Introduction
This policy outlines how Nexus complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 in handling personal data. As a charity providing sensitive services such as counselling, aftercare, early intervention and prevention, and a confidential helpline, we are committed to protecting the rights, dignity and privacy of all individuals whose data we process.
We recognise that our work often involves special category data, such as health, ethnicity, and safeguarding information.
This policy reflects our responsibility to uphold the highest standards of confidentiality, transparency and data security.
Scope
This policy applies to:
- All personnel: employed, associates, volunteers, students, trustees.
- All personal data processed: clients, donors, contractors, partners.
- All formats: paper, electronic, photographic, portable devices.
Policy Statement
Nexus is committed to protecting the rights of individuals in accordance with the provisions of the UK GDPR and DPA.
Every member of personnel (employed, associate, volunteer, student, trustee) has the responsibility to adhere to the principles outlined in this policy.
If you have a question about this Data Protection Policy or an area of concern about data protection matters, please contact our Business Support Manager, the organisation’s designated Data Protection Officer (DPO).
Policy Overview
The UK GDPR has two key functions:
- Firstly, it sets out the seven principles that organisations must follow when processing personal data (see section 1).
- Secondly, it provides details of important Data Subject Rights (see section 2).
There are important Roles and Responsibilities to carry out these tasks (see section 3). We need to know what to do if things go wrong and how to deal with this (see section 4). Definitions of key terms related to Data Protection are provided for reference (see section 5).
SECTION 1: DATA PROTECTION PRINCIPLES
There are seven Data Protection Principles in the UK GDPR. All personal data under our control must be processed in accordance with these principles.
Nexus’ approach is explained below:
1. LAWFULNESS, FAIRNESS AND TRANSPARENCY
We process personal data lawfully, fairly, and transparently.
Nexus relies on the following six lawful bases defined in Article 6(2) of the UK GDPR:
- Where we have the consent of the data subject.
- Where it is in our legitimate interests, and this is not overridden by the rights and freedoms of the data subject.
- Where necessary to meet a legal obligation.
- Where necessary to fulfil a contract, or pre-contractual obligations.
- Where we are protecting someone’s vital interests.
- Where we are fulfilling a public task or acting under official authority.
The most appropriate lawful basis for holding personal data will be noted in Nexus’ Data Retention and Destruction Schedule (NEXUS/G/007a) and Nexus Privacy Notices. In addition, Special Categories of Personal Data are more sensitive and so need more protection. Both a lawful basis and a separate condition for Processing under Article 9(1) of the UK GDPR must also be identified and noted on the Data Processing Register. This will normally be due to Nexus’ status as a ‘Not-for-profit body.’
2. PURPOSE LIMITATION
Personal data should only be collected for specific, explicit, legitimate and limited purposes. We must ensure that we are clear and open about our reasons for obtaining personal data, and that it is not further processed in a manner that is incompatible with those purposes.
3. DATA MINIMISATION
We will ensure that the personal data we are collecting is adequate, relevant and limited to what is necessary.
4. ACCURACY
We take reasonable steps to ensure data is accurate and up to date. Inaccuracies are corrected or erased promptly.
5. STORAGE LIMITATION (Retention)
Personal data should not be kept for longer than necessary.
Different types of data have different retention periods, as outlined in the Retention and Destruction Schedule (Nexus/G/007a).
6. INTEGRITY AND CONFIDENTIALITY (Security)
Personal data should be processed securely, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
Nexus will consider our security measures to prevent the personal data we hold being accidentally or deliberately compromised. This includes cybersecurity measures (the protection of our networks and information systems from attack) as well as physical and organisational security measures.
In addition to service level records management guidance, these include:
- Cyber Essentials Certification
- Investigating & Reporting Serious Incidents Policy (Nexus/G/005)
- IT Access Policy (Nexus/G/012)
- Privacy Policy (Nexus/G/010)
- Social Media Policy (CS/G/002)
- Use of Artificial Intelligence Policy (please add details once signed off)
7. ACCOUNTABILITY
The accountability principle requires that we take responsibility for what we do with personal data and how we comply with the other principles.
Nexus has a range of measures and records in place to be able to demonstrate compliance with this principle:
- The ‘Data Protection Officer’ (DPO) has the specific responsibility of overseeing data protection by providing a policy to ensure that we comply with the data protection principles and relevant legislation.
- Nexus will maintain a Data Processing Register (BS/F/006) and a Retention and Destruction Schedule (NEXUS/G/007a), as required by Article 30 of the UK GDPR, to document regular processing activities.
