Information governance statement

Barnardo’s recognises the following significant data privacy responsibilities:

• Service users, customers, business contacts, celebrities, politicians, supporters, committee members, employees and volunteers are required to entrust the charity with large volumes of sensitive data. This must remain confidential at all times.
• The movement of sensitive personal and commercial information outside of the organisation’s physical perimeter (paper documents, electronic communications, obsolete IT devices) is still the charity’s responsibility.
• Service delivery depends on maintaining the confidentiality, integrity and availability of our information resources, even in the event of hardware or facilities failure.
• Barnardo’s is subject to regulatory and legislative constraints.
• Barnardo’s reputation depends on the appropriate care and security of all and any data within our infrastructure. We have an obligation to protect data and should not take any risks or actions that may potentially violate the confidentiality, integrity, or availability of data; cause unnecessary exposure of them; or violate contractual or regulatory requirements.

Our ambition is to monitor the organisation and to strive to deliver continuous improvements in data privacy.  Specifically, the charity pledges to:

• Comply with all relevant regulations and codes of practice
• Act to prevent data privacy breaches of any sort through effective privacy by design, data minimisation, DPIA risk analysis, and appropriate information security management.
• Ensure that all employees and volunteers receive targeted training in data privacy responsibilities appropriate to their roles within the charity.
• Implement a documented strategy to manage data privacy proactively, maximise organisational learning and deliver continuous improvements in data privacy.
• Actively communicate our data privacy requirements to all staff and people acting for or on behalf of Barnardo’s, or on our premises.

These commitments are delivered by the implementation of a documented data privacy programme owned by the senior information risk officer.