City of Winchester Trust
  • kingalf
  • cathedral
  • roundtable
  • westgate
  • guildhall
  • wolsey
  • stcross
  • library

City of Winchester Trust Data Protection Policy

This policy applies to the running of the City of Winchester Trust. The policy sets out the requirements that we have to abide by to gather of data on members, employees, volunteers and trustees (collectively called 'stakeholders'). The policy details how data will be gathered, stored and managed in line with the General Data Protection Regulation (GDPR). The policy will be reviewed on a regular basis to ensure that the Trust is compliant. This policy should be read in tandem with the Trust Privacy Policy.

This data protection policy ensures that the Trust:

  • Comply with data protection law and follow good practice.
  • Protect the rights of stakeholders and partners.
  • Are open about how we store and process stakeholders data.
  • Protect ourselves from the risks of a data breach.


  • Access to data covered by this policy will be limited to those employees, Trustees or committee members who need to contact or provide a service to our Stakeholders or to manage the Trust. This will normally be one or more trustees or an employee acting on behalf of Trustees.
  • We will provide training to employees, Trustees and committee members to help them understand their responsibilities when handling personal data.
  • We will keep all data secure, by taking sensible precautions and following the guidelines below.
  • Strong passwords will be used for computerised data records and they will never be shared. Paper records are kept under lock and key.
  • Data will not be shared outside of the Trust unless with prior consent from Stakeholders and for specific and agreed reasons.
  • We will request help from the Information Commissioners Office if we are unsure about any aspect of data protection.


The General Data Protection Regulation identifies 8 data protection principles and the Trust will comply with all these eight data protection principles.

We request data from Stakeholders so we can contact them about their involvement with the Trust. Stakeholders will be asked to provide consent for their data to be held and a record of this consent and their data will be held securely. Stakeholders can, at any time, remove their consent by contacting the Trust Secretary. Once a Stakeholder requests the Trust not to contact that person this will be acted upon promptly and comnfirmed by the Trust by email, telephone or post.


Stakeholders data will be used for the following purposes:

  • Contacting them about our events and activities.
  • Contacting them about their membership and/or renewal of their Consent.
  • Contacting them about specific issues that may have arisen during the course of their membership/employment/volunteering.
  • Occasionally the Trust will send details of activities of other organisations that the Council of Trustees thinks will be of interest.

The Trust will not pass the details held about stakeholders to other organisations without their consent.

We will ensure that use of Stakeholders' data does not infringe their rights which include:

  • The right to be informed.
  • The right of access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.

We will only keep data that is relevant for membership/employee/volunteering purposes. This will include:

  • Name
  • Postal address
  • Email address
  • Telephone number
  • Bank account details for setting up standing orders for the payment of membership fees

Where a stakeholders' data is required by law to be shared with a third party involving statutory authorities then consent does not have to be sought from the stakeholder.

The Trust will endeavour to keep stakeholders' data up to date. Stakeholders will be asked to let the Trust know if any of their data changes.

We will ensure that we are compliant with data protection requirements and can prove it. Stakeholders will be asked to provide the Trust with written consent to retain their data which will be securely held as evidence of compliance. We will also stay up to date with guidance and practice of the GDPR and will seek additional input from the Information Commissioners Office should any uncertainties arise. We will review data protection and what data is held and who has access to it on a regular basis.

The Council of Trustees has contracted for services from the following external service providers:

  • Website services
  • The printer of our newsletter and our Annual Report & Accounts.
  • A bulk email service.

The Council of Trustees has scrutinised their Terms and Conditions and judges that they are GDPR compliant. We will ensure inappropriate contact is not made to or Stakeholders such as for maarketing and/or promotional purposes from those vetted external service providers.

Stakeholders can request access to the data we hold on them by contacting the Trust Secretary and we will normally deal with a request within 14 days. A record will be kept of the date of the request and the date of the response.

Where a data breach has occurred action will be taken to minimise the harm. We will seek to rectify the cause of the breach as soon as possible. We will contact the Information Commissioners Office within 72 hours of the breach being reported. We will contact the relevant members to inform them of the data breach and actions taken to resolve it.

If a stakeholder contacts us feeling that there has been a breach, he/she will be asked to produce an email or a letter detailing their concern. We then will investigate the breach. The Member will also be informed that he/she can report their concerns to the Information Commissioners Office. Breach matters will be subject to a full investigation, records will be kept and all those involved notified of the outcome.

Policy review date: 03/20

City of Winchester Trust Council
July 2018 vers1.1