Aims of this Policy
Crossing Countries needs to keep certain information on its volunteers, directors, advisors, funders, partners, consultants, suppliers, business contacts and associates to carry out its day-to-day operations, to meet its objectives and to comply with its legal obligations. To the extent that this information is personal data (which means any information about an individual whose identity is apparent or can reasonably be ascertained from such information), Crossing Countries is committed to ensuring that such personal data is kept secure and that the organisation manages it in accordance with applicable data protection laws (including the Data Protection Act 1998).
To ensure that personal data is dealt with in line with applicable data privacy laws and to provide a framework for good practice within the business, we have adopted this policy to set out the principles which will apply to all staff of Crossing Countries including directors, advisors and volunteers. The aim of this policy is to ensure that everyone handling personal data is fully aware of such principles and the legal requirements to ensure that personal data is used fairly, stored safely and not disclosed unlawfully.
You must read this policy carefully as it contains important information, and failure to comply with the data protection procedures could result in disciplinary action. In addition, a failure to comply with this policy could expose Crossing Countries to enforcement action by appropriate local data protection supervisory authorities and/or to complaints or claims for compensation from affected individuals. There may also be negative publicity as a result of any breach.
The definition of ‘data subjects’ for the purpose of this policy includes all living individuals about whom we hold personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.
The definition of ‘processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes paper-based personal data (where it is held in a structured filing system) as well as data kept on computer.
Type of personal data processed
The policy covers all personal data in any form (including but not limited to electronic data, paper documents and disks) and all types of processing, whether manual or automated, that is under Crossing Countries’ possession or control. This includes the following (without limitation):
- information on applicants for volunteer positions, including references; and
- contact details and, where relevant (and provided we have specific express written consent), medical information for volunteers, funders, associates and members.
By way of example, personal data is kept in the following forms:
- application forms
- booking, personal and travel information forms and pre- and post-trip questionnaires
- funder and associate spreadsheets
- digital address books
Personal data is processed in order to:
- ensure that appropriate individuals are selected to volunteer at Crossing Countries;
- communicate with funders, associates, members and volunteers as and when necessary; and
- ensure that appropriate action can be taken in the event of any incident involving the health and safety of a volunteer during their time at Crossing Countries.
Crossing Countries will only process personal data for the specific purposes set out above, or for any other purposes specifically permitted by applicable data protection law or set out in an applicable data processing notice and/or consent obtained from the relevant data subject. We will notify the data subject of those purposes when we first collect the personal data.
Data Protection Principles
In line with the Data Protection Act 1998 principles, Crossing Countries will ensure that personal data will:
- be obtained fairly and lawfully;
- be obtained only for one or more specified and lawful purposes, and not be further processed in any manner incompatible with those purposes;
- be adequate, relevant and not excessive (i.e. proportionate to the purpose for which it is required);
- be accurate and kept up to date;
- not be held longer than necessary (otherwise that data may cease to be relevant and become excessive);
- be processed in accordance with the rights of data subjects;
- be subject to appropriate technical and security measures; and
- not be transferred outside the European Economic Area (EEA) unless the destination country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
In order to comply with the principles above, Crossing Countries will abide by the following four key principles of good data governance:
- Accountability: Crossing Countries’ staff shall follow publicised data principles and good practice guidelines to help gain public trust and safeguard personal data.
- Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has access to this data.
- Consent: The collection and use of personal data must be fair and lawful. Personal data should only be used for the purposes agreed by the data subject. If personal data is to be shared with a third party or used for another purpose, the data subject’s consent should be explicitly obtained.
- Stewardship: Those collecting personal data have a duty of care to protect the data throughout the data life span.
Responsibilities and Policy Implementation
Overall responsibility for personal data rests with the director(s) of Crossing Countries. However, all staff, trustees and volunteers have responsibilities to abide by this policy. A breach of this policy will result in disciplinary proceedings.
You agree that you will:
- ensure any personal data is collected in a fair and lawful way, i.e. ensure that at least one of the following applies: (a) the data subject has given his or her consent to the processing; (b) the processing is necessary in order to enter into or perform a contract with the data subject; (c) the processing is necessary for the purposes of legitimate interests pursued by Crossing Countries (except where outweighed by the rights and interests of the data subject); or (d) the processing is necessary for compliance with a legal obligation;
- explain why personal data is needed before it is collected, in other words, you can’t hold personal data on a ‘just-in-case’ basis;
- ensure that sensitive personal data will not be used apart from the exact purpose for which written consent was given;
- ensure that only the minimum amount of information needed is collected and used e.g. the details necessary to maintain health and safety on any trips and to promote the objects of Crossing Countries;
- ensure the personal data used is up to date and accurate – e.g. review contact information at least annually;
- review the length of time personal data is held, and not hold it for longer than is necessary – e.g. personal and travel information should only be held for three years after the trip, and information contained in applications and references should be destroyed three years after collection;
- ensure personal data is kept safely and comply with the password protection programme when using Gsuite;
- ensure the rights people have in relation to their personal data can be exercised, i.e.:
- a right of access to a copy of the information comprised in their personal data;
- a right to object to processing that is likely to cause or is causing damage or distress;
- a right to prevent processing for direct marketing;
- a right to object to decisions being taken by automated means;
- a right to have inaccurate personal data rectified, blocked, erased or destroyed; and
- a right to claim compensation for damage caused by a breach of the Act.
