The General Data Protection Regulation was adopted by the European Parliament in April 2016 and comes
into force on the 25th May 2018.
1. This policy is the response of In The Footsteps (ITF) to changes to the law, specifically the General
Data Protection Regulation (EU) 2016/679 [GDPR], and the Privacy and Electronic Communications
Regulation (EC) 2003 [PECR], which impacts on ITF in respect of the processing of personal and special
category data.
2. Under these changes ITF is required to treat the personal data of those with whom it conducts its
business fairly, responsibly, and in a transparent manner.
3. Failure of ITF, its employees, contractors and suppliers to comply with information law could result
in an investigation by the Information Commissioner's Office (ICO). The Information Commissioner has the power to serve information,
enforcement and assessment notices, issue undertakings, conduct audits, and prosecute those who commit
criminal offences under the GDPR. Any such incident could not only cause public embarrassment to ITF
and a loss of confidence by its customers, but is also likely to have financial consequences in and of
itself. In addition, where there has been a serious breach of information law, the ICO can fine
organisations up to €20,000,000.
4. Compliance with this policy provides assurance for both the organisation and data subjects that the
personal data processed by ITF is handled legally, effectively and efficiently, with ethical best
practice at the root of decision making, in order to protect the privacy and confidentiality of our
customers, customers' group members and those with whom we do business.
Definitions
5. Articles 4 and 9 of the GDPR define the following key terms thus:
a. Personal data — Any information relating to an identified or identifiable natural
person.
b. Special category data — Personal data consisting of or regarding racial or ethnic
origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data,
biometric data, health, sex life or sexual orientation. Additionally, while they are not considered
"special category data", children's data and also data relating to criminal convictions are
afforded further protections.
c. Data subject — An identified, or identifiable natural person.
d. Processing — Any operation (or set of operations) which is performed on personal data.
e. Restriction of processing — The marking of stored personal data with the aim of
limiting their processing in the future.
f. Profiling — Any form of automated processing of personal data consisting of the use
of personal data to evaluate certain aspects relating to a person.
g. Pseudonymisation — Processing personal data in such a manner that the personal data
can no longer be attributed to a specific data subject without the use of additional information,
provided that such additional information is kept separately.
h. Filing system — Any structured set of personal data accessible according to
specific criteria.
i. Data Controller — The natural or legal person, public authority, agency or body
which, alone or jointly with others, determines the purposes and means of the processing of personal
data.
j. Processor — A natural or legal person, public authority, agency or body which
processes personal data on behalf of the controller.
k. Recipient — A natural or legal person, public authority, agency or another body, to
which the personal data are disclosed, whether a third party or not.
l. Third party — A body other than the data subject, controller, processor and persons
who, under the direct authority of the controller or processor, are authorised to process personal
data.
m. Personal data breach — A breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted,
stored or otherwise processed.
n. Genetic data — Personal data relating to the inherited or acquired genetic
characteristics of a natural person which give unique information about the physiology or the health of
that natural person and which result, in particular, from an analysis of a biological sample from the
natural person in question.
o. Biometric data — Personal data resulting from specific technical processing
relating to the physical, physiological or behavioural characteristics of a natural person, which allow
or confirm the unique identification of that natural person, such as facial images or fingerprint
data.
p. Main establishment — The place of central administration in the EU, or place where
processing of personal data takes place in the EU.
q. Representative — A natural or legal person established in the EU who, designated by
the controller or processor in writing, represents that controller or processor in regard to their
respective obligations under the Regulation.
r. Enterprise — A natural or legal person engaged in economic activity, irrespective
of its legal form.
s. Supervisory authority — An independent public authority which is established by a
Member State pursuant to Article 51 of the GDPR, such as the UK’s ICO.
t. Cross-border processing — Processing of personal data which takes place in the
context of the activities of establishments in more than one Member State, or which is likely to
substantially affect data subjects in more than one Member State.
u. Information society service — Any service normally provided for remuneration at a
distance, by means of electronic equipment for the processing (including digital compression) and
storage of data, at the individual request of a recipient of the service.
Purposes
6. ITF processes personal data by both manual (paper) and electronic means about its employees, customers, customers’ group members and other individuals for various purposes.
