The purpose of this policy is to ensure that Ribble Rivers Trust (RRT) provides appropriate protection for the storage and use of the personal data it holds, in compliance with the Data Protection Act 1998 (DPA) and the new General Data Protection Regulation (GDPR) 2018. It also links with the Trust’s IT Policy.
Personal data / information held by RRT will be used for the effective operation of RRT in line with the constitution and policies of RRT. Personal data will only be used with explicit consent for the purpose that it was originally provided for, or where there is another lawful basis for processing the data.
Who is covered by the policy?
All employees and trustees are covered by this policy.
What is covered by the policy?
Personal data: The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
Sensitive personal data: The GDPR refers to sensitive personal data as ‘special categories of personal data’. These special categories include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical and mental health, and sexual orientation. The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
RRT is utilising the GDPR guidance to implement our policy on data protection and privacy. This has been communicated to employees and trustees through training covering the following plan.
The Ribble Rivers Trust has a twelve-point plan to ensure that its current practice is strengthened and complies with the intent as well as the letter of the new regulations:
- Information we hold
- Communicating privacy notices
- Individuals’ rights
- Subject access requests
- Lawful bases for processing personal data
- Extra protection for children
- Data breaches
- Data protection by design
- Define who is responsible
- Data storage and protection
The following sections will deal with each of these parts of the plan.
Via a training session, we have ensured that employees within our organisation are aware that the law is changing to the GDPR and they understand the impact this will have. New employees will also undergo this training, and GDPR will be a standing item at the monthly staff meetings.
2. Information we hold
The GDPR requires us to maintain records of our data processing activities. These records not only demonstrate our compliance with the new regulations, but also enable us to track any personal data that may have been shared with third party organisations should records need to be amended (e.g. change of addresses, requests for removal of personal data).
The Trust has audited its data holdings, identified the main sources of data and generated a Data Inventory. The inventory identifies the nature of the data, where it originated from, what it is used for, who it is shared with and where it is stored.
The Trust believes that it has identified all sources of personal data retained by Trust staff; however, it is possible that legacy data will be uncovered in the future. If this happens, the data will either be added to the inventory or deleted as appropriate.
3. Communicating privacy information
The Office Manager is responsible for reviewing the Trust’s privacy notices and how we ask for consent, to ensure that the Trust continues to follow best practice.
Our privacy notices have been reviewed, amended and made available at all points of personal data collection. These include:
- Websites – donations, volunteer sign-up, fishing ticket purchases and the contact forms
- Meetings – sign in sheets
- Public events – volunteer sign in sheets, supporter forms
- Training events – sign in sheets
Privacy notices enable us to communicate how we intend to use personal data before consent is given, how long the data will be stored for and to inform individuals of their right to complain to the ICO should they believe their data is being handled inappropriately.
4. Individuals’ rights
GDPR includes the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be subject to automated decision-making, including profiling
We have checked our systems and procedures to ensure that they cover all of the above rights. As a matter of routine, the Office Manager will ensure that a request from any person who does not wish to receive communications from the Trust is acceded to. Other than where an audit trail must be maintained for the Trust’s auditors or the Government’s auditors where public grants are involved, or where the data is processed in such a manner as to prevent the identification of any individual (e.g. market research data), the Office Manager will arrange for any other personal data that is the subject of a request to be deleted and will provide the individual with confirmation within 72 hours, or provide an explanation in writing to the contrary.
5. Subject access requests
Individuals have the right to obtain a copy of the personal information that is held about them. This is known as a subject access request. Any request by an individual to have access to the personal data held by the Trust will be referred to the Office Manager. The request will be answered as soon as practicable and in any event within 30 days. It is the responsibility of the CEO to exercise his/her professional judgement, or to seek external legal advice, on any restriction of the information disclosed. If a request is refused, RRT will provide the individual with the reason within 30 days and explain that they have the right to complain to the supervisory authority and to seek a judicial remedy. RRT reserves the right to make a charge for requests that are manifestly unfounded or excessive.
6. Lawful basis for processing personal data
The lawful bases for data processing are set out in Article 6 of the GDPR. At least one of these must apply whenever RRT processes personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
The Article 6 lawful basis for our data processing activities has been identified and documented within our Data Inventory. Our privacy notices have been updated to explain it.
Electronic copies of proof of consent records are made and stored in a central location. Any paperwork is subsequently shredded.
