FINCHLEY FOODBANK

Data Protection Complaints Policy

At Finchley Foodbank, we aim to deliver a high quality service where clients (the people who visit us) are at the heart of everything we do. We may at times fall short of this, and this Data Protection Complaints Policy guides you on the process of how to make a complaint.

It contains the following sections:
Introduction
Identification
Investigation
Confidentiality
Response, reporting and action

CONTACT DETAILS

Post: Finchley Foodbank, 279 High Road, LONDON, N2 8HG, GB
Telephone: 07849 558 307
Email: feedback@finchleyfoodbank.org.uk

Introduction:

1. This Policy only covers Data Subjects making complaints about the way in which the FFB has handled or used their data. It does not cover other complaints or requests for information including Subject Access Requests. These should continue to be made through other routes. The Policy is governed by the Data Use and Access Act 2025 (DUAA).

2. Complaints may be made by any means the complainant wants but ideally should be in writing.

Identification:

3. Before supplying any information to the complainant it is essential that their identity is confirmed. The information they supply should be sufficient to establish that the complainant is the Data Subject or their appointed representative. This may involve asking for additional documents to establish this. This is particularly important if the complainant is the representative of the Data Subject when a Power of Attorney or letter of authority from the Data Subject is necessary. If there is any doubt about the authenticity of the representative the complainant should be contacted to confirm the details of their representative.

4. Once the identity of the Data Subject has been confirmed FFB must acknowledge the Complaint within 30 days and respond to the complainant without undue delay.

Investigation:

5. The complaint must be investigated by an Investigating Panel of two people who were not involved in the handling of the Data Subject’s data. This should include one member of the Management Group. One of the Panel should be knowledgeable in the requirements of the Data Protection Act 2018. This may involve getting external assistance.

6. The investigation must take place in a timely manner so that a response to the complainant can be given without undue delay. This may involve setting up the Investigating Panel outside of the Management Group meeting cycle. The investigation should look at the data covered by the complaint, the systems and processes used for handling the data and be able to question any staff or volunteers who may have touched the data in the time covered by the complaint.

7. If the investigation will not be concluded within 30 days the complainant should be given regular updates.

Confidentiality:

8. Throughout this process it is important that confidentiality about the Data Subject is maintained. This means that only those people who need to know to manage and investigate the complaint need to know the identity of the complainant. For other purposes all that needs to be disclosed is that a complaint has been made. Disclosing information about the nature of the complaint should also be avoided as this may identify the Data Subject. There should also be a dedicated email address created so that data complaints don’t get mixed in with general email traffic. The recipient should be the member of the Management Group responsible.

Response:

9 The complainant must be given a response once the complaint has been investigated. This should be a clear statement of what has been found and if their data has been miss-handled any actions to mitigate data being miss-handled again in future.

10. If the complainant’s data has been miss-handled the Chair of the Management Group should send an appropriate apology to the complainant.

Reporting:

11. The Chair of the Management Group and the Chair of the Trustees should be informed of any complaint of miss-handling of data within 3 days of a complaint being received. The complaint should also be raised at the next meeting of both bodies within the constraints outlined in the paragraph regarding confidentiality. If the complaint has been investigated and a response sent to the complainant this should be included in the reporting.

Action:

12: Necessary changes to data handling processes and training arising from a valid complaint should be put in place as a matter of urgency.

Review
This policy and procedure will be reviewed annually.

LAST UPDATED
27th May 2026