This is the protection policy for We Are Bearwood. As part of our business we need to collect information from the people we work with. The collection of that data creates an obligation to ensure that we have informed consent to collect information and a transparent plan for managing that information within the scope of data protection regulations.
This policy sets out how we will collect information, store information and seek consent from individuals in relation to the data we store on their behalf.
This policy ensures that We Are Bearwood complies with all legal obligations to:
- Recognise that individuals who provide us with data are the owners of that data
- Store data in a manner that makes the security of that data the most important consideration
- Provide individuals access to all information that is held by us on request
- Protect itself and individuals from the risk of data breach
This policy has been developed in order to comply with the General Data Protection Regulation (GDPR) and UK data protection legislation such as the Data Protection Act 1998. As such, We Are Bearwood commits to embedding the five Data Protection principles in its business:
- Personal data should be processed fairly and lawfully
- Data should be collected for a clear purpose
- Collection should be adequate for that purpose
- Data shouldn’t be kept for too long
- People supplying data should understand their rights
This policy is designed to mitigate risks that might result from data breaches. Through the implementation of this policy, in its entirety, We Are Bearwood seeks to reduce the risk that:
- Consent is not informed when data is collected, by ensuring that individuals know the purpose of data collection
- Breaches of confidentiality occur, by ensuring that the only people within the company who have access to data are those appropriate for the agreed processing
- Data is not maintained in a secure environment, so that loss or theft is prevented
This policy applies to:
- The board
- All offices within the company
- All employed staff
- Any person acting under contract to the company
- Any person acting in a volunteer capacity for the company
The policy applies to all information/data that is collected by the company and is not restricted to electronic information. The range of information collected by the company is contained within the data schema attached within Appendix 1.
The policy also applies to data that is not obtained through direct contact with individuals. For example, this could be data that comes into the company's possession through the operation of a contract or through a transaction with a third-party organisation. All data obtained in such a manner will be treated in the same way as that obtained directly from individuals, and the company will not assume that consent for processing activities has been secured by third-party organisations.
Within We Are Bearwood a number of roles in relation to data protection have been identified.
The Board of We Are Bearwood is accountable for data protection within the organisation, and Marian Hills is the key board member who will be responsible for bringing issues relating to data protection to the Board and ensuring this policy is reviewed.
Access to Data
In managing data We Are Bearwood will ensure that access is restricted to staff that have a legitimate business need.
In order to access data, staff must:
- Be able to demonstrate that access is relevant to their job role
- Protect their access with strong passwords
- Have been provided with appropriate data protection training
- Be aware that data cannot be shared informally within the company or with third-party organisations or contractors; formal processes must be used for all transfers of data
- Regularly review the relevance of their access to data
- Review the data they manage to ensure it is consistent with the consent that provided access to it in the first place
All data that is held by We Are Bearwood must meet recognised standards of data security.
Where data is kept in paper form, these steps will be taken to maintain security:
- Data will be locked in either a filing cabinet or drawer
- Where personal data is removed from company premises there will be a process to sign it out and back in again
- Personal data will be securely shredded
- Personal data will not be left in plain view
Where data is kept in electronic form, these steps will be taken to maintain security:
- Data is kept behind secure passwords
- Software that stores data will be regularly patched with security updates
- Encryption will be used for electronic transfer
- Data will not be stored on personal electronic devices
- External removable storage, used for personal data, will be password protected and encrypted
We Are Bearwood will take steps to ensure that data held is accurate and fit for purpose. To ensure accuracy, these steps will be taken:
- Data will be periodically reviewed to ensure that it is up to date.
- A facility will be provided to allow individuals to update data
- Steps will be taken to reduce data duplication
In order to be consistent with data protection regulations We Are Bearwood will seek informed consent for the collection and use of all personal data. Consent will take the form of an affirmative action on the part of the individual. Consent will not be assumed based on the method by which the data was obtained.
We Are Bearwood will ensure that the consent process is distinct from any need to set out terms and conditions in respect of contracts or transactions.
The consent process will set out in plain English:
- Preferred means of contact
- The purpose of collecting data
- The process for withdrawing consent
- The limit on how long data will be held
In any case where We Are Bearwood is made aware of a data breach, Marian Hills, as the Accountable Individual, will alert the Board at the earliest opportunity. In line with data protection regulations, the Accountable Individual will also notify the Information Commissioner's Office (ICO) of the breach and set out short-term actions that will be taken to:
- Identify the scope of the breach
- Identify individuals affected by the breach
- Identify actions to mitigate further breach
- Develop a plan to communicate with individuals
The Accountable Individual will be the main point of liaison between We Are Bearwood and the ICO. The Accountable Individual will prepare a paper for the Board outlining all the actions set out above.
Where an external body notifies We Are Bearwood of a data breach, the same actions outlined above will be taken.
Data and Third Parties
In working with data and third-party organisations We Are Bearwood will ensure that all data obtained will be treated in the same manner as if it had been obtained from individuals. Consent will not be assumed for processing and, if necessary, will be sought from the individuals.
Where working with a third-party organisation requires the transfer of personal data We Are Bearwood will ensure that explicit consent is sought from the individuals to make such a transfer.
The commitment to explicit consent will be reflected in all contracts made by We Are Bearwood.
Subject Access Requests
All individuals who have data held by We Are Bearwood have a right to:
- Know what data is held
- Have access to data
- Remove data
- Move data to another place (data portability)
We Are Bearwood commits to meeting all Subject Access Requests within the 30-day time limit set within the General Data Protection Regulation. To support Subject Access Requests, there will be clear information from We Are Bearwood about how to make a request. This information will provide a clear outline of what people can request, the time limits for meeting such a request and the method for making a request.
We Are Bearwood will provide a dedicated email address for making requests as well as a phone number and correspondence address.
Appendix 1: Data Schema

| Data element | Why collected | How collected | How stored | How consent is obtained |
|---|---|---|---|---|
| Mailing list information via online email app | To keep in touch with supporters, volunteers, partners and audiences for purposes of updates, calls to action, invitations to events. | Via Mailchimp, which asks for consent to be on different segmented lists (information/updates, volunteers). | In GDPR-compliant Mailchimp app. | Via GDPR Mailchimp permissions process. |
| Mailing list information via hardcopy at events | To keep in touch with supporters, volunteers, partners and audiences for purposes of updates, calls to action, invitations to events. | Via personal interactions at events or through email or introductions. | | |