Principles
7. To ensure our obligations under information law are met, the processing of personal information must
comply with the principles of the GDPR. Accordingly, personal data will be:
a. Processed lawfully, fairly and in a transparent manner in relation to the data subject.
b. Collected for specified, explicit and legitimate purposes and not further processed in a manner that
is incompatible with those purposes.
c. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are
processed (‘data minimisation’).
d. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that
personal data that are inaccurate, having regard to the purpose for which they are processed, are erased
or rectified without delay.
e. Kept in a form that permits identification of data subjects for no longer than is necessary for the
purposes for which the personal data are processed.
f. Processed in a manner that ensures appropriate security of the personal data, including protection
against unauthorised or unlawful processing and against accidental loss, destruction or damage, using
appropriate technical or organisational measures (‘integrity and confidentiality’).
8. The Data Controller will be responsible for, and be able to demonstrate compliance with paragraph 1
(‘accountability’).
9. In line with these principles, ITF, through appropriate management and strict application of criteria
and controls, will:
a. Fully observe the conditions regarding the fair collection and use of information.
b. Specify the purposes for which information is used.
c. Be transparent with data subjects regarding use of their personal data.
d. Collect and process appropriate information, and only to the extent that it is needed.
e. Use compliant processes to fulfil operational needs while complying with legal requirements.
f. Embed policy and process to ensure information quality and accuracy.
g. Develop compliant retention processes.
h. Audit and evidence compliance, where requested.
i. Ensure that the rights of data subjects can be fully exercised in line with legislation.
j. Take appropriate technical and organisational security measures to safeguard personal data.
k. Ensure that any information which is transferred outside the European Economic Area is done so with
legitimate purpose and appropriate safeguards.
l. Share information securely and appropriately to ensure a coordinated service provision.
m. Implement appropriate records management policy and process.
n. Implement effective risk management policy and process.
Scope
10. Where ITF acts in its capacity as a data controller, this policy applies to all of its employees,
contractors and suppliers.
11. This policy covers all aspects of personal data which are processed for any purpose and by any
means, by or on behalf of ITF. It relates to personal data held both manually and electronically, and in all
information systems purchased, developed and managed by, or on behalf of, ITF.
Responsibilities
12. The Directors assume ultimate responsibility for ensuring appropriate data protection compliance
within ITF. Implementation of, and compliance with, this policy is delegated to the Data Protection
Officer (DPO).
13. The DPO, who is the Business Administrator, is responsible for protecting the personal data held by
ITF by ensuring that the business has a suitably robust information governance function, supported by
appropriate policies and processes. This will include monitoring appropriate information sharing with
external contractors and suppliers to facilitate coordinated provision of service. The DPO will champion
Information Governance requirements and issues at the highest level within the organisation.
14. ITF requires all employees and contractors to treat personal data with strict confidentiality, in
line with data protection law. This policy does not form part of the formal contract of employment, but
it is a condition of employment that staff members abide by the rules and policies as set out by ITF.
Failure to act in line with this policy may result in disciplinary action.
15. Contractors or employees of external organisations who require access to personal data must be
subject to suitable contractual arrangements, requiring them to follow the policies and processes of ITF
when handling personal data. These contractual arrangements also protect and indemnify ITF against the
improper use of personal data.
16. In the context of their work, employees and contractors may have access to personal data relating to
customers, customers’ group members and others. Where they have concerns about data handling, or should
they believe this policy has not been followed, they should raise the matter with the DPO.
Data Protection Awareness
17. ITF is committed to ensuring that employees are aware of data protection through annual data
protection awareness training.
18. ITF endeavours to make its contractors and suppliers aware of data protection requirements through
the communication of this policy and the related policies and processes.
Consequences of a Breach of Policy
19. It is a criminal offence for a person, without the consent of the Data Controller, knowingly or
recklessly to obtain or disclose personal data. A deliberate breach of this policy will be considered a
serious disciplinary matter, or breach of contract, and dealt with accordingly. Examples of offences
which may be considered to be gross misconduct or a breach of contract are (the list is not
exhaustive):
a. Deliberate unlawful disclosure of personal data.
b. Inappropriate use of personal data.
c. Deliberately accessing special category personal data in the absence of a legitimate business reason
for doing so.
d. Misuse of personal data which results in a claim being made against ITF.