- The DPO will liaise with the Senior Leaders to ensure that the Data Processing Register is kept up to date. Individual members of SLT have a duty to contribute to ensure that the measures outlined in the Register are accurate and reflect our practice.
- The collection, storage, use and sharing of personal data will be regularly reviewed by our DPO.
- All personnel or other parties who will be handling personal data on behalf of Nexus will be appropriately trained and supervised where necessary.
- We will adhere to relevant codes of conduct where they have been identified as appropriate.
Nexus Trustees
The Board of Trustees at Nexus will monitor the implementation of this policy and will receive regular reports regarding data protection. The Finance, Audit & Risk Committee (FARC) will continue to review any legal changes to data protection. The Data Protection Officer can report directly to the Board or the Chair in exceptional circumstances, without any risk of disciplinary procedures, where they believe a data breach has or may have occurred and appropriate action was not taken.
SECTION 2: RIGHTS OF DATA SUBJECTS
Under the UK GDPR, individuals, referred to as data subjects, have a range of rights regarding how their personal data is collected, used, stored, and shared.
Nexus is committed to upholding these rights in a transparent, respectful and legally compliant manner.
Overview of Data Subject Rights:
Right to be informed
Individuals have the right to be informed about how their personal data is collected and used. Nexus provides clear, accessible Privacy Notices that explain the purpose of processing, lawful bases, data sharing and retention periods.
Right of access
Individuals can request access to the personal data we hold about them. Nexus will respond to Subject Access Requests (SARs) within one calendar month, in accordance with our SAR Procedure (BS/P/001).
Right to data portability
Individuals have the right to receive their data in a common and machine-readable electronic format.
Right to be forgotten
Individuals may request deletion of their personal data where there is no compelling reason for its continued processing. The right is subject to legal and safeguarding obligations.
Right to rectification
Individuals can request correction of inaccurate or incomplete personal data. Nexus will take reasonable steps to verify and update records promptly.
Right to object
Individuals can object to processing based on legitimate interest, direct marketing or profiling. Nexus will assess each objection fairly and transparently.
Right to purpose limitation
Individuals have the right to limit the extent of processing of their personal data.
Rights related to automated decision-making and profiling
Individuals have the right not to be subject to decisions made solely by automated means without human involvement, where such decisions have legal or significant effects.
Nexus’s Commitment to Uphold the Rights of Data Subjects:
- We will uphold individuals’ rights under data protection laws and allow them to exercise their rights over the personal data we hold about them. Privacy notices will acknowledge these rights and explain how individuals can exercise them. Most rights are not absolute, and the individual will be able to exercise them depending on the circumstances, and exemptions may apply in some cases.
- There will not be a fee for facilitating a request, unless it is ‘manifestly unfounded or excessive’, in which case administrative costs can be recovered.
- Requests that are ‘manifestly unfounded or excessive’ can be refused.
- We will provide a procedure that guides individuals through the steps to request access to the personal data we hold about them. See the Procedure for Subject Access Requests (BS/P/001).
SECTION 3: ROLES & RESPONSIBILITIES
THE DATA CONTROLLER
In accordance with the UK GDPR, Nexus’s Chief Executive Officer (CEO) is designated as the Data Controller. This role carries overall responsibility for ensuring that personal data is processed lawfully, ethically, and in line with Nexus’s mission and legal obligations.
Key responsibilities of the Data Controller:
- Oversee Nexus’s compliance with data protection legislation
- Ensure that appropriate governance structures are in place to support data protection
- Work in collaboration with the DPO to ensure policies, procedures and practices are implemented effectively across all areas of operation
- Support the DPO in responding to complex or high-risk data protection matters, including serious breaches or ICO investigations
- Ensure that data protection is embedded into strategic decision-making, risk management, and operational culture
While the CEO holds ultimate accountability, data protection is a shared responsibility across the organisation. All personnel must understand their role in safeguarding personal data and upholding the rights of individuals.
THE DATA PROTECTION OFFICER (DPO)
Nexus will maintain a designated Data Protection Officer (DPO) who has appropriate expertise in data protection law, UK GDPR compliance, and best practices relevant to all services provided. The designated DPO is the Business Support Manager.
The DPO is supported with access to ongoing training, resources and organisational authority to carry out their responsibilities effectively. While the DPO leads on data protection, all personnel share responsibility for ensuring compliance with this policy.
