1. Introduction
In the course of your duties at the Trust you are likely to come into contact with personal data, such as names and contact details for the people we work with, including members, supporters, volunteers, staff, contractors and others.
All personal data must be processed in accordance with current legislation from point of collection, throughout its use and for the duration of its storage, whether it is in paper or electronic form. This legal requirement applies to the Trust and all those who process data on our behalf, including staff and volunteers.
The Trust regards the lawful processing of personal data as vital to our successful operation and to maintaining confidence between us and those with whom we carry out business. This policy sets out how we process personal data at the Trust.
2. Definitions for terms used in this policy
The Act is the Data Protection Bill (currently going through Parliament) which is based on the General Data Protection Regulation (GDPR)
Confidential data includes any of the trade secrets or technical or commercial information relating to the business, organisation, accounts, analysis or other affairs of the Trust
Data subject is defined as an identified or identifiable living person
Data controller is the Wildlife Trust for Bedfordshire, Cambridgeshire and Northamptonshire
Personal data is any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier such as name, contact details, photo, identification number, location data or online identifier.
Special categories of personal data contain information about:
a) racial or ethnic origin;
b) political opinions;
c) religious or philosophical beliefs;
d) trade union membership;
e) health;
f) sex life or sexual orientation;
and
g) genetic data;
h) biometric data where processed to uniquely identify an individual.
3. The data protection principles
The Act defines six data protection principles which set out the main responsibilities for organisations and requires that personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The Act states that the Data Controller shall be responsible for, and be able to demonstrate, compliance with the principles.
4. Lawful basis for processing personal data
The Act requires that the lawful basis and purpose for processing personal data are determined, documented and published in our Privacy Policy before processing begins. There are six lawful bases for processing, four of which are valid for the Trust:
a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
d) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
At least one of the above must apply whenever you process personal data. The lawful basis can also affect which rights are available to the data subject (see section 6).
5. Processing special category personal data and criminal offence data
If you are processing special category personal data, you need to document both the lawful basis for processing (see section 4) and a special category condition for processing (see Appendix 1) before processing begins.
The rules for special category data do not apply to information about criminal allegations, proceedings or convictions. If you are processing data about criminal convictions or criminal offences, you need to document both the lawful basis for processing and an additional condition for processing (see Appendix 2) before processing begins, to comply with article 10 of the GDPR.
6. Rights of data subjects
Data subjects have rights under the Act and the Trust is required to make public these rights in our Privacy Policy on our website. The Act provides the following rights for individuals in relation to their personal data:
a) To be informed how it will be processed;
b) To access it and verify the lawfulness of its processing;
c) To rectification if it is inaccurate or incomplete;
d) To erasure;
e) To restrict its processing;
f) To data portability, i.e. to receive their data in a machine-readable format (only where the data are processed on the basis of consent or contract);
g) To object to direct marketing, to processing on the basis of legitimate interests, or to processing for the purposes of statistical analysis or research;
h) Not to be subject to automated decision-making, including profiling.
The Trust must ensure that our processes enable individuals to exercise their rights under the Act.
7. Accountability
The Trust will, through appropriate management, training and the implementation and review of policies and procedures, ensure that all staff and volunteers are aware of this policy and their responsibilities under the Act.
The Trust will ensure that:
a) everyone processing personal data understands that they are contractually responsible for adhering to this policy;
b) data protection training is provided to all staff;
c) the principles of data protection are integrated into all of the Trust’s data processing activities from the outset – this is “data protection by design”;
d) our approach to processing personal data is documented, regularly assessed and evaluated for compliance with the Act.
8. Data security and confidentiality
All staff and volunteers must take steps to ensure that all personal data is kept secure at all times to prevent unauthorised or unlawful processing or disclosure, accidental loss, destruction or damage.
Managers must ensure that all third-party contractors engaged in data processing on behalf of the Trust have signed a written contract with the Trust and that this contract is stored centrally.
Staff and volunteers must not use, divulge or communicate to any person, firm or organisation (except in the proper course of their duties during their employment by the Trust and providing that an appropriate non-disclosure agreement is in place) confidential data which they may have received or obtained while working for the Trust.
9. Transparency
The Act requires that organisations such as the Trust are transparent about their processing of personal data and publish details of this in their Privacy Policy. The Trust could face a reputational and/or financial risk for any failure to comply with the Act or in the event of a complaint to the Information Commissioner’s Office or an individual making a claim against the Trust.
10. Your responsibilities in relation to personal data
You must:
• undertake any data protection training required by the Trust
• notify all data subjects - at the point of data collection - of the purpose for collecting and processing their personal data
• ensure that the lawful basis for processing any data you collect is valid and documented in the Trust’s Privacy Policy, together with any special category conditions or additional conditions (if required). This may include ensuring consent for processing the data has been received within the last two years or that a Legitimate Interest Assessment has been completed
• complete a Privacy Impact Assessment before commencing any new activity which involves processing personal data, such as a new type of event, installing CCTV or implementing new software
• follow the Trust’s organisational procedures and technical measures to ensure the personal data for your contacts is accurate, up to date and secure, e.g. held in a locked filing cabinet or in password-protected files or databases
• promptly rectify any personal data that is inaccurate or incomplete
• dispose of personal data in accordance with the Trust’s data retention schedule
• forward any requests for personal data about another employee (current or former) to the Human Resources Manager. This includes reference requests.
• not disclose personal data to any third party unless you have checked that a data processing contract is in place with that third party
• not disclose any confidential data to any third party
• only transmit personal data between locations via a secure network and appropriate security measures as outlined in the Trust’s IT policy
• notify the Data Team promptly (within 1 working day) if you receive any request from a data subject in relation to their rights as outlined in section 6 of this policy
• comply with any requests from the Data Team in relation to Subject Access Requests within the required timescale
• report any data breach to the Data Team within 1 hour of you becoming aware of it.
Compliance with this policy and the Act is your responsibility. You could be criminally liable if you knowingly or recklessly disclose personal data in breach of the Act. A serious breach of data protection policy is also a disciplinary offence and will be dealt with under the Trust’s disciplinary procedures. If you access another employee’s personnel records without authority, this constitutes a gross misconduct offence and could lead to your summary dismissal.
We update this policy periodically.
Last updated: March 2018
Appendix 1 - The conditions for processing special category personal data
PLEASE NOTE THAT THIS SECTION IS SUBJECT TO CHANGE:
The Data Protection Bill currently going through Parliament includes proposals for additional conditions and safeguards, which the ICO will publish more detailed guidance on once these provisions are finalised.
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
(e) processing relates to personal data which are manifestly made public by the data subject;
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Appendix 2 - The conditions for processing personal data relating to criminal offences
PLEASE NOTE THAT THIS SECTION IS SUBJECT TO CHANGE:
The Data Protection Bill currently going through Parliament includes proposals for additional conditions and safeguards, which the ICO will publish more detailed guidance on once these provisions are finalised.
Article 10 of GDPR says:
“Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.”
This means you must either be processing the data in an official capacity, or have specific legal authorisation – which in the UK, is likely to mean a condition under the Data Protection Bill and compliance with the additional safeguards set out in the Bill. We will publish more detailed guidance on the conditions in the Bill once these provisions are finalised.
Even if you have a condition for processing offence data, you can only keep a comprehensive register of criminal convictions if you are doing so in an official capacity.