Young Brent Foundation Data Protection Policy
Young Brent Foundation is fully committed to a policy of protecting the rights and privacy of all individuals in accordance with The Data Protection Act 1998. The policy applies to all voluntary and community member groups, partners, and YBF’s Board and Management Teams. Any breach of The Data Protection Act 1998 or YBF Data Protection Policy is an offence and, in that event, disciplinary procedures apply.
As a matter of good practice, other organisations and individuals working with the Young Brent Foundation, and who have access to personal information, will be expected to have read and complied with this policy. It is expected that any staff who deal with external organisations will take responsibility for ensuring that such organisations sign a contract agreeing to abide by this policy.
Data are protected by the Data Protection Act 1998, which came into effect on 1 March 2000. Its purpose is to protect the rights and privacy of individuals and to ensure that personal data are not processed without their knowledge, and, wherever possible, is processed without their consent.
The Act requires us to register the fact that we hold personal data and to acknowledge the right of ‘subject access’ for YBF members and staff who each have the right to copies of their own data.
Managing Data Protection
We will ensure that our details are registered with the Information Commissioner.
Data may be held by Young Brent Foundation for the following purposes:
1. Staff Administration
3. Realising the Objectives of a Charitable Organisation or Voluntary Body
4. Accounts & Records
5. YBF's own Marketing & Public Relations (never used by third parties)
6. Information and Databank Administration
7. Journalism and Media
8. For Processing purposes of member organisations
YBF’s Data Protection Key Principles & Summary
- YBF will fully uphold the Data Protection Act 1998 when dealing with personal information, including respecting the right of individuals under this Act.
- YBF will not hold information about individuals or groups without their knowledge and consent.
- YBF will only hold information for specific purposes. YBF will inform individuals what these purposes are, and inform them if those purposes change.
- YBF will only obtain data that is adequate, relevant and not excessive in relation to the purpose, or purposes, for which it is collected.
- YBF will make every effort to ensure that the data held is accurate and kept up-to-date, and will respond to any request from an individual or group to check the accuracy of the data that is held about them.
- YBF will not keep data processed for any purpose for longer than is necessary for that purpose.
- YBF will maintain secure data storage systems and policies ensuring that personal and organisational data is protected against unauthorised or unlawful processing. YBF will maintain procedures for all staff in the event of a data breach.
- Where possible, YBF undertakes to protect the anonymity and confidentiality of individuals and groups it supports when sharing information externally.
Data Protection in Practice
In terms of the Data Protection Act 1998, and as part of our commitment to accountability, YBF designates its Operations Manager, who is our responsible Officer, as our point of contact and compliance, and who acts as ‘data controller’. As an organisation, we determine the purpose for which, and the way in which, any personal data is, or will be, processed, strictly in accordance with the law, including upholding all data protection laws and principles. We will ensure that personal data is:
1. Fairly and lawfully processed
We will always put our logo on all paperwork, stating our intentions on processing data, and state if, and to whom, we intend to give the personal data. We will also provide an indication of the duration that the data will be kept.
2. Processed for limited purpose
We will not use data for a purpose other than those agreed by data subjects (voluntary and community group members, staff and others). If the data held by us is requested by external organisations for any reason, it will only be passed on if data subjects (voluntary and community group members, staff and others) agree. Also, external organisations must state the purpose of processing, agree not to copy the data for further use, and sign a contract agreeing to abide by The Data Protection Act 1998 and YBF's Data Protection Policy.
3. Adequate, relevant and not excessive
YBF will monitor the data held for our purposes, ensuring we hold neither too much, nor too little data in respect of the individuals about whom the data is held. If data given or obtained is excessive for any such purpose, it will be immediately deleted and / or destroyed.
4. Accurate and up-to-date
We will provide our members with a copy of their data once a year for information and update their data where relevant. All amendments will be made immediately and data no longer required will be deleted or destroyed. It is the responsibility of individuals and organisations to ensure the data held by us is both accurate and up-to-date. Completion of an appropriate form (which we will provide) will be accepted to mean that the data it contains is true and accurate. Individuals should notify us of any changes, to enable records to be updated accordingly. It is the responsibility of YBF to act upon notification of changes to data, amending them where relevant.
5. Not kept longer than necessary
We discourage the retention of data for longer than it is required. All personal data will be deleted or destroyed by us after one year after non-membership has elapsed.
6. Processed in accordance with the individual’s rights
All individuals that YBF holds data on have the right to:
1) Be informed, upon request, of all the information held about them within 30 days.
2) Prevent the processing of their data for direct marketing.
3) Have any inaccurate data about them removed and corrected.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data.
All YBF computers have a login system and our Contact Database is password protected, which allows only authorised staff to access personal data. Passwords on all computers are changed frequently. All personal and financial data is kept in a locked filing cabinet and can only be accessed by the Executive officers. Staff members using laptops or other information-holding devices outside of the office will exercise care to ensure that any personal data on screens or devices is not visible to strangers and is confined to those with authority to view it.
8. Not transferred to countries outside the European Economic Area, unless the country has adequate protection for the individual
Our data must not be transferred to countries outside the European Economic Area without the explicit consent of the individual. YBF takes care to protect data when publishing information on the Internet, which can be accessed from anywhere in the world. This is because transfer includes placing data on a web site that can be accessed from outside the European Economic Area.
In addition to current Data Protection Laws in force at August 2017, YBF is working towards compliance with The General Data Protection Regulations (Regulation 2016/679), which entered into force on 25th May 2016 and will apply as law in the UK from 25th May 2018. For more information on YBF's work towards these, kindly see below:
Fair Processing Notice
All our contacts' and members' rights will be upheld, including the ability to withdraw consent for the use or storage of their data at any stage, by giving written notice. Members' data will be stored for the period of their membership.
Data breach Notification
Our data controller will notify any high-risk and other data breaches to the DPA. This will be done without undue delay and, where feasible, within 72 hours of awareness. YBF will provide a reasoned justification if, for any reason, this timeframe is not met. In some cases, the data controller will also notify a selected data subject, without undue delay.
Data controllers will notify relevant data breaches to the DPA.
Additionally, this is in line with the UK ICO, which under current regulations already expects to be informed about all “serious” data breaches, accepting that notifications do not need to be made to the DPA if the breach is unlikely to result in a risk to the rights and freedoms of individuals, only in cases where there is likely to be a “high risk” to data subjects and their rights and freedoms.
DATA SUBJECTS’ RIGHTS
YBF will uphold our members' rights to require the supply of information about data being processed about them, and access to the data in certain circumstances, including the right of correction of any data about them which is inaccurate.
Members have a right to restrict certain processing. We uphold our members' rights to ensure no personal data being processed by us is used for direct marketing purposes.
Members and individuals can also ask to receive their personal data in a structured and commonly used format so that it can easily be transferred to another data controller (this is known as “data portability”).
Rights of Erasure
This is the “right to be forgotten”, or the “right of erasure” as it has become known. Individuals can at any time, should they wish, request our data controller to erase their personal data. The data controller will do so without undue delay and will observe our obligation to take reasonable steps to inform any third parties, to ensure that the data subject's request for erasure is acted upon, by removing any links to, or copies of, that data.