Jesus Youth JY UK Safeguarding
Section 14

Storage, Destruction & Access Requests

Access tiers, encryption, destruction procedures, and subject access requests.

Storage, Access & Security

  • Central Volunteer Record stored in an access-controlled system (e.g. encrypted shared drive or dedicated platform)
  • Access tiers:
    • DSL + Deputy DSL: full access
    • National lead / trustees: aggregate reporting only, named-individual access only when justified
    • Programme leads: access to records of volunteers in their programme, no DBS detail beyond “checked / valid until”
    • Volunteers themselves: access to their own record on request (SAR)
  • Restricted sections (positive disclosures, safeguarding concerns, allegations): DSL + Deputy DSL only, with audit log of access
  • Encryption: at rest and in transit; if cloud-hosted, UK/EU data residency, signed DPA with provider
  • Backups: encrypted, retention aligned to live data, regularly tested
  • Devices: no records on personal devices; if mobile access needed, MDM or sandboxed app
  • Paper records: locked cabinet, restricted key holders, never left out

Destruction

  • Scheduled destruction at least annually (December sweep recommended)
  • Method:
    • Paper: cross-cut shred or accredited confidential waste service (with destruction certificate)
    • Digital: secure deletion including from backups (or wait until the backup retention cycle naturally rolls off, documented)
  • Destruction log kept permanently: what was destroyed, date, by whom, method
  • Holds: if a record is subject to a legal hold (police request, ongoing complaint), suspend destruction and document the hold

Subject Access Requests (SARs)

  • Anyone we hold data on (volunteers, parents, young people) can request a copy of their data
  • Must respond within one calendar month, extendable to three months for complex requests
  • Process: identity verified → data gathered from all systems → third-party data redacted → safeguarding exemptions applied where applicable → provided in accessible format
  • Exemptions worth knowing:
    • Safeguarding (Sch 3 Pt 1 §3 DPA 2018) — can withhold data where disclosure would prejudice prevention of harm
    • References (given confidentially)
    • Crime / regulatory investigations
  • Each SAR logged: requester, date received, response date, exemptions applied, outcome