GDPR & Data Protection Policy
ParentSkills2Go (PS2Go)
Last Updated: January 2025
1. Introduction
ParentSkills2Go (referred to as PS2Go, 'we', 'us', or 'our') is committed to protecting the privacy and rights of individuals whose personal data we process.
Effective data security and proper data management are critical to our operations. They ensure we serve our members and the wider community sector lawfully, transparently, and responsibly.
All personal data handled by PS2Go is governed by:
- The General Data Protection Regulation (GDPR)
- The UK Data Protection Act 2018 (DPA)
Every PS2Go staff member is required to uphold the principles outlined in this policy and adhere to the GDPR framework.
2. Data Protection Principles
Under Article 5 of the GDPR, PS2Go upholds the six key principles of data protection:
- Lawfulness, fairness, and transparency
- Purpose limitation: Data collected for specific, explicit, and legitimate purposes only
- Data minimisation: Data must be relevant and not excessive
- Accuracy: Kept up to date and correct
- Storage limitation: Kept only for as long as necessary
- Integrity and confidentiality: Protected against unauthorised access or loss
We also commit to:
- Reviewing our Data Processing Register every six months
- Ensuring compliance across all data-handling processes
3. Lawful Processing
All personal data must be processed on one of the following lawful bases (Article 6(2), GDPR):
Special Category Data:
For sensitive or special category data (Article 9(1)), processing must meet additional criteria under Article 9(2).
Consent Requirements:
When consent is the basis for processing, it must be easy for individuals to withdraw consent at any time.
Marketing Communications:
- Offer a clear opt-out option in every message
- Respect and action all opt-out requests immediately
4. Data Minimisation, Control & Accountability
- Data collection methods are regularly reviewed by the Data Protection Officer (DPO) and monitored by the Board.
- We only collect the minimum personal data required to fulfil a specific purpose.
- If no legal obligation exists to retain data, we assess whether there's a valid business need.
- Personal data is retained only for as long as necessary.
- If data is shared with third parties, only what is strictly necessary is shared.
- PS2Go maintains a Data Processing Register in line with Article 30 of the GDPR.
All staff, volunteers, consultants, and partners who handle personal data on PS2Go's behalf will be appropriately trained and supervised.
5. Staff Procedures & Responsibilities
All staff must comply with this policy and associated data handling procedures. This includes awareness of cybersecurity practices and relevant guidance.
Key Procedures
- Respect confidentiality: Don't share personal information unless authorised
- Secure storage: Physical data should be locked away when not in use
- Safe transfer: Hand hard copies directly to recipients — never leave them unattended
- Careful emailing: Always double-check recipients; use BCC for group emails
- Personal device access: Devices must be password-protected and have a firewall if accessing data via Office 365
6. Reporting Data Breaches
What is a Personal Data Breach?
A breach is any accidental or unlawful destruction, loss, alteration, or unauthorised access/disclosure of personal data.
Common Breach Examples:
- Loss or theft of devices, USBs, or printed documents
- Hacking or unauthorised access to emails, accounts, or systems
- Sending data to the wrong recipient via email
- Altering or deleting personal data without proper authority
Reporting Protocol
- All staff must be alert to signs of a potential breach
- Any suspected breach should be reported to the DPO immediately
- If there is a risk to individual rights and freedoms, the DPO will notify the ICO within 72 hours
- The DPO will:
  - Log all breaches
  - Investigate causes
  - Implement corrective actions to prevent recurrence
Contact the Data Protection Officer (DPO)
If you have any questions regarding GDPR, data use, or concerns: