Data Protection Policy
Charity: Means Curb Hunger, a registered charity.
GDPR: Means the General Data Protection Regulation.
Responsible Person: Means Chief Operations Officer
Register of Sytems: Means a register of all systems or contexts in which personal data is processed by the Charity.
The EU General Data Protection Regulation or “GDPR” is the most important change to data protection and privacy law in two decades. It was approved by the EU Parliament in April 2016 and came into force in the UK on 25th May 2018. The GDPR has replaced the Data Protection Act 1998 and, while it is similar to the current regime under the 1998 Act in many ways, it is a great deal more modern, taking into account major advances in science and technology.
This Data Protection Policy sets out the rights of data subjects and the obligations of Curb Hunger as a data controller under the GDPR, laying down a number of organisational and procedural measures to ensure compliance. This document applies to all Curb Hunger staff.
In order to operate efficiently, Curb Hunger needs to collect and use information about the people with whom we work. This includes current, past and prospective employees, reviewers, professional experts, stakeholders, delegates and others with whom we communicate and Curb Hunger regards the lawful and correct treatment of personal information as integral to our successful operation, and to maintaining the confidence of the people we work with. To this end we fully endorse and adhere to the principles of GDPR.
Curb Hunger adopts four simple guidelines with regard to data protection:
- We identify valid grounds under the GDPR (known as a ‘lawful basis’) for collecting and using personal data.
- We ensure that we do not do anything with the data in breach of any other laws.
- We use personal data in a way that is fair. This means we must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned.
- We are clear, open and honest with people from the start about how we will use their personal data.
Personal data – key points we acknowledge
- We understand that processing personal data is critical to understanding whether the GDPR applies to our activities.
- Personal data is information that relates to an identified or identifiable individual.
- What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors. If it is possible to identify an individual directly from the information WE are processing, then that information may be personal data.
- If we cannot directly identify an individual from that information, then we need to consider whether the individual is still identifiable. We take into account the information we are processing together with all the means reasonably likely to be used by either us or any other person to identify that individual. Even if an individual is identified or identifiable, directly or indirectly, from the data we are processing, it is not personal data unless it ‘relates to’ the individual.
- When considering whether information ‘relates to’ an individual, we take into account a range of factors, including the content of the information, the purpose or purposes for which we are processing it and the likely impact or effect of that processing on the individual.
- It is possible that the same information is personal data for one controller’s purposes but is not personal data for the purposes of another controller.
- Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of GDPR.
- Information which is truly anonymous is not covered by the GDPR.
Curb Hunger ensures that it fulfills the criteria for Lawfulness, Fairness & Transparency as outlined by the ICO as follows:
- We have identified an appropriate lawful basis (or bases) for our processing.
- If we are processing special category data or criminal offence data, we have identified a condition for processing this type of data.
- We don’t do anything generally unlawful with personal data.
- We have considered how the processing may affect the individuals concerned and can justify any adverse impact.
- We only handle people’s data in ways they would reasonably expect, or we can explain why any unexpected processing is justified.
- We do not deceive or mislead people when we collect their personal data.
- We are open and honest, and comply with the transparency obligations of the right to be informed.
1. Data protection principles
The Charity is committed to processing data in accordance with its responsibilities under the GDPR. Article 5 of the GDPR requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and processed in a manner that ensures appropriate security of the personal data, including protection against
unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
2. General provisions
- This policy applies to all personal data processed by the Charity.
- The Responsible Person shall take responsibility for the Charity’s ongoing compliance with this policy.
- This policy shall be reviewed at least annually.
- The Charity shall register with the Information Commissioner’s Office as an organisation that processes personal data.
3. Lawful, fair and transparent processing
- To ensure its processing of data is lawful, fair and transparent, the Charity shall maintain a Register of Systems.
- The Register of Systems shall be reviewed at least annually.
- Individuals have the right to access their personal data and any such requests made to the charity shall be dealt with in a timely manner.
4. Lawful purposes
- All data processed by the charity must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information).
- The Charity shall note the appropriate lawful basis in the Register of Systems.
- Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
- Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the Charity’s systems.
5. Data minimisation
- The Charity shall ensure that personal data retention is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- The Charity shall take reasonable steps to ensure personal data is accurate.
- Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
7. Archiving / removal
- To ensure that personal data is kept for no longer than necessary, the Charity shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
- The archiving policy shall consider what data should/must be retained, for how long, and why.
- The Charity shall ensure that personal data is stored securely using modern
software that is kept-up-to-date.
- Access to personal data shall be limited to personnel who need access and
appropriate security should be in place to avoid unauthorised sharing of information.
- When personal data is deleted this should be done safely such that the data is irrecoverable.
- Appropriate back-up and disaster recovery solutions shall be in place.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Charity shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO.
Responsibility for Curb Hunger compliance with GDPR
The Responsibility for day to day operational compliance with GDPR lies with the Responsible Person however the Trustees have overall responsibility for compliance by the Charity with GDPR. Individual members of staff / representatives and partnering agencies are responsible for the proper use of the data they process.
Curb Hunger will ensure that everyone managing and handling personal information understands that they are responsible for following good data protection practice and that this policy is available to each member of staff / representatives and partnering agencies.
All staff have a responsibility to ensure that they respect confidential information in their possession and maintain information security. Disclosure of confidential information gained as part of any employment, representation or partnering to a third party, or assisting others in disclosure, will be viewed by Curb Hunger with the utmost seriousness. All staff are responsible for ensuring personal information is kept no longer than is necessary.
Curb Hunger respects privacy. The information that is provided to us, our representatives or partners or that is gathered automatically, helps us to monitor our services and provide a tailored service where and when necessary.
Subject Access Requests (SAR)
Under GDPR individuals have the right to access personal information Curb Hunger may hold about them. The procedure for making a Subject Access Request (SAR) under the GDPR is similar to that under the Data Protection Act 1998 (DPA) albeit with some key changes as set out below.
The GDPR makes the following changes to the SAR regime:
- Fee: an organisation will not be able to charge for complying with a request unless the request is ‘manifestly unfounded or excessive’. The data controller may charge a reasonable administrative-cost fee if further copies are requested.
- Excessive requests: if a request is ‘manifestly unfounded or excessive’ data controllers can charge a fee or refuse to respond but will need to be able to provide evidence of how the conclusion that the request is manifestly unfounded or excessive was reached.
- Electronic access: it must be possible to make requests electronically (e.g. by email). Where a request is made electronically, the information should be provided in a commonly-used electronic form, unless otherwise requested by the individual.
- Content of response: the request should allow the individual to know what information is held about them and what processing is being carried out. In responding to a request, data controllers may need to provide further information such as the relevant data retention period and the right to have inaccurate data corrected.
- Time to respond: the data controller must respond to these requests within a month, with a possibility to extend this period for particularly complex requests. Under the DPA, the response time is 40 days.
- Right to withhold: data controllers can withhold personal data if disclosing it would ‘adversely affect the rights and freedoms of others’. This is reflective of the current position under the DPA. The recitals to the GDPR note that this could extend to intellectual property rights and trade secrets. Member States may introduce further examples such as legal privilege.
Data protection complaints procedure
Curb Hunger aims to comply fully with its obligations under GDPR. Any questions or concerns regarding Curb Hunger ‘s management of personal data, including right to access data, or if it is felt that Curb Hunger holds inaccurate information about an individual, please contact Curb Hunger at Unit 3 Old Dalby Trading Estate, Station Road, Old Dalby, Leicestershire, LE14 3NJ or by email at [email protected]
If it is felt that questions or concerns have not been dealt with adequately or that a subject access request that has been made to Curb Hunger has not been fulfilled, you have the right to contact the office of the Information Commissioner, the independent body overseeing compliance with GDPR: http://ico.org.uk/.