Adur Special Needs Project will receive, use and store personal information about our employees, customers, sub-contractors and suppliers. It is important that this information is handled lawfully and appropriately in line with the requirements of the General Data Protection Regulation. We take our data protection duties seriously and respect the trust that is being placed in us to use personal information appropriately and responsibly.
ABOUT THIS POLICY
This policy sets out the basis on which we will process any personal data we collect or process. This policy does not form part of any employee’s contract of employment or 3rd party agreement and may be amended at any time.
Adur Special Needs Project is responsible for ensuring compliance with the Data Protection Requirements and with this policy. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Data Protection Officer.
WHAT IS PERSONAL DATA?
Personal data means data (whether stored electronically or paper based) relating to a living individual who can be identified directly or indirectly from that data (or from that data and other information in our possession).
Processing is any activity that involves use of personal data. It includes obtaining, recording or holding the data, organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
Sensitive personal data includes personal data about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric, physical or mental health condition, sexual orientation or sexual life. It can also include data about criminal offences or convictions. Sensitive personal data can only be processed under strict conditions, including with the consent of the individual.
DATA PROTECTION PRINCIPLES
Anyone processing personal data must ensure that data is:
- Processed fairly, lawfully and in a transparent manner.
- Collected for specified, explicit and legitimate purposes and any further processing is completed for a compatible purpose.
- Adequate, relevant and limited to what is necessary for the intended purposes.
- Accurate, and where necessary, kept up to date.
- Kept in a form which permits identification for no longer than necessary for the intended purposes.
- Processed in line with the individual’s rights and in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Not transferred to people or organizations situated in countries without adequate protection and without firstly having advised the individual.
FAIR AND LAWFUL PROCESSING
The Data Protection Requirements are not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the individual.
In accordance with the Data Protection Requirements, we will only process personal data where it is required for a lawful purpose. The lawful purposes include (amongst others): that the individual has given their consent, or that the processing is necessary for performing a contract with the individual, for compliance with a legal obligation, or for the legitimate interest of the business. When sensitive personal data is being processed, additional conditions must be met.
PROCESSING FOR LIMITED PURPOSES
In the course of our business, we may collect and process personal data. This may include data we receive directly from a data subject, e.g. by completing electronic or paper-based forms or by corresponding with us by mail, phone or email. We may also collect and store data we receive from other sources (including, for example, employment references, credit reference agencies and others).
We will only process personal data for the specific purposes or for any other purposes specifically permitted by the General Data Protection Regulation. We will notify those purposes to the data subject when we first collect the data or as soon as possible thereafter.
If we collect personal data directly from an individual, we will inform them about:
- The purpose or purposes for which we intend to process that personal data, as well as the legal basis for the processing.
- Where we rely upon the legitimate interests of the business to process personal data, the legitimate interests pursued.
- The types of third parties, if any, with which we will share or disclose that personal data.
- How individuals can limit our use and disclosure of their personal data.
- Information about the period that their information will be stored or the criteria used to determine that period.
- Their right to request from us as the controller access to and rectification or erasure of personal data or restriction of processing.
- Their right to object to processing and their right to data portability.
- Their right to withdraw their consent at any time (if consent was given) without affecting the lawfulness of the processing before the consent was withdrawn.
- The right to lodge a complaint with the Information Commissioner’s Office.
- Other sources where personal data regarding the individual originated from and whether it came from publicly accessible sources.
- Whether the provision of the personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the individual is obliged to provide the personal data and any consequences of failure to provide the data.
- The existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual.
If we receive personal data about an individual from other sources, we will provide them with this information as soon as possible (in addition to telling them about the categories of personal data concerned) but at the latest within one month.
We will also inform data subjects whose personal data we process that we are the data controller with regard to that data, and tell them our contact details and who the Data Protection Officer is.
ADEQUATE, RELEVANT AND NON-EXCESSIVE PROCESSING
We will only collect personal data to the extent that it is required for the specific purpose notified to the data subject.
We will ensure that personal data we hold is accurate and kept up to date. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.
We will not keep personal data longer than is necessary for the purpose or purposes for which it was collected. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required.
PROCESSING IN LINE WITH DATA SUBJECT’S RIGHTS
We will process all personal data in line with data subjects’ rights, in particular, their right to:
- Confirmation as to whether or not personal data concerning the individual is being processed.
- Request access to any data held about them by a data controller.
