The General Data Protection Regulation was adopted by the European Parliament in April 2016 and comes into force on the 25th May 2018.
1. This policy is the response of In The Footsteps (ITF) to changes to the law, specifically the General Data Protection Regulation (EU) 2016/679 [GDPR] and the Privacy and Electronic Communications Regulation (EC) 2003 [PECR], which impact on ITF in respect of the processing of personal and special category data.
2. Under these changes ITF is required to treat the personal data of those with whom it conducts its business fairly, responsibly, and in a transparent manner.
3. Failure of ITF, its employees, contractors and suppliers to comply with information law could result in an investigation by the Information Commissioner's Office (ICO). The Information Commissioner has the power to serve information, enforcement and assessment notices, issue undertakings, conduct audits, and prosecute those who commit criminal offences under the GDPR. Any such incident could not only cause public embarrassment to ITF and a loss of confidence by its customers, but is likely to have financial consequences in and of itself. In addition, where there has been a serious breach of information law, the ICO can fine organisations up to €20,000,000.
4. Compliance with this policy provides assurance for both the organisation and data subjects that the personal data processed by ITF is handled legally, effectively and efficiently, with ethical best practice at the root of decision making, in order to protect the privacy and confidentiality of our customers, customers' group members and those with whom we do business.
5. Articles 4 and 9 of the GDPR define the following key terms thus:
6. ITF processes personal data by both manual (paper) and electronic means about its employees, customers, customers’ group members and other individuals for various purposes.
7. To ensure our obligations under information law are met, the processing of personal information must comply with the principles of the GDPR. Accordingly, personal data will be:
8. The Data Controller will be responsible for, and be able to demonstrate compliance with paragraph 1 (‘accountability’).
9. In line with these principles, ITF, through appropriate management and the strict application of criteria and controls, will:
10. Where ITF acts in its capacity as a data controller, this policy applies to all of its employees, contractors and suppliers.
11. This policy covers all aspects of personal data which are processed for any purpose and by any means, by or on behalf of ITF. It relates to personal data held both manually and electronically, and in all information systems purchased, developed and managed by, or on behalf of, ITF.
12. The Directors assume ultimate responsibility for ensuring appropriate data protection compliance within ITF. Implementation of, and compliance with, this policy is delegated to the Data Protection Officer (DPO).
13. The DPO, who is the Business Administrator, is responsible for protecting the personal data held by ITF by ensuring that the business has a suitably robust information governance function, supported by appropriate policies and processes. This will include monitoring appropriate information sharing with external contractors and suppliers to facilitate coordinated provision of service. The DPO will champion Information Governance requirements and issues at the highest level within the organisation.
14. ITF requires all employees and contractors to treat personal data with strict confidentiality, in line with data protection law. This policy does not form part of the formal contract of employment, but it is a condition of employment that staff members abide by the rules and policies as set out by ITF. Failure to act in line with this policy may result in disciplinary action.
15. Contractors or employees of external organisations who require access to personal data must be subject to suitable contractual arrangements, requiring them to follow the policies and processes of ITF when handling personal data. These contractual arrangements also protect and indemnify ITF against the improper use of personal data.
16. In the context of their work, employees and contractors may have access to personal data relating to customers, customers’ group members and others. Where they have concerns about data handling, or should they believe this policy has not been followed, they should raise the matter with the DPO.
17. ITF is committed to ensuring that employees are aware of data protection through annual data protection awareness training.
18. ITF endeavours to make its contractors and suppliers aware of data protection requirements through the communication of this policy and the related policies and processes.
19. It is a criminal offence for a person to knowingly or recklessly obtain or disclose personal data without the consent of the Data Controller. A deliberate breach of this policy will be considered a serious disciplinary matter, or breach of contract, and dealt with accordingly. Examples of offences which may be considered to be gross misconduct or a breach of contract are (the list is not exhaustive):
20. The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
21. To lawfully process the personal information of a data subject, ITF relies upon contractual obligation, legitimate interest or consent. Where consent is necessary for processing, it must be explicit, freely given, specific and informed. ITF is committed to processing personal data in a fair and transparent manner.
22. Where consent is relied upon as a legitimising condition for processing:
23. ITF has developed a series of resources to give information about privacy and data protection, and support data subjects in understanding their rights and any intended processing, which data subjects will be made aware of when they give consent for us to process their personal data.
