Data Protection and Privacy Policy

Transcription

1 Data Protection and Privacy Policy 1. General This policy outlines Conciliation Resources commitments to respect the privacy of people s personal information and observe the relevant data protection legislation. Conciliation Resources maintains certain personal data for the purposes of carrying out its aims and objectives as identified in its Memorandum and Articles of Association and to meet our operational needs and legal obligations. We recognise that this personal data, whether it is held on paper, electronically or in other form, is subject to the appropriate legal safeguards as specified in the UK Data Protection Act Conciliation Resources processes personal data on past, current, and prospective board members, staff, volunteers, donors, individuals and organisations we work with; and suppliers and others with whom we communicate. Attached to this policy are shorter guidelines covering Data Protection and Privacy (appendix 1) and the processing of information obtained via the Conciliation Resources website for marketing s (appendix 2). Conciliation Resources regards the lawful and correct treatment of personal information as very important and crucial to our successful operations. This involves taking precautions against physical loss or damage, and ensuring that access and disclosure are restricted. All staff are responsible for ensuring that: Any personal data held is kept securely; Personal information such as personal mobile phone numbers, personal social media handles or personal addresses, is not disclosed in anyway to any unauthorised third party, without the subject s consent - unless the information is already in the public domain (e.g. Twitter handles are mostly in the public domain). 2. Principles Conciliation Resources fully endorses and adheres to the eight principles of the UK Data Protection Act, These principles specify the legal conditions that must be satisfied in relation to obtaining, handling, processing, transportation and storage of personal data. Staff, volunteers or any other people or organisations associated or working with Conciliation Resources who obtain, handle, process, transport and store personal data for Conciliation Resources must adhere to these principles. The principles require that personal data shall: 1. Be processed fairly and lawfully and shall not be processed unless certain conditions are met; 2. Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose; 3. Be adequate, relevant and not excessive for those purposes; 4. Be accurate and, where necessary, kept up to date; 5. Not be kept for longer than is necessary for that purpose; 6. Be processed in accordance with the data subject s rights; 7. Be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using the appropriate technical and organisational measures; Shared_Files:Operations:Policies_Guidelines:Approved:Data_Protectection_and_Privacy:Data Protection and Privacy Policy.docx Page 1 of 8

2 8. Not be transferred to a country unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. 3. Satisfaction of Principles In order to meet the requirements of the principles, Conciliation Resources has in place appropriate management controls and use strict criteria to: Observe fully the conditions regarding the fair collection and use of personal data; Meet its obligations to specify the purposes for which personal data is used; Collect and process appropriate personal data only to the extent that it is needed to fulfill operational or any legal requirements; Ensure the quality and accuracy of personal data held to the best of Conciliation Resources ability; Apply strict checks to determine the length of time personal data is held; Ensure that the rights of individuals about whom the personal data is held, can be fully exercised under the Act; Take the appropriate technical and organisational security measures to safeguard personal data; and Ensure that personal data is not transferred outside the EC without suitable safeguards. 4. Compliance with Data Protection Regulations Conciliation Resources is registered with the UK Information Commissioner (ICO) as a Data Controller on its public register of data controllers (Registration number Z ). As identified under the Data Protection Act, Conciliation Resources holds personal data for the following six purposes: Realising the objectives of Conciliation Resources; Staff administration; Advertising, marketing and public relations; Accounts and records; Administration of membership records; and Fundraising. The section below lists the sets of personal data that Conciliation Resources stores and details how the use of the data is in accordance with the Data Protection Act. The use of the data in all cases is in order to realise the charitable aims of Conciliation Resources. 5 Applying the Policy Any breach of this policy will be taken seriously and may result in disciplinary action up-to and including dismissal. Any questions or concerns about the interpretation or operation of this policy should be raised with the Director of Operations, who is Conciliation Resources designated Data Controller. As every staff member or volunteer is expected to use Conciliation Resources databases, they are expected to adhere to the policy at all times. Any staff member or volunteer who believes that the policy has not been followed in respect of their own personal data should raise the matter with their Line Manager in the first instance, or if they are not available with the Director of Operations. Each database has a designated person responsible for the implementation of the Data Protection Policy in relation to that particular database. Members of staff who wish to use the data for mailings may do so only with the authority of the person responsible for the particular database, who will ensure compliance with this policy. The persons responsible for each database or set of personal information is as follows: Shared_Files:Operations:Policies_Guidelines:Approved:Data_Protectection_and_Privacy:Data Protection and Privacy Policy.docx Page 2 of 8

3 Contacts, Donors and Projects Database Director of Operations Web Sign-ups Communications Manager Personnel Director of Operations Recruitment Director of Operations Any request from a person asking to be removed from a mailing list or database or any other related enquiry should be forwarded to the responsible person, named above, who is responsible for ensuring any request is actioned or enquiry responded to. Any request will normally be completed within 30 calendar days. Any enquiries will be responded to in accordance with the Open Information Policy (P/11/12). Requests for access to personal information Conciliation Resources aims to comply with requests for access to personal information as quickly as possible, and will ensure that it is provided within 30 days of receipt of a request unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the individual making the request. 6. Conciliation Resources Databases Conciliation Resources Contacts Database For its own activities Conciliation Resources maintains a database of contact information about individuals and organisations that is password-protected and only accessible to Conciliation Resources staff (and office-based consultants/volunteers). This database includes people s name, address, address, telephone/fax number(s), job title and employer, plus details of their involvement with Conciliation Resources including funding, events attended and the context in which the information is held, (eg a mediator in a conflict). The information does not constitute sensitive personal data 1 as defined by the 1998 Act. However, in some cases, where such information (about health, ethnicity or gender), is processed, it is purely done for the purpose of monitoring Conciliation Resources policies, such as health and safety or equal opportunities or for the purpose of pursuing the charitable aims of the organisation. Professional and other contacts are added to this database, as and when, using information from a business card or other exchange of contact details, that Conciliation Resources staff have received during business contact with the individual. They are not sent unsolicited mass communications, for example, to publicise an event or Conciliation Resources news, unless they have indicated they would like to receive these mass mailings via Conciliation Resources website. Staff should not add or keep personal data that may be defamatory or inappropriate for the purpose for which the data is kept. Contacts may directly ask, or use the unsubscribe option in any of Conciliation Resources mass s, for their details to be removed from any of Conciliation Resources databases. Details are also removed when they are believed to be invalid or no further use to Conciliation Resources. Third Party e-bulletin system Conciliation Resources sends mass s about its news and latest work via a third party e-bulletin system, currently MailChimp. Users indicate their preferences to receive these s by actively subscribing via the Conciliation Resources website. These preferences are stored in the MailChimp database 2 and copied to the Conciliation Resources Contacts Database. All recipients are given the opportunity to opt-out of these 1 Sensitive personal data is defined as personal data consisting of information about racial or ethnic origin, political opinion, religious or other beliefs, trade union membership, physical or mental health or condition, sexual life, criminal proceedings or convictions. 2 MailChimp only has access to names and addresses of people signed up to receive mailings from Conciliation Resources none of which will be shared with a third party. Shared_Files:Operations:Policies_Guidelines:Approved:Data_Protectection_and_Privacy:Data Protection and Privacy Policy.docx Page 3 of 8

4 communications at any time via an unsubscribe link contained in every e-bulletin. Conciliation Resources Publications For purposes of distribution of printed publications, postal addresses of recipients are shared with a mail house under a strict written agreement which prevents the sharing and secure storage of personal data. Only the PPC Programme Officer or a staff member providing cover for that role is authorised to share the postal addresses of Accord recipients with the company that handles distribution of Conciliation Resources publications. Likewise, only the designated staff member coordinating a mailing of any programme publication (not Accord-related) is authorised to share the postal addresses of recipients with the company handling distribution of the publication. Recruitment Conciliation Resources gathers personal data for the purpose of staff recruitment. Data obtained through recruitment is not used for any other purpose. Only relevant personal information is gathered through the application form, and candidates are informed that the personal information obtained through the form will be used according to this policy. Applicants are informed if any of the data they supply is to be checked. Information is kept secure and not disclosed to a third party except those involved in the recruitment process. Staff involved in recruitment are aware of data protection regulations and are required to handle personal information with sensitivity. Application forms of unsuccessful short-listed candidates are destroyed after twelve months of the position being filled and all score sheets and interview notes are to be passed on to the Director of Operations who will keep them securely for a period of twelve months. Electronic versions of application forms of unsuccessful short-listed candidates are also be deleted after twelve months of the position being filled. Personnel Personal information about staff, consultants and volunteers is processed primarily for statutory HR purposes. Such information includes (where applicable) contact details, next of kin details, bank account data for salary payment, time taken off for sickness, leave, etc. Accident information is kept in a Health & Safety Accident Register maintained by the Operations Officer and kept in Core and Ops. All personal information about staff, whether maintained electronically or manually, is only accessible to the person s direct Line Manager and other appropriate staff as identified in other policies and procedures. At the point that a staff member, consultant or volunteer leaves Conciliation Resources we will seek their permission to maintain their personal contact information on our contacts database. Contact information may continue to be held if the person wishes to be kept informed of Conciliation Resources work. Basic contact information (ie address) is required until at least the end of the financial year in order to send P60s to former staff. Sensitive personal data, if collected at all, is only for the purpose of monitoring HR policies such as Diversity and Inclusion policy. All other Personnel records are managed in accordance with Conciliation Resources Retention of Records Policy. Staff leaving Conciliation Resources are subject to the confidentiality clause in their employment contract whereby they are prohibited from disclosing any confidential information to which they may have had access during their employment at Conciliation Resource. Shared_Files:Operations:Policies_Guidelines:Approved:Data_Protectection_and_Privacy:Data Protection and Privacy Policy.docx Page 4 of 8

5 7. Access to data Staff, volunteers and other subjects of personal data held by Conciliation Resources have the right to access any personal data that is being kept about them in electronic form. They also have access to paper-based data held in physical filing systems. Any person who wishes to exercise this right should make the request in writing to the Director of Operations. Conciliation Resources reserves the right to charge a modest fee payable for each subject access request. If personal details are inaccurate, they will be amended upon receipt of a written request detailing the inaccuracies that need to be corrected along with the correct information. The computer systems and all information held on them remain Conciliation Resources property at all times. A staff member s , files or telephone messages may be accessed in their absence by another member of staff if necessary for Conciliation Resources activities and with the permission of the Line Manager or, if unavailable, an EMC Director. Computer hard drives and server accounts are also accessed by IT staff for maintenance and admin purposes. 8. Retention of Data Conciliation Resources will keep some forms of information for longer than others. As part of our Risk Management Strategy, Conciliation Resources carries out regular backups of data held on its internal databases and of files held on its server such as s and document files. The backups are either done externally or on our servers on a regular basis and at any point in time, data that is up to two years old can be retrieved. Only designated staff have access to the old data. In the event that data is restored from the backup the staff member carrying out the procedure must be sensitive to the data protection implications of this action. 9. Data Protection/Privacy Statement For the purposes of this policy, to safeguard individual privacy, various statements will be used in the communications. These are as follows: For all s sent from a Conciliation Resources address This is intended only for the named addressee(s) and may contain confidential and/or privileged material. If you have received this in error, please notify Conciliation Resources immediately on cr@c-r.org and delete the message. For e-bulletins (MailChimp system) You are receiving this because you subscribed via the Conciliation Resources website ( or expressed an interest in receiving such mailings. The above statement appears next to an unsubscribe from this list option and an update subscription preferences option, where users can decide on which types of mailings they want to receive, eg programme-specific, job opportunities. June 2013 Shared_Files:Operations:Policies_Guidelines:Approved:Data_Protectection_and_Privacy:Data Protection and Privacy Policy.docx Page 5 of 8

6 Appendix 1 Data Protection and Privacy Policy: Guidelines for staff Conciliation Resources is registered with the UK Information Commissioner (ICO) as a Data Controller on the public register of data controllers. We meet the requirements of the Data Protection Act 1988 and have our own detailed policy in place (see Data Protection and Privacy Policy). The following guidelines are provided for staff as a quick guide to complying with this policy: 1. Contacts Database a. Do not enter personal data that may be considered, or is, defamatory or inappropriate for the purpose served by the contacts database. Inappropriate data includes information about racial or ethnic origin, political opinion, religious or other beliefs, trade union membership, physical or mental health or condition, sexual life, criminal proceedings or convictions. b. Be attentive to previous comments in the Contacts Database and ensure that comments are deleted or edited as required. c. If a contact asks for their details to be removed from the database, this request must be passed on to the person responsible for the relevant database (see section 5 of the Data Protection Policy). If the contact is subscribed to Conciliation Resources ing lists (via website sign-up, information is recorded on the contacts database), the staff member who receives the request must inform the Communications Manager so that they can be unsubscribed. d. Staff must not give out personal information, eg personal telephone numbers, personal addresses, or personal social media handles without permission of the individual concerned, or unless the information is already in the public domain. 2. Conciliation Resources Publications a. Only the PPC Programme Officer or a staff member providing cover for that role is authorised to share the postal addresses of Accord recipients with the company that handles distribution of Conciliation Resources publications. b. Likewise, only the designated staff member coordinating a mailing of any programme publication (not Accord-related) is authorised to share the postal addresses of recipients with the company handling distribution of the publication. 3. Recruitment a. Information provided by individuals on application forms can only be kept on a Conciliation Resources database if the applicant gives permission for that data to be retained. b. Staff involved in recruitment should ensure personal information is handled with sensitivity. c. Paper application forms of unsuccessful short-listed candidates must be shredded within twelve months of the position being filled along with any score sheets and interview notes. These should be passed to the Director of Operations or Operations Officer who will keep them securely for the period. d. Electronic versions of application forms of unsuccessful short-listed candidates will also be deleted twelve months after the position has been filled. 4. Personnel a. Personal information about staff, consultants and volunteers is processed primarily for statutory HR purposes and should only be available to the staff member concerned, their Line Manager, the Operations Officer or the Director of Operations. No such information should be kept on Shared Files or in the contacts database. Conciliation Resources HR information system is the web based Shared_Files:Operations:Policies_Guidelines:Approved:Data_Protectection_and_Privacy:Data Protection and Privacy Policy.docx Page 6 of 8

7 Appendix 1 BreatheHR. b. Staff leaving Conciliation Resources are subject to the confidentiality clause in their employment contract whereby they are prohibited from disclosing any confidential information that they may have had access to during their employment at Conciliation Resources. c. Staff leaving Conciliation Resources are entitled to employment references. Personal information relating to Standards of Conduct policies/procedures will be kept on the HR files for the duration stated in those policies or the Retention of Records policy. 5. Information on computers a. The computer systems and all information held on them remain Conciliation Resources property at all times. Staff must not make or keep copies of any Conciliation Resources database on a computer that does not belong to Conciliation Resources. Staff who leave Conciliation Resources must not make or keep copies of any Conciliation Resources database. b. Any non-business-related data stored on Conciliation Resources computer systems (such as personal photographs or music) may be deleted at any time; it is the staff member s responsibility to back up such data if desired. c. A staff member s , files or telephone messages may be accessed by another member of staff if necessary for Conciliation Resources activities and with the permission of the Line Manager or, in their absence, an EMC Director. IT staff have access to all desktops (ie they can see your screen), your s, the contents of desktop and laptop computers including hard drives, and all data stored on Conciliation Resources servers, domain and cloud-based storage, for maintenance, security and admin purposes. 6. Signatures in electronic communications a. The following appears as a footer in all s sent from Conciliation Resources addresses to addresses outside the Conciliation Resources domain: This is intended only for the named addressee(s) and may contain confidential and/or privileged material. If you have received this in error, please notify Conciliation Resources immediately on cr@c-r.org and delete the message. b. For e-bulletins You are receiving this because you subscribed via the Conciliation Resources website or expressed an interest in receiving such mailings. This statement appears next to an unsubscribe from this list option and an update subscription preferences option, where users can decide on which types of mailings they want to receive, eg programme-specific, job opportunities 7. Applying the Policy a. Any breach of this policy will be taken seriously and may result in formal action upto including dismissal. Any questions or concerns about the interpretation or operation of this policy should be raised with the Director of Operations, who is Conciliation Resources designated Data Controller. June 2013 Shared_Files:Operations:Policies_Guidelines:Approved:Data_Protectection_and_Privacy:Data Protection and Privacy Policy.docx Page 7 of 8

8 Appendix 2 Mass s: Guidelines for staff Conciliation Resources adheres to the legal framework outlined by the Information Commissioner s Office (ICO) for marketing s. Our approach also ensures relevant and regular outreach to promote our messages. ing contacts These guidelines do not affect the day-to-day ing of your contacts, which you should do from your Conciliation Resources account. You can send s in this way to groups of contacts together, as long as there is a mutual understanding of relevance to all recipients (ie you are not spamming 3 people) eg joint working on projects, organising small meetings. To larger groups of contacts to highlight recent news or with event invitations, the mailing must be done via the Communications Team using the third party e-bulletin system. Mass s You cannot opt contacts in to receive marketing s from Conciliation Resources they must choose to opt-in. You can help your contacts opt-in to receive mass s by filling out their name and address on this page of our website: o Select Conciliation Resources E-News plus the programme/interest area they have. o The contact will be sent an automatically generated explaining they have been added to our subscriber list following some recent communication they would have had with Conciliation Resources. They will be asked to confirm their subscription by clicking on a link. o You will be able to find out if the contact has agreed to the subscription by checking the contact entry on Conciliation Resources Contacts database, which is updated monthly by the IT Officer for new or amended preferences. o If they do not confirm the subscription, we cannot send mass s to them. You can them personally if you wish. You must not help people subscribe to mass mailings if you have not had any personal contact with them. The ICO would consider this as spamming and would investigate Conciliation Resources if we were found to be doing this. The complaint systems on third party e-bulletin platforms are now very rigorous to prevent spamming. Tips If you have large lists of contacts who you think should be subscribed to Conciliation Resources mailings (but the list is too long to make subscribing them individually viable), contact the Communications Team to discuss the options. If you know you will want to send a mass to a considerable number of people you have had no previous personal contact with, you will need to build an approach to tackle this into your forward planning time. You should personally each contact as soon as possible to explain what you would like to them about and that you would like to initiate the subscription process. If they agree, follow the subscription steps in Mass s above to help them subscribe to the mailing. You must continue to add contacts to Conciliation Resources contacts database as well as following the subscription steps above to continue to build Conciliation Resources organisational knowledge. June Spam is unsolicited s sent to groups of people. You are spamming individuals when they did not consent to receiving group s. Shared_Files:Operations:Policies_Guidelines:Approved:Data_Protectection_and_Privacy:Data Protection and Privacy Policy.docx Page 8 of 8