- Request rectification, erasure or restriction on processing of their personal data.
- Lodge a complaint with a supervisory authority.
- Data portability.
- Object to processing including for direct marketing.
- Not be subject to automated decision making including profiling in certain circumstances.
We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental or unlawful destruction, damage, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
We have controls in place to maintain the security of all personal data from the point of the determination of the means for processing and point of data collection to the point of destruction. Personal data will only be transferred to a data processor if he/she agrees to comply with those procedures and policies, or if he/she puts in place adequate measures.
We will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
- Confidentiality means that only people who are authorised to use the data can access it.
- Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
- Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on the company’s central computer system instead of individual PCs.
Security procedures include:
- Access to paper documents regarding personal data: This is restricted to Trustees and play scheme staff only.
- Door entry controls. Any visitor needs to report to reception and no unauthorised entry on site is permitted.
- Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
- Data minimisation. We only keep necessary personal data for legitimate reasons.
- Methods of disposal. Paper documents should be shredded. Digital storage devices should be physically destroyed when they are no longer required.
- Staff must ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.
TRANSFERRING PERSONAL DATA OUTSIDE OF THE EEA
We may transfer any personal data we hold to a country outside the European Economic Area (‘EEA’) or to an international organisation, provided that one of the following conditions applies:
- The country to which the personal data are transferred ensures an adequate level of protection for the data subjects’ rights and freedoms.
- The data subject has given his consent.
- The transfer is necessary for one of the reasons set out in the Act, including the performance of a contract between us and the data subject, or to protect the vital interests of the data subject.
- The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.
- The transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the data subjects’ privacy, their fundamental rights and freedoms, and the exercise of their rights.
SUBJECT ACCESS RIGHTS
Individuals must make a formal request for information we hold about them. Employees who receive a request should forward it to Yvonne McKeown immediately.
When receiving telephone enquiries, we will only disclose personal data we hold on our systems if the following conditions are met:
- We will check the caller’s identity to make sure that information is only given to a person who is entitled to it.
- We will suggest that the caller put their request in writing if we are not sure about the caller’s identity and where their identity cannot be checked.
Where a request is made electronically, data will be provided electronically where possible.
Our employees will refer a request to the Data Protection Officer for assistance in difficult situations.
CHANGES TO THIS POLICY
We reserve the right to change this policy at any time. Where appropriate, we will notify changes by mail or email.
Adur Special Needs Project understands that your privacy is important to you and that you care about how your personal data is used and shared online. We respect and value the privacy of everyone who visits this website, www.adurspecialneeds.org.uk (“Our Site”) and will only collect and use personal data in ways that are described here, and in a manner that is consistent with Our obligations and your rights under the law.
- Definitions and Interpretation
In this Policy, the following terms shall have the following meanings:
| Term | Meaning |
|---|---|
| “Cookie” | means a small text file placed on your computer or device by Our Site when you visit certain parts of Our Site and/or when you use certain features of Our Site. Details of the Cookies used by Our Site are set out in section 13, below; |
| “Cookie Law” | means the relevant parts of the Privacy and Electronic Communications (EC Directive) Regulations 2003; |
| “Personal Data” | means any and all data that relates to an identifiable person who can be directly or indirectly identified from that data. In this case, it means personal data that you give to Us via Our Site. This definition shall, where applicable, incorporate the definitions provided in the EU Regulation 2016/679 – the General Data Protection Regulation (“GDPR”); and |
| “We/Us/Our” | means Adur Special Needs Project, a charity registered in England, whose registered address is The Old School House, Ham Road, Shoreham-By-Sea, West Sussex. BN43 6PA under registered charity number 1088423. |
- Information About Us
- Our Site is owned and operated by Adur Special Needs Project.
- Our Data Protection Officer is Yvonne McKeown, who can be contacted by post at the above address or by raising an enquiry via e-mail to firstname.lastname@example.org.
- What Does This Policy Cover?
- Your Rights
- As a data subject, you have the following rights under the GDPR, which this Policy and Our use of personal data have been designed to uphold:
- The right to be informed about Our collection and use of personal data;
- The right of access to the personal data We hold about you (see section 12);
- The right to rectification if any personal data We hold about you is inaccurate or incomplete (please contact Us using the details in section 14);
- The right to be forgotten – i.e. the right to ask Us to delete any personal data We hold about you (We only hold your personal data for a limited time, as explained in section 6 but if you would like Us to delete it sooner, please contact Us using the details in section 14);
- The right to restrict (i.e. prevent) the processing of your personal data;
- The right to data portability (obtaining a copy of your personal data to re-use with another service or organisation);
- The right to object to Us using your personal data for particular purposes; and
- Rights with respect to automated decision making and profiling.
