) and also a Scottish registered Charity (number SC054233) and is registered as a Data processor with the Information Commissioner's Office (ICO), Registration number ZB298319 – Registered contact: Brian Chapman, Secretary.
This policy applies to all trustees, employees, and volunteers of Palacerigg Community Trust and covers our commitment to meeting our requirements to protect personal data under the Data Protection Act 2018 (also known as the UK GDPR) and the General Data Protection Regulation (GDPR).
“Personal data” means any information relating to an identified or identifiable living individual.
Principles of Data Protection
Palacerigg Community Trust will ensure that all personal data that it holds will be:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation);
- adequate, relevant and limited to what is necessary (data minimisation);
- accurate and kept up to date (data accuracy);
- kept in a form which permits identification of data subjects for no longer than is necessary (storage limitation);
- processed in a manner that ensures appropriate security of the personal data, including protection against accidental or unauthorised access to, or destruction, loss, use, modification, or disclosure of personal data (integrity and confidentiality).
Lawfulness, fairness and transparency
To ensure processing of data is lawful, fair and transparent, Palacerigg Community Trust shall keep and maintain Data Audits to record where and why we process personal data. The Data Audits will be kept up to date and fully reviewed every year.
The Data Audits will record our lawful bases (our reasons) for processing any personal data. Each must be one of the following, as required by legislation:
- consent
- contract
- legal obligation
- vital interests
- public task
- legitimate interests
The way in which we process personal data is detailed within our privacy notices, which are all freely available on our website (www.palacerigg.scot). Our privacy notices will be kept up to date and fully reviewed every year.
Palacerigg Community Trust is fully committed to meeting the data protection principle of lawfulness, fairness and transparency.
Purpose limitation
Palacerigg Community Trust will be clear about what our purposes for processing data are from the start. We will record these purposes in our Data Audits and include details in our public privacy notices.
We will not use the personal data for any other purpose unless this is compatible with our original purpose, we get consent, or we have a clear obligation or function set out in law.
Data minimisation
We will make sure that the personal data we are processing is:
- adequate – sufficient to properly fulfil our stated purpose;
- relevant – has a rational link to that purpose; and
- limited to what is necessary – we do not hold more than we need for that purpose.
Data accuracy
Palacerigg Community Trust will take all reasonable steps to ensure the personal data we hold is not incorrect or misleading as to any matter of fact.
We may need to keep the personal data updated, although this will depend on what we are using it for.
If we discover that personal data is incorrect or misleading, we will take reasonable steps to correct or erase it as soon as possible.
Storage limitation
Palacerigg Community Trust will not keep personal data for longer than we need it.
How long we keep personal data will depend on our purposes for holding the data. We have a separate document retention policy which records how long we keep personal data for and how it will be erased, anonymised, or removed from our systems.
We may keep personal data for longer for public interest archiving, scientific or historical research, or for statistical purposes.
Integrity and confidentiality
Palacerigg Community Trust takes the security of personal data extremely seriously. We do this through a variety of technical and organisational security measures, including but not limited to:
- regular data protection and cyber security training for trustees, staff and volunteers
- an IT security policy covering technical measures such as passwords, two-factor authentication, encryption, and clarity on which systems must be used
- a named Data Protection Officer (DPO) to provide advice, support, training, resources, and updates on all aspects of Data Protection. Our DPO is Brian Chapman, Secretary.
Our security measures are regularly updated, tested and reviewed to make sure that we keep personal data secure and confidential.
Rights of individuals
Individuals have the right to access their personal data and any such requests made to Palacerigg Community Trust shall be dealt with in line with legal requirements, with some limited exceptions.
The UK GDPR provides the following rights for individuals in relation to their personal data:
- the right to be informed – we do this by making sure our privacy notices are correct and up to date and by directing individuals to these notices on our website.
- the right to access their own data – any subject access requests must be notified to our Data Protection Officer (DPO), who will co-ordinate a full search of all our systems before responding to the individual within 30 days, as required by law.
- rectification – we will quickly update any personal data which has been identified as inaccurate or incorrect.
- erasure – we will remove any personal data if an individual requests this, unless we have another lawful basis which would prevent this, e.g. we cannot delete employee records as we need to keep these to comply with other legislation.
- to restrict processing – where there is a dispute about the accuracy, validity or legality of personal data held by us, an individual has the right to require us to cease processing the data for a reasonable period of time to allow the dispute to be resolved.
- the right to data portability – we will provide an individual with their data in a common and machine-readable electronic format.
- the right to object – complaints or objections to processing personal data will be dealt with quickly and accurately.
- rights in relation to automated decision making and profiling – we do not carry out any automated decision making or profiling of any individual.
Data breach
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
All trustees, staff and volunteers must be able to identify a suspected personal data breach. A breach could include:
• access by an unauthorised third party to personal data;
• deliberate or accidental action (or inaction);
• sending personal data to an incorrect recipient;
• computing devices containing personal data being lost or stolen;
• alteration of personal data without permission;
• loss of availability of personal data; and
• leaving a file on a train.
Where a member of staff discovers or suspects a personal data breach, this should be reported to the DPO as soon as possible.
Where there is a likely risk to individuals’ rights and freedoms, the DPO will report the personal data breach to the ICO within 72 hours of Palacerigg Community Trust being aware of the breach.
Where there is also a likely high risk to individuals’ rights and freedoms, we will inform those individuals without undue delay.
The DPO will keep a record of all personal data breaches reported and follow up with appropriate measures and improvements to reduce the risk of reoccurrence.
Privacy by design
Privacy by design is an approach that promotes privacy and data protection compliance from the beginning.
When relevant, and when it does not have a negative impact on an individual, privacy settings will be set to the most private by default.
Trustees, staff and volunteers must become familiar with this policy and include privacy and good data protection practices as core within any new project design or any material change to an existing project/work.
If you have any questions, concerns or need help or advice about any aspect of Data Protection, contact our DPO: brian@palacerigg.scot
Document version control
| Version number | Change or update | Author or owner | Date |
| --- | --- | --- | --- |
| 1.0 | First version (draft) | Brian Chapman | 11 Sept 2025 |
Palacerigg Community Trust - Record Retention Policy
Introduction
The purpose of this policy is to ensure that records and documents of Palacerigg Community Trust are retained in a secure environment, are accessible to those who need them and are securely disposed of when they are no longer required for legal, business or historical reasons.
The policy applies to all trustees, employees and volunteers of Palacerigg Community Trust.
The length of retention for each type of record will be determined by Palacerigg Community Trust Trustees. Their decision will be based on several factors, including legal requirements, best practice, storage costs and historical significance.
Scope
The policy applies to records received and created by Palacerigg Community Trust including electronic documents, email, internet, databases, videos and hard copy.
Data Protection
The policy will ensure that Palacerigg Community Trust complies with data protection legislation. This requires that Palacerigg Community Trust does not retain personal data for longer than is necessary.
The principles of the data protection legislation require that Palacerigg Community Trust must only keep data when there is a valid reason for doing so and the Trustees will ensure that the records kept meet at least one of the 6 valid reasons detailed in the legislation. Records will be held securely and will be kept only whilst there is a business or legal need for them. Records will be easily retrievable and will allow a natural person access to the information held by Palacerigg Community Trust with respect to them should they request it.
Palacerigg Community Trust will ensure that data is secure when it is on any premises occupied by Palacerigg Community Trust. A record of the storage location will be maintained for all records.
All records created by or on behalf of Palacerigg Community Trust remain the property of Palacerigg Community Trust. Records, both hard copy and electronic, will be securely disposed of or released in accordance with legislation and Palacerigg Community Trust’s business needs.
Palacerigg Community Trust will maintain retention schedules tracking the retention and disposal of records. The data owner is responsible for the storage and retrieval of records and will determine what will be kept and where and how the records will be kept.
Review and Audit
Records will be reviewed by the data owner against the Record Retention Schedule on an annual basis. Where there is no longer a legal, business or historical requirement to retain the record, a Disposal Request form will be completed and passed to the Chair.
The Disposal Request form will detail the method of disposal of the records. Where hard copy records are shredded, this will be to no larger than DIN P5 size. Electronic records must be securely destroyed, and all backups and copies must be included in the destruction of the records.
The Disposal Request form will include details of the records being disposed of, the format of the data (either electronic or hard copy), the proposed disposal method, the proposed disposal date and a brief explanation as to why the record is no longer being retained. When the Disposal Request is approved, the form will be signed by the approving officer and the date of disposal will be added by the Data Owner. A copy of all Disposal Request forms will be held by the Secretary.
Pandemic process
During a pandemic or other emergency period, if Palacerigg Community Trust cannot adhere to the record retention policy with respect to storage and disposal of records, alternate arrangements will be made to ensure the secure storage of the charity’s records. When it is possible to do so, the approved record retention and disposal process will resume.
Information covered by this Record Retention Policy is detailed below. If any additional personal data is required to be maintained, resulting from the activities of the charity, this list will be updated to include the new data types.
The policy should include records relating to governance, financial, personnel, health and safety, gift aid, property, grants, insurance and other activities relevant to its charitable purposes.
| Data class | Records retained | Retention period | Data owner |
| --- | --- | --- | --- |
| Membership data | Paper membership forms | 6 months after the application has been accepted. If application not accepted, paper form is destroyed not less than 1 month or more than 3 months after applicant is notified of that decision. | Secretary |
| | Electronic record of information on membership forms | As long as a member is current, plus 1 year after membership ends | Secretary |
| Management records | Minutes of Trustee meetings and decisions made as resolutions in writing. Minutes of General meetings and members resolutions passed other than at a General Meeting | Minimum period is 10 years however the charity policy is to permanently retain these records. | Chair / Secretary |
| | Annual accounts and Annual review | Permanently | Chair / Treasurer |
| | Purchase Invoices, Sales Invoices, Records of monies received and paid | 6 years after the end of the relevant financial year | Treasurer |
| | Expenses claim forms | 6 years after the end of the relevant financial year | Treasurer |
| Payment details from customers | The charity currently uses third party payment companies so no details of payment methods are stored. Record retention is the responsibility of the third party payment companies used. | N/A | N/A |
| HR records | Application forms and interview notes for unsuccessful candidates | 1 year after the applicant has been notified of the decision | Chair / Secretary |
| | Employee details | 6 years after the end of their employment | Chair / Secretary |
| | Income Tax Records, P45 and P60 | 6 years after the end of the relevant tax year | Payroll Manager |
| Health and Safety | Accident books, records/reports; Relevant policies | Legal requirement 3 years after last entry or end of any investigation, if later. Charity will retain for at least 6 years | Secretary |
| Governance | All policies relating to the operation of the charity. | When updated, previous versions will be retained until any periods mentioned in the policy have expired. | Secretary |
The Record Retention Policy was approved by the Board of Trustees of Palacerigg Community Trust on 14/10/25 and will be reviewed either on 14/10/27 or an earlier date if a change to legislation or practice with respect to the retention and disposal of records is brought to the attention of the Board.
Document version control
| Version number | Change or update | Author or owner | Date |
| --- | --- | --- | --- |
| 1.0 | First version | | |





