Down Masonic Widows Fund: Data Protection Policy
(the “Policy”)
1. INTRODUCTION
1.1 The Down Masonic Widows Fund (“DMWF”) needs to collect and use information about various individuals. DMWF is subject to the General Data Protection Regulation (“GDPR”) which imposes obligations upon DMWF as a data controller in relation to the protection, use, retention and disposal of such information about various individuals. This Policy sets out the procedures that are to be followed when dealing with Personal Data (as defined below).
1.2 The purpose of this Policy is to ensure that:
1.2.1 DMWF complies with data protection law and follows good practice;
1.2.2 DMWF takes appropriate steps to prevent a data protection breach; and
1.2.3 all Trustees are aware of their responsibilities under data protection legislation, and comply with the law.
1.3 Please refer to DMWF’s privacy notice (the “Privacy Notice”), a copy of which can be obtained from the Data Privacy Manager or on our web site www.downwidows.org
2. USEFUL DEFINITIONS
2.1 The following definitions apply in this Policy:
“Data Controller” the DMWF is the data controller under GDPR, meaning that it determines when, why and how to process personal data. It is responsible for establishing practices and policies in line with GDPR.
“Data Privacy Manager” means the data privacy manager appointed by DMWF, contactable as follows:
Down Masonic Widows’ Fund,
1 The Grange, Lisburn, BT28 3XX
Telephone no: 02892 665 306 email:- [email protected]
“Data Processor” means any other party who processes personal information in accordance with the instructions of the DMWF.
“Personal Data” means any information about a living individual (a “data subject”) which includes names, addresses, photos, identification numbers (for example, a National Insurance number), bank account details, online identifiers (for example, an email address, IP address etc.), and any sensitive personal data (for example, information concerning an individual’s health, race, political opinions or sexual orientation).
“processing” means anything that is done to personal data including collecting, recording, organising, storing, altering, retrieving, disclosing, destructing or erasing the data.
3. DATA PROTECTION PRINCIPLES
3.1 DMWF will adhere to the data protection principles set down in the GDPR which require Personal Data to be:
3.1.1 processed lawfully, fairly and in a transparent way (Lawfulness, Fairness and Transparency);
3.1.2 collected only for specified, explicit and legitimate purposes (Purpose Limitation) and not further processed in a manner that is incompatible with those purposes;
3.1.3 adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Data Minimisation);
3.1.4 accurate and, where necessary, kept up to date (Accuracy);
3.1.5 kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which the information is processed (Storage Limitation); and
3.1.6 processed in a way that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
3.2 With the exception of where processing is based on consent, DMWF shall satisfy itself that the processing is necessary for the purpose of the relevant lawful basis i.e. that there is no other reasonable way to achieve that purpose.
3.3 DMWF should document its decision as to which lawful basis applies to help demonstrate its compliance with the data protection principles.
3.4 Ultimately DMWF is responsible for, and must be able to demonstrate, compliance with the data protection principles listed above.
3.5 Lawfulness and Fairness
3.5.1 The GDPR requires that there is a legal justification for processing any Personal Data. For example, Personal Data may be processed by DMWF if:
(a) the individual has given their consent;
(b) the processing is necessary for the performance of a contract;
(c) the processing is necessary for DMWF to comply with legal obligations e.g. equality monitoring;
(d) the processing is necessary to protect the vital interests of the individual or another person;
(e) the processing is necessary for the performance of a task carried out in the public interest; or
(f) the processing is necessary for the purposes of legitimate interests of DMWF or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.
3.5.2 It is not envisaged that DMWF processes any sensitive Personal Data. However, in the event that DMWF was to process any sensitive Personal Data, such as health information, one of the following conditions must be satisfied:
(a) the individual has given their explicit consent;
(b) processing is necessary to protect an individual’s vital interests; or
(c) processing is necessary for the establishment, exercise or defence of legal claims.
3.6 Consent
When relying on consent to process Personal Data, the individual must clearly indicate their consent either by a statement, or a positive action, to the processing. Individuals must be able easily to withdraw consent at any time. When written consent is obtained for processing, this must be retained.
3.7 Transparency
3.7.1 The GDPR requires that the DMWF provides individuals with certain information about how their Personal Data is being processed. This should be provided through a “Fair Processing Notice” which must be concise, clear and in plain language. The individual must also be informed of:
(a) the identity of the Data Controller i.e. the DMWF;
(b) the contact details of the Data Privacy Manager;
(c) the purpose of the processing and the legal justification for processing;
(d) who their Personal Data may be shared with;
(e) how long their Personal Data may be kept for;
(f) their rights under GDPR, as summarised at paragraph 5;
(g) whether the provision of Personal Data is a statutory or contractual requirement, whether the individual is required to supply the information and the consequences of not supplying the information; and
(h) whether their Personal Data will be used for automated decision making.
3.8 Purpose Limitation
DMWF must only collect Personal Data for specified, explicit and legitimate purposes. Personal Data may not be used for different reasons than those for which it was originally obtained.
3.9 Data Minimisation
DMWF must ensure that the Personal Data which it holds is adequate, relevant and limited to what is necessary. DMWF volunteers must only access Personal Data when performing their duties requires it. When it is no longer necessary to keep Personal Data, it must be securely destroyed.
3.10 Accuracy
Personal Data held by DMWF must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate. DMWF Trustees should ensure that the accuracy of Personal Data is checked when it is collected, and at regular intervals.
3.11 Storage Limitation
Personal Data must not be kept for longer than is necessary. The Data Protection Manager oversees the retention and destruction of personal data in compliance with this Policy.
3.12 Security, Integrity and Confidentiality
3.12.1 DMWF must ensure that the Personal Data it holds is protected by appropriate technical and organisational measures to prevent unauthorised access, accidental loss, destruction or damage to records.
3.12.2 Information and records relating to individuals will be stored securely and will only be accessible to Trustees where they need to access it. Paper records will be kept in a secure place, away from public areas, where unauthorised individuals or members of the public could view it. When not required, paper records will be kept in a lockable drawer or filing cabinet. When data is held electronically it will be protected from unauthorised access, accidental destruction and malicious hacking attempts. The DMWF will ensure that all Personal Data is non-recoverable from any computer system, drive or removable storage device previously used within the organisation, which has been passed on or sold to a third party.
3.12.3 All Trustees with access to a computer are to be provided with a password. When leaving their computer unattended, Trustees must either log out or ensure their screen is locked.
3.12.4 DMWF shall ensure that its IT systems are kept up to date to ensure the security and integrity of digital records.
4. PERSONAL DATA BREACHES
4.1 A data breach is any (potential) unintended loss of control over or loss of Personal Data within DMWF’s environment (e.g. loss or theft of data, equipment failure, hacking or unforeseen circumstances such as fire or flood). Preventing a data breach is the responsibility of all DMWF Trustees.
4.2 The person who discovers / receives a report of a breach must inform the Data Protection Manager immediately.
4.3 The Data Protection Manager will take steps to recover any losses and limit the damage caused by the breach. These steps might include:
4.3.1 attempting to recover the lost Personal Data or equipment;
4.3.2 the use of back-ups to restore data;
4.3.3 if the data breach includes entry codes or passwords, ensure that these are changed immediately.
4.4 The Data Protection Manager will undertake an assessment into the breach in order to ascertain the data which was involved, the cause of the breach, steps needed to remedy the breach and the effect on the Data Subject(s). A record must be kept of the each breach outlining the nature of the breach and steps taken (including whether the ICO was informed).
4.5 If the Data Protection Manager assesses that is likely that there will be a risk to the rights of the individuals, the ICO must be notified without undue delay, and in any event within 72 hours of the breach coming to light.
4.6 When assessing the likely risk to individuals, you should consider whether the individual(s) are likely to suffer discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality, or economic or social disadvantage.
5. RIGHTS OF DATA SUBJECTS UNDER THE GDPR
5.1 Individuals have rights as to how DMWF can handle their Personal Data:
5.1.1 the right to be informed: DMWF shall keep data subjects informed of its processing activities through its Privacy Notice;
5.1.2 the right of access: a data subject may request access to the Personal Data which DMWF holds about them (known as a “Subject Access Request” and more fully explained at paragraph 6 below);
5.1.3 the right to rectification: if a data subject informs DMWF that Personal Data held by DMWF is inaccurate or incomplete, the data subject may request that it is rectified;
5.1.4 the right to erasure: a data subject may ask DMWF to erase their Personal Data. DMWF must comply with this request unless it has reasonable grounds to refuse;
5.1.5 the right to data portability: a data subject is entitled to receive a copy of their Personal Data and use it for other purposes;
5.1.6 the right to object: a data subject may object to DMWF’s processing of their Personal Data at any time;
5.1.7 rights in relation to automated decision-making and profiling: a data subject has the right to challenge any decision that is made about them on an automated basis (subject to certain exceptions). DMWF is also required to comply with certain conditions if it uses Personal Data for profiling purposes.
5.2 Data subjects have the right to make a complaint at any time to the Information Commissioner’s Office (the “ICO”), the UK supervisory authority for data protection issues. The ICO’s details are as follows:
Information Commissioner’s Office – Northern Ireland
3rd Floor
14 Cromac Place
Belfast
BT7 2JB
Telephone: (028) 9027 8757 / 0303 123 1114
Email: [email protected]
6. SUBJECT ACCESS REQUESTS
Individuals have the right to request access to the Personal Data which DMWF holds about them. This is called a Subject Access Request. Subject Access Requests should be made in writing, and the identity of anyone making a request should be verified. One copy of the requested information must be provided free of charge, within one month of the request being received by DMWF. Trustees who receive a Subject Access Request should pass this on to the Data Privacy Manager who will be responsible for responding to the request.
7. SHARING PERSONAL INFORMATION WITH OTHERS
At times, the DMWF may share Personal Data with others. DMWF shall obtain guarantees that the Personal Data it shares with others will be processed in accordance with data protection law. Where DMWF uses a data processor, a written data processing contract will be put in place between the processor and DMWF. Individuals will be informed if their Personal Data is to be shared with any third party.
8. DATA RETENTION & DISPOSAL
8.1 The longer that Personal Data is retained, the higher the likelihood is of accidental disclosure, loss, theft and/or information growing stale.
8.2 All Personal Data kept by DMWF should only be retained for a maximum of four years (being the current year and three previous years). All Trustees have a responsibility to ensure that Personal Data is not retained beyond this period and if any Trustees uncover Personal Data which has been retained for more than four years, or is nearing this four year period, they should immediately inform the Data Protection Manager.
8.3 The Data Protection Manager will oversee the safe and secure destruction of the appropriate Personal Data and records.
9. AUDIT
9.1 DMWF may, from time to time, test its systems and processes to assess compliance.
10. DATA PROTECTION IMPACT ASSESSMENTS
10.1 The GDPR requires that “Data Protection Impact Assessments” are carried out by DMWF if its processing activities present a “high risk” to the rights of individuals.
10.2 Advice should be sought from the Data Privacy Manager on carrying out such an assessment.
11. SUMMARY OF TRUSTEES GUIDELINES AND OBLIGATIONS
11.1 Trustees should not give out confidential Personal Data except to the data subject, following the Data Privacy Manager’s authorisation. In particular, Personal Data should not be given to someone from the same family or to any unauthorised third party unless the data subject has given their explicit consent to this.
11.2 It is important to be aware that those seeking information sometimes use deception to gain access to it. Trustees must always verify the identity of the data subject and the legitimacy of a request for information, particularly before releasing information via telephone.
11.3 Personal Data may only be transmitted by fax or email if security procedures are in place e.g. encryption used in email.
11.4 Trustees should always double check that they have the correct email or postal address before sending out any Personal Data.
11.5 If a member of Trustees receives a request for Personal Data about another volunteer, (s)he should forward this to the Data Privacy Manager.
11.6 Trustees should ensure that any Personal Data that they use in the course of their work is kept securely. Paper records should be kept in locked storage, and devices such as computers and mobile phones should be encrypted.
11.7 If Trustees have any questions, they should contact the Data Privacy Manager.
This Policy may be amended or updated from time to time, and Trustees should therefore ensure that they consult the most up to date version.