We Are Family


We Are Family CIO

Privacy Policy and Procedure

1    Introduction

1.1    We Are Family (‘WAF’) is committed to protecting the privacy and rights of individuals (including members and their families, volunteers, trustees and others) and to fully comply with data protection legislation (principally the Data Protection Act 1998 (‘DPA’)). In particular, WAF adheres to the eight principles of the DPA which apply to obtaining, handling, processing, transporting and storing personal data about individuals. In summary, information about individuals must be collected and used fairly, stored safely and securely, and not disclosed to any third party unlawfully or inappropriately.

1.2    WAF recognises the fundamental importance of protecting personal data about adoptive families, and that any failure to do so could have far-reaching negative consequences for its members and their families. Equally, the sharing of adoptive parenting information and experiences with each other and offering mutual support is at the core of WAF’s reason for existence.

1.3    WAF has to process certain information about its members and other individuals it has dealings with for various purposes, including providing information, support and training to members; enabling the sharing of information and experiences between members; for administrative purposes; and in dealing with external suppliers.

1.4    This policy applies to all WAF members (both adoptive parents and prospective adopters), volunteers and trustees. In this Policy, for simplicity, the word ’member’ covers all these groups as well as any other individuals WAF holds personal information about.

1.5    As at the date of establishment of this Policy, certain aspects of WAF’s activities do not fully comply with the procedures set out in this Policy. The Board will therefore work to ensure compliance within a reasonable period of time. Part of this will involve the preparation of a practical guide to support compliance with this Policy. In addition, and in the meantime, Appendix 2 contains a basic list of ‘Dos’ and ‘Don’ts’.

2    The Data Protection Act

2.1    The purpose of the DPA is to protect the rights and privacy of living individuals and to ensure that personal data is not processed without their knowledge and, wherever possible, is processed with their consent. Appendix 1 sets out key information about the DPA which underpins this Policy.

2.2    The DPA aims to require data users like WAF to be open about the collection and disclosure of personal data and to ensure adherence to a set of principles designed to prevent the misuse of data; protect individuals from any harm or distress which could be caused by information getting into the wrong hands; and give individuals rights of access to, information about, and control over, the processing of their personal data. The DPA covers computer files and certain relevant manual filing systems (which includes paper, microfiches and any other material which can be printed or written on; see Appendix 1 for more information). Non-compliance with the DPA can be a criminal offence, and can result in sanctions including unlimited fines.

3    Responsibilities under the DPA

3.1    WAF is the data controller under the DPA.

3.2    A member of WAF’s Board of Trustees has been appointed Data Protection Officer (‘DPO’) with responsibility for overseeing operational data protection matters and for developing specific procedures and practices on data protection issues. The DPO must ensure that systems exist to make sure that all personal data are processed fairly; personal data are accurate, and checked and amended as necessary; consent from data subjects is obtained either generally or expressly (except where not required, as mentioned in 4.1 below); personal data is kept securely and disposed of properly; notification requirements are satisfied; and determinations are made regarding the processing of personal data without consent where necessary. The DPO must ensure that WAF’s registration (if any) with the Information Commissioner’s Office is in order at all times.

3.3    This Policy will be reviewed at least annually by the WAF Board of Trustees, which shall also implement a system to regularly audit compliance with this Policy.

3.4    Compliance with data protection legislation and this Policy is the responsibility of all WAF members who deal with personal information.

3.5    Members, volunteers, trustees and others who supply personal data to WAF are responsible for ensuring that any data supplied are accurate and up-to-date. Completion of a membership form will be taken as an indication that the data contained therein is accurate. Individuals should notify WAF of any changes in circumstances to enable records to be updated accordingly. It is WAF’s responsibility to ensure that any notification regarding change of circumstances is noted and acted upon. As much of WAF’s membership information is of a highly sensitive and personal nature, great emphasis is placed on accuracy and attention to detail.

3.6    If WAF uses a third party service provider to process personal data, WAF will ensure that there is a written contract in place and that the data protection principle relating to keeping personal data secure is satisfied.