The Lawful basis for processing Data
20. The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must
apply whenever you process personal data:
a. Consent — The data subject has given clear consent for you to process their
personal data for a specific purpose.
b. Contract — The processing is necessary for a contract you have with the data
subject, or because they have asked you to take specific steps before entering into a contract.
c. Legal obligation — The processing is necessary for you to comply with the law (not
including contractual obligations).
d. Vital interests — The processing is necessary to protect someone’s life.
e. Public task — The processing is necessary for you to perform a task in the public
interest or for your official functions, and the task or function has a clear basis in law.
f. Legitimate interests — The processing is necessary for your legitimate interests or
the legitimate interests of a third party unless there is a good reason to protect the data subject’s
personal data which overrides those legitimate interests. (This cannot apply if you are a public
authority processing data to perform your official tasks.)
Contractual Obligation, Legitimate Interest and Consent
21. To lawfully process the personal information of a data subject, ITF relies upon contractual
obligation, legitimate interest or consent. Where consent is necessary for processing, it must be
explicit, freely given, specific and informed. ITF is committed to processing personal data in a fair
and transparent manner.
22. Where consent is relied upon as a legitimising condition for processing, ITF will:
a. Clearly and explicitly inform the data subject of all anticipated processing activities at
the point of collection (or when the first contact is made if the personal data was not received from
the data subject).
b. Give the data subject the opportunity to consent to processing prior to undertaking the specified
activity.
c. Specify a simple means by which the data subject can exercise their right to "opt out" at any
time, should they wish to withdraw consent.
d. Process personal data only in accordance with the activities to which the data subject has
consented.
23. ITF has developed a series of resources to give information about privacy and data protection, and
support data subjects in understanding their rights and any intended processing, which data subjects
will be made aware of when they give consent for us to process their personal data.
24. Where a data subject wishes for personal data to be disclosed to a third party, such as a family
member, ITF must be notified of this in writing.
25. Disclosure of any personal data to a third party must be necessary for the original purpose for
which the information was collected, and, where appropriate, undertaken with the consent of the data
subject.
Data Subject Rights
26. The General Data Protection Regulation gives data subjects the following rights regarding the processing of their personal data. ITF informs data subjects of their information rights by provision of our GDPR policy online both externally and internally and in privacy notices on our website.
The right to be informed
27. ITF is committed to processing personal data in a transparent manner.
28. To this end, a privacy policy is available on our website. Data subjects are also provided with fair
processing information and information about how to exercise their information rights at the point of
first contact.
29. Privacy information must be provided in an accessible form, using clear and plain language, and
providing all relevant information.
30. Where possible, ITF will rely on contractual obligation, legitimate interest and consent by
preference in order to undertake any processing of personal data, and ensures that consent is explicit
and informed. ITF will also seek consent where possible for any disclosure of personal data to a third
party, and will keep records of all such disclosures.
31. ITF aims to provide data subjects with opportunities to monitor the processing of their own personal
data.
Right of access
32. Under the GDPR, data subjects have the right to receive confirmation that their data is being
processed, a copy of, or access to, their personal data, and other supplementary information regarding
processing (including the purposes of processing, categories of personal data involved, the recipients
of any disclosure, retention periods for personal data, and the existence of automated decision-making
and profiling). This information will be provided at cost or £10.00 GBP, whichever is the least, and a
response will be made within one month of receipt of the request, or receipt of confirmation of the
identity of the requestor, whichever is the later.
33. Subject access requests should be directed to the DPO.
Right to rectification
34. Data subjects are entitled to have personal data rectified if it is inaccurate or incomplete. If you
have disclosed inaccurate or incomplete personal data to a third party, you must also inform them of the
rectification, if possible, and inform the data subject about any third parties to whom the data has
been disclosed. Rectification must take place within one month of receipt of the request, or
confirmation of the identity of the requestor, whichever is the later.
35. Where possible, ITF aims to allow data subjects to access and amend their own personal data.
36. Rectification requests are dealt with by the administration department and if a rectification
request requires further checks to be carried out, the personal data will be restricted until an outcome
is determined. Proof of the identity of the person making the request, or of guardianship if they are
not the data subject, will be required before a request for rectification can be actioned.
