Data Protection Policy

1. Purpose

Grow Fruit Trees is committed to protecting the privacy and security of personal information. This policy explains how we collect, use, store, and protect personal data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Scope

This policy applies to:

  • All employees, volunteers, and contractors working with Grow Fruit Trees.
  • All personal data processed in connection with our business activities, customers, suppliers, and community partners.

3. Principles of Data Protection

We comply with the following data protection principles:

  • Lawfulness, fairness, and transparency – We process data legally, fairly, and openly.
  • Purpose limitation – We collect data only for specified, legitimate purposes.
  • Data minimisation – We collect only the data we need.
  • Accuracy – We keep personal data accurate and up to date.
  • Storage limitation – We retain data only as long as necessary.
  • Integrity and confidentiality – We protect data with appropriate security measures.
  • Accountability – We are responsible for complying with data protection laws and can demonstrate our compliance.

4. Types of Personal Data We Collect

We may collect and process:

  • Contact details (name, address, phone number, email).
  • Employment or volunteer application details.
  • Customer and supplier information needed for business transactions.
  • Any other personal information provided with consent.

We do not collect or store sensitive personal data unless strictly necessary and with explicit consent.

5. How We Use Personal Data

Personal data is used for purposes such as:

  • Delivering services and fulfilling contracts.
  • Managing staff, volunteers, and contractors.
  • Communicating with customers, suppliers, and partners.
  • Meeting legal and regulatory obligations.

6. Data Security

We will:

  • Store data securely, whether electronically or in paper form.
  • Restrict access to authorised personnel only.
  • Use passwords, encryption, and secure storage systems where appropriate.
  • Ensure data is disposed of securely when no longer needed.

7. Data Sharing

  • We will never sell personal data.
  • We may share data with third-party providers only when necessary to deliver our services (e.g., IT or payment providers), and only under data protection agreements.
  • We may share data if required by law.

8. Individual Rights

Individuals have the right to:

  • Access the personal data we hold about them.
  • Request correction of inaccurate data.
  • Request erasure of their data, where legally appropriate.
  • Restrict or object to processing.
  • Request transfer of their data (data portability).

Requests can be made by contacting Grow Fruit Trees directly.

9. Data Breaches

If a personal data breach occurs, we will:

  • Contain and assess the breach immediately to minimise harm.
  • Record all breaches, regardless of severity, in our internal data breach log.
  • Notify the Information Commissioner’s Office (ICO) within 72 hours if the breach is likely to result in a risk to individuals’ rights and freedoms, explaining the nature of the breach, the categories and approximate number of individuals affected, and the measures taken.
  • Inform affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms, giving clear information about what happened and advice on protecting themselves.
  • Review and learn from all breaches to prevent recurrence.

10. Responsibilities

  • Managers/Coordinators – Ensure this policy is followed and that staff and volunteers handle data responsibly.
  • All staff and volunteers – Follow this policy, handle data carefully, and report any concerns or breaches immediately.

11. Review

This policy will be reviewed annually to ensure ongoing compliance with legislation and best practice.

Approved: September 2025/Review Date: September 2026