General Data Protection Policy
What is GDPR?
The General Data Protection Regulation (GDPR) is concerned with respecting the rights of individuals when their personal information is processed. This is achieved by being open and honest with people about how information about them is used and by following good data handling procedures. The regulation is mandatory: every organisation that holds or processes personal data must comply.
This policy sets out how West Howe Community Enterprises (WHCE) complies with the requirements of the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA) and other laws that regulate how personal data is managed. It also explains how you can obtain details of the personal information we hold about you.
Personal Data: – Information about a living individual who can be identified, directly or indirectly, from that data, either on its own or in combination with other information held.
Data Subject: – The individual about whom personal data is held.
Data Controller: – An individual or organisation which, alone or jointly with others, decides how and why personal data is used. In WHCE the Controller is the organisation.
WHCE as the controller determines the purposes and means of processing personal data. As controllers, organisations are not relieved of obligations where a processor is involved – the GDPR places further obligations on controllers to ensure contracts with processors comply with the GDPR. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/controllers-and-processors/
Data Processor: – An organisation or individual which processes personal data under the instruction of, or in providing a service to, a data controller. In WHCE the Processor is the Charity Manager.
A processor is responsible for processing personal data on behalf of a controller. The GDPR places specific legal obligations on processors; for example, they are required to maintain records of the personal data they hold and of their processing activities. A processor has legal liability if it is responsible for a breach.
Data Protection Officer: – The member of staff within an organisation with responsibility for ensuring that personal data is processed lawfully. WHCE is not required to have a Data Protection Officer; however, if one were appointed voluntarily, the same GDPR requirements would apply to that role, including publishing the DPO's contact details and notifying them to the ICO.
Processing: – Any operation or set of operations performed on personal data, whether automated or not, e.g. collecting, recording, organising, storing, altering, erasing or destroying it.
Consent of the data subject: – Any freely given, specific, informed and unambiguous indication of the data subject's wishes, given by a statement or a clear affirmative action, by which they agree to the processing of their personal data.
Sensitive or Special Category personal data: – Types of personal data which have to be treated with particular care. The special categories are information revealing an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data used to identify someone, and data concerning health, sex life or sexual orientation. Information about criminal convictions and offences is not a special category but is subject to similar extra safeguards under the GDPR and the DPA.
Types of Data
There are two key types of data: "Personal data" and "Sensitive Personal Data".
Personal data is information that can be used to identify a living individual. Personal data may also include “Sensitive Personal Data” which are special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and we may only process them in more limited circumstances.
Information can be held in a variety of formats. For example, electronic on a computer, via email, paper in a filing system, part of an accessible record, e.g. an education record, held by a public authority, or in more unusual formats such as CCTV footage.
This includes data that does not name an individual but could still identify them, for example a payroll or staff number. All staff and volunteers should be aware that any personal data in their possession is also subject to the regulation; for example, if a manager keeps a written copy of contact details for their team, that list is personal data and is covered by this policy.
Lawful Bases
All organisations must have at least one of the six lawful bases for handling any personal data. These are set out in Article 6 of the GDPR, and at least one of them must apply whenever we process your personal data. No single basis is "better" or more important than another. The WHCE Privacy Notice sets out our lawful basis for processing as well as the purposes for which we process your data.
What are the lawful bases for processing?
The lawful bases for processing as set out in Article 6 of the GDPR are:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
For more detail on each lawful basis, the ICO provides an interactive tool to help identify whether a basis exists.
For further information, go to the ICO website: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
What is not personal data?
- Information about a deceased person does not constitute personal data and therefore is not subject to the GDPR.
- Information about companies or public authorities is not personal data, although information about identifiable individuals within them (for example a sole trader, or a named contact and their work email address) can be.
How long can information be kept?
Information must not be kept for longer than is necessary. While the GDPR sets no fixed period, some records must be kept for a certain time under other legislation; for example, HMRC requires payroll records to be kept for 6 years from the end of the tax year they relate to. Refer to the GDPR Retention Policy for a breakdown of the retention periods used at WHCE.
At the end of its retention period all personal data is securely destroyed: paper records are confidentially shredded and electronic copies are deleted.
Why do we collect data about people?
We need to collect personal data to fulfil our functions in relation to the provision of our services.
