Ups and Downs Southwest is committed to the protection of the rights and freedoms of individuals in accordance with the provisions of the Data Protection Act 1998 and GDPR 2018. We will comply fully with the requirements of the Act and will follow procedures which aim to ensure that all persons who have access to any personal data held by or on behalf of Ups and Downs Southwest are fully aware of and abide by their duties and responsibilities under the Act.
In order to operate effectively and fulfil its legal obligations, Ups and Downs Southwest needs to collect, maintain and use certain personal data about current, past and prospective members, suppliers and other individuals that contact Ups and Downs, or with whom it has dealings (each, a “data subject” and together, “data subjects”). Ups and Downs Southwest is dedicated to obtaining, handling, processing, transporting and storing all personal data, whether held on a computer or paper, lawfully and correctly in accordance with the safeguards contained in the UK GDPR Act 2018 (the “GDPR”).
Ups and Downs will ensure that all personal information is handled and dealt with properly however it is collected, recorded and used and whether it be on paper, in computer records or recorded by any other means. All staff and volunteers having access to personal data will be required to adhere fully to the Act in carrying out their duties for us.
The trustees of Ups and Downs Southwest have overriding responsibility to ensure that this policy is implemented and have appointed the Director to oversee the implementation of this policy by all staff, volunteers and trustees.
What does the Act govern?
The Act relates to the processing of personal data and sensitive personal data which must be processed in accordance with the eight data protection principles.
Processing is a wide-ranging activity that includes obtaining, recording, holding or storing personal data and carrying out any operations on it such as adaptation, alteration, use, disclosure, transfer, erasure and destruction.
Personal data is data which relates to an individual who can be identified from such data and other information which is in the possession of, or is likely to come into the possession of the organisation and includes any expression of opinion about an individual. It includes information relating to an individual’s name, date of birth, address and photographs.
Sensitive personal data is defined as personal data consisting of information as to racial or ethnic origin, political opinion, religious or other beliefs, trade union membership, physical or mental condition, sexual life and criminal proceedings or convictions. Sensitive personal data has even greater conditions for processing and normally in order to process the information it will be necessary to have the explicit consent of the individual.
The Eight Data Protection Principles
The Act stipulates that anyone processing personal data must comply with the eight principles of good practice. These principles are legally enforceable.
The principles require that personal information must be known to the owner of the data and:
- Fairly and lawfully processed
- Obtained for specific purposes and not processed in a manner incompatible with those purposes
- Adequate, relevant and not excessive for the purposes for which it is processed
- Accurate and kept up-to-date
- Not kept for longer than necessary for the purposes
- Not transferred to countries without adequate protection
- Processed in accordance with the data subject’s rights
The Responsibilities of Ups and Downs Southwest
Ups and Downs will ensure that personal and sensitive information is processed lawfully and fairly and will through appropriate management and systems:
- Ensure the owner of the data is aware that it is being kept and who else may read it i.e. other staff, trustees
- Observe fully the conditions regarding the fair collection and use of information
- Meet its legal obligations to specify the purpose for which the information is used
- Collect and process appropriate information only to the extent that it is needed to fulfil operational needs or to comply with legal requirements
- Ensure the quality of information used
- Ensure the information is held for no longer than is necessary
- Ensure that the rights of people about whom information is held can be fully exercised under the Act. These include the right to be informed that processes are being undertaken, the right to access one’s personal information, the right to prevent processing in certain circumstances and to correct, rectify, block or erase information that is factually established as incorrect
- Ensure that everyone managing and handling personal information understands that they are responsible for following good data protection practice and is appropriately trained to do so
- Ensure that personal information collected or used is secure
What Ups and Downs Southwest collects:
Ups and Downs Southwest collects personal data that data subjects (you) provide to Ups and Downs, which is information that can be used (or reasonably used) to identify someone as an individual. Ups and Downs will only do this when you (as the data subject) have agreed to Ups and Downs’ request for that personal data. This personal data may include your:
- Telephone Number
How Ups and Downs Southwest will use the data subject’s personal data.
By providing personal data, you (as a data subject) agree that, where it is permitted by law or where you have agreed to receive these communications from Ups and Downs, Ups and Downs may use your personal data to:
- Respond to your request
- Improve our services for children, parents and professionals
- Improve the content of our communications
- Provide you with helpful information, news and updates
- Notify you of events, training and new services
- Consider applications for employment
- Assist Ups and Downs’ own administrative and quality assurance purposes
Ups and Downs Southwest will act as a data controller of such personal data.
Ups and Downs Southwest will only collect personal data to serve a specific operational, business or legal purpose and only gather the minimum amount needed. Ups and Downs Southwest will use only fair and lawful means to obtain personal data.
Ups and Downs Southwest will obtain a data subject’s informed consent to process his or her personal data in cases where it is necessary and appropriate to do so in compliance with applicable laws.
