Data Protection Policy

1 INTRODUCTION AND BACKGROUND

1.1 The Poor Servants of the Mother of God (PSMG/'The Charity'), through its Trustees, is a Data Controller and consequently must process all Personal Data (including Special Categories of Personal Data) about Data Subjects in accordance with the General Data Protection Regulation 2016/679 (the "GDPR") and any other relevant data protection legislation, domestic or otherwise, (as may be in force or repealed or replaced from time to time) (together the "Data Protection Rules"). For the avoidance of doubt, the Charity remains the sole Data Controller, even where processing is carried out by the Frances Taylor Foundation, the.., Kairos Centre or any of its communities or associated organisations. Members of staff delivering a service through any associated organisation are employed by the Charity and therefore covered by this policy.

1.2 The Charity will collect, store, use and otherwise process Personal Data about the people with whom it interacts, who are the Data Subjects. This may include job applicants, service users, employees, former employees, agency workers, volunteers, community members, contractors, suppliers and other third parties.

1.3 The Charity processes Personal Data so that it can comply with its statutory obligations and achieve its charitable objects through the operation of the charity.

1.4 You have a number of rights in relation to how the Charity processes your Personal Data. The Charity is committed to ensuring that it processes Personal Data properly and securely in accordance with the Data Protection Rules, since such commitment constitutes good governance and is important for achieving and maintaining the trust and confidence of Data Subjects. Therefore, the Charity will regularly review its procedures to ensure that they are adequate and up-to-date.

1.5 All those who work for or are otherwise associated with the Charity who are involved in the Processing of Personal Data held by the Charity have a duty to protect the data that they process and must comply with this Policy. The Charity will take any failure to comply with this Policy or the Data Protection Rules very seriously. Any such failure may result in legal action being taken against the Charity and/or the individual responsible.

1.6 Details of the data we collect and process in relation to employees, how sensitive personal data is processed and shared, our obligations and your rights are detailed within the Privacy Notice for employees.

2 THE DATA PROTECTION PRINCIPLES

2.1 The Charity as the Data Controller is required to comply with the six data protection principles set out in the GDPR, which provide that Personal Data must be:

2.1.1 Processed fairly, lawfully and in a transparent manner;

2.1.2 Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with those purposes;

2.1.3 Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;

2.1.4 Accurate and, where necessary, kept up to date - every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified without delay;

2.1.5 Kept in a form that permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data is processed; and

2.1.6 Processed in a way that ensures its security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational security measures.

2.2 There is also an overarching principle; the Data Controller must be able to demonstrate compliance with the six principles. Accountability is vital.

3 THE DATA PROTECTION OFFICER AND REGISTRATION WITH THE ICO

3.1 The Trustees have overall responsibility for compliance with the Data Protection Rules. However, the Data Protection Officer (the "DPO") shall be responsible for ensuring day-to-day compliance with this Policy and with the Data Protection Rules. The DPO will undergo training at least once a year and the Charity will provide the DPO with sufficient resources and support to carry out their responsibilities. The DPO's name and contact details can be found in section 11 of this Policy.

3.2 The Charity is registered with the Information Commissioner's Office (the "ICO") as the Data Controller as is required by law. The Charity will be responsible for paying to the ICO any future fees levied on Data Controllers by the Data Protection Rules.

3.3 This Policy applies to all Personal Data processed by the Charity in whatever format (e.g. paper, electronic, film) and regardless of how it is stored (e.g. electronically or in filing cabinets). It also includes information that is in paper form but is intended to be put into electronic form and to any recordings made such as telephone recordings and CCTV.

4 HOW THE CHARITY WILL COMPLY AND DEMONSTRATE COMPLIANCE

4.1 This Policy is intended to ensure that any Processing of Personal Data is in accordance with the Data Protection Rules and the data protection principles. The Charity will therefore:

4.1.1 Ensure that, when personal information is collected (whether direct from the individual or from a third party), you are provided with a Privacy Notice and informed of what data is being collected and for what legitimate purpose(s);

4.1.2 Be transparent and fair in processing Personal Data;

4.1.3 Take steps to ensure the accuracy of data at the point of collection and at regular intervals thereafter, including advising you of your right to ask for rectification of Personal Data held about you;

4.1.4 Securely dispose of inaccurate or out-of-date data, or data which is no longer required for the purpose(s) for which it was collected;

4.1.5 Share information with others only when it is lawful to do so and ensure that individuals are informed of the categories of recipient to whom data will or may be disclosed and the purposes of any such disclosures;