4    Consent

4.1    Personal data and/or sensitive data should not be obtained, held, used or disclosed, unless the individual (the ‘data subject’) has given consent. This means that the data subject must have been fully informed of the intended processing and has indicated agreement. Consent should ideally be recorded in a written form. Consent cannot be inferred from non-response to a communication. For sensitive data, the explicit written consent of the data subject must be obtained unless an alternative legitimate basis exists. As an exception to the above, in the case of personal data which is not sensitive, consent is not necessary where obtaining, holding, using or disclosing data is for the legitimate interests of WAF.

4.2    In most instances, consent to process personal and sensitive data for new WAF members is obtained routinely by completing a membership form. In respect of existing members as at the date of establishment of this Policy, the Board will make arrangements to identify who is an active member, who does not wish to continue as a member, and who should be considered to be no longer active. For active members, ongoing consent will be appropriately sought. Those who do not wish to continue will be asked if they wish WAF to retain their data in case of future contact, renewed membership or so that they can be contacted about events and information that could be useful to them in future. If they consent, then their details will be retained; if not, then their information will be deleted and/or shredded. For members who should be considered no longer active (for example where contact cannot be made), information will be deleted and/or shredded. An annual review of information held about members should also be conducted. In all cases, there may be limited instances when consent is not required as mentioned in 4.1 above.

4.3    Any WAF form (whether paper-based, electronic or web-based) which gathers data on an individual should contain a statement explaining what the information is to be used for and to whom it may be disclosed.

5    Data security

5.1    All WAF members are responsible on behalf of WAF for ensuring that any personal data which they physically hold or for which they are responsible are kept securely and are not disclosed to any unauthorised third party.

5.2    All personal data should be accessible only to those who need to use it. The following table sets out who within WAF holds what personal data and who is entitled to access it in addition. In each case, access is permitted also to any one acting as a Designated Person under WAF’s Safeguarding Policy in respect of any steps required under that policy.

Who holds personal data

What they hold

Who else may have access

Group head(s), co-ordinator(s) and/or organiser

Personal data in respect of WAF members who have joined the relevant local group/ pan-London group, or who participate in a WAF activity

Any head, co-head, organiser or administrator within the relevant group

WAF support group coordinator

Personal data about group facilitators

Blog manager

Personal data about WAF members on Blog direct mailing list

Chair of the Board of Trustees

Personal data about trustees, volunteers and others undertaking any activity organised centrally

Deputy Chair; other trustees as required for specific tasks agreed by the Board

    In addition, WAF does not sell membership information or lists to any other organisation.

5.3    Personal data should ideally only be stored on a computer and should be password protected and encrypted. To reduce the risk of loss or disclosure personal data should not be printed or put in any other physical form unless absolutely necessary. If it must be, then it should always be kept in a locked room with controlled access or in a locked drawer or filing cabinet. Where electronic data is stored on a separate memory storage device, that device must be password protected, encrypted and then treated in the same way as any other physical item containing personal data.

5.4    Computer and data passwords must be kept confidential. Personal data must never be used on a shared access computer or device unless access to that data is protected by a strong password. WAF emails containing personal data or with an attachment containing personal data (other than not visible email addresses) should only be used through the WAF webmail system (rather than through a system such as Outlook where the emails will reside on the user’s own computer/device). Care must be taken to ensure that paper or computer screens showing personal data are not overlooked at any time. Only access the WAF webmail system when your browser is in private or ‘incognito’ mode; and ensure that you delete any downloaded items when using the WAF webmail system from your download folder and waste bin.

5.5    Personal information about members should not be stored on any mobile telephone, except for a telephone number linked to a name provided that there is no indication of WAF membership. Where it is absolutely necessary to store personal information on any other type of mobile device (such as a lap-top computer or tablet), the information must be protected by a strong password and ideally encrypted.

5.6    Appropriate security measures must be in place for the deletion/disposal of personal data. Physical records must be disposed of as confidential waste.

5.7    WAF recognises that photographs and other images of members and their families can present a serious risk to privacy. For this reason, WAF will not take or use any image of a member unless explicit consent has been obtained and will never make or use an image of a member’s child. Photography or video recording at any WAF event is strictly prohibited.

6    Rights of access to data

Members have the right to access any personal data about them which is held by WAF in electronic format and manual records which form part of a relevant filing system. Any member who wishes to exercise this right should apply in writing to the DPO. WAF reserves the right to charge a fee for such data subject access requests. Any such request will normally be complied with within 40 days of receipt of the written request and, where appropriate, the fee.

