Data Protection Policy

This document will highlight the Data protection policy for The Garioch Partnership referred to as TGP.

TGP holds information regarding Individuals, Groups and Organisations who have affiliated to TGP as described in the constitution. This allows TGP to communicate with these individuals / groups during the year in relation to information and grants to allow TGP to function and disseminate information.

Details of lapsed individuals / organisations will be held on file to allow TGP to contact these people for a period of time after their termination of membership.

General Principles

TGP is committed to meeting its obligations under the Data Protection Act of 1988 and GDPR.

TGP agrees to comply with the principles set out in the Act regarding the processing of personal data.

TGP is committed to ensuring that all personal information handled by the organisation will be processed according to legally compliant standards of data protection and data security.

The purpose of this policy is to help us achieve our data protection and data security aims by:

• Notifying you of the types of personal information that we may hold about you and what we do with that information;
• Ensuring you understand our rules and the legal standards for handling personal information relating to staff and others;
• Clarifying the responsibilities and duties of all in respect of data protection and data security.

The Board of Trustees has overall responsibility for ensuring that all personal information is handled in compliance with the law and the Chairperson has an appointed Data Protection Officer with day to day responsibility for data processing and data security.

All persons have personal responsibility to ensure compliance with this policy, to handle all personal information consistently with the principles set out here and to ensure that measures are taken to protect the data security.

Any breach of this policy will be taken seriously.

This policy covers personal information:

• Which relates to a living individual who can be identified either from that information in isolation or by reading it together with other information we possess
• Which is stored electronically or on paper in a filing system
• In the form of statements of opinion as well as facts
• Which relates to you or your organisation (present, past or future) or to any other individual whose personal information TGP handles or controls
• Which TGP obtains, holds or stores, organises, discloses or transfers, amends, retrieves, uses, handles, processes, transports or destroys.

TGP collects personal information which:

• you provide or TGP gathers before or during the contract relationship or engagement with the organisation
• is provided by third parties, such as references or information from suppliers or another party that TGP does business with
• is in the public domain.

TGP will use information to carry out its operations and to deal with any problems or concerns you may.

If in the course of carrying out TGP’s business, TGP needs to transfer personal information to a country outside the European Economic Area including to any group company or to another person with whom TGP has a business relationship. If this is the case then TGP will check that the third party is GDPR compliant and ask for safeguards if data is processed outside the EU.

The Company will take reasonable steps to ensure that information is kept secure, as described later in the Policy.

Employees whose work involves using personal data relating to others must comply with this Policy and with the eight legal Data Protection Principles which require that personal information is:

• Processed fairly and lawfully
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Kept no longer than necessary
• Processed in line with the data subject’s rights
• Secure and not transferred to other counties without adequate protection.

Some personal information needs even more careful handling. This includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life of about criminal offences. Strict conditions apply to processing this sensitive personal information and the Subject must normally have given specific and express consent to each way in which the information is used.

TGP must protect all personal information in our possession from being accessed, lost, deleted or damaged unlawfully or without proper authorisation through the use of Data Security measures.

Maintaining Data Security means making sure that:

• Only individuals who are authorised to use the information can access it

• Information is accurate and suitable for the purposes for which it is processes

• Authorised individuals can access information if they need it for authorised purposes. Personal information therefore should not be stored on individual computers but instead on TGP’s systems.

By law, TGP must use procedures and technology to secure personal information through the period that it holds or controls it, from obtaining to destroying the information.

Personal information must not be transferred to any individual to process (eg while performing service for TGP or on TGP’s behalf), unless that individual has agreed to comply with TGP’s data security procedures or TGP is satisfied that other adequate measures exist.

Security procedures include:

• Physically securing information. Any desk or cupboard containing confidential information must be kept locked. Computers should be locked and password protected or shut down when left unattended and discretion should be used when viewing personal information on a monitor to ensure that it is not visible to others

• Controlling access to premises. Employees should report immediately to their Line Manager or the Data Protection Officer if they see any person they do not recognise in an entry-controlled area.

Telephone Precautions. Particular care must be taken by employees who deal with telephone enquiries to avoid inappropriate disclosures and in particular:

• The identity of any telephone caller must be verified before any personal information is disclosed

• If the caller’s identity cannot be verified satisfactorily then they should be asked to put their query in writing

• Do not allow callers to bully the individual into disclosing information. In case of any problems or uncertainty, telephone handlers should contact the Data Protection Officer.

Data breaches are breaches of security that lead for example to the destruction, loss, alteration or unauthorised disclosure of personal data.

Breaches of personal or sensitive data shall be notified immediately to the individual(s) concerned and the ICO.

TGP will report personal data breaches to the supervisory authority without undue delay and no later than 72 hours (if feasible) after becoming aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.

TGP will retain personal data for a long as is determined necessary to do so to comply with legal obligations or for employment law purposes.

Copies of personal information, whether on paper or on any physical storage device, must be physically destroyed when they are no longer needed. Paper documents should be shredded and CDs or memory sticks or similar must be rendered permanently unreadable.