Data Protection

Policy

Introduction

Linx needs to gather and use certain information about individuals. These can include young people, suppliers, business contacts, employees, and other people Linx has a relationship with or may need to contact. This policy describes how this personal data must be collected, handled, and stored to meet Linx data protection standards and to comply with the law.

The policy should be read in conjunction with our Data access, correction, transfer, and destruction policy as well as our Data breach policy. It also has relevance to our Safeguarding policies in relation to the personal data of people other than staff.

Why this policy exists

This data protection policy ensures Linx:

  • Complies with data protection law and follows good practice
  • Protects the rights of staff, young people, families, and partners
  • Is open about how it stores and processes individuals’ data
  • Protects itself from the risks of a data breach

Data protection law

Linx is required to comply with the provisions of the General Data Protection Regulation, the UK Data Protection Act 2018 (DPA), and subsequent statutory updates in relation to how we handle any personal data which we obtain from employees or clients. These rules apply regardless of whether data is stored electronically, on paper or on other materials.

Data Protection Act 2018

The Data Protection Act 2018 is legislation that aims to ensure that any personal or sensitive data that an organisation (known, in this context, as the ‘Data Controller’) holds about an individual is used appropriately.

The lawful bases for processing are set out in Article 6 of the UK GDPR. At least one of these must apply whenever you process personal data:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

We must include information about our lawful basis (or bases, if more than one applies) in our privacy notice. Under the transparency provisions of the UK GDPR, the information we need to give people includes:

  • our intended purposes for processing the personal data; and
  • the lawful basis for the processing.

This applies whether we collect the personal data directly from the individual or we collect their data from another source.

In accordance with the Regulation, employees have to give consent to the processing of personal data unless it is:

  • for a reason such as to comply with legislation, e.g. processing data to calculate tax and national insurance contributions
  • necessary for the performance of a contract
  • necessary in an emergency, e.g. giving medical information in a life-or-death situation; or
  • necessary for legitimate interests pursued by the Data Controller.

Explicit permission has to be given for the use of sensitive data unless it meets one of the legal requirements explained in the Regulation. Sensitive data is classified as:

  • racial or ethnic origin
  • political opinions
  • religious beliefs or beliefs of a similar nature
  • trade union membership
  • physical or mental condition
  • sexual life
  • the commission or alleged commission of any offence or any proceedings in relation to any offence.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

The Data Protection Act (DPA) is underpinned by eight important principles. These say that personal data must:

  1. Be processed fairly and lawfully
  2. Be obtained only for specific, lawful purposes
  3. Be adequate, relevant, and not excessive
  4. Be accurate and kept up to date
  5. Not be held for any longer than necessary
  6. Be processed in accordance with the rights of data subjects
  7. Be protected in appropriate ways. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
  8. Not be transferred outside the UK to any EU country unless that country or territory also ensures an adequate level of protection and accepts the level of protection provided by the UK Data Protection Act at the time.

People, risks, and responsibilities

This policy applies to:

  • Linx Board of Management
  • All staff and volunteers of Linx
  • All contractors, suppliers and other people working on behalf of Linx

It applies to all data that Linx holds relating to identifiable individuals.

This can include:

  • Names of individuals
  • Postal addresses
  • Email addresses
  • Telephone numbers
  • …plus any other information relating to individuals

Data protection risks

This policy helps to protect Linx from some very real data security risks, including:

  • Breaches of confidentiality. For instance, information being given out inappropriately.
  • Failing to offer choice. For instance, all individuals should be free to choose how Linx Youth Project uses data relating to them.
  • Reputational damage. For instance, Linx Youth Project could suffer if hackers successfully gained access to sensitive data.

Responsibilities

Everyone who works for or with Linx has some responsibility for ensuring data is collected, stored, and handled appropriately. Each member of staff/volunteer that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.

