The protection of private and sensitive data held by businesses is one of the most regulated issues in the business sector. Organisations that fail to protect the data they use can find themselves in trouble with the law, facing significant fines and even imprisonment. The risk to the company and its operations from corrupted data and loss of reputation can also be devastating. Since 25th May 2018 the new General Data Protection Regulations (GDPR) also require businesses to be much more open and clear about the data they hold, how they use it and how they protect it.
In order to operate efficiently, we collect information about people we engage with; these may be members of the public, current, past and prospective employees, funded bodies and suppliers. The protection of this private and sometimes sensitive data is of paramount importance to us.
This policy exists to ensure Dudley Canal and Tunnel Trust (DCTT) understands what is required of it in terms of collating, handling and storing individuals’ personal data, and also what rights individuals and other organisations have to access that data. It is accepted that business-to-business data is not as heavily regulated, but DCTT will still do all it can to ensure all data held is handled with care and sensitivity.
This policy has been drawn up in recognition of the requirements of the Data Protection Act 1998, the Privacy of Electronic Communication Regulations and the 2018 General Data Protection Regulations (GDPR). These rules apply regardless of whether information is stored electronically, on paper or through other means.
The Data Protection Act is underpinned by eight important principles. These say that personal data must –
Be collected and processed fairly and lawfully.
Be obtained only for specific lawful purposes.
Be adequate, relevant and not excessive.
Be accurate and kept up to date.
Not be held for longer than necessary.
Be processed in accordance with the rights of data subjects.
Be protected in appropriate ways.
Not be transferred outside the European Economic Area (EEA) unless the data is managed and protected as per the EU regulations.
This policy applies to all Trustees, Directors, Staff, Volunteers, Supporters, Contractors, Suppliers and others working for or representing DCTT.
It applies to all data that the company holds relating to identifiable individuals, even if it falls outside of the Data Protection Act 1998. Data can include –
Names of individuals.
Any other indirect information relating to individuals, such as physical, economic or social identity, which can be traced back to an individual.
This policy will help protect the Trust from data security risks including –
Breaches of confidentiality – i.e. information given out inappropriately.
Failing to offer clear choice – i.e. all individuals should opt in to giving permission for DCTT to use their data.
Reputational damage – i.e. hackers gaining access to sensitive data.
Policies and procedures that are difficult to understand and cause confusion.
Everyone who works for or supports DCTT has a responsibility to ensure data is collected, stored and handled appropriately. Anyone who handles personal data must ensure it is handled, processed and stored in line with this policy and the Data Protection Principles. Where sensitive or large-scale data is to be processed which is likely to result in a high risk to an individual, a Data Protection Impact Assessment will be carried out.
LAWFUL BASES FOR PROCESSING
At DCTT we recognise the following lawful bases for processing data.
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
KEY AREAS OF RESPONSIBILITY
Due to the limited data stored, and the fact that DCTT does not meet the threshold at which a Data Protection Officer is required, the decision has been to identify from the existing team a Data Controller and Data Processors. This is because:
DCTT does not rely on the managing of data for its core business purpose.
DCTT does not handle large volumes of data.
DCTT does not handle large-scale sensitive data.
DCTT is not a public authority.
The Board of Directors/Trustees is ultimately responsible for ensuring DCTT meets all its legal obligations.
The CEO, acting as the Data Controller, is responsible for setting the procedures for handling, processing and using data for the organisation. This includes the following.
Keeping the board up to date with Data Protection responsibilities, risks and issues.
Reviewing all data protection procedures and related policies.
Arranging data protection training and advice for all covered by this policy.
Handling requests from individuals for information about, access to, or disposal of data held about them.
Checking any contracts or agreements with third parties that may handle the company’s sensitive data.
Reporting any breaches of data and representing the organisation during any investigations concerning breaches or mismanagement of data.
The Data Processors are made up of members of the Management Team, Trustees and any staff who routinely handle data as part of their role. This includes ticket and catering staff. They are responsible for the following.
Collating and storing data as per the guidelines.
Following procedures to safeguard data, ensuring it is regularly reviewed and kept up to date.
Keeping an audit trail of data held, removed and managed.
Passing on to the Data Controller any Subject Access Requests, or any requests for data to be removed or transferred.
Informing the Data Controller of any breaches.
Your data will/may also be made available to our website provider to enable us and them to deliver their service to us, and to carry out analysis and research on the demographics, interests and behaviour of our users and supporters, to help us gain a better understanding of them and so improve our services. This may include connecting data we receive from you on the website to data available from other sources. Your personally identifiable data will only be used where it is necessary for the analysis required, and where your interest in privacy is not deemed to outweigh their legitimate interest in developing new services for us. In the case of this activity the following will apply:
Your data will/may be made available to our website provider.
Our website provider will not transfer your data to any other third party, or transfer your data outside of the EEA.
They will store your data for a maximum of 7 years.
RAISING AWARENESS/UNDERSTANDING OF DATA PROTECTION
A range of systems and processes have been put in place to ensure all within the organisation are aware of the need to handle data in the prescribed ways. This has included circulation of policies to all, presentations at Board meetings, staff training and one on one meetings with staff.
Information has been put in the Legger Magazine for all members.
Data Protection and Social Media Policies have been updated and circulated to Managers, Board members, Staff and Volunteers.
Staff Training has been delivered.
Board Presentation/Training has been delivered.
Enterprise Presentation/Training has been delivered.
Internal & External Data Protection Privacy Statements have been circulated and are on the DCTT website.
Data Processor training has taken place.
New Subject Access Request Forms have been developed.
A dedicated email address for data protection (firstname.lastname@example.org) has been set up and circulated.
All departments have registered data they hold and a review shows we hold the following personal data.
Members contact information.
Staff HR information (Name/Address/Contact/Bank Information/Training/Disciplinary/Health Information/Next of Kin).
Volunteer contact and engagement information, including Safeguarding Information.
Cavern Explorers contact information.
Corporate/Hospitality Bookings (this may include dietary and access information).
Gift Aid contact information.
Work Party contact information.
Historic Boat Volunteer contact information.
Visitor Contact Information.
Accident Form Information (this may include name, address, phone/email details and injury details).
Social Media posts onto our sites.
The law requires that DCTT takes reasonable steps to ensure data is kept accurate and up to date. This will be done as required, but to safeguard this there will be an all-department 6-month purge in which all data is reviewed and removed if no longer required.
Any data found to be inaccurate during routine use will be immediately updated or removed.
Data will only be held in necessary places; these will be kept to a minimum number of secure areas.
The only people able to access the data are those who need it to complete their duties.
Mail Chimp is used to send out emails and information to multiple recipients.
Where staff contact details are stored on personal phones for emergency use the phones are password protected.
Personal paper data is stored in locked cabinets/cupboards.
All employees’ computers are password protected. This password is changed regularly.
Visitors use an online booking system to pay for trips. Where they want DCTT to book on their behalf, we use the same online booking system, so we do not hold payment information. If details are taken for payment outside of this system, the information is shredded/deleted as soon as it is no longer required.
Visitor contact information is held for advance trip bookings and event/corporate service provision. This is held until the trip/service has been successfully delivered and there is no longer a need to contact the individual.
Professional service providers are used for payroll and HR disputes.
6-monthly reviews and data purges are held to check whether data is still required, up to date and adequately protected.
All Managers and Trustees have business email addresses.
An audit of how data has been collated has been undertaken to ensure all data has been correctly obtained.
Paper data is shredded once no longer required.
Computers are backed up each night to our server.
Our server is backed up.
Up to date Firewall and server protection is in place.
Emails containing sensitive data are encrypted or password protected before they are sent.
All personal data is stored centrally on an agreed drive not on employees’ home computers.
USB sticks containing sensitive data will be password protected and stored in a secure location.
Sensitive data is not stored on laptops or mobile devices.
When working with sensitive data screens are locked if the computer is left unattended.
Marketing databases are regularly reviewed and updated.
Where required a Data Protection Impact Assessment will be undertaken prior to the processing of sensitive data.
SUBJECT ACCESS REQUESTS/RIGHT TO ERASURE
All individuals who are the subject of personal data held by DCTT are entitled to
Ask what information the company holds about them and why.
Ask how to gain access to it.
Ask how the information is gained, rectified and kept up to date.
Ask how the company meets its data protection obligations.
Ask the company to transfer their data to a third party (data portability).
Exercise their right to object to processing or automated decision making, or request erasure.
Ask the company to restrict processing/profiling.
DCTT will ensure that individuals are aware how their data is being used and how they can exercise their rights to request information. For the general public a privacy statement has been made available on the DCTT website. For staff a copy has been issued to all employees.
If an individual contacts the company requesting access to their information, this is called a Subject Access Request.
A Subject Access Request form should be requested by email, addressed to email@example.com, or by phone on 0121 5576265.
The Data Controller will verify the identity of anyone making a subject access request before sharing any information.
Information will be supplied within ICO timeframes and the individual will not be charged for this service unless it is found that requests are excessive or unfounded.
Where the Data Controller refuses the request, we will inform the individual why, and inform them of their right to complain to the supervisory authority and to seek a judicial remedy. We will do this without undue delay, ensuring they are informed within the 28-day period of the request.
In some circumstances, the GDPR allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. The Data Controller will ensure the request is legitimate and seek assistance from the Board and legal advisers before handing information over.
REPORTING OF BREACHES
Where a breach of “security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” has occurred, the Data Controller will inform the ICO within 72 hours of becoming aware of it if the breach is likely to “result in a risk for the rights and freedoms of individuals”, for example where it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify those concerned directly.
Where we are requested to transfer data, this only applies in the following circumstances.
DCTT will transfer personal data that an individual has provided to us where the data processing has been carried out by automated means.
The data will be provided in a machine-readable format.