- If you have any cause for complaint about Our use of your personal data, please contact Us using the details provided in section 14 and We will do Our best to solve the problem for you. If We are unable to help, you also have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office.
- For further information about your rights, please contact the Information Commissioner’s Office or your local Citizens Advice Bureau.
- What Data Do We Collect?
- email address
- telephone details
- How Do We Use Your Data?
- All personal data is processed and stored securely, for no longer than is necessary in light of the reason(s) for which it was first collected. We will comply with Our obligations and safeguard your rights under the GDPR at all times. For more details on security see section 7, below.
- Our use of your personal data will always have a lawful basis, either because it is necessary for Our performance of a contract with you, because you have consented to Our use of your personal data (e.g. by subscribing to emails), or because it is in Our legitimate interests. Specifically, we may use your data for the following purposes:
- Supplying our products and services to you (please note that We require your personal data in order to enter into a contract with you);
- Personalising and tailoring Our products and services for you;
- Replying to emails from you;
- With your permission and/or where permitted by law, we may also use your data for marketing purposes which may include contacting you by email or telephone with information, news and offers on our products and services. We will not, however, send you any unsolicited marketing or spam and will take all reasonable steps to ensure that We fully protect your rights and comply with Our obligations under the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
- Third parties whose content appears on Our Site may use third party Cookies, as detailed below in section 13. Please refer to section 13 for more information on controlling Cookies. Please note that We do not control the activities of such third parties, nor the data they collect and use and advise you to check the privacy policies of any such third parties.
- You have the right to withdraw your consent to Us using your personal data at any time, and to request that We delete it.
- We do not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Data will therefore be retained for the following periods (or its retention will be determined on the following bases):
- For the duration of the relationship;
- To answer the enquiry;
- How and Where Do We Store Your Data?
- We only keep your personal data for as long as We need to in order to use it as described above in section 6, and/or for as long as We have your permission to keep it.
- Where possible, your data will only be stored in the UK or EEA.
- Data security is very important to Us, and to protect your data we have taken suitable measures to safeguard and secure data collected through Our Site.
- Steps We take to secure and protect your data include:
- Virus & Firewall protection for our servers.
- E-mail/file encryption
- IT security procedures for our internal systems
- Do We Share Your Data?
- We may sometimes contract with third parties to supply products and services to you on Our behalf. These may include payment processing and delivery of goods and services. In some cases, the third parties may require access to some or all of your data. Where any of your data is required for such a purpose, we will take all reasonable steps to ensure that your data will be handled safely, securely, and in accordance with your rights, Our obligations, and the obligations of the third party under the law.
- In certain circumstances, We may be legally required to share certain data held by us, which may include your personal data, for example, where we are involved in legal proceedings, where We are complying with legal requirements, a court order, or a governmental authority.
- What Happens If Our Charity Changes Hands?
- In the event that any of your data is to be transferred in such a manner, you will not be contacted in advance and informed of the changes.
- How Can You Control Your Data?
- You may also wish to sign up to one or more of the preference services operating in the UK: The Telephone Preference Service (“the TPS”), the Corporate Telephone Preference Service (“the CTPS”), and the Mailing Preference Service (“the MPS”). These may help to prevent you receiving unsolicited marketing. Please note, however, that these services will not prevent you from receiving marketing communications that you have consented to receiving.
- How Can You Access Your Data?
You have the right to ask for a copy of any of your personal data held by us (where such data is held). Under the GDPR, no fee is payable and we will provide any and all information in response to your request free of charge. Please contact Us for more details at The Old School House, Ham Road, Shoreham-By-Sea, West Sussex. BN43 6PA.
- Our Site may place and access certain first party Cookies on your computer or device. First party Cookies are those placed directly by us and are used only by us. We ensure that your privacy and personal data is protected and respected at all times.
- All Cookies used by and on our site are used in accordance with current Cookie Law.
- Your consent will not be sought to place these Cookies, but it is still important that you are aware of them. You may still block these Cookies by changing your internet browser’s settings, but please be aware that our site may not work properly if you do so. We have taken great care to ensure that your privacy is not at risk by allowing them.
- Contacting Us