However, these people have key areas of responsibility:

  • The Board of Trustees of Linx is ultimately responsible for ensuring that Linx meets its legal obligations. This includes:
    • Approving any data protection statements attached to communications such as emails and letters.
    • Addressing any data protection queries from journalists or media outlets like newspapers.
    • Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
  • The CEO of Linx, with advice and assistance from any IT services Linx engages, is responsible for:
    • Keeping the board updated about data protection responsibilities, risks, and issues.
    • Reviewing all data protection procedures and related policies, in line with an agreed schedule.
    • Arranging data protection training and advice for the people covered by this policy.
    • Handling data protection questions from staff and anyone else covered by this policy.
    • Dealing with requests from individuals to see the data Linx holds about them (also called ‘subject access requests’).
    • Checking and approving any contracts or agreements with third parties that may handle Linx sensitive data.
    • Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
    • Performing regular checks and scans to ensure security hardware and software is functioning properly.
    • Evaluating any third-party services Linx is considering using to store or process data. For instance, cloud computing services.

Employee Personal Records

Linx has developed guidelines for the processing of personal data to meet the requirements of the DPA. We keep personal information on employees and will share such information only on a need-to-know basis as and when required. The information held about employees includes data such as personal contact details, absence, sickness and health records, equalities information and, where appropriate, trade union/non-trade union membership.

The information will be used for personnel and payroll purposes and in the management of staff. This information is retained securely at each site and has controlled access by the Managers.

Throughout employment, and for as long a period as is necessary following the termination of employment (normally 6 years), the organisation will need to keep information for purposes connected with an employee’s employment, including recruitment and termination information.

These records may include:

  • information gathered about an employee and any references obtained during recruitment – employment history
  • details of terms of employment – contract of employment
  • payroll, tax, and National Insurance information – full name, date of birth, last known address
  • contact names and addresses
  • relevant DBS information
  • performance information
  • details of grade and job duties
  • health records
  • absence records, including holiday records and self-certification forms
  • disciplinary or grievance records – details of any disciplinary investigations and proceedings
  • training records
  • correspondence with the organisation and other information provided to the organisation.

Linx believes these uses are consistent with our employment relationship and with the principles of the DPA. The information held will be for our management and administrative use only, but from time to time, we may need to disclose some information we hold about employees to relevant third parties (e.g. where legally obliged to do so by HMRC or requested to do so by an employee for the purposes of giving a reference). We may also transfer information to another group or organisation, solely for purposes connected with an employee’s career or the management of the organisation’s business. We will not transfer complete personnel records to a third party.

It should also be noted that the organisation might hold the following information about an employee for which disclosure to any person will be made only when strictly necessary for the purposes set out below:

  • an employee’s health, for the purposes of compliance with our health and safety and our occupational health obligations
  • for the purposes of personnel management and administration, for example to consider how an employee’s health affects his or her ability to do his or her job and, if the employee is disabled, whether he or she requires any reasonable adjustment to be made to assist him or her at work
  • the administration of insurance, pension, sick pay, and any other related benefits in force from time to time
  • in connection with unspent convictions to enable us to assess an employee’s suitability for employment.

The data may also be used from time to time for organisational reporting on items such as personal headcount, career enquiries etc.

All personal data undergoes a regular data audit which identifies the data, the purpose for which it is processed, the subject category (payroll, performance, discipline, etc.), the lawful basis for processing, the retention period, who can access it and the security measures that protect it. If you wish to see this audit you may do so on written request.

Linx requires all employees to comply with the DPA in relation to information about other staff. Failure to do so, e.g. unauthorised, inappropriate or excessive disclosure of, or obtaining of, information about individuals, will be regarded as serious misconduct and will be dealt with in accordance with the Organisation’s disciplinary policy and procedure. If an employee is in a position to deal with personal information about other employees, he or she will be given separate guidance on his or her obligations and must ask the Manager/CEO if they are unsure.

The person with overall responsibility for compliance with the DPA is the CEO.