7    Use of data

7.1    To further the provision of information, support and training to members, personal information collected is used for the following purposes:

  • To administer and manage membership applications;

  • To provide information of benefit to members including about WAF and other organisations’ activities; about WAF blog postings; and about things affecting adoptive families.

  • To identify members when they contact WAF;

  • To allow group heads and/or co-ordinators to run support groups (including notifying members about group meetings) and to provide access to various means of support ;

  • To compile non-identifying statistical information on the membership of WAF and to support the development of service provision.

7.2    Personal data about trustees is used to allow WAF to fulfil its regulatory responsibilities and to administer the operation of the WAF Board of Trustees. Personal data about volunteers is used to facilitate their voluntary work on committees and other activities.

8    Disclosure of data

8.1    WAF will ensure that personal data are not disclosed to unauthorised third parties, including other family members, friends, government bodies and, in certain circumstances, the police, unless otherwise permitted under the statements below. Caution must always be used when asked to disclose personal data held on an individual to a third party, with a presumption not to disclose information unless one of the following conditions applies:

  • The individual has given consent (eg to be contacted by a support group head);

  • Where disclosure is required to allow a requested service to be provided (eg disclosure of personal information so that information requested can be provided);

  • Where WAF is legally obliged to disclose the data (eg in relation to a Charity Commission inspection or inquiry, police investigations, under a court order etc);

  • Where disclosure of data is required for the performance of a contract (although this will be unusual in relation to WAF); and

  • Where WAF becomes aware of a child or vulnerable adult protection concern and decides to inform the relevant authorities (see WAF’s Safeguarding Policy).

8.2    Unless consent has been obtained from the member, information should not be disclosed over the telephone. Instead, the enquirer should be asked to provide documentary evidence to support the request (ideally, a statement consenting to disclosure to the third party should accompany the request).

8.3    As an alternative to disclosing personal data, WAF may offer to pass on a message asking them to contact the enquirer; or accept an incoming email message and attempt to forward it. WAF will not accept sealed envelopes or packets for forwarding to members. Due to the many sensitivities of adoption, WAF will not forward unknown messages or materials to members.

9    Retention and disposal of data

9.1    WAF will not retain personal data longer than required. Once a member has left or should be considered no longer active, it will not be necessary to retain all, or any of, their information. Paragraph 4.2 above sets out what will be done in respect of these categories.

9.2    Personal data must always be disposed of in a way that protects the rights and privacy of data subjects (eg disposal as confidential waste, secure electronic deletion etc).

10    WAF’s Data Protection Officer

The DPO is:  ....... In the absence of the DPO, please contact the Chair or Deputy Chair of the Board of Trustees.

Approved by Board of Trustees: 23 November 2015


  1. Policy assumes that WAF has no employees; will need review if any staff are employed;

  1. Policy will need to be reviewed after further experience of using the Adoption Link site is gained;

  1. Initially WAF practice will not be fully compliant with all aspects of the policy and procedures, hence the inclusion of paragraph 1.5. A programme of work to ensure full compliance within an agreed period should be established;

  1. A key step to achieve full compliance will be to prepare and then implement a practical set of guidelines about how to set up equipment and systems to best support this policy and procedures; in the meantime, a simple list of ‘dos’ and ‘don’ts’ is attached; and

  1. This policy should be posted on WAF’s website, along with a set of web terms and conditions of use (to replace the current Privacy Policy & Disclaimer); the terms and conditions of use still need to be prepared.)

Appendix 1

Data Protection Act 1998 (‘DPA’)


Personal data

Data relating to a living individual who can be identified from that information or from that data and other information in possession of the data controller. That includes name, address, telephone number, membership or ID number. It also includes an expression of opinion about the individual, and of the intentions of the data controller in respect of that individual.

