Effective Date: 08/05/2025
Review Date: 08/05/2026
Approved by: Board of Trustees

1. Policy Statement
The Global Health Access Trust (“the Trust”) is committed to protecting the personal data of donors, partners, beneficiaries, trustees, staff, and all other individuals whose information we collect. We comply fully with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy outlines how we collect, store, process, and protect personal information.

2. Scope
This policy applies to all personal data processed by the Trust, whether held electronically, on paper, or by third-party processors acting on our behalf. It covers:

- Trustees and staff

- Donors and supporters

- Funding applicants and partners

- Website users and enquirers

- Any individuals who contact or engage with the Trust

3. Data We Collect
We only collect data that is relevant and necessary for charitable operations, including:

- Full names, email addresses, phone numbers, postal addresses

- Donation and Gift Aid records

- Application or funding information

- Employment or volunteer data

- Website usage analytics (non-identifiable unless consented)

We do not collect more information than needed and we do not keep it longer than necessary.

4. Lawful Basis for Processing
The Trust processes personal data under one or more of the following lawful bases:

Consent: Where individuals have given clear consent

Contract: To fulfil a contractual obligation

Legal obligation: To comply with legal or regulatory duties

Legitimate interests: In pursuing the Trust’s lawful charitable aims in a proportionate way

Public task: Where processing is necessary in the public interest

5. Data Storage and Security
All data is stored securely using encrypted and access-controlled systems

Paper records are stored in locked cabinets in secure premises

We restrict access to personal data to only those who need it to carry out their role

We use secure, GDPR-compliant third-party processors (e.g. email, CRM, accounting tools)

6. Individual Rights
Under UK GDPR, individuals have the following rights:

- To be informed about how their data is used

- To access their data (subject access request)

- To correct inaccurate data

- To request deletion (“right to be forgotten”)

- To restrict or object to processing

- To data portability (in applicable contexts)

Requests should be directed to the Trust’s Data Protection Lead and will be processed within 30 days.

7. Sharing Data
We do not sell or share personal data with third parties for marketing. Data may be shared only when:

Required by law (e.g. HMRC for Gift Aid records)

Necessary for delivering our services (e.g. with grant management partners)

Processed securely by GDPR-compliant third parties under data processing agreements

8. Cookies and Website Analytics
Our website may collect anonymous usage data via cookies. For more information, see our Cookie Policy.

Visitors can manage or disable cookies using browser settings or via the consent banner on first visit.

9. Data Breaches
Any actual or suspected data breach will be assessed immediately. Where required, we will notify the Information Commissioner’s Office (ICO) and affected individuals within 72 hours.

10. Review and Accountability
This policy is reviewed annually by the Board of Trustees. Trustees and staff receive regular data protection training. The Trust may appoint a Data Protection Officer or external adviser as required.

Contact for Data Protection Enquiries or Subject Access Requests:
Mandy King
Subject Line: Data Protection – Confidential