Personal data is information about a living individual from which that person can be identified. Such information can exist in a variety of formats, for example, on a computer or in a paper filing system.
As data controllers, contract is identified as our appropriate lawful basis.
There are the eight governing principles that must be followed in connection with the processing of data about individuals.
1. Be processed fairly and lawfully.
2. Be collected and processed for the particular purposes specified. In other words, it must not be collected for one reason and then used for another.
3. Be adequate, relevant and not excessive for the purposes for which it is kept.
4. Be accurate and, where necessary, kept up-to-date.
5. Not be kept for longer than necessary.
6. Be processed in accordance with the subject’s rights.
7. Be kept securely and adopt measures to guard against its accidental loss.
8. Not be transferred outside the European Economic Area unless the country receiving it has an adequate level of protection for the rights and freedoms of data subjects.
All personal data is treated strictly in accordance with the terms of the Data Protection Act 1998. This means that, as outlined below, confidentiality will be maintained and appropriate security measures are taken to prevent unauthorised disclosure.
Under the Act, STORM Global Network CIC is the data controller and its trustees are therefore ultimately responsible for implementing this policy and the procedures it sets out.
The named Executive Director has been designated as the Data Protection Compliance Officer for STORM Global Network CIC. This is subject to change if another dedicated officer is appointed.
Where appropriate, all new staff and volunteers will be given training as part of their induction on this policy and STORM Global Network CIC procedures around data protection and confidentiality.
In accordance with the Act, STORM Global Network CIC will only use the personal data that others have chosen to provide for the purpose for which it was requested. STORM Global Network CIC will not use it for any other purpose without the prior consent of those concerned.
Furthermore, STORM Global Network CIC will not disclose personal data, such as names, addresses, email addresses or telephone numbers, to any organisation or person outside of STORM Global Network CIC without the prior explicit or implied consent of those concerned, unless it is under a legal obligation to do so, e.g. where withholding such information would place an individual at risk.
STORAGE & ACCESS
All personal data held by STORM Global Network CIC is kept with the consent of those who have provided it; password protected where held on computer; and stored securely in lockable non-portable filing cabinets or inaccessible to public, private place, where kept on paper. In all cases, access is strictly controlled and limited to those who are authorised to use it in the course of their duties for the organisation.
STORM Global Network CIC maintains a record of all those who have access to personal data or to whom such information has been revealed and recognises that it is a criminal offence to pass personal data to anyone who is not entitled under the Act and other legislation to have access to it.
Any individual about whom STORM Global Network CIC holds personal data shall be given access to the data held about them upon request. At all times, STORM Global Network CIC will ensure that the rights of such individuals can be fully exercised.
HANDLING & RETENTION
STORM Global Network CIC will not keep personal data for longer than necessary. In particular, personal data held for recruitment purposes will be destroyed within a period of 6 months of the data subject’s active involvement with STORM Global Network CIC coming to an end.
STORM Global Network CIC will also take reasonable steps to ensure that all personal data it holds is kept up-to-date by putting in place measures through which data subjects can update the information held about them.
Sensitive data, defined by the Data Protection Act as information about racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, criminal record or proceedings relating to an individual’s offences, where collected by STORM Global Network CIC will not be kept with a person’s records but will always be kept separately and securely as outlined under the section on storage and access above.
Equal opportunities monitoring information if collected will be stored anonymously and will only be used for reviewing how STORM Global Network CIC is ensuring equality of opportunity.
Once the retention period has elapsed, STORM Global Network CIC will ensure that personal data is destroyed by secure means, i.e. by shredding, pulping or burning. While awaiting destruction, personal data will not be kept in any insecure receptacle (e.g. waste bin or confidential waste sack). A photocopy, other image, or any copy or representation of the personal data will not be kept.
This policy will be reviewed by the management committee / board of trustees to reflect best practice in response to changes in relevant legislation or an identified failing in its effectiveness.
GDPR POLICY GUIDANCE
The STORM Global Network CIC is committed to processing data in accordance with its responsibilities under the GDPR.
Article 5 of the GDPR requires that personal data shall be:
a.processed lawfully, fairly and in a transparent manner in relation to individuals;
b.collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c.adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d.accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e.kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f.processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
2. General provisions
a.This policy applies to all personal data processed by the STORM.
b.The Responsible Person shall take responsibility for the STORM’s ongoing compliance with this policy.
c.This policy shall be reviewed at least annually.
3. Lawful, fair and transparent processing
a.To ensure its processing of data is lawful, fair and transparent, STORM shall maintain a Register of Systems.
b.The Register of Systems shall be reviewed at least annually.
c.Individuals have the right to access their personal data and any such requests made to STORM shall be dealt with in a timely manner.
4. Lawful purposes
a.All data processed by the charity must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate .
b.The Charity shall note the appropriate lawful basis in the Register of Systems.
c.Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
d.Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the Charity’s systems.
5. Data minimisation
a.The Charity shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
a.The Charity shall take reasonable steps to ensure personal data is accurate.
b.Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
7. Archiving / removal
a.To ensure that personal data is kept for no longer than necessary, the Charity shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
b.The archiving policy shall consider what data should/must be retained, for how long, and why.