24. Where a data subject wishes for personal data to be disclosed to a third party, such as a family member, ITF must be notified of this in writing.
25. Disclosure of any personal data to a third party must be necessary for the original purpose for which the information was collected, and, where appropriate, undertaken with the consent of the data subject.
26. The General Data Protection Regulation gives data subjects the following rights regarding the processing of their personal data. ITF informs data subjects of their information rights by provision of our GDPR policy online both externally and internally and in privacy notices on our website.
27. ITF is committed to processing personal data in a transparent manner.
29. Privacy information must be provided in an accessible form, using clear and plain language, and providing all relevant information.
30. Where possible, ITF will rely by preference on contractual obligation, legitimate interest and consent in order to undertake any processing of personal data, and ensures that consent is explicit and informed. ITF will also seek consent where possible for any disclosure of personal data to a third party, and will keep records of all such disclosures.
31. ITF aims to provide data subjects with opportunities to monitor the processing of their own personal data.
32. Under the GDPR, data subjects have the right to receive confirmation that their data is being processed, a copy of, or access to, their personal data, and other supplementary information regarding processing (including the purposes of processing, the categories of personal data involved, the recipients of any disclosure, retention periods for personal data, and the existence of automated decision-making and profiling). This information will be provided at cost or £10.00, whichever is the lesser, and a response will be made within one month of receipt of the request, or of confirmation of the identity of the requestor, whichever is the later.
33. Subject access requests should be directed to the DPO.
34. Data subjects are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed inaccurate or incomplete personal data to a third party, you must also inform them of the rectification, if possible, and inform the data subject about any third parties to whom the data has been disclosed. Rectification must take place within one month of receipt of the request, or confirmation of the identity of the requestor, whichever is the later.
35. Where possible, ITF aims to allow data subjects to access and amend their own personal data.
36. Rectification requests are dealt with by the administration department and if a rectification request requires further checks to be carried out, the personal data will be restricted until an outcome is determined. Proof of the identity of the person making the request, or of guardianship if they are not the data subject, will be required before a request for rectification can be actioned.
37. ITF keeps records of all rectification requests and their outcome.
38. The right to erasure, also known as ‘the right to be forgotten’, enables a data subject to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
39. Following a request under the right to erasure, personal data must be erased where:
40. If the processing causes damage or distress, this is likely to make the case for erasure stronger. If you have disclosed the personal data in question to third parties, you must also inform them about the erasure of the personal data. However, there are some circumstances where the right to erasure does not apply and you can refuse to deal with a request.
41. Erasure requests are dealt with by the administration department. Proof of the identity of the person making the request, or of guardianship if they are not the data subject, will be required before a request for erasure can be actioned.
42. ITF aims to comply with all right to erasure requests within one month of receipt, or receipt of proof of the identity of the requestor, whichever is the later.
43. ITF keeps records of all erasure requests and their outcome.
44. Under the GDPR, when processing is restricted you are permitted to store the personal data, but not further process it. You can retain just enough information about the data subject to ensure that the restriction is respected in the future.
45. You are required to restrict the processing of personal data in the following circumstances:
46. ITF aims to comply with the right to restrict processing by building restriction into its records management, right to object and rectification processes.
47. Where a data subject makes a request to restrict processing, it will be handled by the administration department. Proof of the identity of the person making the request, or of guardianship if they are not the data subject, will be required before a request for restriction can be actioned.
48. Restrictions will be put into place within a month of receipt, or within a month of receipt of proof of the identity of a requestor, whichever is the later. If we have disclosed the personal data in question to third parties, we will inform them about the restriction of processing of the personal data.
49. ITF keeps a record of all restriction of processing requests and their outcome.
50. The right to data portability allows data subjects to obtain and reuse their personal data across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
51. The right to data portability only applies to personal data a data subject has provided to a controller, where the processing is based on the data subject’s consent or for the performance of a contract, and when processing is carried out by automated means.
52. You must provide the personal data in a structured, commonly used and machine readable form, free of charge, and within one month of receiving the request or proof of the identity of the requestor, whichever is the later. If the data subject requests it, you should transmit the data directly to another organisation (if this is technically feasible).
53. Where a data subject makes a request for data portability, it will be processed by the administration department. The data subject will be required to provide proof of identity before a request for data portability can be actioned.
54. ITF keeps a record of all requests for data portability and their outcome.
55. Data subjects have the right to object to processing based on legitimate interests, or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for the purposes of scientific/historical research and statistics.
56. Where a data subject objects to the processing of their personal data based on any of those grounds, you must stop unless:
57. Upon receiving an objection, ITF will immediately restrict processing of the personal data. If a determination is necessary regarding whether or not to stop processing, it will be referred to the DPO. A determination will be made one month from receipt of the request, or proof of the identity of the requestor, whichever is the later. The data subject, or their guardian, may be required to provide proof of identity before an objection can be actioned.
58. You must stop processing personal data for direct marketing purposes as soon as you receive an objection. There are no exemptions or grounds to refuse. Should such a request be made, ITF will, in a timely manner, restrict the personal data and stop processing; no determination will be necessary. Requests to stop processing for direct marketing purposes will be handled by the Business Administrator.
59. We will aim to make the right to object exercisable through online means via the ITF website. However, data subjects can also object by contacting ITF directly.
60. ITF keeps a record of all objections to processing and their outcome.
61. Data subjects have the right not to be subject to a decision when it is based on automated processing and it produces a legal effect or a similarly significant effect on the data subject. You must ensure that data subjects can obtain human intervention, express their point of view, and obtain an explanation of the decision and challenge it.
62. ITF does not undertake any decision-making based on personal data by automated processing. All processing is subject to human intervention and oversight.
63. Where information about automated decision making is requested, it should be provided by the DPO, and records of such requests and their outcome maintained. Proof of identity may be required before a person-specific response can be provided. Responses will be provided within one month of receipt of the request, or of proof of the identity of the requestor.
64. In certain circumstances, it is appropriate that ITF shares or discloses personal data. Where possible and appropriate, the data subject’s consent will be sought prior to any sharing or disclosure.
65. Personal data will only be shared without the subject’s consent in the following circumstances:
66. If personal data will be used for legitimate business purposes by a third party, it will first be anonymised or pseudonymised. Where this is not possible, data subjects will be informed at the point of collection that their personal data will be used for that purpose. Special category personal data will never be used for the purposes of legitimate business interests.
67. Where personal data will be shared with a data processor, an appropriate contractual agreement is in place which specifies how personal data may be processed, for what purposes, and under what security conditions. Such a contract sets out the obligations of both parties and indemnifies ITF against risk in the case of the misuse of personal data by a contracted processor.
68. Records of all data sharing and disclosures, data sharing requests, the conditions for sharing or disclosure, and the outcomes of such activities, are maintained by ITF.
69. Principle (f) of the GDPR states that organisations must ensure “appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. With continual changes to both technology and the demand for ever-easier ways by which information can be accessed and shared, it is important that a consistent approach be adopted to safeguard information.
70. ITF will ensure that appropriate technical and organisational measures are in place, supported by privacy impact and risk assessments, to ensure a high level of security for personal and confidential data, and a secure environment for information held both manually and electronically.
71. Records management refers to a set of activities required for systematically controlling the creation, distribution, use, maintenance, and disposition of recorded information maintained as evidence of business activities and transactions. It is impossible to be compliant with information law without robust records management policies and practices.
72. Good records management practices ensure not only record quality, but that personal data is only kept for as long as necessary for its original purpose, and help support data minimisation. They are integral to information security methodology, and to ensuring the integrity and confidentiality of personal data. They are a key feature of risk management.
73. ITF is committed to implementing robust records management policy, process and practices to ensure compliance with the GDPR.
74. An understanding of risk and the application of risk assessment methodology is essential to being able to effectively create a secure environment for personal data. The information held by an organisation is not only one of its greatest assets, but also a potential liability. Information compliance therefore requires a proactive approach to risk management both to limit liability and protect information assets.
75. While it is not possible to eliminate all elements of threat, risk management aims to identify and classify risks to information systems and personal data, and find ways of mitigating, eliminating and managing those risks. In addition, it looks at ways to manage and control incidents. It should form the backbone of all other compliance measures. With reporting regulations under the GDPR, this becomes increasingly important to insulate ITF from sanctions and prosecution.
76. ITF approaches risk management through risk evaluation and incident management processes, and where practicable by the use of privacy impact assessments.