Data Protection Policy
Version 2.0 – November 2025
Purpose
Street Support Network is committed to protecting the personal data of its employees, volunteers, partners, and service users. This policy outlines how we comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring that personal data is handled lawfully, transparently, and securely.
Scope
This policy applies to all personal data processed by Street Support Network, including data relating to employees, volunteers, partners, and service users. It covers both electronic and physical records across all Street Support Network operations, including data processed through the Street Support Network Virtual Assistant (VA).
Key Principles
Street Support Network processes personal data in line with the following principles:
Lawfulness, Fairness, and Transparency
Personal data is processed lawfully and in a transparent manner.
Purpose Limitation
Data is collected for specific, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes.
Data Minimization
Only data necessary for the purposes described is collected and processed.
Accuracy
Data is accurate and kept up to date. Inaccurate data is rectified or deleted promptly.
Storage Limitation
Personal data is retained only for as long as necessary and securely destroyed thereafter.
Security
Appropriate measures protect data against unauthorized access, loss, or destruction.
Accountability
Street Support Network demonstrates compliance with data protection obligations through appropriate policies, training, and documentation.
Roles and Responsibilities
Employees and Volunteers
- All staff and volunteers must handle personal data responsibly and in line with this policy.
- Report any data breaches or concerns to the designated contact immediately.
Data Protection Lead (DPL)
As a small charity, Street Support Network does not require a Data Protection Officer but designates a member of staff as the Data Protection Lead. The DPL oversees compliance, manages data requests, and handles data breaches. The DPL is the Managing Director of Street Support Network.
Lawful Basis for Processing
Street Support Network processes personal data under one or more of the following lawful bases:
Consent
Individuals have given clear consent.
Contract
Data is necessary to fulfill a contract or agreement.
Legal Obligation
Processing is necessary to comply with legal requirements.
Legitimate Interests
Processing is necessary for Street Support Network's legitimate interests and does not override individuals' rights.
For the Virtual Assistant, processing is based on legitimate interest (for matching individuals with services) and explicit consent (for special category data such as health or support needs).
Data Transfers & Third-Party Processing
Street Support Network works with third-party providers to ensure the highest level of data security and compliance. This includes our partnership with IBM Watsonx, which powers the Virtual Assistant (VA).
- No personally identifiable information (PII) is collected or stored by the VA.
- Any data processed is handled using private variables and is deleted after the session ends.
- Anonymised data may be retained for statistical analysis but cannot be linked back to individuals.
- IBM Watsonx follows the UK extension of the Data Privacy Framework, ensuring compliance with UK GDPR and international data protection laws.
- Data is stored securely within the UK/EU, and no personal data is transferred outside these jurisdictions.
Street Support Network reviews third-party compliance documentation regularly to ensure ongoing adherence to data protection standards.
Data Subject Rights & Subject Access Requests (SARs)
Individuals have the following rights regarding their personal data:
- Right to Access: Request access to their personal data (Subject Access Requests must be responded to within one month).
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure: Request deletion of data where it is no longer necessary.
- Right to Restrict Processing: Request limited processing in specific circumstances.
- Right to Object: Object to processing based on legitimate interests or direct marketing.
- Data Portability: Request transfer of their data to another organization, if applicable.
For the Virtual Assistant, as no personally identifiable data is stored, SARs will be met with confirmation that Street Support Network does not retain user data from the VA. This will be clearly communicated in the privacy notice and VA interface.
Data Security
Street Support Network implements strong security measures, including:
- Appropriate technical and organizational measures are used to safeguard personal data.
- Access to data is restricted to authorised personnel only.
- Employees are responsible for keeping their workspaces and devices secure.
- Staff must keep any tool that can record or analyse what's on their screen switched off. This includes features like Windows Recall or Copilot Vision. These tools must not be used on devices showing personal or confidential information.
- Staff must also be alert to any new AI or smart features that switch on automatically through updates. If a new function starts processing, storing, or analysing data without clear consent, it must be turned off straight away and reported to the Data Protection Lead for review.
For any concerns related to data security or compliance, please contact the Data Protection Lead (DPL) at admin@streetsupport.net.
Data Retention
Street Support Network retains personal data only as long as necessary for the purposes for which it was collected. A detailed retention schedule is maintained below and reviewed regularly.
| Data Category | Retention Period | Legal Basis / Guidance | Reason for Retention |
|---|---|---|---|
| Employee Records | 6 years after employment ends | Limitation Act 1980, ACAS guidance | Defence against potential claims |
| Payroll and Tax Records | 6 years | HMRC guidelines | Taxation and audit purposes |
| Service User Records | 6 years after last interaction | Limitation Act 1980, safeguarding best practice | Record of services provided, safeguarding |
| Complaints Records | 6 years after resolution | Limitation Act 1980 | Defence against potential claims |
| Health and Safety Records | 3 years after the date of incident | Health and Safety at Work Act 1974 | Legal defence in case of incident claims |
| Financial Records | 6 years | Companies Act 2006, HMRC | Statutory reporting and audit |
| Marketing Preferences | Until consent is withdrawn | UK GDPR | Ongoing communication management |
For the Virtual Assistant, session data is only retained for the duration of the session and is automatically deleted after 12 hours. No identifiable records are stored.
Data Breaches
In the event of a data breach:
- Notify the DPL immediately.
- The DPL will assess the breach and, if required, report it to the Information Commissioner's Office (ICO) within 72 hours.
- Affected individuals will be informed if the breach poses a significant risk to their rights.
Training
All employees and volunteers are provided with basic data protection training to ensure they understand their responsibilities.
Privacy Notices
Street Support Network provides clear and accessible privacy notices explaining how personal data is collected, used, and stored.
Monitoring and Review
This policy is reviewed annually or when significant changes to data protection laws occur.
For any questions or concerns, please contact admin@streetsupport.net.
This policy ensures that Street Support Network remains compliant with UK GDPR while protecting the privacy and security of all individuals interacting with our services, including the Virtual Assistant.