Data Protection Policy
- The policy is intended to set the parameters for the use of personal information in compliance with the General Data Protection Regulation (GDPR), in force from 25th May, 2018. The policy ensures that clients, employees, partners and other stakeholders are kept informed of our activities, have a right to examine personal information concerning themselves and to correct any errors or omissions that may arise.
- The Data Protection Policy covers all information held in our manual and computer files relating to Board Members, Directors, employees, volunteers, contractors, position applicants, clients, partners and other stakeholders.
- We are committed to being transparent about how we collect and use personal data, and to meeting our data protection obligations.
- We have appointed our Project Manager as Data Protection Officer. Their role is to inform and advise us on our data protection obligations.
“Personal data” is any information that relates to an individual who can be identified from that information. “Processing” is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.
“Special categories of personal data” means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.
“Criminal records data” means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.
- The policy is intended to set the parameters for the use of personal information. The policy and procedure are based on the following data protection principles, which state that personal data must be:
- Processed fairly, lawfully, and in a transparent way;
- Collected only for specified, explicit and legitimate purposes;
- Processed only where it is adequate, relevant and limited to what is necessary for the purposes of processing;
- We take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay;
- Not kept for longer than is necessary for processing;
- Processed in accordance with individuals’ rights;
- Secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage;
- Not transferred to countries outside of the UK without adequate protection and agreements in place.
- Information on our files is kept for one or more of the following purposes:
- Administration of personnel, payroll and associated functions (the performance of the employment contract and/or legal requirements i.e., processing data for HMRC for tax purposes);
- Appropriate response to incidents, accidents and emergencies (the performance of the employment contract and/or legal requirements i.e., complying with HSE regulations);
- The day-to-day running of its legitimate business.
- We can process your personal data for these purposes without your knowledge or consent. We will not use your personal data for an unrelated purpose without telling you about it and the legal basis that we intend to rely on for processing it.
- If you choose not to provide us with certain personal data you should be aware that we may not be able to carry out certain parts of the contract between us. For example, if you do not provide us with your bank account details, we may not be able to pay you. It might also stop us from complying with certain legal obligations and duties which we have such as to pay the right amount of tax to HMRC or to make reasonable adjustments in relation to any disability you may suffer from.
- The Company is registered with the Information Commissioner’s Office and the Head of Community Development is nominated as the Data Controller (DC).
- We collect and process personal information relating to members of staff/workers, as a necessary part of complying with our obligations under the contract of employment/contract of engagement and our legal requirements.
- We will inform individuals, in our privacy notices, of the purpose for which personal information is requested and processed, and of the legal basis for processing. We will not process personal data of individuals for other reasons. Where the Company relies on its legitimate interests as the basis for processing data, it will carry out an assessment to ensure that those interests are not overridden by the rights and freedoms of individuals.
- Where we process special categories of personal data or criminal records data to perform obligations or to exercise rights in employment law, this is done in accordance with specific documented considerations on special categories of data and criminal records data.
- We will update personal data promptly if an individual advises that their information has changed or is inaccurate.
- Personal data gathered during employment/engagement is held in the individual’s personnel file (in hard copy or electronic format, or both), and on HR systems. The periods for which we hold HR-related personal data are set out in our Employee Information Data Retention and Disposal Schedule (‘the Schedule’).
- The Company keeps a record of its processing activities in respect of personal data in accordance with the requirements of the GDPR.
- As a data subject, individuals have a number of rights in relation to their personal data.
Subject access requests
- Individuals have the right to make a subject access request. If an individual makes a subject access request, we will tell them:
- whether or not their data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from the individual;
- to whom their data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
- for how long their personal data is stored (or how that period is decided);
- their rights to rectification or erasure of data, or to restrict or object to processing;
- their right to complain to the Information Commissioner if they think the Company has failed to comply with their data protection rights; and
- whether or not the Company carries out automated decision-making and the logic involved in any such decision-making.
- We will also provide you with a copy of the personal data undergoing processing. This will normally be in electronic form if you have made a request electronically, unless you agree otherwise.
- If the individual wants additional copies, we will charge a fee, which will be based on the administrative cost to us of providing the additional copies.
- To make a subject access request, the individual should send the request to their manager. In some cases, we may need to ask for proof of identification before the request can be processed. We will inform the individual if we need to verify their identity and the documents we require.
- We will normally respond to a request within a period of one month from the date it is received. In some cases, such as where we process large amounts of the individual’s data, we may respond within three months of the date the request is received. We will write to the individual within one month of receiving the original request to tell them if this is the case.
- If a subject access request is manifestly unfounded or excessive, we are not obliged to comply with it. Alternatively, we can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which we have already responded. If an individual submits a request that is unfounded or excessive, we will notify them that this is the case and whether or not we will respond to it.
- It is a criminal offence to conceal or destroy personal data which is part of a subject access request. This conduct would also amount to gross misconduct under our disciplinary procedure, which could result in your dismissal.
- Individuals have a number of other rights in relation to their personal data. They can require the Company to:
- rectify inaccurate data;
- stop processing or erase data that is no longer necessary for the purposes of processing;
- stop processing or erase data if the individual’s interests override the Company’s legitimate grounds for processing data (where the Company relies on its legitimate interests as a reason for processing data);
- stop processing or erase data if processing is unlawful; and
- stop processing data for a period if data is inaccurate or if there is a dispute about whether or not the individual’s interests override the Company’s legitimate grounds for processing data.