The General Data Protection Regulation was adopted by the European Parliament in April 2016 and comes into force on the 25th May 2018.
1. This policy is the response of In The Footsteps (ITF) to changes to the law, specifically the General Data Protection Regulation (EU) 2016/679 [GDPR] and the Privacy and Electronic Communications Regulation (EC) 2003 [PECR], which impact on ITF in respect of the processing of personal and special category data.
2. Under these changes ITF is required to treat the personal data of those with whom it conducts its business fairly, responsibly, and in a transparent manner.
3. Failure of ITF, its employees, contractors and suppliers to comply with information law could result in an investigation by the Information Commissioner's Office (ICO). The Information Commissioner has the power to serve information, enforcement and assessment notices, issue undertakings, conduct audits, and prosecute those who commit criminal offences under the GDPR. Any such incident could not only cause public embarrassment to ITF and a loss of confidence by its customers, but is likely to have financial consequences in and of itself. In addition, where there has been a serious breach of information law, the ICO can fine organisations up to €20,000,000.
4. Compliance with this policy provides assurance for both the organisation and data subjects that the personal data processed by ITF is handled legally, effectively and efficiently, with ethical best practice at the root of decision making, in order to protect the privacy and confidentiality of our customers, customers' group members and those with whom we do business.
5. Articles 4 and 9 of the GDPR define the following key terms thus:
a. Personal data — Any information relating to an identified or identifiable natural person.
b. Special category data — Personal data consisting of or regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life or sexual orientation. Additionally, while they are not considered "special category data", children's data and also data relating to criminal convictions are afforded further protections.
c. Data subject — An identified, or identifiable natural person.
d. Processing — Any operation (or set of operations) which is performed on personal data.
e. Restriction of processing — The marking of stored personal data with the aim of limiting their processing in the future.
f. Profiling — Any form of automated processing of personal data consisting of the use of personal data to evaluate certain aspects relating to a person.
g. Pseudonymisation — Processing personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately.
h. Filing system — Any structured set of personal data accessible according to specific criteria.
i. Data Controller — The natural or legal person, public authority, agency or body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
j. Processor — A natural or legal person, public authority, agency or body which processes personal data on behalf of the controller.
k. Recipient — A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
l. Third party — A body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
m. Personal data breach — A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
n. Genetic data — Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
o. Biometric data — Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or fingerprint data.
p. Main establishment — The place of central administration in the EU, or place where processing of personal data takes place in the EU.
q. Representative — A natural or legal person established in the EU who, designated by the controller or processor in writing, represents that controller or processor in regard to their respective obligations under the Regulation.
r. Enterprise — A natural or legal person engaged in economic activity, irrespective of its legal form.
s. Supervisory authority — An independent public authority which is established by a Member State pursuant to Article 51 of the GDPR, such as the UK’s ICO.
t. Cross-border processing — Processing of personal data which takes place in the context of the activities of establishments in more than one Member State, or which is likely to substantially affect data subjects in more than one Member State.
u. Information society service — Any service normally provided for remuneration at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, at the individual request of a recipient of the service.
6. ITF processes personal data by both manual (paper) and electronic means about its employees, customers, customers’ group members and other individuals for various purposes.
7. To ensure our obligations under information law are met, the processing of personal information must comply with the principles of the GDPR. Accordingly, personal data will be:
a. Processed lawfully, fairly and in a transparent manner in relation to the data subject.
b. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
c. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
d. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purpose for which they are processed, are erased or rectified without delay.
e. Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
f. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
8. The Data Controller will be responsible for, and be able to demonstrate compliance with paragraph 1 (‘accountability’).
9. In line with these principles, ITF, through appropriate management and strict application of criteria and controls will:
a. Observe fully conditions regarding the fair collection and use of information.
b. Specify the purposes for which information is used.
c. Be transparent with data subjects regarding use of their personal data.
d. Collect and process appropriate information, and only to the extent that it is needed.
e. Use compliant processes to fulfil operational needs while complying with legal requirements.
f. Embed policy and process to ensure information quality and accuracy.
g. Develop compliant retention processes.
h. Audit and evidence compliance, where requested.
i. Ensure that the rights of data subjects can be fully accessed in line with legislation.
j. Take appropriate technical and organisational security measures to safeguard personal data.
k. Ensure that any information which is transferred outside the European Economic Area is done so with legitimate purpose and appropriate safeguards.
l. Share information securely and appropriately to ensure a coordinated service provision.
m. Implement appropriate records management policy and process.
n. Implement effective risk management policy and process.
10. Where ITF acts in its capacity as a data controller, this policy applies to all of its employees, contractors and suppliers.
11. This policy covers all aspects of personal data which are processed for any purpose and by any means, by or on behalf of ITF. It relates to personal data held both manually and electronically, and in all information systems purchased, developed and managed by, or on behalf of, ITF.
12. The Directors assume ultimate responsibility for ensuring appropriate data protection compliance within ITF. Implementation of, and compliance with this policy is delegated to the Data Protection Officer (DPO).
13. The DPO, who is the Business Administrator, is responsible for protecting the personal data held by ITF by ensuring that the business has a suitably robust information governance function, supported by appropriate policies and processes. This will include monitoring appropriate information sharing with external contractors and suppliers to facilitate coordinated provision of service. The DPO will champion Information Governance requirements and issues at the highest level within the organisation.
14. ITF requires all employees and contractors to treat personal data with strict confidentiality, in line with data protection law. This policy does not form part of the formal contract of employment, but it is a condition of employment that staff members abide by the rules and policies set out by ITF. Failure to act in line with this policy may result in disciplinary action.
15. Contractors or employees of external organisations who require access to personal data must be subject to suitable contractual arrangements, requiring them to follow the policies and processes of ITF when handling personal data. These contractual arrangements also protect and indemnify ITF against the improper use of personal data.
16. In the context of their work, employees and contractors may have access to personal data relating to customers, customers’ group members and others. Where they have concerns about data handling, or should they believe this policy has not been followed, they should raise the matter with the DPO.
Data Protection Awareness
17. ITF is committed to ensuring that employees are aware of data protection through annual data protection awareness training.
18. ITF endeavours to make its contractors and suppliers aware of data protection requirements through the communication of this policy and the related policies and processes.
Consequences of a Breach of Policy
19. It is a criminal offence for a person to knowingly or recklessly obtain or disclose personal data without the consent of the Data Controller. A deliberate breach of this policy will be considered a serious disciplinary matter, or breach of contract, and dealt with accordingly. Examples of offences which may be considered to be gross misconduct or a breach of contract are (the list is not exhaustive):
a. Deliberate unlawful disclosure of personal data.
b. Inappropriate use of personal data.
c. Deliberately accessing special category personal data in the absence of a legitimate business reason for doing so.
d. Misuse of personal data which results in a claim being made against ITF.
The Lawful Basis for Processing Data
20. The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
a. Consent — The data subject has given clear consent for you to process their personal data for a specific purpose.
b. Contract — The processing is necessary for a contract you have with the data subject, or because they have asked you to take specific steps before entering into a contract.
c. Legal obligation — The processing is necessary for you to comply with the law (not including contractual obligations).
d. Vital interests — The processing is necessary to protect someone’s life.
e. Public task — The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
f. Legitimate interests — The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the data subject’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Contractual Obligation, Legitimate Interest and Consent
21. To lawfully process the personal information of a data subject, ITF relies upon contractual obligation, legitimate interest or consent. Where consent is necessary for processing, it must be explicit, freely given, specific and informed. ITF is committed to processing personal data in a fair and transparent manner.
22. Where consent is relied upon as a legitimising condition for processing, ITF will:
a. Clearly and explicitly inform the data subject of all anticipated processing activities at the point of collection (or when first contact is made, if the personal data was not received from the data subject).
b. Give the data subject the opportunity to consent to processing prior to undertaking the specified activity.
c. Specify a simple means by which the data subject can exercise their right to "opt out" at any time, should they wish to withdraw consent.
d. Process personal data only in accordance with the activities to which the data subject has consented.
23. ITF has developed a series of resources to give information about privacy and data protection, and support data subjects in understanding their rights and any intended processing, which data subjects will be made aware of when they give consent for us to process their personal data.
24. Where a data subject wishes for personal data to be disclosed to a third party, such as a family member, ITF must be notified of this in writing.
25. Disclosure of any personal data to a third party must be necessary for the original purpose for which the information was collected, and, where appropriate, undertaken with the consent of the data subject.
Data Subject Rights
26. The General Data Protection Regulation gives data subjects the following rights regarding the processing of their personal data. ITF informs data subjects of their information rights by provision of our GDPR policy online both externally and internally and in privacy notices on our website.
The right to be informed
27. ITF is committed to processing personal data in a transparent manner.
29. Privacy information must be provided in an accessible form, using clear and plain language, and providing all relevant information.
30. Where possible, ITF will by preference rely on contractual obligation, legitimate interest or consent as the lawful basis for any processing of personal data, and ensures that any consent is explicit and informed. ITF will also seek consent where possible for any disclosure of personal data to a third party, and will keep records of all such disclosures.
31. ITF aims to provide data subjects with opportunities to monitor the processing of their own personal data.
Right of access
32. Under the GDPR, data subjects have the right to receive confirmation that their data is being processed, a copy of, or access to, their personal data, and other supplementary information regarding processing (including the purposes of processing, the categories of personal data involved, the recipients of any disclosure, retention periods for personal data, and the existence of automated decision-making and profiling). This information will be provided at cost or £10.00 GBP, whichever is the lower, and a response will be made within one month of receipt of the request, or of confirmation of the identity of the requestor, whichever is the later.
33. Subject access requests should be directed to the DPO.
Right to rectification
34. Data subjects are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed inaccurate or incomplete personal data to a third party, you must also inform them of the rectification, if possible, and inform the data subject about any third parties to whom the data has been disclosed. Rectification must take place within one month of receipt of the request, or confirmation of the identity of the requestor, whichever is the later.
35. Where possible, ITF aims to allow data subjects to access and amend their own personal data.
36. Rectification requests are dealt with by the administration department, and if a rectification request requires further checks to be carried out, the personal data will be restricted until an outcome is determined. Proof of the identity of the person making the request, or of guardianship if they are not the data subject, will be required before a request for rectification can be actioned.
37. ITF keeps records of all rectification requests and their outcome.
Right to erasure (Right to be forgotten)
38. The right to erasure, also known as ‘the right to be forgotten’, enables a data subject to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
39. Following a request under the right to erasure, personal data must be erased where:
a. It is no longer necessary in relation to the purpose for which it was originally processed.
b. The data subject withdraws consent.
c. The data subject objects to the processing and there is no overriding legitimate interest for continuing the processing.
d. The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
e. Erasure is necessary in order to comply with a legal obligation.
40. If the processing causes damage or distress, this is likely to make the case for erasure stronger. If you have disclosed the personal data in question to third parties, you must also inform them about the erasure of the personal data. However, there are some circumstances where the right to erasure does not apply and you can refuse to deal with a request.
41. Erasure requests are dealt with by the administration department. Proof of the identity of the person making the request, or of guardianship if they are not the data subject, will be required before a request for erasure can be actioned.
42. ITF aims to comply with all right to erasure requests within one month of receipt, or receipt of proof of the identity of the requestor, whichever is the later.
43. ITF keeps records of all erasure requests and their outcome.
Right to restrict processing
44. Under the GDPR, when processing is restricted you are permitted to store the personal data, but not further process it. You can retain just enough information about the data subject to ensure that the restriction is respected in the future.
45. You are required to restrict the processing of personal data in the following circumstances:
a. Where a data subject contests the accuracy of the personal data, you should restrict the processing until you have verified the accuracy of the personal data.
b. Where a data subject has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and you are considering whether your organisation’s legitimate grounds override those of the data subject.
c. When processing is unlawful and the data subject opposes erasure and requests restriction instead.
d. If you no longer need the personal data but the data subject requires the data to establish, exercise or defend a legal claim.
46. ITF aims to comply with the right to restrict processing by including restriction in its records management, right to object and rectification processes.
47. Where a data subject makes a request to restrict processing, it will be handled by the administration department. Proof of the identity of the person making the request, or of guardianship if they are not the data subject, will be required before a request for restriction can be actioned.
48. Restrictions will be put into place within a month of receipt, or within a month of receipt of proof of the identity of a requestor, whichever is the later. If we have disclosed the personal data in question to third parties, we will inform them about the restriction of processing of the personal data.
49. ITF keeps a record of all restriction of processing requests and their outcome.
Right to data portability
50. The right to data portability allows data subjects to obtain and reuse their personal data across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
51. The right to data portability only applies to personal data a data subject has provided to a controller, where the processing is based on the data subject’s consent or for the performance of a contract, and when processing is carried out by automated means.
52. You must provide the personal data in a structured, commonly used and machine readable form, free of charge, and within one month of receiving the request or proof of the identity of the requestor, whichever is the later. If the data subject requests it, you should transmit the data directly to another organisation (if this is technically feasible).
53. Where a data subject makes a request for data portability, it will be processed by the administration department. The data subject will be required to provide proof of identity before a request for data portability can be actioned.
54. ITF keeps a record of all requests for data portability and their outcome.
Right to object
55. Data subjects have the right to object to processing based on legitimate interests, or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for the purposes of scientific/historical research and statistics.
