1. Purpose of this policy

Yesoid is committed to protecting the privacy and security of personal information. We collect and use data to run mentoring programmes, youth activities, sports sessions, support groups, and to keep children and adults safe.

This policy explains how we collect, use, store, share, and protect personal information in line with:

  • UK General Data Protection Regulation (UK GDPR)

  • Data Protection Act 2018

  • Charity Commission guidance

  • Safeguarding requirements

This policy applies to trustees, staff, volunteers, mentors, contractors, sessional workers, and anyone acting on behalf of Yesoid.

2. What personal data we collect

We collect and process personal data for the legitimate operation of our services. This includes:

Children and young people

  • Name, date of birth, school, contact details

  • Parent/guardian details

  • Health or access needs

  • Attendance records

  • Safeguarding information (where relevant)

  • Notes relating to mentoring or support sessions

Parents and carers

  • Contact details

  • Emergency contact information

  • Consents (photo, trips, data use)

Mentors, staff and volunteers

  • Name, contact details

  • DBS checks

  • References and training records

  • Supervision notes (where relevant)

  • Emergency contact information

Supporters and donors

  • Contact and donation details

  • Gift Aid declarations

We only collect information we genuinely need to provide safe, effective services.

3. Lawful bases for processing

We process personal data under the following lawful bases:

  • Legitimate Interests – running youth activities, mentoring, communication with families

  • Legal Obligation – safeguarding, reporting concerns, DBS checks, charity law

  • Vital Interests – sharing information in an emergency

  • Consent – photos, media use, and some types of communication

For safeguarding and health data (special category data), we rely on:

  • Substantial Public Interest (safeguarding duties)

  • Vital Interests (to protect a child or vulnerable adult)

4. How we use personal data

We use personal information to:

  • deliver mentoring and youth programmes

  • run sports and activity sessions safely

  • support children, teens and families who need additional help

  • manage volunteers and staff

  • communicate with families about sessions

  • monitor attendance and outcomes

  • meet safeguarding requirements

  • manage donations and Gift Aid

  • keep accurate records for legal, insurance, and governance purposes

We never sell personal data.

5. How we store and protect data

We store information securely using:

  • password-protected devices

  • encrypted storage (where applicable)

  • secure E-Voice website systems

  • locked cabinets for paper records

  • restricted access for staff and volunteers

Access is given only to people who need it for their role.

Safeguarding records are stored separately with enhanced restrictions.

6. How long we keep information

We keep data only for as long as necessary:

  • Safeguarding records: up to 25 years (per statutory guidance)

  • DBS details: not stored — only the date and reference are kept

  • Attendance records: 3 years

  • Volunteer records: 3 years after leaving

  • Donation/Gift Aid records: 6 years (legal requirement)

  • General enquiries: 1 year

At the end of the retention period, data is securely deleted or shredded.

7. Sharing information

We only share data when necessary and appropriate:

  • with emergency services to protect a child or adult

  • with statutory agencies (e.g., social services) if required under safeguarding law

  • with partner organisations delivering sessions (only minimal information)

  • with funders in an anonymised and non-identifiable form

We do not share data for marketing.

8. Data rights of individuals

People we support have the right to:

  • access their personal data

  • request correction of inaccurate data

  • request deletion (except safeguarding records)

  • object to processing

  • withdraw consent (where consent is used)

Requests can be made to the Data Protection Lead (see below).

9. Data breaches

A data breach includes the loss, theft, or unauthorised access to personal information.

If a breach occurs:

  1. It is reported immediately to the Data Protection Lead.

  2. We assess the risk to individuals.

  3. Serious breaches are reported to the ICO within 72 hours.

  4. Affected individuals are informed where required.

10. Photography and media

We only use photographs or video with explicit parental consent.
Images of children are stored securely and never shared publicly without permission.

11. Roles and responsibilities

Trustees

Ensure Yesoid complies with data protection law.

Data Protection Lead

Oversees data practices and responds to requests.

Staff and Volunteers

Must read and follow this policy, keep data secure, and report any concerns or breaches.

12. Contact

Data Protection Lead 
Mr Yehuda Heller
Email: info@yesoid.co.uk
Phone: 07942819976

This policy was created on the 24th December 2025 and will be updated yearly