This document sets out the Data Protection Policy for The Garioch Partnership, referred to as TGP.
TGP holds information regarding Individuals, Groups and Organisations who have affiliated to TGP as described in the constitution. This allows TGP to communicate with these individuals / groups during the year in relation to information and grants to allow TGP to function and disseminate information.
Details of lapsed individuals / organisations will be held on file to allow TGP to contact these people for a period of time after their termination of membership.
TGP is committed to meeting its obligations under the Data Protection Act of 1988 and GDPR.
TGP agrees to comply with the principles set out in the Act regarding the processing of personal data.
1. Purpose of Policy
TGP is committed to ensuring that all personal information handled by the organisation will be processed according to legally compliant standards of data protection and data security.
The purpose of this policy is to help us achieve our data protection and data security aims by:
- Notifying you of the types of personal information that we may hold about you and what we do with that information;
- Ensuring you understand our rules and the legal standards for handling personal information relating to staff and others;
- Clarifying the responsibilities and duties of all in respect of data protection and data security.
The Board of Trustees has overall responsibility for ensuring that all personal information is handled in compliance with the law and the Chairperson has an appointed Data Protection Officer with day-to-day responsibility for data processing and data security.
All persons have personal responsibility to ensure compliance with this policy, to handle all personal information consistently with the principles set out here and to ensure that measures are taken to protect data security.
Any breach of this policy will be taken seriously.
3. Personal Information
This policy covers personal information:
- Which relates to a living individual who can be identified either from that information in isolation or by reading it together with other information we possess
- Which is stored electronically or on paper in a filing system
- In the form of statements of opinion as well as facts
- Which relates to you or your organisation (present, past or future) or to any other individual whose personal information TGP handles or
- Which TGP obtains, holds or stores, organises, discloses or transfers, amends, retrieves, uses, handles, processes, transports or destroys.
4. Information Processed
TGP collects personal information which:
- you provide or TGP gathers before or during the contract relationship or engagement with the organisation
- is provided by third parties, such as references or information from suppliers or another party that TGP does business with
- is in the public domain.
TGP will use information to carry out its operations and to deal with any problems or concerns you may have.
If, in the course of carrying out TGP’s business, TGP needs to transfer personal information to a country outside the European Economic Area, including to any group company or to another person with whom TGP has a business relationship, then TGP will check that the third party is GDPR compliant and ask for safeguards if data is processed outside the EU.
The Company will take reasonable steps to ensure that information is kept secure, as described later in the Policy.
6. Data Protection Principles
Employees whose work involves using personal data relating to others must comply with this Policy and with the eight legal Data Protection Principles which require that personal information is:
- Processed fairly and lawfully
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Kept no longer than necessary
- Processed in line with the data subject’s rights
- Secure and not transferred to other countries without adequate protection.
Some personal information needs even more careful handling. This includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life or about criminal offences. Strict conditions apply to processing this sensitive personal information and the Subject must normally have given specific and express consent to each way in which the information is used.
7. Data Security
TGP must protect all personal information in our possession from being accessed, lost, deleted or damaged unlawfully or without proper authorisation through the use of Data Security measures.
Maintaining Data Security means making sure that:
- Only individuals who are authorised to use the information can access it
- Information is accurate and suitable for the purposes for which it is processed
- Authorised individuals can access information if they need it for authorised purposes. Personal information therefore should not be stored on individual computers but instead on TGP’s systems.
By law, TGP must use procedures and technology to secure personal information through the period that it holds or controls it, from obtaining to destroying the information.
Personal information must not be transferred to any individual to process (e.g. while performing service for TGP or on TGP’s behalf), unless that individual has agreed to comply with TGP’s data security procedures or TGP is satisfied that other adequate measures exist.
Security procedures include:
- Physically securing information. Any desk or cupboard containing confidential information must be kept locked. Computers should be locked and password protected or shut down when left unattended and discretion should be used when viewing personal information on a monitor to ensure that it is not visible to others
- Controlling access to premises. Employees should report immediately to their Line Manager or the Data Protection Officer if they see any person they do not recognise in an entry-controlled area.
Telephone Precautions. Particular care must be taken by employees who deal with telephone enquiries to avoid inappropriate disclosures and in particular:
- The identity of any telephone caller must be verified before any personal information is disclosed
- If the caller’s identity cannot be verified satisfactorily then they should be asked to put their query in writing
- Do not allow callers to bully the individual into disclosing information. In case of any problems or uncertainty, telephone handlers should contact the Data Protection Officer.
8. Breach Notification
Data breaches are breaches of security that lead, for example, to the destruction, loss, alteration or unauthorised disclosure of personal data.
Breaches of personal or sensitive data shall be notified immediately to the individual(s) concerned and the ICO.
TGP will report personal data breaches to the supervisory authority without undue delay and no later than 72 hours (if feasible) after becoming aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
TGP will retain personal data for as long as is determined necessary to do so to comply with legal obligations or for employment law purposes.
10. Methods of Disposal
Copies of personal information, whether on paper or on any physical storage device, must be physically destroyed when they are no longer needed. Paper documents should be shredded and CDs or memory sticks or similar must be rendered permanently unreadable.