Data Protection and Retention Policy
Definitions
”Data Protection Legislation”
This term refers to the Data Protection Act 1998, the Privacy and Electronic Communications Regulations (EC Directive) Regulations 2003 (SI 2426/2003 as amended), and all applicable laws and regulations, including any replacement UK or EU data protection legislation relating to the Processing of Personal Data, including, where applicable, the guidance and codes of practice issued by the Information Commissioner’s Office.
“UK-GDPR”
The UK General Data Protection Regulation and Data Protection Act 2018 is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the United Kingdom and European Union. The Regulation came into full effect in May 2018 and the UK version ensures that the UK is in alignment with the European Union’s GDPR.
”Personal Data”
This term refers to any information that can be used to identify a living individual. Such data could include but isn't limited to:
- Name
- Address (email or postal)
- Telephone number
- Employment records
- Photographs
- Video footage
”Data subject”
This term refers to the living individual whom the personal data refers to.
”Sensitive Data” or ‘Special Category Data’
This term refers to any information relating to an individual’s:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data (where used for identification purposes)
- health
- sex life
- sexual orientation
”World Without Orphans Europe“
This term refers to all those working for World Without Orphans Europe (WWO Europe), whether in a paid capacity or as a volunteer.
Purpose of Policy
This policy exists to set out how the data protection legislation impacts on the work of WWO Europe and what WWO Europe’s plans and policies are to maintain compliance.
This legislation is concerned with the protection of human rights in relation to personal data. The aim of the Legislation is to ensure that personal data is used fairly and lawfully and that where necessary the privacy of individuals is respected.
During the course of the activities of WWO Europe, we will collect, store and process personal data and we recognise that the correct and lawful treatment of this data will maintain confidence in WWO Europe. This policy sets out the basis on which we will process any personal data we collect from, or is provided by, the data subject.
Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the WWO Europe Data Protection Coordinator (Richard Procter, Leading Coordinator).
Lawful Bases
Under the UK General Data Protection Regulation and Data Protection Act 2018 we are only permitted to process data as long as it is necessary, and as long as it can be justified under any of the six lawful bases as set out by the regulation. WWO Europe’s lawful bases for processing personal data are:
- Consent
Consent must be given in response to clear, concise and granular information with a positive opt in option and no pre-ticked boxes. It cannot be used as a pre-condition of a service and must be easy to withdraw at any point - Legitimate Interest
We can process personal data if we can a) identify that we have a legitimate interest, b) show that processing the data is necessary to achieve the legitimate interest and c) prove that we’ve considered and balanced the individual’s rights and freedoms. - Contract
We can process personal data if a) it fulfils a contractual obligation, or b) we have been asked to do something before entering into a contract.
Data Protection Statement
WWO Europe will ensure that a data protection statement is given at every point of personal data collection. For example:
WWO Europe will never pass on your details to third parties for marketing purposes, and you can unsubscribe from our communications at any time, by emailing (europe@worldwithoutorphan.org). Find out how WWO Europe looks after and uses your data in our Privacy Policy.
We also recognise that a relevant privacy statement will also be necessary at every point of personal data collection, however that privacy statement will depend on the context that the data subject is providing their personal data in. For more information please speak to the data protection coordinator.
WWO Europe is a separate entity from WWO Global. Personal data is not shared between the two organisations without consent of the data subject. When data is collected jointly – it will be clearly stated that the data will be processed by both WWO Europe and WWO Global.
Data will only be used for the specific purpose collected. (For example, if booking into an event the data will only be used in connecting to this event – separate consent will be required before a data subject starts receiving monthly newsletters).
Processing of Personal Data
All personal data should be processed in accordance with the Legislation and this policy. Any breach of this policy by staff may result in disciplinary action. Volunteers breaking this policy may forfeit their right to serve as a volunteer or have access to data.
Processing includes obtaining, holding, maintaining, using, storing, erasing, blocking and destroying data.
