GDPR & Data Protection Policy

ParentSkills2Go (PS2Go)

Last Updated: January 2025

1. Introduction

ParentSkills2Go (referred to as PS2Go, 'we', 'us', or 'our') is committed to protecting the privacy and rights of individuals whose personal data we process.

Effective data security and proper data management are critical to our operations. They ensure we serve our members and the wider community sector lawfully, transparently, and responsibly.

All personal data handled by PS2Go is governed by:

  • The General Data Protection Regulation (GDPR)
  • The UK Data Protection Act 2018 (DPA)

Every PS2Go staff member is required to uphold the principles outlined in this policy and adhere to the GDPR framework.


2. Data Protection Principles

Under Article 5 of the GDPR, PS2Go upholds the six key principles of data protection:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation: data collected for specific, explicit, and legitimate purposes only
  3. Data minimisation: data must be relevant and not excessive
  4. Accuracy: kept up to date and correct
  5. Storage limitation: kept only for as long as necessary
  6. Integrity and confidentiality: protected against unauthorised access or loss

We also commit to:

  • Reviewing our Data Processing Register every six months
  • Ensuring compliance across all data-handling processes

3. Lawful Processing

All personal data must be processed on one of the following lawful bases (Article 6(2), GDPR):

  • Consent: consent must be freely given, specific, informed and unambiguous. It must be as easy to withdraw consent as it is to give it.
  • Legitimate interests: processing is necessary for legitimate interests that do not override the rights of individuals.
  • Legal obligation: processing is necessary to comply with a legal obligation to which the controller is subject.
  • Contract: processing is necessary for the performance of a contract or to take steps at the request of the data subject prior to entering into a contract.
  • Vital interests: processing is necessary to protect someone's vital interests.
  • Public interest: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

Special Category Data:

For sensitive or special category data (Article 9(1)), processing must meet additional criteria under Article 9(2).

Consent Requirements:

When consent is the basis for processing, it must be easy for individuals to withdraw consent at any time.

Marketing Communications:

  • Offer a clear opt-out option in every message
  • Respect and action all opt-out requests immediately

4. Data Minimisation, Control & Accountability

  1. Data collection methods are regularly reviewed by the Data Protection Officer (DPO) and monitored by the Board.
  2. We only collect the minimum personal data required to fulfil a specific purpose.
  3. If no legal obligation exists to retain data, we assess whether there's a valid business need.
  4. Personal data is retained only for as long as necessary.
  5. If data is shared with third parties, only what is strictly necessary is shared.
  6. PS2Go maintains a Data Processing Register in line with Article 30 of the GDPR.

All staff, volunteers, consultants, and partners who handle personal data on PS2Go's behalf will be appropriately trained and supervised.


5. Staff Procedures & Responsibilities

All staff must comply with this policy and associated data handling procedures. This includes awareness of cybersecurity practices and relevant guidance.

Key Procedures
  • Respect confidentiality: Don't share personal information unless authorised
  • Secure storage: Physical data should be locked away when not in use
  • Safe transfer: Hand hard copies directly to recipients — never leave them unattended
  • Careful emailing: Always double-check recipients; use BCC for group emails
  • Personal device access: Devices must be password-protected and have a firewall if accessing data via Office 365

6. Reporting Data Breaches

What is a Personal Data Breach?

A breach is any accidental or unlawful destruction, loss, alteration, or unauthorised access/disclosure of personal data.

Common Breach Examples:

  • Loss or theft of devices, USBs, or printed documents
  • Hacking or unauthorised access to emails, accounts, or systems
  • Sending data to the wrong recipient via email
  • Altering or deleting personal data without proper authority

Reporting Protocol
  1. All staff must be alert to signs of a potential breach
  2. Any suspected breach should be reported to the DPO immediately
  3. If there is a risk to individual rights and freedoms, the DPO will notify the ICO within 72 hours
  4. The DPO will:
    • Log all breaches
    • Investigate causes
    • Implement corrective actions to prevent recurrence

Contact the Data Protection Officer (DPO)

If you have any questions regarding GDPR, data use, or concerns: