1. Purpose of Policy
Annex A gives a full explanation of the defined terms used in this Policy.
The Eikon Charity (“Eikon”) recognises the rights of every individual in respect of their Personal Data. The General Data Protection Regulation and Data Protection Act 2018 (DPA) require that Eikon is able to demonstrate compliance as an organisation. The correct and lawful treatment of Personal Data by Eikon will maintain confidence in the organisation and operations, whilst protecting the confidentiality and integrity of Personal Data; this is a critical responsibility that Eikon takes seriously at all times.
This Policy sets out the clear scope, principles, responsibilities and codes of practice which all employees and volunteers must read, understand and comply with when processing Personal Data on behalf of Eikon. Compliance with this Policy and supporting Procedures is mandatory and any breach may result in disciplinary action.
This Policy is designed to ensure that Eikon:
a) Protects the rights of all stakeholders, beneficiaries, employees and volunteers;
b) Complies with the General Data Protection Regulation and Privacy and Electronic Communications Regulations (PECR) and follows good practice;
c) Is open about what Personal Data it stores and processes and how this is done;
d) Protects itself and others from the risk of data breach.
This Policy describes how Personal Data is to be collected, stored, processed, accessed and disposed of to comply with relevant legislation, in particular the DPA and the current Fundraising Regulator’s Code of Fundraising Practice (CFP).
2. Policy Scope
a) Covers all Personal Data held or processed by Eikon, however it is stored – whether in digital media, on paper or any other form.
b) Does not form part of any employee’s contract of employment and may be amended at any time.
c) Has associated Procedures to provide detailed support for employees & volunteers in applying this Policy.
3. Data Protection Principles
The processing of Personal Data must comply with the fair and lawful principles set out in the DPA. These require that our handling of Personal Data must be:
a) Processed lawfully, fairly and transparently – there must be a legal basis for processing Personal Data; this includes obtaining, holding, or carrying out any operation on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it.
b) Collected only for specified, explicit, legitimate and prescribed charitable purposes – these include beneficiaries of our youth services, fundraising, personnel/employee/volunteer administration, to meet charity organisational objectives, public relations and external affairs and purchase / supplier information.
c) Accurate and, where necessary, kept up to date – every reasonable step will be taken to ensure that Personal Data that is inaccurate, having regard to the purpose for which it is processed, is erased or rectified without delay.
d) Kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is processed. Personal Data may be stored for longer periods insofar as the Personal Data will be processed solely for historical research or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the DPA in order to safeguard the rights and freedoms of individuals.
e) Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
f) Protected by design – all the charity’s procedures and processes need to be designed with data protection in mind. Eikon is responsible for and must be able to demonstrate compliance with the data protection principles listed above.
4. Legal Rights of Data Subjects
The DPA makes clear that the people about whom we hold and process Personal Data (Data Subjects) have clear legal rights as set out below. As well as complying with the requirements for security and transparency, Eikon must have a legal basis for processing Personal Data. The DPA allows processing for specific purposes, including but not necessarily limited to:
a) When the Data Subject has given their consent;
b) When the processing is necessary for the performance of a contract with or delivery of a service for the Data Subject;
c) Compliance with a legal obligation to which Eikon is subject;
d) To protect the vital interests of the Data Subject;
e) The legitimate interests pursued by Eikon or a related third party (except where these interests are overridden by the interests or fundamental rights and freedoms of the Data Subject).
f) Public tasks or processing.
Where consent is the legal basis used, a Data Subject consents to the processing of their Personal Data if they indicate agreement clearly either by a statement or positive action to the processing. Consent requires positive action so silence, pre-ticked boxes or inactivity are unlikely to be sufficient.
Data Subjects must be easily able to withdraw consent to processing at any time and any withdrawal request must be promptly actioned. Consent may need to be refreshed if Personal Data is to be processed for a different and incompatible purpose which was not disclosed when the Data Subject first consented.
Eikon will need to evidence consent captured and keep records of the above to demonstrate compliance with the DPA.
5. Notifying Data Subjects
If Eikon collects Personal Data directly from Data Subjects, it will inform them about the purpose(s) for which we intend to process their Personal Data and the legal basis for processing. Such information will be provided through appropriate Privacy Notices which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand them.
Wherever Eikon collects Personal Data directly from Data Subjects, it must provide the Data Subject with all the information required by the DPA including the fact that Eikon is the Data Controller for that data, as well as how and why Eikon will use, process, disclose, protect and retain that Personal Data via a Privacy Notice which must be presented when the Data Subject first provides the Personal Data.
6. Adequate, Relevant and Proportionate processing
Eikon will only collect Personal Data to the extent that it is required for specified, explicit and legitimate purposes. It will not be further processed in any manner incompatible with those purposes.
Eikon will not use Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained unless Eikon has informed the Data Subject of the new purposes and they have consented, where necessary.
Eikon will ensure that Personal Data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Eikon will only process Personal Data when performing its specific job duties, and when Personal Data is no longer needed for specified purposes, Eikon will delete or anonymise it in accordance with Eikon’s Data Retention Procedures.
Eikon will only process data in line with the Data Subjects’ rights and in particular their rights to:
a) Withdraw consent to processing at any time.
b) Request access to their Personal Data held about them.
c) Prevent Eikon’s use of their Personal Data for direct-marketing purposes.
d) Ask to have inaccurate Personal Data amended.
e) Request the deletion or removal of Personal Data where there is no compelling reason for its continued processing.
f) Prevent processing that is likely to cause damage or distress to the Data Subject.
These rights are not absolute and can only be exercised if the Data Subject has previously given their consent.
