Aim and scope of policy
This policy applies to the processing of personal data in manual and electronic records kept by the Organisation in connection with its fundraising functions as described below. It also covers the Organisation’s response to any data breach and other rights under the General Data Protection Regulation and the Current Data protection Act.
This policy applies to the personal data of our website users. These are referred to in this policy as “relevant individuals”.
“Personal data” is information that relates to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, identification number, location, online identifier. It can also include pseudonymised data.
“Special categories of personal data” is data which relates to an individual’s health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership. It also includes genetic and biometric data (where used for ID purposes).
“Criminal offence data” is data which relates to an individual’s criminal convictions and offences.
“Data processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The Organisation makes a commitment to ensuring that personal data, including special categories of personal data and criminal offence data (where appropriate) is processed in line with GDPR and domestic laws and all its staff conduct themselves in line with this, and other related, policies. Where third parties process data on behalf of the Organisation, the Organisation will ensure that the third party takes such measures in order to maintain the Organisation’s commitment to protecting data. In line with GDPR, the Organisation understands that it will be accountable for the processing, management and regulation, and storage and retention of all personal data held in the form of manual records and on computers.
The Data Controller
Gordon Miller trading as Ride for Freedom 2019 is the data controller.
Types of data held
Personal data is kept in our IT systems and a paper filing system. The following types of data may be held by the Organisation, as appropriate, on relevant individuals:
- Name
- Address
- Email address
- Phone number
- Organisation name
- Organisation address
- Organisation email address
- Organisation phone number
Relevant individuals should refer to the Organisation’s privacy notice for website forms displayed when we collect your personal data for more information on the reasons for its processing activities, the lawful bases it relies on for the processing and data retention periods.
Data protection principles
All personal data obtained and held by the Organisation will:
- be processed fairly, lawfully and in a transparent manner
- be collected for specific, explicit, and legitimate purposes
- be adequate, relevant and limited to what is necessary for the purposes of processing
- be kept accurate and up to date. Every reasonable effort will be made to ensure that inaccurate data is rectified or erased without delay
- not be kept for longer than is necessary for its given purpose
- be processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisation measures
- comply with the relevant GDPR procedures for international transferring of personal data.
In addition, personal data will be processed in recognition of an individuals’ data protection rights, as follows:
- the right to be informed
- the right of access
- the right for any inaccuracies to be corrected (rectification)
- the right to have information deleted (erasure)
- the right to restrict the processing of the data
- the right to portability
- the right to object to the inclusion of any information
- the right to regulate any automated decision-making and profiling of personal data.
Procedures
The Organisation has taken the following steps to protect the personal data of relevant individuals, which it holds or to which it has access:
- it has staff with specific responsibilities for the processing and controlling of data.
- it provides information to the relevant individuals on their data protection rights, how it uses their personal data, and how it protects it. The information includes the actions relevant individuals can take if they think that their data has been compromised in any way.
- it provides its staff with information and training to make them aware of the importance of protecting personal data, to teach them how to do this, and to understand how to treat information confidentially.
- it can account for all personal data it holds, where it comes from, who it is shared with and also who it might be shared with.
- it recognises the importance of seeking individuals’ consent for obtaining, recording, using, sharing, storing and retaining their personal data, and regularly reviews its procedures for doing so, including the audit trails that are needed and are followed for all consent decisions. The Organisation understands that consent must be freely given, specific, informed and unambiguous. The Organisation will seek consent on a specific and individual basis where appropriate. Full information will be given regarding the activities about which consent is sought. Relevant individuals have the absolute and unimpeded right to withdraw that consent at any time.
- it is aware of the implications of international transfer of personal data internationally.
Access to data
Relevant individuals have a right to be informed whether the Organisation processes personal data relating to them and to access the data that the Organisation holds about them. Requests for access to this data will be dealt with under the following summary guidelines:
- The request should be made to Gordon Miller.
- the Organisation will not charge for the supply of data unless the request is manifestly unfounded, excessive or repetitive.
- the Organisation will respond to a request without delay. Access to data will be provided, subject to legally permitted exemptions, within 30 days as a maximum. This may be extended by a further two months where requests are complex or numerous.
Relevant individuals must inform the Organisation immediately if they believe that the data is inaccurate, either as a result of a subject access request or otherwise. The Organisation will take immediate steps to rectify the information.
Data disclosures
The Organisation may be required to disclose certain data/information to any person. The circumstances leading to such disclosures include:
- to answer your enquiry
- to supply information to IT support suppliers.
These kinds of disclosures will only be made when strictly necessary for the purpose.
Data security
The Organisation adopts procedures designed to maintain the security of data when it is stored and transported.
In addition, staff must:
- ensure that all files or written information of a confidential nature are stored in a secure manner and are only accessed by people who have a need and a right to access them.
- ensure that all files or written information of a confidential nature are not left where they can be read by unauthorised people.
- check regularly on the accuracy of data being entered into computers.
- always use the passwords provided to access the computer system and not abuse them by passing them on to people who should not have them.
- always comply with password complexity and renewal requirements.
- use computer and phone encryption technologies.
- use computer screen blanking to ensure that personal data is not left on screen when not in use.
Personal data relating to relevant individuals should not be kept or transported on laptops, USB sticks, or similar devices, unless authorised by senior staff. Where personal data is recorded on any such device it should be protected by:
- ensuring that data is recorded on such devices only where absolutely necessary
- using an encrypted system
- ensuring that laptops or USB drives are not left lying around where they can be stolen.
International data transfers
We share your personal data with bodies outside of the European Economic Area. This is worldwide and the reason for sharing this is for legitimate business interests such as obtaining funding. When we do so we ensure that our suppliers have a signed data protection agreement with us.
Breach notification
Where a data breach is likely to result in a risk to the rights and freedoms of relevant individuals, it will be reported to the Information Commissioner within 72 hours of the Organisation becoming aware of it and may be reported in more than one instalment.
Relevant individuals will be informed directly in the event that the breach is likely to result in a high risk to the rights and freedoms of that individual.
If the breach is sufficient to warrant notification to the public, the Organisation will do so without undue delay.
Training
All staff receive training covering basic information about confidentiality, data protection and the actions to take upon identifying a potential data breach.
All staff who need to use the computer system are trained to protect relevant individuals’ private data, to ensure data security, and to understand the consequences to them as individuals and the Organisation of any potential lapses and breaches of the Organisation’s policies and procedures.
Records
The Organisation keeps records of its processing activities including the purpose for the processing and retention periods. These records will be kept up to date so that they reflect current processing activities.
Data protection compliance
Gordon Miller is the Organisation’s appointed compliance officer in respect of its data protection activities and can be contacted at info@rideforfreedom.org