Data Protection Policy

Purpose

Think Through Nutrition (TTN) is committed to protecting the privacy and security of all personal data it holds and processes. This policy ensures compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, including the amendments made to both by the Data (Use and Access) Act 2025 as they are brought into force. It outlines how TTN collects, uses, stores, and shares personal data responsibly and transparently.

Scope

This policy applies to all trustees, employees, contractors, consultants, volunteers, and third parties acting on behalf of TTN. It covers all personal data processed in any format, including electronic, paper, audio, video, or cloud-based systems.

Policy Statement

TTN is committed to processing personal data lawfully, fairly, and transparently. All data processing activities will align with the principles set out in Article 5 of the UK GDPR, as amended by the Data (Use and Access) Act 2025.

Data Protection Principles

Personal data will be:

  • Processed lawfully, fairly, and transparently.
  • Collected for specified, explicit, and legitimate purposes.
  • Adequate, relevant, and limited to what is necessary.
  • Accurate and kept up to date.
  • Stored no longer than necessary.
  • Secured against unauthorised access, loss, or damage.

TTN, as controller, is accountable for these principles and must be able to demonstrate compliance with them (Article 5(2) UK GDPR). In line with Articles 24 and 25, the technical and organisational measures TTN applies will be proportionate to the risk the processing presents to individuals: lighter-touch controls for low-risk processing, and a data protection impact assessment (DPIA) before any processing that is likely to result in a high risk.

Lawful Bases for Processing

TTN will process personal data under one or more of the lawful bases in Article 6 of the UK GDPR, and will identify and record the basis relied on before processing begins:

  • Consent
  • Contractual necessity
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

Where TTN relies on legitimate interests, it will complete and retain a legitimate interests assessment (LIA) covering the purpose, necessity and balancing tests before the processing starts. The Data (Use and Access) Act 2025 adds a separate basis of "recognised legitimate interests" for a closed list of purposes that does not require a balancing test; TTN will rely on it only where the Data Protection Lead has confirmed that the processing falls within that list. Special category data (for example health data, or data about children and adults at risk held for safeguarding) will be processed only where a condition in Article 9 of the UK GDPR also applies, and criminal offence data only where Article 10 is satisfied.

Roles and Responsibilities

  • The Chief Operating Officer acts as TTN's Data Protection Lead (Responsible Person).
  • All staff and contractors must ensure that personal data is processed in compliance with this policy.
  • Data processors working with TTN must adhere to data processing agreements ensuring compliance with UK data protection law.
  • TTN maintains a Record of Processing Activities (RoPA) proportionate to its scale and risk profile.

Data Subject Rights

TTN will uphold the following individual rights:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights relating to automated decision-making and profiling

Requests will be responded to within one calendar month of receipt. For complex or numerous requests this may be extended by up to two further months, provided the individual is told of the extension, and the reasons for it, within the first month (Article 12(3) UK GDPR). Where TTN reasonably needs to verify the requester's identity or to clarify the scope of a request, it will do so promptly and will not treat the request as a reason to delay other processing obligations.

Data Sharing and International Transfers

TTN will only share data where necessary and proportionate, ensuring data minimisation and protection. Routine or systematic sharing with another organisation will be covered by a written data sharing agreement that follows the ICO's Data Sharing Code of Practice and records the purpose, the lawful basis, the data shared, and each party's security and retention obligations. Where data is transferred outside the UK, including where a cloud or software supplier stores or accesses data from outside the UK, TTN will ensure equivalent safeguards are in place through UK adequacy regulations or, failing that, the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supported by a transfer risk assessment.

Where personal data relates to children or adults at risk, data sharing will also comply with TTN's Safeguarding Policy and the confidentiality requirements within that framework.

Data Breach Management

Any personal data breach, or suspected breach, must be reported immediately to the Data Protection Lead. TTN will assess every breach and record it in a breach log, including breaches it decides not to notify and the reasons for that decision (Article 33(5) UK GDPR). Where a breach is likely to result in a risk to individuals' rights and freedoms, TTN will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, submitting an initial report and following up with further detail where the full facts are not yet known. Where a breach is likely to result in a high risk to individuals, TTN will also inform the affected individuals without undue delay.

Retention and Disposal

Data will be retained only as long as necessary to fulfil its purpose, comply with legal obligations, or for archiving and research purposes. Retention periods are defined in TTN's Archiving Policy. Data will be securely destroyed or anonymised when no longer needed.

Training and Awareness

All staff and volunteers handling personal data will receive regular data protection training. Refresher training will be provided annually and whenever there are legislative changes.

Version control and review

This policy will be reviewed annually by the Management Committee, or sooner if required by legislation or organisational change, and approved by the Board of Trustees.

Last reviewed: October 2025

Next review: September 2026