The Six Data Protection Principles
There are six governing principles that must be followed in relation to the processing of data about individuals:
- "Lawfulness, fairness and transparency" Data must be processed lawfully, fairly and in a transparent manner.
- "Purpose Limitation" Data must be collected and processed only for specific, explicit and legitimate purposes, e.g. we must not collect data for one reason and then use it for something else.
- "Data minimisation" The data we hold must be adequate and relevant for its purpose or purposes but not excessive.
- "Accuracy" Data must be accurate, kept up to date and, where necessary, corrected if it is found to be inaccurate.
- "Storage Limitation" Personal data must not be stored for longer than necessary for the purposes for which it was collected.
- "Integrity and Confidentiality" Data must be kept securely, protected against unauthorised or unlawful access or processing and against accidental loss, destruction or damage.
All staff and volunteers have a responsibility to ensure that their activities comply with the data protection principles. They have responsibility for the type of personal data they collect and how they use it. Staff should not disclose personal data outside the organisation’s procedures, or use personal data held on others for their own purposes.
What rights do I have regarding information that is held about me?
As a Data Subject you have the following rights:
- The right to be informed – you have the right to be given information about how your data is being processed, who it is or will be shared with, for what purpose and how long it will be retained.
- The right of access – you have the right to see or have a copy of your personal data. If providing you with a copy would adversely affect the rights and freedoms of others, an extract or summary of the information may be provided instead.
- The right to rectification – you have the right to request that your personal data is rectified if it is inaccurate or incomplete.
- The right to erasure ("the right to be forgotten") – you have the right to request that your personal data is removed, to prevent further processing, in certain circumstances.
- The right to restrict processing – you have the right, in certain circumstances, to ask us to block or stop processing of your personal data while still retaining it.
- The right to data portability – where processing is carried out by automated means on the basis of your consent or a contract with you, you have the right to be provided with your personal data in a structured, commonly used and machine-readable format.
- The right to object – you have the right to object to processing of your personal data that is based on legitimate interests, to direct marketing (including profiling for that purpose), and to processing for scientific or historical research and statistics.
- Rights in relation to automated decision making and profiling – you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on you.
How do I obtain information about me?
You can make a Subject Access Request (SAR) to obtain your personal data. A request can be made verbally or in writing, but we ask that you make it in writing so that there is a clear record of what was requested and when. The ICO provides useful guidance to support you in submitting a request; see the links below.
WHCE have created a SAR Form to facilitate this. It can be found in standard documents in BreatheHR or alternatively email email@example.com to request a copy.
If you want to know more information about how your data is being processed (right to be informed) please contact our Charity Manager.
Completed Subject Access Requests
Once a Subject Access Request has been completed and returned to WHCE we must respond without undue delay and within one month of receipt. This period can be extended by up to a further two months where the request is complex or you have made a number of requests, in which case we will tell you within the first month that an extension is needed and why.
What can I do if I think that information you hold about me is incorrect?
If you think information that we hold on you is incorrect and you want it rectified, erased or restricted/blocked, please complete the Individual Rights Request Form available on BreatheHR, or alternatively contact the Charity Manager at firstname.lastname@example.org. Further guidance on completing the form is available on the ICO website: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
Completed Individual Rights Forms
Once an Individual Rights Form has been completed and returned to WHCE we must tell you what we have done, or intend to do, within one month. This can be extended by a further two months where the request is complex or you have made a number of requests; we will tell you within the first month if an extension is needed.
If you do not agree with our decisions
You can ask us to record that disagreement for future reference, or you can take the matter up with the Information Commissioner's Office (ICO).
The ICO's contact details:
Information Commissioner’s Office
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
What can you do if you think that there has been a breach of your personal data?
If you have any concerns about the way your personal data has been used, or if you wish to make us aware of a potential data breach, please inform our Charity Manager at email@example.com as soon as possible. Where a breach is likely to result in a risk to individuals' rights and freedoms, WHCE must report it to the ICO within 72 hours of becoming aware of it, so prompt reporting matters.
Can I claim any compensation if I think that information about me has been wrongly used?
If you believe that WHCE has not complied with the GDPR and that this has caused you material or non-material damage, you have the right to seek compensation through the courts. WHCE will not be liable if it can show that it was not in any way responsible for the event that caused the damage. Guidance on compensation can be found on the website of the Information Commissioner's Office.