The way in which RRT seeks, records and manages consent has been reviewed and any necessary changes have been made to meet the GDPR standard.
Consent from individuals must be freely given, specific, informed and unambiguous. There must be a positive ‘opt-in’ – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Each item of communication will detail simple ways for people to withdraw their consent.
Consent to process personal data is:
- Properly documented
- Easily withdrawn
Where current consent does not meet the above GDPR standard, fresh consent has been sought.
7. Extra protection for children
The GDPR sets the age when a child can give their own consent to data processing at 16. RRT regularly works with children as part of its education programme and sometimes at volunteering events. As such, consent from a parent or guardian must be sought and documented before any personal data is collected. The parental consent must be verifiable and our privacy notice written in language that children will understand.
8. Data breaches
The GDPR places a duty on all organisations to report certain types of data breach to the ICO and in some cases, individuals. If there is a data breach it is the responsibility of the project manager and/or RRT data lead identified in the data inventory to notify the ‘Data Processor’ as soon as possible. The issue will be investigated by the senior management team and rectified. Data breaches will be documented in the Data Inventory.
The ICO must be notified where a breach is likely to result in a risk to the rights and freedoms of individuals e.g. discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage. We will also notify individuals directly if such a breach occurs.
9. Data Protection by Design and Data Protection Impact Assessments
The ICO encourages organisations to ensure that privacy and data protection are key considerations in the early stages of any project, and then throughout its lifecycle. For example when:
- building new IT systems for storing or accessing personal data;
- developing legislation, policy or strategies that have privacy implications;
- embarking on a data sharing initiative;
- or using data for new purposes.
The GDPR makes privacy by design an express legal requirement and Data Protection Impact Assessments (DPIAs) are mandatory in certain circumstances. A DPIA is required in situations where data processing is likely to result in high risk to individuals, for example:
- Where a new technology is being deployed
- Where profiling is likely to significantly affect individuals
- Where there is processing on a large scale of the special categories of data.
RRT does not deem any of its data processing to be high risk and therefore does not foresee a need to conduct DPIAs. However, if the need arose and a DPIA indicated high risks that could not be sufficiently addressed, RRT would be required to consult the ICO as to whether the processing operation was compliant with the GDPR.
10. Who is responsible?
Due to the low risk associated with its data processing operations, RRT recognises that there is no formal requirement to designate a Data Protection Officer. It is however good practice to designate someone within an organisation to take responsibility for data protection compliance. The individual(s) must have the knowledge, support and authority to carry out their role effectively.
The main roles identified with respect to the control of data are:
Data Controller: The Trustees are ultimately responsible for the Trust’s management of data and fulfil the role of ‘Data Controller’. The Data Protection Policy will be reviewed annually by the CEO and Trustees, updated with any issues or risks to ensure that it is fit for purpose and that the purpose for collecting, storing and processing personal data is still required for the Trust’s work.
Data Processor: This is the CEO and Office Manager, whose main responsibilities are to ensure that any processing of personal data within the Trust is done in accordance with the regulations and that data protection is built in at the design stage of any project.
Back-up of databases and security: This is the responsibility of the CEO.
11. Data storage and protection
All employees have a confidentiality clause within their contracts of employment. Personal data is largely incidental to the business advice given. The confidentiality and personal data obligations are periodically reinforced at staff meetings.
Any external fundraising agreements or consultation responses will incorporate a clause making the confidentiality and data protection obligations clear. Other agreements routinely include reciprocal confidentiality undertakings to protect the Trust’s intellectual property rights and any personal data that may arise.
The Trust’s employees are required to effect and maintain security protection on all computers and other devices in accordance with the IT Policy.
General principles for the collection and use of personal data
- Processed fairly and lawfully.
- Obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with the purpose or those purposes.
- Adequate, relevant and not excessive in relation to the purpose(s) for which it is held.
- Accurate and, where necessary, kept up to date.
- Held no longer than is necessary or legally required for the specified purpose(s).
- Processed in accordance with the rights of the data subjects.
- Held securely, with appropriate technical and organisational measures taken to prevent unauthorised or unlawful processing of personal data, and to prevent accidental loss or destruction of, or damage to, personal data.
- Not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.
Review of Policy
The CEO will review this Policy upon each renewal or more frequently if circumstances dictate or suggest otherwise. Any issues identified will be raised with the Trustees at the soonest opportunity.