7. Data Accuracy, Retention and Storage
Every effort will be made to ensure Personal Data is accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate. It must be relevant to the purpose for which it is collected. Accuracy of any Personal Data must be checked at the point of collection and at regular intervals thereafter. All reasonable steps must be taken to destroy or amend inaccurate or out of date Personal Data.
Personal Data will only be stored and held in line with Eikon’s Data Retention Procedure.
8. Disclosure and Sharing of Personal Data
We will only share Personal Data if the Data Subject has given consent or if we are under a duty to disclose or share a Data Subject’s Personal Data in order to comply with any legal obligation, or in order to perform any contract involving the Data Subject; or to protect our rights, property, or safety of our employees, volunteers, beneficiaries, stakeholders, or others. This includes exchanging information with other companies and organisations for the purposes of safeguarding, fraud protection and credit risk reduction.
9. Subject Access Requests
Data Subjects have a right to a copy of all their Personal Data held by Eikon, by making a formal request in writing. Eikon will meet the request in full within one calendar month and no charge will be levied for such a request.
10. Data Security Breaches
The DPA requires Data Controllers to notify the applicable regulator and, in certain circumstances, the Data Subject, of any breach that may compromise the security, confidentiality or integrity of Personal Data. The process to be followed is set out in Eikon’s Personal Data Breach Management Procedure.
11. Young Person’s Data
Where data is not processed under another legal basis (e.g. legitimate interest) the DPA requires that under the consent legal basis, permission from a parent/guardian is required before a young person’s Personal Data can be processed for children below the age of 13 years old. Eikon will ensure that where consent is the basis for processing data, parental/guardian permission will be sought before Personal Data is collected and processed for children below the age of 13 years.
12. Privacy by Design and Data Protection Impact Assessments (DPIA)
Eikon is required to implement privacy by design measures when processing Personal Data by implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the DPA.
Data Controllers must also conduct DPIAs in respect of processing likely to result in high risk to Data Subjects, for example:
a) where a new technology is being deployed;
b) where a profiling operation is likely to significantly affect Data Subjects; and
c) where there is processing on a large scale of sensitive data.
An introduction to and guidelines for a DPIA are given on the following Information Commissioner’s Office (ICO) webpage:
If a DPIA indicates that the processing is high risk, then the situation will need to be referred to the CEO who will consult the ICO to seek its opinion as to whether the processing operation complies with the DPA.
13. Employees & volunteers
All Eikon employees and volunteers required to access or handle Personal Data will be trained regularly in data protection good practice and will be required to read this Policy as part of their induction. Employees and volunteers will sign to say they have understood the Policy/training, and a copy will be kept on their HR file.
14. Privacy Notices
The DPA requires Data Controllers to provide detailed, specific information to Data Subjects through relevant privacy notices (“Privacy Notices”) setting out what Personal Data is held and processed, the reasons for this and the legal basis, together with how their rights in law are being upheld by Eikon.
15. Control and Review
Line managers will undertake checks with employees and volunteers on an annual basis or spot basis. Any data protection issues requiring a decision will be recorded on the Eikon Data Breach log and stored securely.
Eikon is responsible for and must be able to demonstrate compliance with the legal requirements and the principles set out above. To ensure we meet these requirements, key responsibilities are as follows:
a) Trustees are responsible for ensuring that this Policy meets all the legal requirements and regulations.
b) Line managers are responsible for and must be able to demonstrate compliance with the principles and policies set out in this document.
c) Employees and volunteers who are responsible for data collection and processing are also responsible for understanding and following the principles, practices and procedures set out for them in this Policy and by the appropriate training.
17. Changes to these Data Protection and Privacy Policies
| 1.0 Data Protection, Record Keeping & Confidentiality | Sept 2013 | Original Issue |
| 2.0 Data Protection policy | July 2018 | Re-written to cover DPA |
| Approved | Board Sept 18 | |
| 3.1 | February 2021 | Updated role titles |
| 3.2 | February 2021 | DPO updates (Satswana) |
ANNEX A – DATA PROTECTION TERMS
Consent: Consent is the Data Subject giving permission for their private data to be processed in a specific way. The DPA sets a high standard for consent. It means offering individuals genuine choice and control. Consent requires a positive and unambiguous opt-in – not pre-ticked boxes or any other method of default consent. It should be linked to a clear statement of how the private data will be used (set out in the Privacy Statement) and how the consent might be withdrawn or altered by the Data Subject at any time.
Data is information that is stored electronically, on a computer, or in paper-based filing systems.
Data Subject: all living identified or identifiable individuals about whom we hold Personal Data. A Data Subject need not be a UK national or resident. All Data Subjects have legal rights in relation to their personal information, including those set out in the DPA, Privacy and Electronic Communications Regulations (PECR) and the Fundraising Regulator’s Code of Fundraising Practice.
Personal Data means data relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal Data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
Data Controller means the people who or organisations that determine the purposes for which, the manner in which and the reason for which, any Personal Data is processed. They are responsible for establishing practices and policies in line with the DPA. We are the Data Controller of all Personal Data used in our business for our own commercial purposes.
Data Users are those of our employees and volunteers whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times.
Data processors include any person or organisation that is not a data user that processes Personal Data on our behalf and on our instructions. Employees of Data Controllers are excluded from this definition but it could include suppliers that handle Personal Data on our behalf.
General Data Protection Regulation (GDPR): The General Data Protection Regulation ((EU) 2016/679), Data Protection Act 2018 and any other national implementing laws, regulations and secondary legislation, as amended or updated from time to time.
Privacy Notices: separate notices setting out information that may be provided to Data Subjects when Eikon collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals or they may be stand-alone, one-time privacy statements covering processing related to a specific purpose.
Processing or process means any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Sensitive Personal Data means information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings, genetic data and biometric data where processed to uniquely identify a person (for example a photo in an electronic passport). Sensitive personal data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned.