Jesus Youth JY UK Safeguarding
Section 14

Records Management

What data is held, retention periods, storage, and destruction procedures.

This section sets out exactly what data Jesus Youth holds, what we are permitted to hold, what we are not permitted to hold, how long we keep it, and how it is stored and destroyed. It applies safeguarding obligations and UK GDPR / Data Protection Act 2018 requirements together. They pull in the same direction in most places, but where they are in tension (e.g. data minimisation vs safeguarding retention), the resolution is documented here.

Core Principles

Every record held must satisfy all six of:

  1. Lawful basis — there is a documented Article 6 (and where applicable Article 9) basis for holding it
  2. Necessity — it is genuinely needed for the purpose; if a lesser data point would do, use the lesser one
  3. Minimisation — no “nice to have” fields; if you can’t say why a field is needed, don’t collect it
  4. Accuracy — kept up to date; volunteers told how to correct
  5. Storage limitation — destroyed at the end of the retention period without exception (unless extended for a documented reason)
  6. Security — access-controlled, encrypted at rest and in transit, breach-detected

If any of these can’t be satisfied for a piece of data, the data should not be collected in the first place.