4.1.6 Ensure that additional safeguards (as required by the Data Protection Rules) are in place to protect Personal Data that is transferred outside of the European Economic Area (the "EEA") (see section 8.4 of this Policy);

4.1.7 Ensure that data is processed in line with your rights, which include the right to:

( ) Request access to Personal Data held about you by the Charity (including, in some cases, having it provided to you in a commonly used and machine-readable format);

( ) Have inaccurate Personal Data rectified;

( ) Have the processing of your Personal Data restricted in certain circumstances;

( ) Have Personal Data erased in certain specified situations (in essence where the continued processing of it does not comply with the Data Protection Rules);

( ) Prevent the processing of Personal Data for direct-marketing purposes;

( ) Ask the Charity to prevent Processing of Personal Data which is likely to cause unwarranted or substantial damage or distress to you or any other individual; and

( ) Prevent, in some cases, decisions being made about you which are based solely on automated processing (i.e. without human intervention), and which produce legal or similarly significant effects on you;

4.1.8 Ensure that all those who work for or are otherwise associated with the Charity are aware of and understand the Charity's data protection policies and procedures; and

4.1.9 Adopt a Data Retention Schedule which sets out the periods for which different categories of Personal Data will be kept.

4.2 Through adherence to this Policy and related data protection policies, and through appropriate record-keeping, the Charity will seek to demonstrate compliance with each of the data protection principles.

4.3 In addition, the Data Protection Rules require the Data Controller to carry out a Data Protection Impact Assessment (a "DPIA") prior to undertaking any Processing of Personal Data that is "likely to result in a high risk for the rights and freedoms" of individuals. DPIAs will therefore be considered where appropriate in relation to the implementation of any new projects, services or systems which could result in a high privacy risk to individuals (particularly where new technology is being deployed). Please contact the DPO for guidance (see section 11 of this Policy).

5 RETENTION OF DATA

5.1 The Charity may retain data for differing periods of time for different purposes as required by statute or best practice and will incorporate these retention times into its processes and manuals as appropriate. Other statutory obligations, legal processes and enquiries may also necessitate the retention of certain data. The Charity may store some data of employees such as names, addresses, date of birth, date of joining, date of leaving, job title, photographs, etc. indefinitely in its archive.

5.2 The Charity follows the retention periods recommended by the Information Commissioner in its Employment Practices Data Protection Code as follows for HR Related records:

Retention periods for HR related records

Record | Duration of retention
Application form/CV/Covering letter etc. | 
References received | 1 year
Payroll and tax information | 6 years
Sickness records | 3 years
Annual leave records | 2 years
Unpaid leave/special leave records | 3 years
Annual appraisal/assessment records | 5 years
Records relating to promotion, transfer, training, disciplinary matters | 1 year from end of employment
References given/information to enable references to be provided | 5 years from reference/end of employment
Summary of record of service, e.g. name, position held, dates of employment | 10 years from end of employment
Records relating to accident or injury at work | 12 years
Applications and CVs of unsuccessful candidates | 6 months
Disclosure and Barring Service (DBS)/Disclosure Scotland/PVG documents (the HR database record of whether a check has yielded a satisfactory or unsatisfactory result is retained under the Criminal records check policy and procedure) | 6 months

6 DATA SECURITY & RESPONSIBILITIES OF ALL THOSE WHO WORK FOR OR ARE OTHERWISE ASSOCIATED WITH THE CHARITY

6.1 The Charity must ensure that appropriate technical and organisational security measures are in place to prevent unauthorised or unlawful Processing or damage to or loss (accidental or otherwise), theft, or unauthorised disclosure of Personal Data (a "Data Breach"). In particular, all those who work for or are otherwise associated with the Charity should ensure that:

6.1.1 The only individuals who have access to Personal Data and are able to process it are those who are authorised to do so;

6.1.2 Personal Data is stored only on the central Charity computer system or on local PCs, and not on portable electronic devices or removable storage media;

6.1.3 Passwords are kept confidential, are changed regularly and are not shared between individuals;

6.1.4 PCs are locked or logged off and paper documents are securely locked away when individuals are away from their desks;

6.1.5 Offices, desks and filing cabinets/cupboards are kept locked if they contain Personal Data of any kind, whether in electronic format or on paper;

6.1.6 When destroying Personal Data, paper documents are securely shredded and electronic data is securely deleted; and

6.1.7 Personal Data removed from an office is subject to appropriate security measures, including keeping paper files in a place where they are not visible or accessible by the public; using passwords/passcodes; encrypting portable electronic devices and storing such devices securely (e.g. not left in the boot of a car overnight).