Sensitive data

Different from ordinary personal data (such as name, address, telephone number) and relates to racial or minority ethnic origin, religious beliefs, health, sexuality, family circumstances, criminal convictions, etc. Sensitive data are subject to much stricter conditions of processing. Sensitive data may only be held and processed in one of the following circumstances:

  • If the data subject has given explicit consent;

  • For the purposed of monitoring equality of opportunity;

  • In order to exercise a right or obligation conferred or imposed by law, such as revealing information about past convictions in order to protect children under the Children Act;

  • In connection with legal proceedings or to obtain legal advice;

  • For the exercise of the functions of a Government department, such as tax returns to the Inland Revenue and national insurance payments to the Contributions Agency or statistical returns to funding agencies;

  • To protect the individual’s interests where it is not possible to obtain the individual’s consent, or the individual’s consent cannot reasonably be obtained;

  • The individual has deliberately made the data public, for example, by talking to the media or writing an article; and

  • For medical purposes, such as an examination carried out or a report written by a health professional.

Data controller

Any person (or organisation) who makes decisions with regard to particular personal data, including decisions regarding the purposes for which personal data are processed and the way in which personal data processed.

Data subject

Any living individual who is the subject of personal data held by an organisation.


Any operation related to the organisation, retrieval, disclosure and deletion of data and includes: obtaining and recording data; accessing, altering, adding to, merging, and deleting data; retrieving, consulting on or using data; disclosing or otherwise making available data.

Third party

Any individual or organisation other than the data subject, the data controller or its agents.

Relevant filing system

Any paper filing system or other manual filing system which is structured so that information about an individual is readily accessible. Personal data, as defined and covered by the DPA, can be held in any format, such as electronic (including websites and emails), paper-based, photographic, etc, from which the individual’s information can be readily extracted.

Data protection principles

The DPA’s principles require that personal data shall:

  • Be processed fairly and lawfully and shall not be processed unless certain conditions are met.

  • Be obtained for specific and lawful purposes and shall not be processed in any manner incompatible with those purposes.

  • Be adequate, relevant and not excessive for those purposes – information which is not strictly necessary for the purpose for which it is obtained should not be collected. If data are given or obtained that is excessive for the purpose, then it should be immediately deleted or destroyed.

  • Be accurate and, where necessary, kept up to date – data which are kept for a long time should be reviewed and updated as necessary. No data should be kept unless it is reasonable to assume they are accurate

  • Not be kept for longer than is necessary for that purpose.

  • Be processed in accordance with the data subject’s rights.

  • Be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using appropriate technical and organisational measures.

  • Not be transferred to a country or territory outside the European Economic Area (‘EEA’), unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Data subject rights

Data subjects have the following rights regarding data processing, and that data that are recorded about them:

  • To make subject access requests regarding the nature of the information held and to whom it has been disclosed.

  • To prevent processing likely to cause damage or distress.

  • To prevent processing for purposes of direct marketing.

  • To be informed about the mechanics of any automated decision-taking processes that will significantly affect them.

  • Not to have significant decisions that will affect them taken solely by automated processes.

  • To sue for compensation if they suffer damage by any contravention of the DPA.

  • To take action to rectify, block, erase or destroy inaccurate data.

  • To request the Information Commissioner to assess whether any provision of the DPA has been contravened.

Appendix 2

Basic list of ‘Dos’ and ‘Don’ts’

  • Personal information about a WAF member and their family is very sensitive and great care must be taken to keep it secure and to use it only in the way that is allowed.

  • Always think carefully about who might see personal information and what is being done with it.

  • Only keep personal data on a computer wherever possible, rather than any other type of device, and make sure that it is encrypted and password protected.

  • Only print personal data if absolutely necessary.

  • Keep computer and data passwords confidential, change them regularly and ensure they are ‘strong’ passwords.

  • Never keep personal data on a shared access computer unless it is fully protected.

  • Only use WAF emails through the WAF webmail system.

  • Do not store personal information on a mobile phone apart from a name and number, (but make sure that it is not identified as a WAF contact).

  • Make sure that any file containing personal information is not inadvertently retained in your computer’s download folder (or similar).

  • Photography or video recording is not allowed at any WAF event

  • Never use a photograph of a WAF member without permission, and never use a photograph of a member’s child at all.

  • Only use personal data in the way that the person providing it has agreed to.

  • If you are asked to share personal data with anyone outside of WAF, always ask for advice first.

If in doubt, always ask for help first. The security of someone’s family and WAF’s reputation might be at risk if you do not.