GDPR and Data Holding Policy
Blueprint is committed to protecting the privacy and personal data of our stakeholders, in compliance with the General Data Protection Regulation (GDPR) and applicable data protection laws. This policy outlines our commitment to handling personal data responsibly, securely, and transparently.
1. Purpose and Scope
1.1 This policy aims to ensure the lawful and fair processing of personal data, including its collection, storage, use, and disclosure, in line with the rights and expectations of individuals.
1.2 This policy applies to all personal data held by Blueprint, regardless of the format or medium in which it is stored.
2. Data Protection Principles
2.1 We adhere to the principles of data protection as set forth in the GDPR, including:
a. Lawfulness, fairness, and transparency
b. Purpose limitation
c. Data minimization
e. Storage limitation
f. Integrity and confidentiality
3. Data Collection and Use
3.1 We only collect personal data that is necessary for the purposes stated at the time of collection and in accordance with applicable laws.
3.2 Personal data will only be used for the purposes for which it was collected, and we will obtain consent where required or rely on other lawful bases for processing.
3.3 We will ensure that personal data is accurate, up to date, and relevant, taking reasonable steps to rectify or erase inaccurate or outdated information.
4. Data Security and Storage
4.1 Blueprint will nominate a named lead for GDPR compliance who is appropriately trained.
4.2 We have implemented appropriate technical and organizational measures to safeguard personal data against unauthorized access, loss, theft, or misuse.
4.3 Personal data will be stored securely, and access will be restricted to authorized individuals who require it for legitimate purposes.
4.4 Retention periods for personal data will be determined based on legal requirements, the purpose of processing, and the necessity of data retention.
5. Data Sharing and Disclosure
5.1 We will only share personal data with third parties when necessary and in compliance with applicable data protection laws, WASPI and safeguarding regulations.
5.2 Personal data will not be disclosed or transferred to third parties unless there is a legal basis for doing so, such as obtaining explicit consent, reporting concerns in line with the All Wales Safeguarding Procedures, and fulfilling contractual obligations.
6. Data Subject Rights
6.1 We respect the rights of data subjects as outlined in the GDPR, including the rights to access, rectification, erasure, restriction of processing, objection to processing, and data portability, and the right not to be subject to automated decision-making.
6.2 We will respond to data subject requests in a timely and lawful manner, ensuring that appropriate measures are in place to verify the identity of the data subject.
7. Data Breach Notification
7.1 In the event of a personal data breach, we will promptly assess and mitigate the risks, notify the relevant supervisory authority as required, and communicate with affected individuals in accordance with applicable legal requirements.
8. Training and Compliance
8.1 We will provide training and awareness programs to our staff and volunteers to ensure their understanding of data protection principles, their responsibilities, and the importance of maintaining data privacy and security.
9. Review and Updates
9.1 This GDPR and Data Holding Policy will be regularly reviewed and updated to reflect changes in data protection laws and organizational practices.
9.2 We will continually monitor our data protection practices to ensure ongoing compliance with applicable regulations and to address any emerging risks or concerns.
By adhering to this GDPR and Data Holding Policy, Blueprint is committed to protecting the privacy and rights of individuals and maintaining the confidentiality and security of personal data in our possession.