Data Management

Learning Space will ensure that all personal data that it holds will be:

  • processed lawfully, fairly and in a transparent manner;

  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

  • adequate, relevant and limited to what is necessary;

  • accurate and kept up to date;

  • kept in a form which permits identification of data subjects for no longer than is necessary;

  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

 

Data Protection Policy

1. Introduction to the GDPR

Under the EU General Data Protection Regulation (GDPR), Learning Space (hereinafter referred to as “the Charity”) is required to comply with the GDPR and undertakes to do so.

 

2. The definitions of terms used in this policy:

Data Subject

A data subject is an identifiable individual person about whom the Charity holds personal data.

Contact Information

For the purposes of this Policy, “Contact Information” means any or all of the person’s:

  • full name (including any preferences about how they like to be called);

  • full postal address;

  • telephone and/or mobile number(s);

  • e-mail address(es);

  • social media IDs/UserNames (eg: Facebook, Skype, Hangouts, WhatsApp).

Principles of the GDPR

The Charity will ensure that all personal data that it holds will be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals;

  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Lawful Processing

The Charity will obtain, hold and process all personal data in accordance with the GDPR for the following lawful purposes.

In all cases the information collected, held and processed will include Contact Information.

By Consent

  1. People who are interested in, and wish to be kept informed of, the activities of the Charity.

  2. Subject to the person’s consent, this may include information selected and forwarded by the Charity on activities relevant to those of the Charity by other organisations.
    Note: this will not involve providing the person’s personal data to another organisation.

The information collected may additionally contain details of any particular areas of interest about which the person wishes to be kept informed.

The information provided will be held and processed solely for the purpose of providing the information requested by the person.

By Contract

People who sell goods and/or services to, and/or purchase goods and/or services from the Charity.

The information collected will additionally contain details of:

  1. The goods/services being sold to, or purchased from the Charity;

  2. Bank and other details necessary and relevant to the making or receiving of payments for the goods/services being sold to, or purchased from the Charity.

The information provided will be held and processed solely for the purpose of managing the contract between the Charity and the person for the supply or purchase of goods/services.

By Legal Obligation

People where there is a legal obligation on the Charity to collect, process and share information with a third party – eg: the legal obligations to collect, process and share with HM Revenue & Customs payroll information on employees of the Charity.

The information provided will be held, processed and shared with others solely for the purpose of meeting the Charity’s legal obligations.

By Vital Interest

The Charity undertakes no activities which require the collection, holding and/or processing of personal information for reasons of vital interest.

By Public Task

The Charity undertakes no public tasks which require the collection, holding and/or processing of personal information.

Volunteers, Including Trustees

In order to be able to operate efficiently, effectively and economically, it is in the legitimate interests of the Charity to hold such personal information on its volunteers and trustees as will enable the Charity to communicate with its volunteers on matters relating to the operation of the Charity, eg:

  • the holding of meetings;

  • providing information about the Charity’s activities – particularly those activities which, by their nature, are likely to be of particular interest to individual volunteers/trustees;

  • seeking help, support and advice from volunteers/trustees, particularly where they have specific knowledge and experience;

  • ensuring that any particular needs of the volunteer/trustee are appropriately and sensitively accommodated when organising meetings and other activities of the Charity.

 

Individual Rights

Note: The following clauses are taken primarily from the guidance provided by the Office of the Information Commissioner,
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/

The right to be informed 

When collecting personal information, the Charity will provide to the data subject, free of charge, a Privacy Policy written in clear and plain language which is concise, transparent, intelligible and easily accessible, containing the following information:

  • Identity and contact details of the controller
    Note: where the organisation has a controller’s representative and/or a data protection officer, their contact details should also be included

  • Purpose of the processing and the lawful basis for the processing

  • The legitimate interests of the controller or third party, where applicable

  • Categories of personal data
    Not applicable if the data are obtained directly from the data subject

  • Any recipient or categories of recipients of the personal data

  • Details of transfers to third country and safeguards

  • Retention period or criteria used to determine the retention period

  • The existence of each of the data subject’s rights

  • The right to withdraw consent at any time, where relevant

The right of access

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him/her are being processed, and, where that is the case, access to his/her personal data and the information detailed in the Charity’s relevant Privacy Policy:

The right to rectification 

The data subject shall have the right to require the controller without undue delay to rectify any inaccurate or incomplete personal data concerning him/her.

The right to erase (the right to be forgotten)

Except where the data are held for purposes of legal obligation or public task, the data subject shall have the right to require the controller without undue delay to erase any personal data concerning him/her.

 

The right to restrict processing

Where there is a dispute between the data subject and the controller about the accuracy, validity or legality of data held by the Charity, the data subject shall have the right to require the controller to cease processing the data for a reasonable period of time to allow the dispute to be resolved.

The right to data portability 

Where data are held for purposes of consent or contract, the data subject shall have the right to require the controller to provide him/her with a copy, in a structured, commonly used and machine-readable format, of the data which he/she has provided to the controller, and shall have the right to transmit those data to another controller without hindrance.

The right to object

  1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him/her which is based on Public Task or Legitimate Interest (4.5 or 4.6), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

  2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him/her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

  3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

  4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs a) and d) shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

Personnel

Data Protection Officer

The Data Protection Officer is the LS Manager (Gill North).

Data Controller

The Board of Trustees is the Data Controller for the Charity.

Training

The Board of Trustees and Data Processors will periodically undergo appropriate training commensurate with the scale and nature of the personal data that the Charity holds and processes under the GDPR.

Collecting & Processing Personal Data

The Charity collects a variety of personal data commensurate with the variety of purposes for which the data are required in the pursuit of its charitable objects.

All personal data will be collected, held and processed in accordance with the relevant Data Privacy Notice provided to data subjects as part of the process of collecting the data.

A Data Privacy Notice will be provided, or otherwise made accessible, to all persons on whom the Charity collects, holds and processes data covered by the GDPR. The Data Privacy Notice provided to data subjects will detail the nature of the data being collected, the purpose(s) for which the data are being collected, the subject’s rights in relation to the Charity’s use of the data, and other relevant information in compliance with the prevailing GDPR requirements.

Information Technology

Inasmuch as:

  1. none of the Charity’s volunteer Trustees are data protection professionals;

  2. it would be a disproportionate use of charitable funds to employ a data protection professional, given the scale and nature of the personal data held by the Charity;

the Trustees will seek appropriate professional advice commensurate with its data protection requirement whenever:

Data Backups

To protect against loss of data by accidental corruption of the data or malfunction of a removable data storage device (including by physical damage), all the Charity’s personal data shall be backed up periodically and whenever any significant changes (additions, amendments, deletions) are made to the data.

Backup copies of the data shall be held in separate secure locations which are not susceptible to common risks (eg: fire, flood, theft).

Obsolete or Dysfunctional Equipment

(Disposal of Removable Storage Media)

Equipment used to hold personal data, whether permanently or as interim working copies, which comes to the end of its useful working life, or becomes dysfunctional, shall be disposed of in a manner which ensures that any residual personal data held on the equipment cannot be recovered by unauthorised persons.

Inasmuch as:

  1. this will be a relatively infrequent occurrence;

  2. techniques for data recovery and destruction are constantly evolving;

  3. none of the Trustees have relevant up-to-date expert knowledge of data cleansing;

equipment which becomes obsolete or dysfunctional shall not be disposed of immediately. Instead, it will be stored securely while up-to-date expert advice on the most appropriate methods for its data cleansing and disposal can be sought and implemented.

Data Retention Policy

Personal data shall not be retained for longer than ten years:

  1. in the case of data held by subject consent:
    the period for which the subject consented to the Charity holding their data;

  2. in the case of data held by legitimate interest of the Charity:
    the period for which that legitimate interest applies. For example: in the case of data subjects who held a role, such as a volunteer, with the Charity, the retention period is that for which the Charity reasonably has a legitimate interest in being able to identify that individual’s role in the event of any retrospective query about it;

  3. in the case of data held by legal obligation:
    the period for which the Charity is legally obliged to retain those data.

The Charity shall regularly – not less than every 6 months – review the personal data which it holds and remove any data where retention is no longer justified.  

Third Party Access to Data

Under no circumstance will the Charity share with, sell or otherwise make available to Third Parties any personal data except where it is necessary and unavoidable to do so in pursuit of its charitable objects as authorised by the Data Controller.

Whenever possible, data subjects will be informed in advance of the necessity to share their personal data with a Third Party in pursuit of the Charity’s objects.

Before sharing personal data with a Third Party, the Charity will take all reasonable steps to verify that the Third Party is, itself, compliant with the provisions of the GDPR and that this is confirmed in a written contract. The contract will specify that:

  • The Charity is the owner of the data;

  • The Third Party will hold and process all data shared with it exclusively as specified by the instructions of the Data Controller;

  • The Third Party will not use the data for its own purposes;

  • The Third Party will adopt prevailing industry standard best practice to ensure that the data are held securely and protected from theft, corruption or loss;

  • The Third Party will be responsible for the consequences of any theft, breach, corruption or loss of the Charity’s data (including any fines or other penalties imposed by the Information Commissioner’s Office) unless such theft, breach, corruption or loss was a direct and unavoidable consequence of the Third Party complying with the data processing instructions of the Data Controller;

  • The Third Party will not share the data, or the results of any analysis or other processing of the data, with any other party without the explicit written permission of the Data Controller;

  • The Third Party will securely delete all data that it holds on behalf of the Charity once the purpose of processing the data has been accomplished.

Data Breach

In the event of any data breach coming to the attention of the Data Controller, the external response will be for Trustees to immediately notify the Information Commissioner’s Office. The internal response will be to immediately notify the affected users.

In the event that full details of the nature and consequences of the data breach are not immediately accessible (eg: because Data Processors do not work on every normal weekday) the Trustees will bring that to the attention of the Information Commissioner’s Office and undertake to forward the relevant information as soon as it becomes available.

Privacy Policy & Privacy Notices

The Charity will have a Privacy Policy and appropriate Privacy Notices which it will make available to everyone on whom it holds and processes personal data.

In the case of data obtained directly from the data subject, the Privacy Notice will be provided at the time the data are obtained.

In the case that the data are not obtained directly from the data subject, the Privacy Notice will be provided:

  • within a reasonable period of the Charity having obtained the data (within one month); or

  • if the data are used to communicate with the data subject, at the latest, when the first communication takes place; or

  • if disclosure to another recipient is envisaged, at the latest, before the data are disclosed.

 

 

Next Review: November 2021