Updated: 07th November 2019
Under the EU General Data Protection Regulations (GDPR) the National Emergencies Trust (herein after referred to as “the Charity”) is required to comply with applicable data protection legislation (which includes the GDPR, the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications Regulations 2003 (PECR) which shall be replaced by the ePrivacy Regulation)and undertakes to do so.
The definitions of terms used in this policy are the same as the definitions of those terms detailed in Article-4 of the GDPR.
Data Subject
A data subject is an identifiable individual person about whom the Charity holds personal data.
Contact Information
For the purposes of this Policy, “Contact Information” means any or all of the person’s:
The Charity will ensure that all personal data that it holds will be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The importance of accountability is also stressed by GDPR. This means that as well as complying with data protection legislation, the Charity must be able to evidence how it has complied by keeping appropriate records of its processing of personal data.
The Charity will obtain, hold and process all personal data in accordance with the GDPR for the following lawful purposes.
In all cases the information collected, held and processed will include Contact Information (as defined in 2 above).
Sensitive data such as data revealing ethnic or racial origin, sexual orientation or data concerning health is classified as ‘special category data’ and lawful bases under both Art 6 and Art 9 must be identified.
a) People who are interested in, and wish to be kept informed of, the activities of the Charity. Any marketing by email will be undertaken using the basis of consent as this is a requirement of PECR.
b) Subject to the person’s consent, this may include information selected and forwarded by the Charity on activities relevant to those of the Charity by other organisations.
The information collected may additionally contain details of any particular areas of interest about which the person wishes to be kept informed.
The information provided will be held and processed solely for the purpose of providing the services requested by the person.
When using consent as a legal basis, it is important that the organisation relying on the consent is specifically identified in the consent wording. Consent must also be ‘opt-in’, specific, informed and freely given.
Where the Charity is processing ‘special category data’ the most commonly available basis will be the data subject’s explicit consent. In practice, this means that the consent wording must be particularly detailed and specific.
People who sell goods and/or services to, and/or purchase goods and/or services from the Charity.
The information collected will additionally contain details of:
a) The goods/services being sold to, or purchased from the Charity;
b) Bank and other details necessary and relevant to the making or receiving of payments for the goods/services being sold to, or purchased from the Charity.
The information provided will be held and processed solely for the purpose of managing the contract between the Charity and the person for the supply or purchase of goods/services. This basis will only apply where the data subject is a party to the contract.
People where there is a legal obligation on the Charity to collect, process and share information with a third party – eg: the legal obligations to collect, process and share with HM Revenue & Customs payroll information on employees of the Charity.
The information provided will be held, processed and shared with others solely for the purpose meeting the Charity’s legal obligations.
Employees (Human Resources)
Personal data appropriate to the employment of the individual and to allow the Charity to exercise its rights and carry out its obligations under employment law.
Taxation (HM Revenue & Customs)
For the purpose of managing an employee’s PAYE and other taxation affairs the information collected will additionally contain details, as required by HM Revenue & Customs, of:
a) The person’s National Insurance Number;
b) The person’s taxation codes;
c) The person’s salary/wages, benefits, taxation deductions & payments;
d) Such other information as may be required by HM Revenue & Customs.
Pensions
For the purpose of managing an employee’s statutory pension rights the information collected will additionally contain details, as required by the Charity’s pension scheme (National Employees Savings Trust, NEST), of:
a) The person’s National Insurance Number;
b) The person’s salary/wages, benefits, taxation & payments;
c) Such other information as may be required by the NEST scheme.
The Charity undertakes no activities which require the collection, holding and/or processing of personal information which are necessary to protect the vital interests of the data subject or another living person. This basis is only applicable where the processing of personal data (including special category data) is essential for someone’s life and so generally only applies to matters of life and death (for example, emergency medical care). It will not apply where the data subject is capable of providing their consent.
Condition 16, schedule 1, Part 2 of the DPA 2018 provides a basis for processing special category data to support for individuals with a medical condition where there is a substantial public interest. This condition may apply where: (1) a not-for-profit body provides support to individuals with a medical condition (or their carer); (2) the processing can reasonably be carried out without the individual’s consent; and (3) the Charity cannot reasonably be expected to obtain the consent of the individual (for example, because the individual is incapable of providing consent due to their medical condition). This basis may be useful in instances where the individual is unable to complete an application form or where the Charity has received the individual’s details directly from a partner/third party without the individual’s explicit consent.
Volunteers, Including Trustees
In order to be able to operate efficiently, effectively and economically, it is in the legitimate interests of the Charity to hold such personal information on its volunteers and trustees as will enable the Charity to communicate with its volunteers on matters relating to the operation of the charity. Legitimate interests is a flexible basis but in each case requires the Charity to balance its (or a third party’s interests) against the rights and impact on the individual. Where there is doubt that legitimate interests may apply, the Charity should conduct a Legitimate Interests Assessment to show that it has considered the benefits and impact of its processing and the mitigation measures it should implement to protect the individual. Examples of the Charity’s legitimate interests include:
Closed Circuit TV (CCTV) Recording
The Charity may collect video CCTV images of people entering and moving around its premises in order to safeguard its collection from theft and vandalism, as required by its insurers.
The information collected is only processed and, where appropriate, shared with other authorities (eg: the Police) where it is necessary to investigate a potential crime.
Note: The following clauses are taken primarily from the guidance provided by the Office of the Information Commissioner,
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/
When collecting personal information the Charity will provide to the data subject free of charge, a Privacy Notice written in clear and plain language which is concise, transparent, intelligible and easily accessible containing the following information:
In the case of data obtained directly from the data subject, the information will be provided at the time the data are obtained.
In the case that the data are not obtained directly from the data subject, the information will be provided within a reasonable period of the Charity having obtained the data (within one month), or,
if the data are used to communicate with the data subject, at the latest, when the first communication takes place; or
if disclosure to another recipient is envisaged, at the latest, before the data are disclosed.
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him/her are being processed, and, where that is the case, access to his/her personal data and the information detailed in the Charity’s relevant Privacy Notice:
The data subject shall have the right to require the controller without undue delay to rectify any inaccurate or incomplete personal data concerning him/her.
Except where the data are held for purposes of legal obligation or public task (4.3 or 4.5) the data subject shall have the right to require the controller without undue delay to erase any personal data concerning him/her.
Note: This provision is also known as “The right to be forgotten”.
Where there is a dispute between the data subject and the Controller about the accuracy, validity or legality of data held by the Charity the data subject shall have the right to require the controlled to cease processing the data for a reasonable period of time to allow the dispute to be resolved.
Where data are held for purposes of consent or contract (4.1 or 4.2) the data subject shall have the right to require the controller to provide him/her with a copy in a structured, commonly used and machine-readable format of the data which he/she has provided to the controller, and have the right to transmit those data to another controller without hindrance.
a) The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him/her which is based Public Task or Legitimate Interest (4.5 or 4.6), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
b) Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him/her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
c) Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
d) At the latest at the time of the first communication with the data subject, the right referred to in paragraphs a) and d) shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
Except where it is:
a) based on the data subject’s explicit consent, or
b) necessary for entering into, or performance of, a contract between the data subject and a data controller; the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her.
Operational Policies and Procedures
NET (the Charity) is a small charity holding just a small amount of personal data on a small number of people. However, in some cases, the personal data held is sensitive and in respect to data concerning health, is classified as ‘special category data’ under GDPR. Where the Charity is processing special category data then an appropriate lawful basis needs to be identified for the processing (see above) and the data must be stored in a manner appropriate to the risk. There may be exceptional circumstances when NET need to higher levels of data, for example when acting as a distributor, and in these situations will afford the appropriate levels of protection.
The Trustees understand and accept their responsibility under the data protection legislation to hold all personal data securely and use it only for legitimate purposes.
By the following operational policies and procedures the Trustees undertake to uphold the principles and requirements of the GDPR in a manner which is proportionate to the nature of the personal data being held by the Charity. The policies are based on the Trustees’ assessment, in good faith, of the potential impacts on both the Charity and its data subjects of the personal data held by the Charity being stolen, abused, corrupted or lost.
As the core activities of the Charity do not involve large scale processing of special category data, a Data Protection Officer (as defined by Art 37 GDPR) is not required. The CEO is the Data Protection Lead for the Charity.
The Charity is the Data Controller of the personal data it processes and has registered as a data controller with the ICO.
The Charity will not knowingly outsource its data processing to any third party (eg: Google G-Suite, Microsoft OneDrive) except as provided for in the section “Third Party Access to Data”. Where an organisation processes personal data on behalf of the Charity then it will be a data processor. Art 28 GDPR requires certain contractual clauses to be in place between the Charity and its data processors. Partners will generally considered to be data controllers rather than data controllers as they will be making overarching decisions as to how and why they process personal data.
Except where necessary to pursue the legitimate purposes of the Charity, only the Data Controller and Data Processors shall have access to the personal data held by the Charity. In the event of a Complaint the Chair of the group hearing the complaint will be given appropriate access to understand the issue and reach a conclusion.
The Data Protection Lead and Charity staff who process personal data will periodically undergo appropriate training commensurate with the scale and nature of the personal data that the Charity holds and processes under the GDPR.
The Charity collects a variety of personal data commensurate with the variety of purposes for which the data are required in the pursuit of its charitable objects.
All personal data will be collected, held and processed in accordance with the relevant Privacy Notice provided to data subjects as part of the process of collecting the data.
A Privacy Notice will be provided, or otherwise made accessible, to all persons on whom the Charity collects, holds and processes data covered by the GDPR. The Data Privacy Notice provided to data subjects will detail the nature of the data being collected, the purpose(s) for which the data are being collected and the subjects’ rights in relation to the Charity’s use of the data and other relevant information in compliance with the prevailing GDPR requirements.
The Charity is obliged to implement security measures that are appropriate to the risk (taking into account the available technology and the cost of implementing the measures). The Charity will use encryption where appropriate and shall implement policies that set out how the Charity will use Information Technology.
The scale and nature of the personal data held by the Charity is not sufficient to justify the Charity purchasing dedicated computers for the processing of personal data.
Instead the Charity will purchase and own at least 2 and not more than 10 removable storage devices to store the personal data that it holds and processes.
The removable storage devices will also act as backup devices.
Whilst the data will be processed on the computers/laptops to which the Charity’s staff and volunteers have access, no personal data will be stored for an extended period on those computers/laptops. All interim working data transferred to such computers/laptops for processing will be deleted once processing has been completed.
When not in use the removable storage devices will be kept in a secure location and reasonably protected against accidental damage, loss, avoidable theft or other misuse by persons other than the Data Processors.
The Data Controller & Data Processors will keep a register of:
a) the location of all removable devices used for the storage and processing of personal data;
b) each occasion when the data on each device were accessed or modified and by whom.
The Charity’s removable storage devices shall not be used for the storage of any data which are unrelated to the Charity’s processing of personal data.
Staff shall only process the Charity’s personal data in a secure location, and not in any public place, eg: locations whether the data could be overlooked by others, or the removable data storage devices would be susceptible to loss or theft.
Computers/laptops in use for data processing will not be left unattended at any time unless securely stored.
To protect against loss of data by accidental corruption of the data or malfunction of a removable data storage device (including by physical damage), all the Charity’s personal data shall be backed up periodically and whenever any significant changes (additions, amendments, deletions) are made to the data.
Backup copies of the data shall be held in separate secure locations which are not susceptible to common risks (eg: fire, flood, theft).
As far as is reasonably practical, all files containing personal data covered by the GDPR will be encrypted by the use of HNC-Meo, Kaspersky Vault or other comparable software.
The encryption keys will be held securely in a location which is separate from the data storage media.
(Disposal of Removable Storage Media)
Equipment used to hold personal data, whether permanently or as interim working copies, which come to the end of their useful working life, or become dysfunctional, shall be disposed of in a manner which ensures that any residual personal data held on the equipment cannot be recovered by unauthorised persons.
Inasmuch as:
a) this will be a relatively infrequent occurrence;
b) techniques for data recovery and destruction are constantly evolving;
c) none of the Trustees have relevant up-to-date expert knowledge of data cleansing; equipment which becomes obsolete or dysfunctional shall not be disposed immediately. Instead it will be stored securely while up-to-date expert advice on the most appropriate methods for its data cleansing and disposal can be sought and implemented.
In compliance with the GDPR the Charity will give data subjects the following rights.
These rights will be made clear in the relevant Data Privacy Notice provided to data subjects:
It should be noted that exemptions may apply to the above rights.
Data subjects will be clearly informed of their right to access their personal data and to request that any errors or omissions be corrected expeditiously.
Such access shall be given and the correction of errors or omissions shall be made free of charge provided that such requests are reasonable and not trivial or vexatious.