Data subject rights

The law on data protection gives people certain rights in relation to the data we hold on them. These are:

  • the right to be informed. This means that we must tell you how we use your data, and this is the purpose of this privacy notice
  • the right of access. You have the right to access the data that we hold on you. To do so, you should make a subject access request. You can read more about this in our Subject Access Request policy which is available from admin.
  • the right for any inaccuracies to be corrected. If any data that we hold about you is incomplete or inaccurate, you are able to require us to correct it
  • the right to have information deleted. If you would like us to stop processing your data, you have the right to ask us to delete it from our systems where you believe there is no reason for us to continue processing it
  • the right to restrict the processing of the data. For example, if you believe the data we hold is incorrect, we will stop processing the data (whilst still holding it) until we have ensured that the data is correct
  • the right to portability. You may transfer the data that we hold on you for your own purposes but we will not transfer complete personnel folders.
  • the right to object to the inclusion of any information. You have the right to object to the way we use your data where we are using it for our legitimate interests
  • the right to regulate any automated decision-making and profiling of personal data. You have a right not to be subject to automated decision making in a way that adversely affects your legal rights.

Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate reason for doing so.

If you wish to exercise any of the rights explained above, please contact the CEO, and complete the required forms.


General staff guidelines

  • The only people able to access data covered by this policy should be those who need it for their work.
  • Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.
  • Linx will provide training to all employees to help them understand their responsibilities when handling data.
  • Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
  • In particular, strong passwords must be used, and they should never be shared.
  • Personal data should not be disclosed to unauthorised people, either within the company or externally.
  • Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
  • Employees should request help from their line manager or CEO if they are unsure about any aspect of data protection.

Data storage

These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the CEO or board of Linx.

When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it. (These guidelines also apply to data that is usually stored electronically but has been printed out for some reason.)

  • When not required, the paper or files should be kept in a locked drawer or locked filing cabinet.
  • Employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
  • Data printouts should be shredded by using a shredding machine and disposed of securely when no longer required.

When data is stored electronically, it must be protected from unauthorised access, accidental deletion, and malicious hacking attempts:

  • Data should be protected by strong passwords that are changed regularly and never shared between employees.
  • If data is stored on removable media (like a CD/DVD or any External Storage Device), these should be kept locked away securely when not being used and be password protected/encrypted.
  • Data should only be stored on designated drives and servers, and should only be uploaded to an approved cloud computing service, which is currently LampLight, as chosen by the board of Linx.
  • Servers containing personal data should be sited in a secure location, away from general office space.
  • Data should be backed up frequently. Those backups should be tested regularly, in line with Linx standard backup procedures.
  • Data should never be saved directly to Desktops, laptops or other mobile devices like tablets or smart phones.
  • All servers and computers containing data should be protected by approved security software and a firewall.


Data use

Personal data is of no value to Linx unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption, or theft:

  • When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
  • Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
  • Data must be encrypted before being transferred electronically. The Director can explain how to send data to authorised external contacts.
  • Personal data should never be transferred outside of the European Economic Area.
  • Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.


Data accuracy

The law requires Linx to take reasonable steps to ensure data is kept accurate and up to date. The more important it is that the personal data is accurate, the greater the effort that should be put into ensuring its accuracy.

It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

  • Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
  • Staff should take every opportunity to ensure data is updated. For instance, by confirming a young person’s details when they call.
  • Linx will make it easy for data subjects to update the information Linx holds about them.
  • Data should be updated as inaccuracies are discovered. For instance, if a young person can no longer be reached on their stored telephone number, it should be removed from the database.
  • It is the responsibility of the board of Linx to ensure marketing databases are checked against industry suppression files every six months.

Subject access requests

All individuals who are the subject of personal data held by Linx are entitled to:

  • Ask what information Linx holds about them and why.
  • Ask how to gain access to it.
  • Be informed how to keep it up to date.
  • Be informed how Linx is meeting its data protection obligations.

If an individual contacts Linx requesting this information, this is called a subject access request.

Subject access requests from individuals should be made by email, addressed to the CEO. The CEO can supply a standard request form, although individuals do not have to use this.

The CEO will aim to provide the relevant data within 14 days.

The CEO will always verify the identity of anyone making a subject access request before handing over any information.

Disclosing data for other reasons

In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.

Under these circumstances, Linx will disclose requested data. However, the CEO will ensure the request is legitimate, seeking assistance from the board and legal advice where necessary.

Providing information

Linx aims to ensure that individuals are aware that their data is being processed, and that they understand:

  • How the data is being used
  • How to exercise their rights

To these ends, Linx has a privacy statement setting out how data relating to individuals is used by Linx.