Data Protection Policy

1. Introduction

Bolton Together is committed to protecting personal data and ensuring it is handled securely, responsibly, and in accordance with the law.

This policy explains how we collect, use, store, and protect personal data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

As an organisation supporting children, young people, and families, we recognise the importance of maintaining the highest standards of data protection and confidentiality.

2. About Us

Bolton Together
Registered Charity No. 1163466
Company No. 08730010

Address:
c/o Beyond Profit, F114 Bolton Arena
Arena Approach, Horwich
Bolton, BL6 6LB

3. Scope

This policy applies to:

  • All personal data processed by Bolton Together

  • Staff, volunteers, trustees, and partner organisations

  • All systems, platforms, and processes used to handle data

4. Data Protection Principles

We adhere to the following principles:

  • Lawfulness, fairness, and transparency

  • Purpose limitation

  • Data minimisation

  • Accuracy

  • Storage limitation

  • Integrity and confidentiality

  • Accountability

5. Types of Personal Data We Process

We may process the following types of data:

Service Users (Children, Young People, Families)

  • Names and contact details

  • Dates of birth

  • Address and household information

  • Support needs and case information

  • Referral details

Professionals and Partners

  • Names and contact details

  • Organisation details

  • Referral and communication records

Website Users

  • IP address

  • Usage data (via cookies and analytics)

In some cases, we may process special category data (e.g. health, safeguarding, or support needs), where lawful and necessary.

6. Lawful Basis for Processing

We process personal data under:

  • Legal obligation – safeguarding and statutory duties

  • Public task – delivering services for the public benefit

  • Legitimate interests – improving services and operations

  • Consent – where required (e.g. certain communications)

Where special category data is processed, we rely on additional lawful conditions such as:

  • Safeguarding of children and individuals at risk

  • Provision of health or social care support

7. How We Use Personal Data

We use personal data to:

  • Deliver services and support programmes

  • Assess and manage referrals

  • Safeguard children and vulnerable individuals

  • Communicate with service users and professionals

  • Monitor and improve service delivery

  • Meet legal, regulatory, and funding requirements

8. Data Sharing

We do not sell personal data.

We may share data with:

  • Partner organisations delivering services

  • Local authorities and safeguarding bodies

  • Health and social care providers

  • Funding bodies (in anonymised or necessary formats)

  • Legal or regulatory authorities where required

All data sharing is conducted securely and in line with data protection law.

9. International Data Transfers

We do not routinely transfer personal data outside the UK.

Where this is necessary (e.g. cloud services), appropriate safeguards are in place.

10. Data Security

We implement robust security measures, including:

  • Secure IT systems and encrypted storage

  • Access controls based on roles

  • Staff training on data protection and safeguarding

  • Secure handling of sensitive information

11. Data Retention

We retain personal data only as long as necessary:

  • Service user records: in line with safeguarding and legal requirements

  • Referral records: as required for service delivery and reporting

  • Administrative data: in accordance with legal obligations

Data is securely deleted or anonymised when no longer required.

12. Data Subject Rights

Individuals have the right to:

  • Access their personal data

  • Request correction of inaccurate data

  • Request deletion (where applicable)

  • Restrict or object to processing

  • Request data portability

Requests can be made via the contact details below.

13. Data Breaches

In the event of a data breach, we will:

  • Assess the risk to individuals

  • Notify the Information Commissioner’s Office (ICO) where required

  • Inform affected individuals where there is a high risk

We maintain procedures for identifying, reporting, and managing breaches.

14. Responsibilities

All staff, volunteers, and partners must:

  • Handle personal data responsibly

  • Follow this policy and related procedures

  • Report any concerns or breaches immediately

Failure to comply may result in disciplinary action.

15. Third-Party Processors

We ensure that any third-party processors:

  • Act only on our instructions

  • Have appropriate security measures

  • Comply with UK GDPR

Data Processing Agreements are in place where required.

16. Monitoring and Review

This policy is reviewed regularly to ensure it reflects:

  • Legal and regulatory requirements

  • Organisational changes

  • Best practice in data protection

17. Contact Us

For any questions about this policy or data protection matters, please contact us via our website.

18. Data Protection Complaints

If you have concerns about how we process your personal data, please contact us in the first instance using the details provided on this website.

We will acknowledge your complaint within 30 days and investigate the matter promptly.

We aim to provide a full response without undue delay.

If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113

Website: Information Commissioner’s Office (ICO)