Jesus Youth JY UK Safeguarding
Section 15

Data Protection — Operational Detail

UK GDPR and Data Protection Act 2018 operational compliance detail.

15. Data Protection — Operational Detail

15.1 Data controller and registration

Jesus Youth UK is the data controller for the personal data it processes. As an organisation processing personal data, registration with the ICO is required (currently £40–£60/year for most charities, fee tier depends on size). Maintain proof of current registration.

Where Jesus Youth UK shares data with the international Jesus Youth movement, dioceses, or third parties, the relationship is documented (controller/controller, controller/processor, joint controllers as appropriate).

15.2 Lawful bases used

Map every data flow to a lawful basis. Most common:

ProcessingArticle 6 basisArticle 9 basis (special category)
Volunteer recruitment & managementLegitimate interestsSubstantial public interest — safeguarding (Sch 1 Pt 2 §18) where DBS / safeguarding-relevant
Under-18 event participationLegitimate interests + parental consentConsent (medical) / safeguarding
Adult event participationLegitimate interests / consentConsent (medical)
Media (photos, video)ConsentConsent
Marketing / newsletterConsentn/a
Safeguarding investigationsLegal obligation / legitimate interestsSubstantial public interest — safeguarding
Financial recordsLegal obligationn/a

15.3 Privacy notices

Three required at minimum:

  1. Volunteer privacy notice — what we collect at recruitment, why, who sees it, how long, rights
  2. Parent / participant privacy notice — for under-18 programmes, written so a young person can also understand it
  3. Website / general privacy notice — covers contact forms, newsletter, cookies

Every notice version-controlled and dated. Show on the form / process where data is collected.

15.4 Consent — what makes consent valid

Where consent is the basis (notably media):

  • Specific — not bundled with other agreements; granular tick-boxes by purpose
  • Informed — they know what they’re consenting to
  • Freely given — no detriment for refusing
  • Unambiguous — opt-in, not pre-ticked
  • Recorded — date, method, what they consented to
  • Revocable — easy mechanism to withdraw, take effect promptly

Children under 13 cannot consent to data processing under UK GDPR for “information society services” (online); parental consent required. For most safeguarding consent, parental consent is the operative consent regardless of the child’s age.

15.5 Data subject rights

Volunteers, parents, and participants have the right to:

  • Be informed (privacy notice)
  • Access (SAR)
  • Rectification
  • Erasure (limited where safeguarding retention applies)
  • Restrict processing
  • Data portability (limited — typically only consent-based or contract-based)
  • Object
  • Not be subject to solely automated decisions

Have a documented procedure for handling each.

15.6 Data breaches

Definition: any unauthorised disclosure, loss, alteration, or unavailability of personal data.

Procedure:

  1. Within 1 hour of discovery: notify DSL + named data lead
  2. Within 24 hours: contain and assess severity
  3. Within 72 hours of becoming aware: notify ICO if breach is likely to result in risk to rights and freedoms (high bar — not all breaches need reporting, but err on the side of reporting for safeguarding-relevant breaches)
  4. Notify affected individuals if high risk
  5. Log in breach register (kept permanently) — what, when, how detected, remediation, lessons learned

15.7 Data sharing

Only share when:

  • There is a clear lawful basis
  • The minimum data is shared
  • The recipient has appropriate safeguards
  • It is documented

For ongoing relationships (e.g. with a diocese, with an umbrella DBS body, with a venue): a Data Sharing Agreement in writing.

For one-off safeguarding sharing (police, LADO, social services): no agreement needed but the sharing event is logged with date, recipient, what was shared, why.

15.8 International transfers

If using cloud services hosted outside the UK/EEA (some US-hosted tools), an appropriate transfer mechanism is required (UK IDTA, adequacy decision, etc.). Document for each tool used.

15.9 Records of Processing Activities (ROPA)

Maintain a single ROPA spreadsheet listing each processing activity:

  • Activity name
  • Purpose
  • Categories of data subjects (volunteers, children, parents, etc.)
  • Categories of data
  • Recipients
  • Retention
  • Lawful basis (Art 6 + Art 9 if applicable)
  • International transfers (if any)
  • Security measures

Reviewed annually. Required to be available on request from ICO.