Key responsibilities of the DPO:
- Policy Drafting and Review
  - Drafting, reviewing and updating the Data Protection Policy
  - Ensuring alignment with the UK GDPR, Data Protection Act 2018 and ICO Guidance
  - Advising on service-specific data protection practices
- Training and Awareness
  - Developing and delivering staff training on data protection principles and procedures
  - Ensuring all personnel understand their responsibilities and receive regular refreshers
- Data Processing Register
  - Maintaining the Data Processing Register (BS/F/006), documenting all personal data processed by Nexus
  - Identifying the lawful basis for processing, including the Article 9 condition for special category data
  - Coordinating an annual review with the Senior Leadership Team (SLT) to ensure accuracy and relevance
- Privacy Notices
  - Ensuring Privacy Notices are clear, accessible and up to date
  - Overseeing the processing of Subject Access Requests, and responding to complaints and other data subject enquiries
- Monitoring and Compliance
  - Reviewing incidents and breaches and reporting lessons learned to the Head of People and Organisational Development
  - Ensuring Nexus’s compliance with internal policies such as:
    - Investigating and Reporting Serious Incidents (NEXUS/G/005)
    - IT Access Policy (NEXUS/G/012)
    - Privacy Policy (NEXUS/G/010)
    - Social Media Policy (NEXUS/G/002)
- Liaison with External Bodies
  - Acting as the primary contact for the ICO
  - Liaising with external agencies and legal advisors where appropriate
  - Reporting serious breaches to the ICO within 72 hours, as required by law
SENIOR LEADERSHIP TEAM (SLT)
The SLT members must support the DPO in implementing this Data Protection Policy, communicate all relevant information across their departments, and ensure that departmental procedures take account of data protection requirements. They are responsible for ensuring the Data Processing Register reflects current operational practices. The SLT contribute to annual reviews and ensure personnel within their departments are trained and compliant.
ALL PERSONNEL (employees, associates, volunteers, students, trustees)
All personnel (employed, associates, volunteers, students, trustees), contractors, temporary workers, consultants, partners or anyone working on behalf of Nexus and handling personal data are bound by the data protection legislation and this Policy.
All members of personnel are expected to read and understand this Policy and related policies (see appendix 2 below) and where required seek further clarification from the DPO or their Line Manager.
Any alleged breaches of the UK GDPR or DPA by personnel will be fully investigated and may result in disciplinary action, and may in some instances be considered gross misconduct.
It is compulsory for all Nexus personnel to complete the Nexus Data Protection Training at induction and attend yearly refresher training.
Where any contractor, temporary worker, consultant, or anyone else working on behalf of Nexus fails in their obligations under this Policy, they shall indemnify Nexus against any cost, liabilities, damages, loss, claims or proceedings that may arise from that failure.
All personnel must apply the criteria listed below as appropriate and relevant to the processing of personal data in both electronic and hard copy:
- Always treat people’s personal information with integrity and confidentiality.
- Ensure that access to Personal Data is restricted only to authorised persons.
- Where personal data exists as hard copy, it should be stored in a locked box, drawer or cabinet, and not left where anyone else could access it.
- The transfer of hard copies should be passed directly to the recipient.
- Ensure that the use of, and access to, computers, laptops, and other portable electronic data processing/storage devices is compliant with Nexus’ code of practice as specified in the Nexus IT Access Policy (Nexus/G/012).
- The loss of data or theft of any device should be reported as soon as possible to the DPO.
- If you are thinking of sending marketing to individuals, consult with the DPO first, as there are certain laws that apply to electronic direct marketing. This could include anything that promotes the aims or purpose of Nexus, including promoting an event or seeking engagement.
- Inform a senior member of staff immediately of incidents where persons without proper authorisation are found in areas where Personal Data is held or processed.
- Ensure that Personal data is held according to the 7 Principles in section 1 of this policy. When deciding on the information we will request from an individual, Nexus staff have a responsibility to check their practice meets the UK GDPR principles.
- Avoid, in so far as is possible, recording personal opinions not based on fact about a Data Subject. These comments will be disclosable.
- Ensure that Personal Data is processed securely and not disclosed, either accidentally or deliberately, verbally or in writing, to any unauthorised person or organisation.
- Avoid giving Personal Data by telephone unless there is a very high degree of certainty that the caller is the person they claim to be and is the appropriate person to receive the data.
- If you are requested by a third party to provide personal details for a client, e.g. from a solicitor, you should follow our Subject Access Request Procedure (BS/P/001) to allow us to release the relevant information. Advise them of the appropriate channel to request this.