There is no prescribed format for making such requests provided that:
a) the request is made in writing, signed & dated by the data subject (or their legal representative);
b) the data claimed to be in error or missing are clearly and unambiguously identified;
c) the corrected or added data are clear and declared by the subject to be complete and accurate.
It will be explained to subjects who make a request to access their data and/or to have errors or omissions corrected, or that their data be erased, that, while their requests will be actioned as soon as is practical there may be delays where the appropriate volunteers or staff to deal with the request do not work on every normal weekday.
Where a data subject requests that their data be rectified or erased the Data Controller will ensure that the rectifications or erasure will be applied to all copies of the subject’s personal data including those copies which are in the hands of a Third Party for authorised data processing.
The Charity will only provide copies of personal data to the subject (or the subject’s legal representative) on written request.
The Charity reserves the right either:
a) to decline requests for portable copies of the subject’s personal data when such requests are unreasonable (ie: excessively frequent) or vexatious;
or
b) to make a reasonable charge for providing the copy.
Personal data shall not be retained for longer than:
a) In the case of data held by subject consent:
the period for which the subject consented to the Charity holding their data;
b) in the case of data held by legitimate interest of the charity:
the period for which that legitimate interest applies. For example: in the case of data subjects who held a role, such as a volunteer, with the Charity the retention period is that for which the Charity reasonably has a legitimate interest in being able to identify that individual’s role in the event of any retrospective query about it;
c) in the case of data held by legal obligation:
the period for which the Charity is legally obliged to retain those data.
The Charity shall regularly – not less than every 6 months – review the personal data which it holds and remove any data where retention is no longer justified. Such removal shall be made as soon as is reasonably practical, and in any case no longer than 20 working days (of the relevant Data Processor) after retention of the data was identified as no longer justified.
The volume of personal data is very low – less than 15 individuals.
The sensitivity of the data is low-moderate: the most sensitive data being date of birth, previous names and previous addresses;
The risk of data breach is small as the data are rarely used, with the majority of the data being held for a combination of legal obligation and legitimate interest.
Overall impact: LOW
The volume of personal data is medium – more than 100 individuals.
The sensitivity of the data is high: the most sensitive data being bank, passport, address, financial information and data concerning the health of the data subject.
The likelihood of a data breach is small – primarily the accidental disclosure of names & e-mail addresses, although the risk to data subjects of disclosure of health information is potentially high and the Charity shall take this into account in respect to the measures implemented to protect such special category data.
Overall impact: HIGH
The volume of personal data is low-moderate.
The sensitivity of the data is low: the most sensitive data being an e-mail address;
The risk of data breach is small – primarily the accidental disclosure of names & e-mail addresses.
Overall impact: LOW
Under no circumstance will the Charity share with, sell or otherwise make available to Third Parties any personal data except where it is necessary and unavoidable to do so in pursuit of its charitable objects as authorised by the Data Controller.
Data subjects will be informed in the Charity’s Privacy Notice aof the necessity to share their personal data with a Third Party in pursuit of the Charity’s objects.
Before sharing personal data with a Third Party the Charity will take all reasonable steps to verify that the Third Party is, itself, compliant with the provisions of the GDPR and confirmed in a written contract. The contract will specify that:
In the event of any data breach where it is likely that there is a risk to the individual concerned coming to the attention of the Data Controller the Trustees will without undue delay notify the Information Commission’s Office and consider whether a Serious Incident Report should be submitted to the Charity Commission. The data subject may also need to be informed where there is a high risk to their privacy rights.
In the event that full details of the nature and consequences of the data breach are not immediately accessible (eg: because Data Processors do not work on every normal weekday) the Trustees will bring that to the attention of the Information Commissioner’s Office and undertake to forward the relevant information as soon as it becomes available.
The Charity will have appropriate Privacy Notices which it will make available to everyone on whom it holds and processes personal data, in accordance with 5.1.
In the case of data obtained directly from the data subject, the Privacy Notice will be provided at the time the data are obtained.
In the case that the data are not obtained directly from the data subject, the Privacy Notice will be provided within a reasonable period of the Charity having obtained the data (within one month), or, if the data are used to communicate with the data subject, at the latest, when the first communication takes place; or disclosure to another recipient is envisaged, at the latest, before the data are disclosed.