1. Purpose and Scope
1.1. The purpose of this policy is to set out Lippy People's aims and objectives for the management of data protection and information security. Data protection and information security is defined as the preservation of confidentiality, integrity and availability of information.
1.2. The scope of the data protection and information security policy covers the storage, access and transmission of information in the course of Lippy People's business and therefore applies to the conduct of staff, Trustees, volunteers and others with access to that information and collection systems.
1.3. This policy complies with law and requirements outlined within the ‘General Data Protection Regulations’. Under GDPR, Lippy People’s role is that of a ‘data processor’. Our clients are ‘data controllers’.
2. Policy Statement
2.1. Lippy People is committed to preserving the confidentiality, integrity and availability of all its key information assets in order to maintain its legal and contractual compliance and reputation. 
3. Information Security Aims
Lippy People is committed to meeting its legal and regulatory obligations with respect to information handling to enable business to be conducted efficiently and in ways that protect the reputation of the organisation. Lippy People recognises the role of information security in ensuring that users have access to the information they require in order to carry out their work. We recognise that the loss, theft or unauthorised disclosure of information and intellectual property has the potential to damage Lippy People's reputation and cause financial loss.
3.1. Lippy People aims to deliver a compliant environment that balances information security with appropriate accessibility, in ways that provide the optimum level of risk management to support achievement of our strategic goals.
3.2. Lippy People aims to protect the security of its Information Assets in order to:
a) Maintain the integrity and quality of information, so that it is accurate, up to date and ‘fit for purpose’;
b) Make information available to those who need it and ensure there is no disruption to the business of Lippy People;
c) Ensure that confidentiality is not breached and that information is accessed only by those authorised to do so.
4. Responsibilities
The Lippy People Trustees have ultimate responsibility for information security within the charity. More specifically, they are responsible for ensuring that the charity complies with relevant external requirements, including legislation. Trustees have delegated this responsibility to the Chief Executive.
The Chief Executive is responsible for:
a) Ensuring that this policy and the information security objectives remain compatible with the strategic direction of Lippy People;
b) Implementing the technical environment and controls around data within the charity;
c) Determining when and by whom breaches of information security shall be reported to relevant external authorities;
d) Ensuring that Trustees are adequately briefed on risk management issues.
5. Breaches of Policy
Breaches of the Information Security Policy may be treated as a disciplinary matter dealt with under Lippy People's Disciplinary Rules and Grievance Procedures Policy.
6. Our Role As a Data Processor
6.1. GDPR says there should be a written contract between data controllers and data processors. We will only collect and keep data about service users and partners that is required for the purpose of providing the ‘chain of title contracts and agreements’ for the video stories they produce with us. This current data is in the form of:
Contributor Consent Agreements (permission to be filmed, edited and published);
Location Agreement;
Peer Support Details;
Contractor contracts.
6.2. We will keep all data information safe and secure.
6.3. We will allow contributors and partners to view the data we have collected.
6.4. Processing is necessary for compliance with a legal obligation to seek personal permissions before filming, editing and publishing. In some instances it may be part of a contractual agreement we have with funders - in which instance we will discuss with the data controllers these specific requirements and gain their permission in advance.
6.5. We will ensure that all people processing data are subject to a duty of confidence.
6.6. We will take appropriate measures to ensure security of processing.
6.7. We will assist the data controller in providing access to their data and allowing them to exercise their rights under GDPR.
6.8. We will assist the data controller in meeting their GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments.