Introduction
Thank you for reading this Policy! We are required to have it and to follow it by law. Here is our explanation of it:
We, Screw Cancer Limited have received information, including contract information from friends and supporters, in the course of launching and fundraising for the charity. We will continue to need to be able to receive, gather, retain and use certain personal information in the ordinary course of running the charity and for all purposes reasonably related to doing so.
The information concerned, which we need to be able to receive, gather, retain and use includes information about friends, supporters, donors, volunteers, suppliers, service users, facilities users, and business contacts; directors, members and employees of Screw Cancer Limited; people to whom we are introduced by any of them, and any other people we have a relationship with or may need to contact.
This policy describes how Screw Cancer Limited must collect, handle and store the data comprising that information in order to meet data protection standards and to comply with the law.
Why this policy exists
This data protection policy ensures that:
Data protection law
The General Data Protection Regulation (EU 2016/679) (GDPR) regulates how organisations collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored and disposed of safely and not disclosed unlawfully. The GDPR is underpinned by six important principles to which we will adhere. These say that personal data shall be:
Policy scope
This policy applies to us and all staff, Trustee Directors, volunteers, contractors, suppliers and other people processing personal data on behalf of us. It applies to all data that we hold relating to identifiable individuals. This can include for example:
Data Protection Risks
This policy helps to protect us from some very real data security risks, including:
Responsibilities
Everyone who works for or with us has some responsibility for ensuring personal data is collected, stored and handled appropriately.
All Trustee Directors, staff, and volunteers are required to respect the confidentiality of personal data, to take all reasonable measures to ensure its security while in their position, and to return or securely destroy/delete personal data held on the congregation’s behalf when they leave their position.
Everyone who handles personal data must ensure that it is handled and processed in line with this policy and data protection principles. Failure to comply with the data protection policy and principles is a serious offence and in the case of staff could result in disciplinary action.
However, the following have key areas of responsibility:
General Staff Guidelines
Our staff, Trustee Directors and volunteers will refer a request to the Board of Directors for assistance in difficult situations. Individuals should not be pressurised into disclosing personal information.
Data Collection
In accordance with data protection legislation the main legal basis for collecting personal data on our members, staff, volunteers, service users and those affiliated with us will be on the basis that it is necessary for us to hold said data for the purposes of legitimate interests which are not overridden by the interests of the data subject. In respect of certain types of sensitive data (and in particular data revealing health issues of the data subject) this data will be held on the basis that it is processed in the course of the legitimate activities of a not-for-profit health charity and will not be disclosed outside of that body without the consent of the data subject.
Other legal bases will also apply such as employment law, contract law, etc. There are particular provisions under the General Data Protection Regulation when the legal basis being relied upon is consent. In certain circumstances we may need to seek your consent to process your personal data, particularly if it is outside of our normal day to day activities or it would involve sharing your personal data with a third party. If this is necessary then your consent will be informed consent. Informed consent is when
Processing in line with Data Subject’s Rights
We will process all personal data in line with data subjects' rights, in particular their right to:
Data Storage
These rules describe how and where data should be safely stored and the security measures implemented by us. Questions about storing data safely can be directed to the Data Protection Lead.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it. These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts. It must be password protected and encryption should also be considered:
Data Retention and Secure Destruction
Personal data will not be retained longer than necessary, in relation to the purpose for which such data is processed. We will ensure that secure storage/archiving periods are clearly defined for each type of data and ensure confidential destruction of data when no longer required.
Data Use
Personal data is of no value to us unless we can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft and as such we adopt the following additional security measures:
Data Accuracy
The law requires us to take reasonable steps to ensure data is kept accurate and up to date. The more important it is that the personal data is accurate, the greater the effort we should put into ensuring its accuracy.
It is the responsibility of all staff, leaders and volunteers who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
Subject Access Requests
All individuals who are the subject of personal data held by us are entitled to:
If an individual contacts us requesting this information, this is called a subject access request.
Subject access requests from individuals should be made by e-mail or in writing and addressed to the Data Protection Lead. We can supply a standard request form, although individuals do not have to use this. The Data Protection Lead will aim to provide the relevant data within 14 days and in any event within 1 month.
The Data Protection Lead will always verify the identity of anyone making a subject access request before handing over any information.
Disclosing data for other reasons
In certain circumstances, the GDPR allows personal data to be disclosed to local authorities, law enforcement and statutory agencies without the consent of the data subject. Under these circumstances, we will disclose the necessary data. However, the Data Protection Lead will ensure the request is legitimate, seeking assistance and approval from the Board where necessary.
Service Users will be made aware in most circumstances how and with whom their information will be shared. There are circumstances where the law allows us to disclose data (including sensitive data) without the data subject’s consent. These include carrying out a legal duty and protecting vital interests of a member or other individual.
We regard the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.
Providing information to Data Subjects
We aim to ensure that individuals are aware that their data is being processed and that they understand:
To these ends, we will issue privacy notices as appropriate to members and those affiliated with our charity, employees, customers, suppliers, business contacts, and other individuals we have a relationship with or may need to contact, setting out how data relating to an individual is used by us, how to exercise their rights in relation to same including options available and how to raise a complaint.
A version of this statement will also be available on our website.
Security Breach Management
We have an incident response procedure in place so that any breach of data protection can be acted upon immediately. The breach will be internally investigated with appropriate remedial action taken and, where required, notification will further be made within 72 hours to the Information Commissioner’s Office/Data Protection Commissioner (as is applicable) and to those affected, providing details of the nature of the breach, its likely consequences and the mitigations being taken to address same.
Review
This policy and related data protection procedures will be reviewed on an annual basis by the Data Protection Lead to reflect best practice in data management, security and control and to ensure compliance with GDPR.
Signed:
Position:
Date:
Review Date:
Personal Data
Any information relating to an identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as: a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive Personal Data
Any data relating to: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health conditions, sexual life or sexual orientation, genetic data and/or biometric data. We process this data in respect of both our service users and our staff.
A Data Subject
An individual who is the subject of personal data, not including deceased individuals or individuals who cannot be identified or distinguished from others – e.g. statistics.
Data Processing
The operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Protection Lead
Is the person from time to time that has agreed with us to take on responsibility for ensuring that we abide by our data protection policies, to act as a point of contact for anyone with concerns as to how their information is being handled and generally to undertake the responsibilities as detailed in this policy.
Data Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing the data.
Data Processor
A natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
Pseudonymisation
Pseudonymisation takes the most identifying fields within a database and replaces them with artificial identifiers, or pseudonyms. For example, a name is replaced with a unique number. The purpose is to render the data record less identifying and therefore reduce concerns with data sharing and data retention.
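The following is an added illustration of the pseudonymisation described above; it is not code from Screw Cancer Limited or from this policy. It assumes a small set of constructed supporter records (invented names and addresses, not real people), treats the name and e-mail fields as the identifying ones, and derives each pseudonym with a keyed HMAC rather than a plain counter so that the same supporter always receives the same token without anyone lacking the key being able to recompute it from a guessed name. The token-to-original lookup table that the function returns is the "additional information" that must be kept separately from the pseudonymised records.

```python
import hashlib
import hmac

# Constructed sample records (fictional supporters) of the kind a charity
# might hold. Only the identifying fields are replaced; donation amount and
# postcode area are left in place because the analysis still needs them.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "donation_gbp": 25, "postcode_area": "SW3"},
    {"name": "Bob Example", "email": "bob@example.org", "donation_gbp": 10, "postcode_area": "SW3"},
    {"name": "Alice Example", "email": "alice@example.org", "donation_gbp": 40, "postcode_area": "SW3"},
]

# Assumed choice of which fields count as "most identifying" for this data.
IDENTIFYING_FIELDS = ("name", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Derive a stable artificial identifier for one field value.

    HMAC-SHA256 under a secret key gives the same token for the same value,
    so repeat donations by one supporter can still be counted together, but
    without the key the token cannot be recomputed from a list of candidate
    names. An unkeyed hash of a name would be reversible by that brute-force
    guessing, which is why the key matters.
    """
    normalised = value.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalised, hashlib.sha256).hexdigest()
    return "P-" + digest[:16]


def pseudonymise(records, key: bytes, fields=IDENTIFYING_FIELDS):
    """Return (pseudonymised_records, lookup_table).

    The lookup table maps each token back to the original value. It is the
    part that re-identifies people, so it is kept apart from the records it
    unlocks, with its own access controls and its own retention period.
    The input records are not modified.
    """
    pseudonymised = []
    lookup = {}
    for record in records:
        out = dict(record)
        for field in fields:
            if out.get(field) is not None:
                token = pseudonym(str(out[field]), key)
                lookup[token] = out[field]
                out[field] = token
        pseudonymised.append(out)
    return pseudonymised, lookup


def total_by_supporter(pseudonymised):
    """Show that analysis still works on pseudonymised data: sum donations
    per supporter using only the pseudonym, never the name."""
    totals = {}
    for record in pseudonymised:
        totals[record["name"]] = totals.get(record["name"], 0) + record["donation_gbp"]
    return totals


if __name__ == "__main__":
    import secrets

    key = secrets.token_bytes(32)  # generated once and stored apart from the data
    records, lookup = pseudonymise(SAMPLE_RECORDS, key)
    for record in records:
        print(record)
    print("totals per pseudonym:", total_by_supporter(records))
    print("lookup table (keep separately):", lookup)
```

Re-identification is only possible for someone holding both the key and the lookup table, so those two artefacts are where access control and secure destruction effort should go; the pseudonymised records themselves remain personal data under the GDPR, just lower-risk personal data.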
Encryption
Encryption is a mathematical function using a secret value — the key — that encodes data so that only users with access to that key can read the information. In many cases encryption can provide an appropriate safeguard against the unauthorised or unlawful processing of personal data, especially in cases where it is not possible to implement alternative measures.
Screw Cancer Limited is registered in England number 09982274
Registered Office 270 Kings Road London SW3 5AW
Screw Cancer Limited is a registered charity with the Charity Commission for England and Wales number 1167706
Copyright © 2021 Screw Cancer - All Rights Reserved