Statement of Intent

Transform is a charitable think tank that campaigns for the legal regulation of drugs both in the UK and internationally. We collect personal information for our employees, volunteers, trustees, key stakeholders, activists and visitors. 

It is also necessary to process information so that staff can be recruited and paid, activities organised and legal obligations to funding bodies fulfilled. We intend to meet all the requirements of the Data Protection Act 1998 (the Act) and the General Data Protection Regulations (GDPR) 2018 when collecting, storing, and destroying personal data. 

To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, Transform Drugs Policy Foundation must comply with the Data Protection Principles which are set out in the Data Protection Act 1998. In summary these state that personal data must be: 

obtained and processed fairly and lawfully; obtained for a specified and lawful purpose and not processed in any manner incompatible with that purpose; adequate, relevant, and not excessive for that purpose; accurate and kept up to date; not kept for longer than is necessary; processed in accordance with the data subject’s rights; kept safe from unauthorised access, accidental loss, or destruction; not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data. 

All Transform staff and volunteers who process or use any Personal Information must ensure that they follow these principles at all times. In order to ensure that this happens, the organisation has adopted this Data Protection Policy. Prior permission will be obtained to hold personal details on all stakeholders or staff. 

The Data Control Overseer and the Designated Data Controller

Transform Drugs Policy Foundation is a registered charity, and the Data Control Overseer under the Act, for the organisation is James Nicholls (Chief Executive) who is therefore ultimately responsible for implementation of the act. 

However, the Designated Data Controller will deal with day to day matters. The Organisation’s designated Data Controller is: Emma Caldwell (Executive Assistant). 

Notification of Data Held and Processed

All employees, trustees, activists, stakeholders, visitors, and other members of the public have the right to: 

know what information the organisation holds and processes about them and why; know how to gain access to it; know how to keep it up to date; know what the organisation is doing to comply with its obligations under the Act. 

Personal Information

Personal Information is defined as any details relating to a living, identifiable individual. Within the organisation this relates to employees; volunteers, activists and their families; trustees; professional visitors; and other stakeholders such as MPs and media contacts. 

We will ensure that the information gained from each individual is kept securely and to the appropriate level of confidentiality. 

The personal information collected from individuals for employment could include: 

Their name Address Email address Telephone numbers-including those of emergency contacts Date of birth Medical information  21’28 National Insurance number Photographs 

Transform Drugs Policy Foundation will store personal information to comply with the employment act 

Processing of Personal Information

All staff and volunteers who process or use any Personal Information are responsible for ensuring that: 

Any Personal Information which they hold is kept securely; Personal Information is not disclosed either orally or in writing or otherwise to any unauthorised third party. 

Staff and volunteers should note that unauthorised disclosure will usually be a disciplinary matter and may be considered gross misconduct in some cases. 

Personal information will be: 

kept in a locked filing cabinet, a locked cupboard or in our office which is locked when not in use, or stored securely on Google Drive . if it is computerised, be password protected; kept on a storage device which is itself kept securely. 

Conversations and Meetings

Information of a personal or confidential nature should not be discussed in a public area, in front of anyone that is not an employee of the organisation. Transform employees should be aware of confidentiality at all times when discussions are taking place, either distancing themselves from the conversation if it does not concern them, or, ensuring that their discussion is not overheard by others. All staff should respect the confidential nature of any information inadvertently overheard. 

When meetings are being recorded it is important that only relevant information is written down. This must be carried out using the correct forms provided by Transform. The written notes are then to be stored in a locked cupboard and disposed of (shredded) in a timely manner once the employee/volunteer/activist/family have left the setting (3 -5 years unless of a child protection nature). 

Collecting Information

Whenever information is collected about people, they should be informed why the information is being collected, who will be able to access it and to what purposes it will be put. The individual concerned must agree that he or she understands and gives permission for the declared processing to take place, or it must be necessary for the legitimate business of the organisation. 

Sensitive Information

Sensitive information is defined by the Act as that relating to ethnicity, political opinions, religious beliefs, trade union membership, physical or mental health, sex life, criminal proceedings or convictions. 

The person about whom this data is being kept must give express consent to the processing of such data, except where the data processing is required by law for employment purposes or to protect the vital interests of the person or a third party. 

Disposal of Confidential Material

Sensitive material should be shredded as soon as it is no longer needed; following retention guidelines and statutory requirements. 

Staff Responsibilities

All staff are responsible for checking that any information that they provide to the organisation in connection with their employment is accurate and up to date. Staff have the right to access any personal data that is being kept about them, either on computer or in manual filing systems. Staff should be aware of and follow this policy and seek further guidance where necessary. 

Staff will not store personal data at home. From time to time it may be necessary for staff members to take information home to update learning diaries or prepare for meetings / home visits. On these occasions, staff will use a memory stick provided by Transform DPF and staff take care to ensure that it is stored in such a way that confidentiality is respected. The information on memory sticks is deleted as soon as no longer needed. Files will always be password protected. 

Sharing data between staff members/outside agencies is sometimes necessary. Password protected file sharing will be used for sensitive data. 

Staff will not disclose sensitive data to any other person other than the individual concerned. 


The Trustees do not generally access personal data at home. The Company Secretary will ensure that no confidential data relating to families, volunteers or staff at Transform is recorded in minutes of Trustees meetings. 

Trustees will not discuss confidential matters concerning the families with others. 

In the unlikely event that there is a need to communicate personal data it; 

Will be kept securely in a cupboard or filing cabinet. Data held on a computer, memory stick, file storage device will be password protected Will keep data confidential and only disclose/discuss with other Trustees or staff. Will make available data held about staff/volunteers/activists/families to view by them if requested When no longer required, data will be returned to the organisation disposal or storage and files held on computers will be deleted 

Duty to Disclose Information

There is a legal duty to disclose certain information, namely, information about: safeguarding/families at risk. 

Any concerns/evidence/records relating to a person’s personal welfare or an allegation against staff will be recorded and kept in a confidential file and will not be shared within the setting except with necessary staff, or Trustees. 

Families will be informed that this data is being held/shared unless staff feel that sharing this information with the families could put the family at significant risk of harm. 

Retention of Data

Transform takes care to only store personal information that is absolutely necessary. 

Personal information is kept for the period of time requested following guidelines from Direct Gov. These retention periods are either recommended or statutory. 

Stored information is filed in filing cabinet and kept in the Transform office which is locked when not in use. 

Once the retention period has lapsed, the information is destroyed. 

Prepared by Emma Caldwell on 21st May 2018