1 Purpose

The purpose of this document is to demonstrate the management board’s commitment to the protection of personal data.

2 Policy Overview

The Board of Directors and management of DutySheet Ltd located at Riverbridge House, Guildford Rd, Fetcham, Leatherhead, KT22 9AD operates primarily in the business of Software as a Service delivery; Volunteer Management Software.  

We are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information and information-related assets relevant to meet the purpose and goals of the organisation. This includes the handling of personal data or “Personally Identifiable Information” (PII).

Furthermore, we are committed to ensuring compliance with the European Union General Data Protection Regulation (GDPR) and the UK Data Protection Act (DPA) 1998 and any other data protection legislation or regulation relevant to our business operations.

In complying with the above-mentioned legislation and regulation, the organisation makes commitments to implement policies and processes related to that compliance and to make staff and relevant third parties aware of their responsibilities when handling personal data.

More detailed policies and processes thus support this policy, including our Information Security Policy. A GDPR compliance workspace is also maintained in line with Information Commissioner Office recommendations. These are located and managed within the ISMS.online platform.

This policy will be reviewed regularly to respond to any changes in the business, its risk assessment or risk treatment plan, and at least annually. 

3 Scope

All employees and relevant interested parties associated to the organisation’s handling of personal data have to comply with this policy. Appropriate training and materials to support it are available.

4 Definitions

The key definitions of terms used within or referred to by this policy are based upon those in the GDPR or other recognised documentation and are contained in Annex A.

IT Manager

• Ensure all systems, services, software and equipment meet acceptable security standards

• Checking and scanning security hardware and software regularly to ensure it is functioning properly

• Researching third-party services, such as cloud services the company is considering using to store or process data

Marketing Manager

• Approving data protection statements attached to emails and other marketing copy

• Addressing data protection queries from clients, target audiences or media outlets

• Coordinating with the Data Protection Officer to ensure all marketing initiatives adhere to data protection laws and the company’s Data Protection Policy

• Complying with other legislation and regulation relevant to data protection in marketing activities (e.g. Privacy & Electronic Communications Act (UK))

5.2 Staff data protection training

All staff will receive training on this policy. New joiners will receive training as part of the induction process. Further training will be provided at least every two years or whenever there is a substantial change in the law or our policy and procedure.

Training is provided on a regular basis and when specific trigger events occur e.g. threats or incidents affecting all or part of the organisation, its supply chain or other Interested Parties that might impact the organisation financially or its reputation.

It will cover:

• The law relating to data protection

• Our data protection and related policies and procedures.

Completion of this training is compulsory and where appropriate will be evidenced by task completion in the ISMS.online platform.

5.3 Privacy Notice – transparency of data protection

Being transparent and providing accessible information to individuals about how we will use their personal data is important for our organisation and is required under GDPR. Whenever personal data is being collected we will document and provide a Privacy Notice in line with the requirements of Article 13 of the GDPR.

5.4 Conditions for processing

We will ensure any use of personal data is justified using at least one of the conditions for processing (described further below) and this will be specifically documented in the ISMS.online platform. All staff who are responsible for processing personal data will be aware of the conditions for processing. The conditions for processing will be available to data subjects in the form of a privacy notice.

5.5 Justification for personal data

We will process personal data in compliance with all eight data protection principles.

We will document the additional justification for the processing of sensitive data, and will ensure any biometric and genetic data is considered sensitive.

6 Sensitive personal data

In most cases where we process sensitive personal data we will require the data subject's explicit consent to do this unless exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to identify clearly what the relevant data is, why it is being processed and to whom it will be disclosed.

6.1 Fair and lawful processing

We must process personal data fairly and lawfully in accordance with individuals’ rights. This generally means that we should not process personal data unless the individual whose details we are processing has consented to this happening.

Under GDPR, processing of personal data is lawful only if at least one of the following apply:

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps

c) at the request of the data subject prior to entering into a contract;

d) processing is necessary for compliance with a legal obligation to which the controller is subject;

e) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

f) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official

g) authority vested in the controller;

h) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party,

i) except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The processing of all personal data must be:

• Necessary to deliver our services

• In our legitimate interests and not unduly prejudice the individual's privacy

• In most cases this provision will apply to routine business data processing activities.

Our Terms of Business contains a Privacy Notice to clients on data protection.

The notice:

• Sets out the purposes for which we hold personal data on customers and employees

• Highlights that our work may require us to give information to third parties such as expert witnesses and other professional advisers

• Provides that customers have a right of access to the personal data that we hold about them

Consent

The data that we collect is subject to active consent by the data subject. This consent can be revoked at any time.

Accuracy and relevance

We will ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.

6.2 Data Portability

Upon request, a data subject should have the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals.

6.3 Right to be forgotten

A data subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.

6.4 Privacy by design and default

Privacy by design is an approach to projects that promote privacy and data protection compliance from the start. The Data Protection Officer will be responsible for conducting Privacy Impact Assessments (PIA) and ensuring that all IT and other relevant projects commence with a privacy plan. ISMS.online provides a PIA framework that is used for managing the process and documenting the approach.

When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.

6.5 International data transfers

No data may be transferred outside of the EEA without first discussing it with the data protection officer. Specific consent from the data subject must be obtained prior to transferring their data outside the EEA.

7 Data security

We must keep personal data secure against loss or misuse. Where other organisations process personal data as a service on our behalf, the Data Protection Officer will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations.

The organisation has a documented “Information Security Policy” and a set of subordinate security policies and controls relating to our management of data and information security. These are held within the ISMS.online platform.

7.1 Data retention

We must not retain personal data for longer than is necessary. What is “necessary” will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with our data retention guidelines.

Data retention schedules will be maintained showing the minimum and maximum periods of retention for each data set.

7.2 Data audit and register

Regular data audits to manage and mitigate risks will inform the data register. This contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.

8 Staff Responsibilities

All individual staff members are responsible for playing their part in maintaining the confidentiality, integrity and availability of personal data in compliance with the GDPR, DPA and organisational policies, standards and procedures.

Staff must familiarise themselves with the requirements contained in this policy and any other relevant security policy and comply with any requirements relating to the proper handling and security of personal data.

8.1 Handling others’ personal data

Staff must familiarise themselves with the organisational responsibilities detailed above and ensure that they comply with these whenever they are handling personal data. Special care and attention must be given when handling sensitive personal data.

8.2 Processing data in accordance with the individual's rights

Staff must abide by any request from an individual not to use their personal data for direct marketing purposes. Notify the Data Protection Officer about any such request if it falls outside of the normal processes or they have any reason to be unsure about the appropriate practice.

Staff must contact the Data Protection Officer for advice on direct marketing before starting any new direct marketing activity to ensure compliance with all relevant data protection and other legislation.

8.3 Reporting breaches

All members of staff have an obligation to report actual or potential data protection weaknesses, events and incidents where compliance may be breached. This allows us to:

• Investigate the failure and take remedial steps if necessary

• Maintain a register of compliance failures

• Notify the Supervisory Authority (SA) of any compliance failures that are material either in their own right or as part of a pattern of failures

The reporting of such weaknesses, events and incidents will be managed through our Information Security Incident Management processes.

8.4 Monitoring

Everyone must observe this policy. The Data Protection Officer has overall responsibility for this policy. They will monitor it regularly to make sure it is being adhered to.

9 Annex A – Key Definitions

Data Subject

“Data subject” means an individual who is the subject of personal data. [source DPA]

Personal Data

“Personal Data” is any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. [source GDPR]

Sensitive Personal Data

“Sensitive Personal Data” is any information about an individual's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings—any use of sensitive personal data should be strictly controlled in accordance with this policy.[source DPA]

Controller

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. [source GDPR]

Processor

“Processor” means a natural or legal person, public authority, agency or other body, which processes personal data on behalf of the controller. [source GDPR]

Recipient

“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients. The processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing. [source GDPR]

Processing

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. [source GDPR]

Profiling

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. [source GDPR]

Anonymisation

“Anonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. [source GDPR]

Filing System

“Filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis. [source GDPR]

Consent

“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. [source GDPR]

Personal Data Breach

“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. [source GDPR]