Crossing Countries will ensure that:
- everyone managing and handling personal data is trained to do so;
- anyone wanting to make enquiries about handling personal data, whether a member of staff, volunteer or service user, knows what to do;
- any disclosure of personal data will be in line with our procedures; and
- queries about handling personal data will be dealt with swiftly and politely.
Training and awareness raising about the Data Protection Act and how it is followed in this organisation will take the following forms:
On induction, new staff, directors, volunteers and advisors will be:
- issued with this policy and the ‘ten rules of data protection compliance’ via email and asked to confirm receipt and understanding by email;
- informed that they must not discuss or pass on any information regarding the disability or medical history of any applicant, volunteer or advisor unless previously having been given permission by that person; and
- informed that they must not disclose any passwords accessing any Crossing Countries’ information.
- At Crossing Countries’ AGM, advisors will be reminded about their data protection responsibilities and issued with this policy and the ‘ten rules of data protection compliance’ as required.
Data subjects have the right to:
- know whether any personal data is being processed;
- be given a description of the personal data, the reasons it is being processed, and a note of whether it will be given to any other organisations or people;
- be given a copy of the personal data and be given details of the source of the data (where this is available); and
- in some circumstances, prevent processing of their personal data, and have information regarded as wrong rectified, blocked, erased or destroyed.
Any person wishing to exercise these rights should apply in writing to Jean Cathro (Founder); firstname.lastname@example.org . Any such request received by anyone else at Crossing Countries should be forwarded to her as soon as it is received.
The following information will be required before access is granted: the data subject’s full name and their relationship with Crossing Countries. We may also require proof of identity before access is granted; to establish this, a copy of the individual’s passport or driving licence will be required. In line with the retention principle above, copies of identity documents obtained for this purpose should be destroyed once identity has been verified. Requests will be dealt with swiftly and politely, and in any event the information must be provided within 40 days of receiving the written request (together with any information needed to confirm the requester’s identity), as the Act requires.
Crossing Countries will maintain data security by protecting the confidentiality, integrity and availability of the personal data, and will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure as follows:
- Confidentiality: ensure that only people who are authorised to use the data can access it;
- Integrity: ensure that personal data is accurate and suitable for the purpose for which it is processed;
- Availability: ensure that authorised users are able to access the data when they need it for authorised purposes; to this end, personal data is stored on Crossing Countries’ central computer system rather than on individual PCs.
The additional following measures will also be taken, which you agree to comply with to the extent relevant to your role:
- all personal data will be password protected and, where stored physically, will be kept in locked desks;
- only personal data that is necessary for the health and safety of the volunteers on a trip may be taken off site, whether as a paper document or on a password-protected laptop;
- any unauthorised disclosure may result in dismissal or the termination of the volunteering agreement (as applicable);
- any unauthorised disclosure of personal data to a third party by a volunteer or advisor may result in the volunteer or advisor being held personally liable for any penalty arising from a breach that they have made; and
- staff must ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.
Steps to take in the event of a Data Breach
A data breach is a security incident which involves the unauthorised or inappropriate disclosure of, access to, or loss of personal data. Data breaches can arise from a range of circumstances, from deliberate third-party attacks on IT infrastructure designed to harvest personal data for criminal purposes, to the accidental loss of storage devices (e.g. mobile phones, laptops, USB devices) by staff.
Whilst it is not possible to eliminate accidental data loss due to human error or to provide 100% protection against all external third-party attacks which may undermine or expose the security of Crossing Countries’ systems and personal data, Crossing Countries has established a security framework designed to reduce the overall risk of security incidents arising and/or the potential for a data breach. Crossing Countries’ security framework is underpinned by procedures which all members of staff are expected to be aware of and comply with as relevant to their functions.
In summary, data breaches are dealt with by preparing in advance and then following a four-step approach of detection, assessment, response handling, and reporting and review, as follows:
Figure 1: Circular diagram of five stages linked by arrows: Prepare; 1. Detection; 2. Assessment; 3. Response; 4. Report and review
Your key responsibilities are to comply with this policy and to be mindful of potential data breaches. If you have any concerns, you should report them to Jean Cathro, who will liaise with legal advisors as appropriate to help deal with the breach.
This policy will be reviewed annually to ensure it remains up to date and compliant with the law, including after the General Data Protection Regulation comes into force in May 2018.