37. ITF keeps records of all rectification requests and their outcome.
Right to erasure (Right to be forgotten)
38. The right to erasure, also known as ‘the right to be forgotten’, enables a data subject to request
the deletion or removal of personal data where there is no compelling reason for its continued
processing.
39. Following a request under the right to erasure, personal data must be erased where:
a. It is no longer necessary in relation to the purpose for which it was originally processed.
b. The data subject withdraws consent.
c. The data subject objects to the processing and there is no overriding legitimate interest for
continuing the processing.
d. The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
e. Erasure is necessary in order to comply with a legal obligation.
40. If the processing causes damage or distress, this is likely to make the case for erasure stronger.
If you have disclosed the personal data in question to third parties, you must also inform them about the
erasure of the personal data. However, there are some circumstances where the right to erasure does not
apply and you can refuse to deal with a request.
41. Erasure requests are dealt with by the administration department. Proof of the identity of the
person making the request, or of guardianship if they are not the data subject, will be required before
a request for erasure can be actioned.
42. ITF aims to comply with all right to erasure requests within one month of receipt, or receipt of
proof of the identity of the requestor, whichever is the later.
43. ITF keeps records of all erasure requests and their outcome.
Right to restrict processing
44. Under the GDPR, when processing is restricted you are permitted to store the personal data, but not
further process it. You can retain just enough information about the data subject to ensure that the
restriction is respected in the future.
45. You are required to restrict the processing of personal data in the following circumstances:
a. Where a data subject contests the accuracy of the personal data, you should restrict the processing
until you have verified the accuracy of the personal data.
b. Where a data subject has objected to the processing (where it was necessary for the performance of a
public interest task or purpose of legitimate interests), and you are considering whether your
organisation’s legitimate grounds override those of the data subject.
c. When processing is unlawful and the data subject opposes erasure and requests restriction
instead.
d. If you no longer need the personal data but the data subject requires the data to establish, exercise
or defend a legal claim.
46. ITF aims to comply with the right to restrict processing by including restriction in its records
management, right to object and rectification processes.
47. Where a data subject makes a request to restrict processing, it will be handled by the
administration department. Proof of the identity of the person making the request, or of guardianship if
they are not the data subject, will be required before a request for restriction can be actioned.
48. Restrictions will be put into place within a month of receipt, or within a month of receipt of proof
of the identity of a requestor, whichever is the later. If we have disclosed the personal data in
question to third parties, we will inform them about the restriction of processing of the personal
data.
49. ITF keeps a record of all restriction of processing requests and their outcome.
Right to data portability
50. The right to data portability allows data subjects to obtain and reuse their personal data across
different services. It allows them to move, copy or transfer personal data easily from one IT
environment to another in a safe and secure way, without hindrance to usability.
51. The right to data portability only applies to personal data a data subject has provided to a
controller, where the processing is based on the data subject’s consent or for the performance of a
contract, and when processing is carried out by automated means.
52. You must provide the personal data in a structured, commonly used and machine-readable form, free of
charge, and within one month of receiving the request or proof of the identity of the requestor,
whichever is the later. If the data subject requests it, you should transmit the data directly to
another organisation (if this is technically feasible).
53. Where a data subject makes a request for data portability, it will be processed by the
administration department. The data subject will be required to provide proof of identity before a
request for data portability can be actioned.
54. ITF keeps a record of all requests for data portability and their outcome.
Right to object
55. Data subjects have the right to object to processing based on legitimate interests, or the
performance of a task in the public interest/exercise of official authority (including profiling);
direct marketing (including profiling); and processing for the purposes of scientific/historical
research and statistics.
56. Where a data subject objects to the processing of their personal data based on any of those grounds,
you must stop unless:
a. You can demonstrate compelling legitimate grounds for the processing, which override the interests,
rights and freedoms of the data subject; or
b. Processing is for the establishment, exercise or defence of legal claims.
57. Upon receiving an objection, ITF will immediately restrict processing of the personal data. If a
determination is necessary regarding whether or not to stop processing, it will be referred to the DPO.
A determination will be made within one month of receipt of the request, or proof of the identity of the
requestor, whichever is the later. The data subject, or their guardian, may be required to provide proof
of identity before an objection can be actioned.
58. You must stop processing personal data for direct marketing purposes as soon as you receive an
objection. There are no exemptions or grounds to refuse. Should such a request be made, ITF will, in a
timely manner, restrict the personal data and stop processing; no determination will be necessary.
Requests to stop processing for direct marketing purposes will be handled by the Business
Administrator.
59. We will aim to make the right to object possible through online means via the ITF website. However,
data subjects can also object by contacting ITF directly.
60. ITF keeps a record of all objections to processing and their outcome.
Automated decision-making
61. Data subjects have the right not to be subject to a decision when it is based on automated processing
and it produces a legal effect or a similarly significant effect on the data subject. You must ensure
that data subjects can obtain human intervention, express their point of view, and obtain an explanation
of the decision and challenge it.
62. ITF does not undertake any decision-making based on personal data by automated processing. All
processing is subject to human intervention and oversight.
63. Where information about automated decision making is requested, it should be provided by the DPO,
and records of such requests and their outcome maintained. Proof of identity may be required before a
person-specific response can be provided. Responses will be provided within one month of receipt of the
request, or of proof of the identity of the requestor.
Data Sharing & Disclosure
64. In certain circumstances, it is appropriate that ITF shares or discloses personal data. Where
possible and appropriate, the data subject’s consent will be sought prior to any sharing or
disclosure.
65. Personal data will only be shared without the subject’s consent in the following circumstances:
a. In the vital interests of the data subject or another person.
b. Where the subject lacks capacity and the data is being shared with a legal guardian.
c. Under court order or for the purposes of prevention or detection of crime.
d. Seeking legal advice or representation.
e. In order to comply with a legal obligation.
66. If personal data will be used for legitimate business purposes by a third party, it will first be
anonymised or pseudonymised. Where this is not possible, data subjects will be informed at the point of
collection that their personal data will be used for that purpose. Special category personal data will
never be used for the purposes of legitimate business interests.
67. Where personal data will be shared with a data processor, an appropriate contractual agreement is in
place which specifies how personal data may be processed, for what purposes, and under what security
conditions. Such a contract sets out the obligations of both parties and indemnifies ITF against risk in
the case of the misuse of personal data by a contracted processor.
68. Records of all data sharing and disclosures, data sharing requests, the conditions for sharing or
disclosure, and the outcomes of such activities, are maintained by ITF.
Information Security
69. Principle (f) of the GDPR states that organisations must ensure “appropriate security of personal
data, including protection against unauthorised or unlawful processing and against accidental loss,
destruction or damage, using appropriate technical or organisational measures”. With continual changes
to both technology and the demand for ever-easier ways by which information can be accessed and shared,
it is important that a consistent approach be adopted to safeguard information.
70. ITF will ensure that appropriate technical and organisational measures are in place, supported by
privacy impact and risk assessments, to ensure a high level of security for personal and confidential
data, and a secure environment for information held both manually and electronically.
Records Management
71. Records management refers to a set of activities required for systematically controlling the
creation, distribution, use, maintenance, and disposition of recorded information maintained as evidence
of business activities and transactions. It is impossible to be compliant with information law without
robust records management policies and practices.
72. Good records management practices ensure not only record quality, but that personal data is only
kept for as long as necessary for its original purpose, and help support data minimisation. They are
integral to information security methodology, and to ensuring the integrity and confidentiality of
personal data. It is a key feature of risk management.
73. ITF is committed to implementing robust records management policy, process and practices to ensure
compliance with the GDPR.
Risk Management
74. An understanding of risk and the application of risk assessment methodology is essential to being
able to effectively create a secure environment for personal data. The information held by an
organisation is not only one of its greatest assets, but also a potential liability. Information
compliance therefore requires a proactive approach to risk management both to limit liability and
protect information assets.
75. While it is not possible to eliminate all elements of threat, risk management aims to identify and
classify risks to information systems and personal data, and find ways of mitigating, eliminating and
managing those risks. In addition, it looks at ways to manage and control incidents. It should form the
backbone of all other compliance measures. With reporting regulations under the GDPR, this becomes
increasingly important to insulate ITF from sanctions and prosecution.
76. ITF approaches risk management through risk evaluation and incident management processes, and where
practicable by the use of privacy impact assessments.
Page last updated: 25 October 2020.