Data for Policy CIC
Data Protection Policy
Data Protection Policy v1 – January 2021
The security and management of data is important to ensure that we can function effectively and successfully for the benefit of our members and for the community and voluntary sector.
In doing so, it is essential that people’s privacy is protected through the lawful and appropriate use and handling of their personal information.
The use of all personal data by Data for Policy CIC is governed by:
- The General Data Protection Regulation (GDPR)
- The UK Data Protection Act 2018 (DPA)
- The Privacy and Electronic Communications Regulations (PECR)
Every member of staff has a responsibility to adhere to the Data Protection Principles outlined in the GDPR, and to this Data Protection Policy.
The Data Protection Officer (DPO) is Dr Emily Gardner.
2. Data protection principles
There are six data protection principles defined in Article 5 of the GDPR. These require that all personal data be:
- processed in a lawful, fair and transparent manner.
- collected only for specific, explicit and limited purposes (‘purpose limitation’).
- adequate, relevant and not excessive (‘data minimisation’).
- accurate and kept up-to-date where necessary.
- kept for no longer than necessary (‘retention’).
- handled with appropriate security and confidentiality.
We are committed to upholding the data protection principles. All personal data under our control must be processed in accordance with these principles.
3. Lawful processing
All processing of personal data must rely on at least one of the six lawful bases defined in Article 6(1) of the GDPR:
- Where we have the consent of the data subject
- Where it is in our legitimate interests and this is not overridden by the rights and freedoms of the data subject.
- Where necessary to meet a legal obligation.
- Where necessary to fulfil a contract, or pre-contractual obligations.
- Where we are protecting someone’s vital interests.
- Where we are fulfilling a public task, or acting under official authority.
Any special category data (sensitive types of personal data as defined in Article 9(1) of the GDPR) must, in addition, be processed only in line with one of the conditions specified in Article 9(2).
Where processing is based on consent, the data subject must be able to withdraw that consent as easily as it was given. Where electronic direct marketing communications are sent, every communication must offer the recipient the option to opt out, and we must recognise and act on that choice.
4. Data minimisation and control
Data collection processes will be regularly reviewed to ensure that personal data collected and processed is kept to a minimum. We will keep the personal data that we collect, use and share to the minimum amount required to be adequate for its purpose. Where we do not have a legal obligation to retain some personal data, we will consider whether there is a business need to hold it.
We will retain personal data only for as long as it is necessary to meet its purpose. Our approach to retaining and erasing data no longer required will be specified in the retention policy and schedule. This schedule will be reviewed annually. In the case of sharing personal data with any third party, only the data that is necessary to fulfil the purpose of sharing will be disclosed.
Anonymisation and pseudonymisation of personal data that is stored or transferred should be considered wherever practicable.
The DPO has the specific responsibility of overseeing data protection and ensuring that we comply with the data protection principles and relevant legislation.
The data we collect and the manner in which we process it is set out in our Data Protection Statement. The DPO will ensure that the Data Protection Statement is kept up to date and demonstrates how our activities adhere to the data protection principles. Individual members of staff have a duty to ensure that the measures outlined in the Register are accurately reflected in our practice.
5. Main points
To help protect people’s personal data keep to these Dos and Don’ts:
- Always treat people’s personal information with integrity and confidentiality
- Know what the data protection principles are and apply them
- Store hard copies securely and transfer them directly to recipients
- Use your encrypted USB drives to store and transfer data where needed
- Be alert to cyberattacks and report suspicious emails or calls
- Report losses of data or devices as soon as possible
- Take care to use the ‘bcc’ option for bulk emailing
- Beware of autocomplete on email. Check you are sending to the right address
- Ensure your personal device has appropriate security measures if using it for work-related activity