Further detail on the Charity's requirements in relation to IT security are set out in the IT Security Policy.

6.2 In the event that you become aware that there has been a Data Breach, you must report this immediately to the DPO. Contact details for the DPO can be found in section 11 of this Policy.

7 PRIVACY NOTICE

7.1 When any Personal Data is collected from an individual, they must be provided with a Privacy Notice. The Privacy Notice provides information about what, why and how information is processed.

8 PROCESSING, DISCLOSURE AND SHARING OF INFORMATION

The Charity processes personal data for a number of different purposes, including:

8.1 DISCLOSING PERSONAL DATA

Lawful Grounds for Processing of Personal Data Examples
Where we have an individual's consent
  • Posting photographs of an individual on the Charity or FTF website
  • Sending individuals marketing or fundraising communication by email or SMS
Where it is necessary for the performance of a contract to which an individual is party
  • Where an individual enters into an agreement to use/be resident in one of our facilities
Where it is necessary for compliance with a legal obligation
  • Passing on information to a local authority or the Charity Commission
Where it is necessary to protect the vital interests of an individual
  • Passing on information to the Police
  • Passing on information about an individual's serious health condition to the NHS or a health professional where there is a risk of death or serious injury to that person or another individual
Where it is necessary for performance of a task in the public interest
  • Updating and maintaining information for CQC where the information can be in the public domain
  • Covid vaccination confirmation
Where it is necessary for the purposes of the legitimate interests pursued by the Charity or a third party
  • Using service user data in the early stages of support to plan for support in later stages
Lawful Grounds for Processing of Special Categories of Data Examples
Where we have an individual's explicit consent
  • To cater for an individual's dietary or medical needs at an event
Where it is necessary for compliance with a legal obligation
  • Passing on information to the local authority
Where it is necessary to protect the vital interests of an individual
  • Passing on information to the Police
  • Passing on information about an individual's serious health condition to the NHS or a health professional where there is a risk of death or serious injury to that person or another individual
Where it is carried out in the course of the Charity's legitimate activities
  • Using service users' health related data for visits or activities
Where information has manifestly been made public
  • Referring to a public figure who is well known as a member of the Charity, and/or as a Catholic
Where we are establishing, exercising or defending legal claims
  • Providing information to our insurers or lawyers in connection with legal proceedings
Where the processing is for reasons of substantial public interest
  • Where steps are taken to prevent fraud or other dishonest activity
Where the processing is necessary for archiving historical records
  • Maintenance of charity records

8.1.1 When receiving telephone or email enquiries, you should exercise caution before disclosing any Personal Data. The following steps should be followed:

( ) Ensure the identity of the person making the enquiry is verified and check whether they are entitled to receive the requested information;

( ) Require the enquirer to put their request in writing so that their identity and entitlement to receive the information can be verified if the information is particularly sensitive and/or you are not confident the person is entitled to the information;

( ) If there is any doubt, refer the request to the DPO for assistance (particularly where Special Categories of Personal Data are involved); and

( ) When providing information, ensure that Personal Data is securely packaged and sent by the most appropriate means (e.g. special delivery, courier or hand delivery) in accordance with the Data Protection Rules, the Privacy Notice and this Policy.

8.1.2 Please remember that individuals are only entitled to obtain information about themselves and not any other third parties.

8.2 DATA PROCESSORS

8.2.1 The Charity may instruct another body or organisation to process Personal Data on its behalf as a Data Processor (e.g. a HR provider, payroll provider, a third party IT provider, Occupational Health provider, DBS Organisation). In such situations, the Charity will share necessary information with the Data Processor, but will remain responsible for compliance with the Data Protection Rules as the Data Controller.

8.2.2 Personal Data will only be transferred to a third-party Data Processor if the DPO is satisfied that the third party has in place adequate policies and procedures to ensure compliance with the Data Protection Rules. There should also be a written contract in place between the Charity and the Data Processor, which includes provisions to ensure that the Data Processor complies with the requirements of the Data Protection Rules.

8.3 THIRD PARTY REQUESTS

8.3.1 The Charity may from time to time receive requests from third parties for access to documents containing Personal Data. The Charity may disclose such documents to any third party where it is legally required or permitted to do so. Such third parties may include health professionals, the Police and other law enforcement agencies, the Charity Commission, HR Provider, DBS Provider, HMRC, other regulators, immigration authorities, insurers, local authorities, Courts and Tribunals or organisations legitimately seeking references.