Ups and Downs Southwest will not use personal data collected for one purpose for a different purpose without getting the data subject’s consent, unless applicable laws allow or require it.
Ups and Downs Southwest will correct any personal data where it is notified that such data is incorrect.
Only authorised paid employees, trustees and volunteers of Ups and Downs Southwest and third party suppliers can carry out processing of personal data, which must be consistent with their individual roles and responsibilities.
How Ups and Downs Southwest protects personal data
Ups and Downs Southwest will take appropriate legal, organisational and technical measures to protect personal data consistent with applicable privacy and data security laws.
When Ups and Downs Southwest uses a third-party service provider, that provider will be carefully selected and required to use appropriate measures to protect the confidentiality and security of personal data.
When we collect your personal information we use strict procedures and security features to prevent unauthorised access. Unfortunately, no data transmission over the internet is 100 percent secure. As a result, while we try to protect your personal information, Ups and Downs Southwest cannot guarantee the security of any information you transmit to us and you do so at your own risk.
Sharing personal data with third parties
Ups and Downs Southwest may share the personal data of a data subject in compliance with applicable law.
In certain special cases where permitted by applicable law, Ups and Downs Southwest may disclose your personal data when:
- Ups and Downs has reason to believe that disclosure of this information is necessary to identify, contact or bring legal action against someone who may be causing injury to you or otherwise injuring or interfering with Ups and Downs’ rights, property or operations.
- Ups and Downs believes that applicable law requires it, or in response to any demand by law enforcement authorities in connection with a pending civil case or administrative investigation.
- Ups and Downs believes it is necessary in order to safeguard vulnerable children, young people or adults.
The Responsibilities of Employees
All employees are required to:
- Familiarise themselves with the provisions of the Act and ensure that they understand their responsibilities under the Act in relation to personal information they may process in their role
- Ensure that they seek guidance from their manager if they are unclear as to the application of the Act; this may be covered in supervision
- Access any training provided by Ups and Downs in relation to data protection
- Ensure that any information they provide in relation to their employment is accurate and up to date
- Inform Ups and Downs of any changes to information that they have provided e.g. changes of addresses, next of kin details
- Ensure that all personal data collected or used is known about by the owner and kept secure at all times against unauthorised or unlawful loss or disclosure, and in particular ensure that:
  - Paper files and other records or files containing personal or sensitive data are kept securely
  - Personal data held on computers or computer systems is protected by the use of secure passwords which should be such that they are not easily compromised
  - Personal information is not disclosed either orally or in writing or via web pages carelessly or otherwise to an unauthorised third party
If an employee discloses personal data in breach of the principles set out in the Act, he/she may be committing a criminal offence and he/she may be subject to disciplinary action.
Data in Transit
There may be occasions when it is necessary for sensitive and personal data to be taken outside the office e.g. if a member of staff is asked to attend a professionals meeting or case conference. This includes data in all formats: non-electronic (paper) and electronic (laptops, tablets, other mobile devices and storage media such as USB memory sticks). All employees are personally responsible for taking reasonable and appropriate precautions to ensure that all sensitive and confidential data taken outside of the office is secure. Any information sent electronically must be redacted to ensure anonymity.
It is not possible for this policy and procedure to be prescriptive about the action which should be taken to ensure security, as there may be a number of different situations where data may be taken out of the office. Each individual taking data out of the office will need to assess the security measures needed for every situation and make a considered judgement about how they handle data whilst delivering their service, and if in any doubt seek support from their line manager or supervisor. Employees must be familiar with and adhere to the Ups and Downs guidance on common sense precautions to be taken as a minimum requirement.
Ups and Downs Southwest recognises that under the Act any person whose personal data is held by Ups and Downs has the right to request access to his or her personal data. Such a request is known as a ‘Subject Access Request’.
An employee may request details of personal information which Ups and Downs holds about him or her. If an employee would like a copy of any of the information held on him or her they should notify their line manager. If an employee believes that any information held on him or her is incorrect or incomplete they should write to their manager as soon as possible setting out the information which they believe needs correction.
A person (other than an employee) whose personal information Ups and Downs holds may make a Subject Access Request in writing to the chairperson of the charity for a copy of the information held on him or her.
Ups and Downs Southwest will respond to all requests for personal information within 30 days of the request.
Copies of confidential references about employees written by Ups and Downs will not be provided in response to a Subject Access Request, as provision of copies of such references is exempted under the Act.
Confidential references about employees received by Ups and Downs Southwest are not exempted. Ups and Downs will make reasonable attempts to gain consent from referees prior to release.
Statement Regarding Third Party Processors
Ups and Downs Southwest currently has the following parties as processors of personal data:
- Milsted Langdon: Payroll
- Now Pensions: Staff Pension Scheme
- Sedgemoor District Council: Disclosure and Barring Service
- Charity Log: Case File Management System
- Simply Alien: Website
Ups and Downs Southwest have access to all the current processors’ privacy statements and are happy that all comply with current GDPR regulations.