- Ensure that accurate, up-to-date staff details are provided to Nexus and notify the HR department immediately if there are any changes or errors in your own personal data.
There may be circumstances when it is appropriate for Nexus to share personal information with other organisations, for example if it relates to a criminal investigation. In any such circumstances, further guidance should be sought from the DPO.
The CEO and Heads of Service are responsible for having in place appropriate procedures to ensure compliance with the UK GDPR and DPA within their areas of responsibility, and for the dissemination of good practice.
BOARD OF TRUSTEES
The Board of Trustees monitors the implementation of this policy and receives regular updates via the Finance, Audit and Risk Committee (FARC).
Trustees ensure that Nexus remains accountable and transparent in its data protection practices.
ORGANISATIONAL RESPONSIBILITIES
Data collection processes will be led by the SLT to ensure good Data Governance:
- Ensure that personal data collected and processed is kept to a minimum.
- Where we do not have a legal obligation to retain some personal data, we will consider whether there is a business need to hold it.
- We will retain personal data only for as long as it is necessary to meet its purpose. Our approach to retaining and erasing data no longer required will be specified in the Retention and Destruction Schedule (Nexus/G/007a). This schedule will be reviewed annually.
- In the case of sharing personal data with any third party, only the data that is necessary to fulfil the purpose of sharing will be disclosed.
- Anonymisation and pseudonymisation of personal data stored or transferred should be considered where doing so is a possibility.
- All devices owned by Nexus will have hardware encryption set up by default where possible, including laptops, mobile devices and removable media.
Use of Third-Party Processors is as follows:
- Nexus must only appoint processors who can provide sufficient guarantees around compliance with the UK GDPR and that the rights of data subjects will be protected.
- Where a processor can demonstrate that they adhere to approved codes of conduct or certification schemes, this should be taken into consideration for choice of supplier.
- Where Nexus uses a processor, a written contract with compulsory terms as set out in Article 28 of the UK GDPR must be in place (plus any additional requirements that we determine). Processors can only act on the instruction of Nexus.
SECTION 4: REPORTING OF BREACHES & COMPLAINTS
BREACHES OF THE UK GDPR
Definition of a Personal Data Breach
A Personal Data Breach is defined under the UK GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
What should be reported?
All members of personnel should be vigilant and able to identify a suspected personal data breach.
You should report any incident that could potentially compromise the security of Personal Data, for example:
- Lost or stolen devices: laptop, mobile phone, or USB drive containing data;
- Unauthorised disclosure of personal information;
- Loss of personal files;
- Non-arrival of sensitive information;
- Maintenance of unsecured databases;
- Hacking or other forms of unauthorised access to a device, email account, or the network;
- Disclosing personal data to the wrong person, through wrongly addressed post/emails, or bulk emails that inappropriately reveal all recipients’ email addresses;
- Alteration or destruction of personal data without permission.
When should the event/incident be reported?
Immediately, as soon as the data loss has been discovered.
How should the event/incident be reported?
- In the event of a breach, the personnel member should inform their line manager and DPO immediately detailing what that breach entailed.
- The DPO will work with the Head of People & Organisational Development (HOPOD) to investigate the issue and assess the risk. This is to determine the potential impact on individuals’ rights and freedoms. If the breach is likely to result in a high risk, the DPO will inform the affected individuals without undue delay.
- The DPO and HOPOD will establish if the breach meets the threshold for reporting to the ICO. If it meets the threshold of a Data Breach, the DPO will inform the ICO within 72 hours of becoming aware of it.
- The DPO will document the breach: details of the breach, its effects and remedial actions taken.
- The DPO and HOPOD, after the breach has been addressed, will review the data protection practices and make necessary improvements to prevent future breaches.
BUILDING SECURITY
All personnel members are responsible for maintaining the physical security of personal data:
- Ensure all paper documents are securely stored at the end of each day or while not in use.
- Maintain the clear desk policy.
- Lock computers and devices when unattended.
- Personnel responsible for closing the building must ensure:
  - All areas are secure
  - Alarms are activated
  - Any lost keys or security concerns are reported immediately to the Business Services Manager
COMPLAINTS
Under Article 77 of the UK GDPR, individuals have the right to make a complaint if they believe that their personal information has been mishandled.
How to make a complaint
Complaints should be submitted in writing to the Data Protection Officer (Business Support Manager) at info@nexusni.org.