Personal data is data relating to a living individual. It includes employee data, volunteer data and any data relating to those who are in contact with us. It will not include data relating to a company or organisation, however any data relating to individuals will be treated as personal data. Personal data can be factual (for example a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
Employees and volunteers who process data on behalf of WWO Europe should assume that whatever they do with personal data will be considered as processing. Individuals should only process data:
- If they have consent to do so; or
- If it is necessary to fulfil a contractual obligation or as part of the employer/employee relationship;
- It is considered to be of legitimate interest by the WWO Europe Data Protection Coordinator, after discussion with relevant parties
WWO Europe has a responsibility for processing personal data in a way that is compliant with the legislation. This means that all personal data must be collected and processed in a way that is:
- Lawful, fair and transparent
- Specific, explicit and legitimate
- Adequate, relevant and limited
- Accurate and up to date
- Kept within a clear timescale (as stated in our retention policy below and set out in Appendix 1)
- Used in a way that complies with the individual's rights (as stated below)
- As secure as possible
- Not transferred outside the European Economic Area
Monitoring the use of Personal Data
WWO Europe is committed to ensuring that this policy is understood and put into practise on every level. To ensure that the commitment to data protection remains a priority for us, the following steps will be taken:
- Data Protection and Data Security training will become a key component of the WWO Europe induction process for all new staff and volunteers
- Regular compulsory Data Protection and Data Security training will be made available to all staff
- All staff will remain diligent with data protection keeping all the data that they are responsible for up to date and accurate as well as secure
- DPIA (data protection impact assessments) spot checks will be completed periodically
- Data security checks will be completed on a 12 monthly basis ensuring that all personal data is kept secure (both digitally and physically)
- Limited and specific permissions will be given on our cloud-based folder where all personal data is stored, meaning that access to personal data will be available only to those who need it.
Handling and Security of Personal Data
We will take appropriate technical and organisational steps to guard against unauthorised or unlawful processing ensuring that staff and volunteers who handle personal data are adequately trained and monitored.
We will ensure that passwords and physical security measures are in place to guard against unauthorised disclosure.
All digital personal data will be kept secure on our database spreadsheet – which is stored in a secure, cloud-based, folder. Any physical personal data will be locked away securely in filing cabinets and destroyed when no longer needed. Access to this data will be restricted.
We will take particular care of sensitive data and security measures will reflect the importance of keeping sensitive data secure.
Security policies and procedures will be monitored on an ongoing basis (every 12 months) and reviewed to ensure data is being kept secure.
Where personal data needs to be deleted or destroyed adequate measures will be taken to ensure data is properly and securely disposed of. This will include destruction of files and back up files and physical destruction of manual files by shredding.
All data will be stored in a secure location and precautions will be taken to avoid data being accidentally disclosed.
When distributing information to an open group email addresses must be blind copied.
All staff will be trained in appropriate data security measures for working from.
Sensitive Data
We will strive to ensure that sensitive data is accurately identified on collection so that the necessary safeguards can be put into place. The definition of “sensitive data” has been identified above.
Employee sickness records may contain sensitive data and as such will only be held with explicit permission from each employee or when one of the other conditions for processing sensitive data is satisfied.
The Rights of the individual
The Legislation gives individuals certain rights to know what data is held about them and what it is used for. These rights are listed below:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure (only applicable in certain circumstances)
- The right to restrict processing (only applicable in certain circumstances)
- The right to data portability
- The right to object
- Rights in relation to profiling
Any request for access to data under the Legislation should be made to the Data Protection Coordinator in writing. In accordance with the Legislation we will ensure that written requests for access to personal data are complied with within 30 days of receipt of a valid request.
When a written data subject access request is received the data subject will be given a description of a) the personal data, b) the purposes for which it is being processed, c) those people and organisations to whom the data may have been disclosed, d) be provided with a copy of the information in an intelligible form.
Data Retention Policy
- All personal data will be stored in accordance with the security requirements and in the most convenient and appropriate location having regard for the period of retention required (Appendix 1)
- Personal data must not be held for any longer than necessary, according to the context of the personal data (see Appendix 1)
- Any physical personal data that is to be disposed of will be carefully shredded
- Any electronic personal data that is to be disposed of will be carefully deleted from all locations where it was stored
Changes to this Policy
We reserve the right to change this or a privacy policy at any time. Where appropriate we will notify the relevant data subjects of any changes by mail or email.