56. Where a data subject objects to the processing of their personal data based on any of those grounds, you must stop unless:
a. You can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the data subject; or
b. Processing is for the establishment, exercise or defence of legal claims.
57. Upon receiving an objection, ITF will immediately restrict processing of the personal data. If a determination is necessary regarding whether or not to stop processing, it will be referred to the DPO. A determination will be made one month from receipt of the request, or proof of the identity of the requestor, whichever is the later. The data subject, or their guardian, may be required to provide proof of identity before an objection can be actioned.
58. You must stop processing personal data for direct marketing purposes as soon as you receive an objection. There are no exemptions or grounds to refuse. Should such a request be made, ITF will, in a timely manner, restrict the personal data and stop processing; no determination will be necessary. Requests to stop processing for direct marketing purposes will be handled by the Business Administrator.
59. We will aim to make the right to object possible through online means via the ITF website. However, data subjects can also object by contacting ITF directly.
60. ITF keeps a record of all objections to processing and their outcome.
61. Data subjects have the right not to be subject to a decision when it is based on automated processing and it produces a legal effect or a similarly significant effect on the data subject. You must ensure that data subjects can obtain human intervention, express their point of view, and obtain an explanation of the decision and challenge it.
62. ITF does not undertake any decision-making based on personal data by automated processing. All processing is subject to human intervention and oversight.
63. Where information about automated decision making is requested, it should be provided by the DPO, and records of such requests and their outcome maintained. Proof of identity may be required before a person-specific response can be provided. Responses will be provided within one month of receipt of the request, or of proof of the identity of the requestor.
Data Sharing & Disclosure
64. In certain circumstances, it is appropriate that ITF shares or discloses personal data. Where possible and appropriate, the data subject’s consent will be sought prior to any sharing or disclosure.
65. Personal data will only be shared without the subject’s consent in the following circumstances:
a. In the vital interests of the data subject or another person.
b. Where the subject lacks capacity and the data is being shared with a legal guardian.
c. Under court order or for the purposes of prevention or detection of crime.
d. Seeking legal advice or representation.
e. In order to comply with a legal obligation.
66. If personal data will be used for legitimate business purposes by a third party, it will first be anonymised or pseudonymised. Where this is not possible, data subjects will be informed at the point of collection that their personal data will be used for that purpose. Special category personal data will never be used for the purposes of legitimate business interests.
67. Where personal data will be shared with a data processor, an appropriate contractual agreement is in place which specifies how personal data may be processed, for what purposes, and under what security conditions. Such a contract sets out the obligations of both parties and indemnifies ITF against risk in the case of the misuse of personal data by a contracted processor.
68. Records of all data sharing and disclosures, data sharing requests, the conditions for sharing or disclosure, and the outcomes of such activities, are maintained by ITF.
69. Principle (f) of the GDPR states that organisations must ensure “appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. With continual changes to both technology and the demand for ever-easier ways by which information can be accessed and shared, it is important that a consistent approach be adopted to safeguard information.
70. ITF will ensure that appropriate technical and organisational measures are in place, supported by privacy impact and risk assessments, to ensure a high level of security for personal and confidential data, and a secure environment for information held both manually and electronically.
71. Records management refers to a set of activities required for systematically controlling the creation, distribution, use, maintenance, and disposition of recorded information maintained as evidence of business activities and transactions. It is impossible to be compliant with information law without robust records management policies and practices.
72. Good records management practices ensure not only record quality, but that personal data is only kept for as long as necessary for its original purpose, and help support data minimisation. They are integral to information security methodology, and to ensuring the integrity and confidentiality of personal data. They are also a key feature of risk management.
73. ITF is committed to implementing robust records management policy, process and practices to ensure compliance with the GDPR.
74. An understanding of risk and the application of risk assessment methodology is essential to being able to effectively create a secure environment for personal data. The information held by an organisation is not only one of its greatest assets, but also a potential liability. Information compliance therefore requires a proactive approach to risk management both to limit liability and protect information assets.
75. While it is not possible to eliminate all elements of threat, risk management aims to identify and classify risks to information systems and personal data, and find ways of mitigating, eliminating and managing those risks. In addition, it looks at ways to manage and control incidents. It should form the backbone of all other compliance measures. With reporting regulations under the GDPR, this becomes increasingly important to insulate ITF from sanctions and prosecution.
76. ITF approaches risk management through risk evaluation and incident management processes, and where practicable by the use of privacy impact assessments.