All complaints will be handled in accordance with Nexus’ Comments, Compliments and Complaints Policy (Nexus/G/001).
SECTION 5: APPENDIX
APPENDIX 1: DEFINITIONS OF IMPORTANT TERMS
Data Controller
The Data Controller is the person or organisation that determines the purposes and means of processing personal data. At Nexus, the Chief Executive Officer (CEO) acts as the Data Controller, holding overall responsibility for ensuring that personal data is processed lawfully and ethically, in collaboration with the Data Protection Officer (DPO).
Data Subject
A Data Subject is an identifiable living individual whose personal data is being processed. This includes anyone who can be identified directly or indirectly through identifiers such as name, ID number, location data, or other personal characteristics.
At Nexus, Data Subjects include:
- Current, former, and prospective service users
- Staff, volunteers, and students
- Donors, contractors, consultants, and referees
We often use the term “individuals” in place of “Data Subjects” throughout this policy.
Personal Data
Any information relating to a Data Subject. This includes:
- Names, dates of birth, addresses
- Contact details, photographs, and identification numbers
- Employment records, service history, and case notes
Personal data does not need to be private; information about someone’s professional life or public role can also be considered personal data.
Special Categories of Personal Data
This is a more sensitive type of personal data that requires additional protection. It includes:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic and biometric data (used for identification)
- Health data (physical or mental)
- Data concerning a person’s sex life or sexual orientation
Nexus processes special category data primarily in the context of counselling, helpline, and aftercare services, under lawful bases provided by Article 9 of the UK GDPR.
Processing
Processing refers to any operation performed on personal data, including:
- Collecting, recording, storing
- Using, analysing, combining
- Sharing, disclosing, or deleting
Almost everything we do with data counts as processing.
Processor
A Processor is a person or organisation (other than an employee) that processes personal data on behalf of the Data Controller. Processors must follow the Controller’s instructions and have specific legal obligations under UK GDPR.
Example: When Nexus collects specific data on behalf of a funder (e.g. SPPG), we act as a Processor.
ICO - Information Commissioner’s Office
The ICO is the UK’s independent authority responsible for upholding information rights and enforcing data protection laws. The ICO:
- Provides guidance and promotes good practice
- Investigates complaints and monitors compliance
- Has powers to take enforcement action where necessary
DPA - Data Protection Act 2018
The DPA 2018 is the UK’s national data protection legislation. It complements the UK GDPR by:
- Providing exemptions and tailoring GDPR to the UK context
- Setting rules for law enforcement and national security
- Defining the ICO’s powers and responsibilities
UK GDPR - UK General Data Protection Regulation
The UK GDPR sets out the core principles, rights, and obligations for most personal data processing in the UK. It came into effect on 25 May 2018 and was retained in UK law following Brexit under the European Union (Withdrawal) Act 2018, with necessary amendments to reflect the UK context.
APPENDIX 2: RETENTION & DESTRUCTION SCHEDULE
Nexus retains personal data only for as long as necessary to fulfil the purposes for which it was collected, in line with legal, regulatory, and ethical obligations. Retention periods vary depending on the type of data and the nature of the service provided.
Please refer to the full Retention & Destruction Schedule (NEXUS/G/007a) for detailed guidance on:
- Counselling and therapeutic records
- Helpline logs (anonymised)
- HR and volunteer records
- Donor and financial records
- Safeguarding documentation
- Education programme data
- Governance and trustee documentation
All data is securely destroyed when no longer required, using appropriate methods such as digital wiping, shredding, or secure disposal services.
APPENDIX 3: FURTHER RELEVANT INFORMATION AND RESOURCES
To support understanding and compliance with data protection legislation, the following resources are recommended:
UK GDPR Overview
A comprehensive guide to the UK GDPR, including articles and recitals.
Data Protection Act 2018
http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted
The UK’s national data protection framework, supplementing the UK GDPR.
Privacy and Electronic Communications Regulations (PECR)
https://www.legislation.gov.uk/uksi/2018/1189/contents/made
Governs electronic marketing, cookies, and communications.
ICO Guide to Data Protection
https://ico.org.uk/for-organisations/guide-to-data-protection/
Official guidance from the Information Commissioner’s Office (ICO).
Information Commissioner’s Office (ICO)
The UK’s independent authority for data protection and privacy rights.
NICVA Data Protection Toolkit
https://www.nicva.org/data-protection-toolkit
Practical resources for charities and voluntary organisations in Northern Ireland.