8.3.2 Anyone in receipt of any verbal or written request from any person for access to, or disclosure of, any Personal Data outside of normal Charity operations must immediately contact the DPO.

8.4 TRANSFERS OF PERSONAL DATA OUTSIDE OF THE EEA

8.4.1 The Data Protection Rules require Data Controllers to put additional safeguards in place when transferring Personal Data outside of the EEA (e.g. to the Vatican). Additionally, such transfers can only take place on a number of legal grounds. However, the Charity may transfer Personal Data outside of the EEA where requested by you, on the basis of your informed consent.

8.5 SUBJECT ACCESS REQUESTS (SARs)

8.5.1 You may exercise your rights as set out above (e.g. the right of access to the Personal Data which the Charity holds about you, or the right to have Personal Data erased). Any and all such requests should immediately be referred to the DPO.

8.5.2 To be valid, a Subject Access Request must be made in writing (including requests made via email or on social media) and provide enough information to enable the Charity to identify you and to comply with the request.

8.5.3 All Subject Access Requests will be dealt with by the DPO. Anyone receiving a Subject Access Request (or something which they believe might be a subject access request) must forward it to the DPO immediately in order that such requests can be replied to within the strict deadlines set out in the Data Protection Rules (generally one month from the date of the request).

8.5.4 No fees will be charged for dealing with Subject Access Requests unless a request is considered to be manifestly unfounded, excessive or repetitive. Fees may be charged to provide additional copies of information previously provided. Where the Charity considers a request to be manifestly unfounded, excessive or repetitive, the Charity may lawfully refuse to respond and, if so, the DPO will inform you of this in writing within the one-month period.

9 FUNDRAISING AND MARKETING

9.1 Any use of Personal Data for marketing (including fundraising) purposes must comply with the Data Protection Rules and the Privacy and Electronic Communications Regulations (the "PECR") (and any replacement legislation), which relate to marketing by electronic means.

9.2 You have a right to object to your Personal Data being used for electronic marketing purposes. You must be informed of your right to object when your data is collected. If an objection is received, no further marketing or fundraising communications must be sent to you.

9.3 The PECR requires that the Charity has the prior consent of recipients in certain circumstances before it sends any unsolicited electronic messages for the purpose of fundraising, or other marketing activities (e.g. events).

10 MONITORING AND REVIEW

10.1 This policy will be reviewed every 12 months and may be subject to change.

11 CONTACTS

11.1 Any queries regarding this Policy should be addressed to the Data Protection Officer, Mark James, who can be contacted by email at DPO@psmgs.org.uk, by telephone on 07443 577 577.

11.2 Complaints will be dealt with in accordance with the Charity's Complaints Policy.

11.3 Further advice and information can be obtained from the Information Commissioner's Office at www.ico.org.uk

12 GLOSSARY

"Data Controller" means a person, organisation or body that determines the purposes for which, and the manner in which, any Personal Data is processed. A Data Controller is responsible for complying with the Data Protection Rules and establishing practices and policies in line with them.

"Data Processor" means any person, organisation or body that Processes personal data on behalf of and on the instruction of the Charity. Data Processors have a duty to protect the information they process by following the Data Protection Rules.

"Data Subject" means a living individual about whom the Charity processes Personal Data and who can be identified from the Personal Data. A Data Subject need not be a UK national or resident. All Data Subjects have legal rights in relation to their Personal Data and the information that the Charity holds about them.

"Personal Data" means any information relating to a living individual who can be identified from that information or in conjunction with other information which is in, or is likely to come into, the Charity's possession. Personal Data can be factual (such as a name, address or date of birth) or it can be an opinion (e.g. a performance appraisal). It can even include a simple email address. A mere mention of someone's name in a document does not necessarily constitute Personal Data, but personal details such as someone's contact details or salary (if it enabled an individual to be identified) would fall within the definition.

"Processing" means any activity that involves use of Personal Data. It includes obtaining, recording or holding the information or carrying out any operation or set of operations on it, including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring or disclosing Personal Data to third parties.

"Special Categories of Personal Data" (previously called sensitive personal data) means information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, or sex life or sexual orientation. It also includes genetic and biometric data. Special Categories of Personal Data can only be processed under strict conditions and such processing will usually, although not always, require the explicit consent of the Data Subject.