This policy sets out the obligations of The Greensand Trust (“the Trust”) with regard to data protection and the rights of people with whom it works in respect of their personal data under the Data Protection Act 1998 (“the Act”) and the General Data Protection Regulation 2016 (GDPR).

This Policy shall set out procedures which are to be followed when dealing with personal data.  The procedures set out herein must be followed by the Trust, its employees, volunteers, contractors, any elected members of associated committees, steering groups or groups, agents, consultants, partners or other parties working on behalf of the Trust.

The Trust views the correct and lawful handling of personal data as key to its success and dealings with third parties.  The Trust shall ensure that it handles all personal data correctly and lawfully.

Contents

Definitions & Principles

Definitions

Data Protection Risk Management Principle

Confidentiality Principle

Non-competition Principle

Disclosure Principle

Data Protection

Intro

Data Protection Principles – (the eight principles which must be complied with)

Rights of Data Subjects

Definitions of Personal Data

What is Data

What is Personal Data

What is Sensitive Data or Special Category Data

Criminal Offence Data

Data Controller

Data Subject

DATA Processing

What is Processing?

Lawful basis for Processing

Consent

Contract

Legal Obligations

Vital interest

Public Task

Legitimate Interest

Consent

What must be obtained

Example of Highlights Consent

Fundraising; Marketing Preference / Consent

Data Protection / Consent in relation to children

Data Consent - Opt Out

Processing Personal Data

Databases

Data Protection Security

CCTV Procedures

Visa / Credit Card Procedures

Intro

The PCI Data Security Standard

Protect Cardholder Data

Operational Measures

Our Commitment

Access by Data Subjects

Data Protection Register

Disclosure of Data

Publication of Trust Information

Disposal of Records

Data protection impact assessment (DPIA)

Data Protection Registration

 


Definitions & Principles

Definitions

Data protection applies to all verbal, electronic and manual collection and processing of personal and/or sensitive data.

 

This data protection policy was updated in 2018 to incorporate the General Data Protection Regulation (GDPR); where amendments to the existing policy have been made, these are shown in bold.

 

The GDPR applies to ‘controllers’ and ‘processors’.

A ‘controller’ determines the purposes and means of processing personal data.

A ‘processor’ is responsible for processing personal data on behalf of a controller.

A ‘data subject’ is the individual whose data is being processed.

In this policy the following expressions shall have the meaning as follows:

‘user’ or ‘users’ - all employees, volunteers, contractors, any elected members of associated committees, steering groups or groups, agents, consultants, partners or other parties working or acting on behalf of the Trust. ‘user’ also covers ‘controllers’ and ‘processors’.

‘Trust’ or ‘the Trust’ - The Greensand Trust

‘the Act’ - Data Protection Act 1998 and, where the context requires, the GDPR (Regulation (EU) 2016/679)

 

If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.

Data Protection Risk Management Principle

Data protection is about protecting data and managing the risks associated with holding it.  To meet the regulations you will not always need consent, but you will always need a lawful basis to hold or process data.

All activities relating to personal or sensitive data must be risk assessed to ensure our use and measures to protect such data are both proportionate and effective. 

Confidentiality Principle

You may, as a user, be party to confidential information concerning the Trust or the Trust’s business.

You should not disclose or allow disclosure of any personal, sensitive or confidential information. 

The Trust will be entitled to take disciplinary action and/or apply for an injunction to prevent disclosure or use, and to seek any other remedy including, without limitation, the recovery of damages in the case of such a disclosure or use.

Non-competition Principle

In order to protect the Trust and its activities, should you cease to work or volunteer for the Trust, you should not within 12 months, solicit or seek business from any customers or clients of the Trust who were customers or clients of the Trust at any time during the preceding 2 years.

Disclosure Principle

The Trust policy is to never disclose any personal data held, to any third party. The only exemptions to this policy are detailed in the section on Disclosure of Data.

 

Data Protection

Intro

The Trust is committed to abide by the terms of the Data Protection Act 1984, revised Data Protection Act 1998 and GDPR 2016. Its purpose is to protect the rights and privacy of living individuals and to ensure that personal data is not processed without their knowledge, and wherever appropriate, is processed with their consent.

During the course of your duties it is likely that you will be dealing with information such as names, addresses and telephone numbers, and you may be involved with, or overhear, financial, employment, health or criminal-record information or other sensitive information whilst working for the Trust.  In all cases the Data Protection Act 1998 and the GDPR apply to this information, which must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.

Data Protection Principles – (the eight principles which must be complied with).

This Policy aims to ensure compliance with the Act and with Article 5 GDPR.  The Act sets out eight data protection principles; Article 5 GDPR restates the same requirements as six principles plus an accountability principle (Article 5(2)).  Taken together, any party handling personal data must comply with the following.

All personal data:

  1. Must be processed fairly, lawfully and in a transparent manner in relation to individuals (and shall not be processed unless certain conditions are met);
  2. Must be obtained/collected only for specified, explicit, legitimate and lawful purposes and shall not be further processed in any manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes;
  3. Must be adequate, relevant and not excessive with respect to the purposes for which it is processed;
  4. Must be accurate and, where appropriate, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  5. Must be kept in a form which permits identification of data subjects for no longer than is necessary in light of the purpose(s) for which it is processed; personal data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
  6. Must be processed in accordance with the rights of data subjects under the Act;
  7. Must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures; and
  8. Must not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

 

Rights of Data Subjects

Under the Act and the GDPR, data subjects have the following rights:

  1. the right to be informed that their personal data is being processed;
  2. the right to access any of their personal data held by the Trust (within 40 days of a request under the Act; within one month under the GDPR);
  3. the right to prevent the processing of their personal data in limited circumstances;
  4. the right to rectify, block, erase or destroy incorrect personal data;
  5. the right to data portability*;
  6. the right to object; and
  7. the right not to be subject to automated decision making, including profiling.

* Data portability, under the GDPR, is the right of an individual to obtain from an organisation a copy of their personal data in a structured, commonly used and machine-readable format (and to have it transmitted to another controller). It applies only where the processing is based on the individual’s consent or on a contract with them, and is carried out by automated means.

 

Definitions of Personal Data 

What is Data

Data as identified by the Data Protection Act (DPA) means information which:

(a)    is being processed by means of equipment operating automatically in response to instructions given for that purpose,

(b)    is recorded with the intention that it should be processed by means of such equipment,

(c)    is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

(d)    does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68, or

(e)    is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d).

 

As defined by the Act:

What is Personal Data

Data relating to a living individual who can be identified from that information, or from that data together with other information in the possession of the data controller. This includes name, address, telephone number, ID number*, location data or online identifier. It also includes any expression of opinion about the individual, and of the intentions of the data controller or any other person in respect of the individual.

*ID number covers bank details, passport numbers, driving licence numbers etc.

 

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.

 

A useful test of whether something is personal data is to consider whether the individual could recognise themselves from the data held.  For instance, an email address would be personal data, as it may be specific to that individual.  It may not be if it is a shared address such as [email protected], but our responsibility is to ensure that no personal data is exposed, so in any database containing email addresses we must treat them all as personal data, because some could without doubt be used to identify an individual.

 

What is Sensitive Data or Special Category Data

Special category data is different from ordinary personal data (such as name, address or telephone number) and covers: the racial or ethnic origin of the data subject; their political opinions; their religious or philosophical beliefs; trade union membership; genetic data; biometric data processed to uniquely identify them; data concerning their physical or mental health; and data concerning their sex life or sexual orientation.

Under the GDPR, personal data relating to criminal convictions and offences is not special category data, but similar extra safeguards apply to its processing (see Article 10). This covers the commission or alleged commission of an offence, any proceedings for an offence committed or alleged to have been committed, the disposal of such proceedings and the sentence of any court in such proceedings.

 

The conditions for processing special category data are set out in Article 9(2) of the GDPR.

You should choose whichever special category condition is the most appropriate in the circumstances:

  1. the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
  2. processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
  3. processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  4. processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
  5. processing relates to personal data which are manifestly made public by the data subject;
  6. processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  7. processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
  8. processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
  9. processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
  10. processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Criminal Offence Data

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

[On the face of it, this means that it would not be lawful for employers to carry out criminal records checks as a matter of course, unless they are recruiting for a role for which checks are authorised by law, for example roles involving work with vulnerable adults or children where a Disclosure and Barring Service check is required.

However, the Government intends to legislate to authorise the use of criminal records checks by organisations other than those vested with official authority (the GDPR includes a derogation to allow such legislation). The Government published the Data Protection Bill on 13 September 2017, which will supplement the GDPR. The Bill includes provision for authorising the processing of criminal convictions data where necessary for the purposes of performing or exercising employment law obligations or rights. To carry out such processing, an employer would have to have in place a policy that explains its procedures for securing compliance with the principles of the GDPR in relation to the processing of the criminal records data, and that explains its policies on erasure and retention of the data. The Bill also authorises processing criminal records data in other circumstances, including where the subject has given his or her consent. This would allow employers to request a criminal records check where the prospective employee agrees to this, provided that the consent meets the specific requirements under the GDPR.

The GDPR will come into effect on 25 May 2018. It is not yet known when the Data Protection Bill will come into force.]

Data Controller

Any person (or organisation) who makes decisions with regard to particular personal data, including decisions regarding the purposes for which personal data are processed and the way in which the personal data are processed.

Data Subject

Any living individual who is the subject of personal data held by an organisation.

 

DATA Processing

What is Processing?

Processing, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including –

  • organisation, adaptation or alteration of the information or data,
  • retrieval, consultation or use of the information or data,
  • disclosure of the information or data by transmission, dissemination or otherwise making available, or
  • alignment, combination, blocking, erasure or destruction of the information or data.

 

Lawful basis for Processing

You must have a valid lawful basis in order to process personal data.

If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose.

 

There are six lawful bases for processing data. These are:

Consent

where the individual grants consent for data to be processed for a specific purpose

 

Contract

where processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

  • Note that, in this context, a contract does not have to be a formal signed document, or even written down, as long as there is an agreement which meets the requirements of contract law. Broadly speaking, this means that the terms have been offered and accepted, you both intend them to be legally binding, and there is an element of exchange (usually an exchange of goods or services for money, but this can be anything of value).
  • If the processing is necessary for a contract with the individual, processing is lawful on this basis and you do not need to get separate consent.
  • If you are processing on the basis of contract, the individual’s right to object and right not to be subject to a decision based solely on automated processing will not apply. However, the individual will have a right to data portability. 
  • If the contract is with a child under 18, you need to consider whether they have the necessary competence to enter into a contract. If you have doubts about their competence, you may wish to consider an alternative basis such as legitimate interests, which can help you to demonstrate that the child’s rights and interests are properly considered and protected.

Legal Obligations

processing is necessary for compliance with a legal obligation to which the controller is subject

  • A contractual obligation does not count as a legal obligation in this context; you cannot contract out of the requirement for a lawful basis.
  • For example, an employer needs to process personal data to comply with its legal obligation to disclose employee salary details to HMRC, and to keep accident records to comply with health and safety law.
  • Although the processing need not be essential for you to comply with the legal obligation, it must be a reasonable and proportionate way of achieving compliance. 
  • If you are processing on the basis of legal obligation, the individual has no right to erasure, right to data portability, or right to object.

Vital interest

processing is necessary in order to protect the vital interests of the data subject or of another natural person 

  • vital interests are intended to cover only interests that are essential for someone’s life. So this lawful basis is very limited in its scope, and generally only applies to matters of life and death.
  • A rare example would be a medical emergency at one of our events where we need to reach a person’s emergency contact. Relying on consent would be unreasonable; instead, you are free to make contact immediately, as doing so protects the vital interests of the data subject.

Public Task

processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The Data Protection Bill includes a draft clause clarifying that the public task basis will cover processing necessary for:

  • the administration of justice;
  • parliamentary functions;
  • statutory functions; or
  • governmental functions.

At times we may be asked to process data on behalf of a body exercising statutory functions; in these cases we should seek guidance as to whether the data collected falls within the public task basis.

Legitimate Interest

Processing is necessary for the purposes of legitimate interest pursued by the controller or by a third party, except where such interests are overridden by the interests and fundamental rights and freedoms of the data subject. 

There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:

  • identify a legitimate interest;
  • show that the processing is necessary to achieve it; and
  • balance it against the individual’s interests, rights and freedoms.

The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

 

The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

 

You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.

You must include details of your legitimate interests in your privacy information.

 

Legitimate Interest Assessment  (LIA)

If you want to rely on legitimate interests, you can use the three-part test to assess whether it applies. We refer to this as a legitimate interests assessment (LIA) and you should do it before you start the processing.

An LIA is a type of light-touch risk assessment based on the specific context and circumstances. It will help you ensure that your processing is lawful. Recording your LIA will also help you demonstrate compliance in line with your accountability obligations under Articles 5(2) and 24. In some cases an LIA will be quite short, but in others there will be more to consider.

First, identify the legitimate interest(s). Consider:

  • Why do you want to process the data – what are you trying to achieve?
  • Who benefits from the processing? In what way?
  • Are there any wider public benefits to the processing?
  • How important are those benefits?
  • What would the impact be if you couldn’t go ahead?
  • Would your use of the data be unethical or unlawful in any way?

 

Second, apply the necessity test. Consider:

  • Does this processing actually help to further that interest?
  • Is it a reasonable way to go about it?
  • Is there another less intrusive way to achieve the same result?

 

Third, do a balancing test. Consider the impact of your processing and whether this overrides the interest you have identified. You might find it helpful to think about the following:

  • What is the nature of your relationship with the individual?
  • Is any of the data particularly sensitive or private?
  • Would people expect you to use their data in this way?
  • Are you happy to explain it to them?
  • Are some people likely to object or find it intrusive?
  • What is the possible impact on the individual?
  • How big an impact might it have on them?
  • Are you processing children’s data?
  • Are any of the individuals vulnerable in any other way?
  • Can you adopt any safeguards to minimise the impact?
  • Can you offer an opt-out?

 

You then need to decide whether you still think legitimate interests is an appropriate basis. There is no foolproof formula for the outcome of the balancing test, but you must be confident that your legitimate interests are not overridden by the risks you have identified.

Keep a record of your LIA and the outcome. There is no standard format for this, but it’s important to record your thinking to help show you have proper decision-making processes in place and to justify the outcome.

Consent

What must be obtained

If consent is the lawful basis on which data is being processed, the following requirements apply:

  • Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
  • Explicit consent requires a very clear and specific statement of consent.
  • Keep your consent requests separate from other terms and conditions.
  • Specify why we want the data and what we’re going to do with it. Vague or blanket consent is not enough.
  • Keep separate distinct (‘granular’) options to consent separately to different purposes and types of processing
  • Be clear and concise.
  • Name our organisation and any third party controllers who will rely on the consent.
  • Make it easy for people to withdraw consent and tell them how.
  • Keep evidence of consent – who, when, how, and what you told people.
  • Keep consent under review, and refresh it if anything changes.
  • Avoid making consent to processing a precondition of a service.
  • If offering online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.

 

Consent records must show who consented, when, how, and what they were told. The consent request itself must include:

  • the name of your organisation;
  • the name of any third party controllers who will rely on the consent;
  • why you want the data;
  • what you will do with it; and
  • that individuals can withdraw consent at any time.
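As an added example that is not part of this policy or of the Trust’s own systems, the following Python sketch shows one way to capture the evidence requirements above in a consent register: who consented, when, how and what wording they saw, one record per granular purpose, withdrawal of a single purpose without disturbing the others, and a check that flags consent given against wording that has since changed. The class and function names, the subject identifier and the sample notice text are assumptions made for the example.

```python
# Added illustrative example (not the Trust's own system): a minimal consent
# evidence register that records who consented, when, how and what they were
# told, keeps purposes granular, honours withdrawal, and flags consent that was
# given against wording that has since changed. All names, the subject ids and
# the notice text below are assumptions made for the example.
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (avoids naive local times in evidence)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def notice_hash(wording: str) -> str:
    """Fingerprint the exact consent wording shown, so a later edit is detectable."""
    return hashlib.sha256(wording.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    """One piece of evidence: who, for what purpose, given or withdrawn, when, how, told what."""
    subject_id: str    # who: an internal reference, not the email address itself
    purpose: str       # granular purpose, e.g. "email", "post", "sms"
    given: bool        # True = positive opt-in recorded; False = consent withdrawn
    at: datetime       # when (timezone-aware)
    method: str        # how, e.g. "web_form", "paper_form", "unsubscribe_link"
    notice_hash: str   # SHA-256 of the wording the person saw (or of the withdrawal route)


class ConsentRegister:
    """Append-only register; the latest event per (subject, purpose) decides."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record_form(self, subject_id: str, choices: dict[str, bool],
                    method: str, wording: str, at: datetime) -> list[str]:
        """Record a submitted consent form, one event per purpose actively ticked.

        Unticked or missing purposes record nothing: silence is not consent, so a
        pre-ticked box that the person never touched cannot become evidence.
        """
        if at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        h = notice_hash(wording)
        recorded = []
        for purpose, ticked in choices.items():
            if ticked is True:  # only an explicit affirmative counts
                self._events.append(ConsentEvent(subject_id, purpose, True, at, method, h))
                recorded.append(purpose)
        return recorded

    def withdraw(self, subject_id: str, purposes: list[str], method: str, at: datetime) -> None:
        """Record withdrawal for the named purposes only (other purposes are untouched)."""
        if at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        for purpose in purposes:
            self._events.append(ConsentEvent(subject_id, purpose, False, at, method, notice_hash(method)))

    def _latest(self, subject_id: str, purpose: str, as_of: datetime) -> ConsentEvent | None:
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose and e.at <= as_of]
        if not relevant:
            return None
        # sorted() is stable, so among equal timestamps the last recorded event wins
        return sorted(relevant, key=lambda e: e.at)[-1]

    def may_process(self, subject_id: str, purpose: str, as_of: datetime | None = None) -> bool:
        """True only if the most recent event for this purpose, as of the given time, is an opt-in."""
        latest = self._latest(subject_id, purpose, as_of or datetime.now(timezone.utc))
        return latest is not None and latest.given

    def needs_refresh(self, subject_id: str, purpose: str, current_wording: str,
                      as_of: datetime | None = None) -> bool:
        """True if live consent was given against wording that differs from what is shown now."""
        latest = self._latest(subject_id, purpose, as_of or datetime.now(timezone.utc))
        return latest is not None and latest.given and latest.notice_hash != notice_hash(current_wording)

    def evidence(self, subject_id: str) -> list[dict]:
        """Everything needed to answer 'show me the consent' for one person, in time order."""
        mine = [e for e in self._events if e.subject_id == subject_id]
        return [{"purpose": e.purpose, "given": e.given, "at": e.at.isoformat(),
                 "method": e.method, "notice_hash": e.notice_hash}
                for e in sorted(mine, key=lambda e: e.at)]


# Constructed sample wording, modelled on the form text in this policy.
NOTICE_V1 = ("The Greensand Trust will use the information you provide on this form "
             "to be in touch with you and to provide updates. Email / Mail / Text.")


if __name__ == "__main__":
    reg = ConsentRegister()
    reg.record_form("subject-001", {"email": True, "post": False, "sms": True},
                    "web_form", NOTICE_V1, utc(2018, 6, 1, 9))
    reg.withdraw("subject-001", ["email"], "unsubscribe_link", utc(2018, 7, 1, 12))
    for purpose in ("email", "post", "sms"):
        print(purpose, reg.may_process("subject-001", purpose))
    print(reg.needs_refresh("subject-001", "sms", NOTICE_V1 + " We may also share with partners."))
```

The `as_of` parameter matters in practice: a complaint about a message sent in June is answered by asking what the register said in June, not today, so withdrawal in July does not retroactively make the June send look unlawful. Storing the hash of the wording rather than a version number means the evidence still holds if someone edits the form text without bumping a version.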

 

Example of Highlights Consent

The Greensand Trust will use the information you provide on this form to be in touch with you and to provide updates and marketing. Please let us know all the ways you would like to hear from us:

  • Email

You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, or by contacting us at [email protected]. We will treat your information with respect. For more information about our privacy practices please visit our website. By clicking below, you agree that we may process your information in accordance with these terms.

Fundraising; Marketing Preference / Consent

Unsolicited electronic marketing is unlawful under the Privacy and Electronic Communications Regulations (PECR) and can lead to enforcement action and monetary penalties from the ICO. Therefore all fundraising and marketing preferences must be accurately recorded and respected. All direct or electronic fundraising or marketing must clearly offer opt-ins, and every email and SMS message must contain an ‘unsubscribe’ opt-out at the bottom.

EXAMPLE: The Greensand Trust will use the information you provide on this form to be in touch with you and to provide updates. Please let us know all the ways you would like to hear from us:

Email         Mail                       Text

You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, or by contacting us at [email protected]. We will treat your information with respect. For more information about our privacy practices please visit our website. By clicking below, you agree that we may process your information in accordance with these terms.

Subscribe                    Unsubscribe

Data Protection / Consent in relation to children

Article 8(1) GDPR provides that, where online services are offered directly to a child, the child can only give valid consent once they have reached the age of ‘digital consent’. Member states can set this anywhere between 13 and 16, and the UK has chosen 13.

 

The Greensand Trust age of consent is 16 years,  so you can only accept consent from those aged 16 or over.

 

The GDPR also requires you to make ‘reasonable efforts’ to verify that parental consent has been given where it is required. In practice, this means that if you allow children to sign up for your event you may not be able to rely on a simple checkbox that says ‘I have parental consent’, as this can easily be bypassed by children under 16 who do not have parental consent.

 

Data Consent -  Opt Out

Any individual has the right to review the data held about them and to withdraw consent for their personal data to be held.   Withdrawal of consent must be respected in all cases except where the data is held on another lawful basis with a justifiable purpose that overrides the withdrawal, e.g. a parking pass holder must remain recorded on our database to enable us to manage their pass.

 

Processing Personal Data

The Trust should only hold personal data which is directly relevant to its dealings with a given data subject.  That data will be held and processed in accordance with the data protection principles and with this Policy.

Any and all personal data collected by the Trust is collected in order to ensure that the Trust can facilitate efficient transactions with third parties including, but not limited to, its customers, partners, associates and affiliates, and efficiently manage its employees, volunteers, contractors, agents and consultants.  Personal data shall also be used by the Trust in meeting any and all relevant obligations imposed by law.

Personal data may be disclosed within the Trust.  Personal data may be passed from one department to another in accordance with the data protection principles and this Policy.  Under no circumstances will personal data be passed to any department or any individual within the Trust that does not reasonably require access to that personal data with respect to the purpose(s) for which it was collected and is being processed.

The Trust and users shall ensure that:

  • All personal data collected and processed for and on behalf of the Trust by any party is collected and processed fairly and lawfully;

Those responsible for processing personal data must ensure that data subjects are informed of the identity of the data controller, the purpose(s) of the processing, any disclosures to third parties that are envisaged and an indication of the period for which the data will be kept.

  • Data subjects are made fully aware of the reasons for the collection of personal data and are given details of the purpose for which the data will be used;

Data obtained for specified purposes must not be used for any purpose that differs from those specified.

  • Personal data is only collected to the extent that is necessary to fulfil the stated purpose(s);

Information which is not strictly necessary for the purpose for which it is obtained should not be collected. If data are given or obtained which are excessive for the purpose, they should be immediately deleted or destroyed.

  • All personal data is accurate at the time of collection and kept accurate and up-to-date while it is being held and / or processed;

Data which are kept for a long time must be reviewed and updated as necessary. No data should be kept unless it is reasonable to assume that they are accurate. It is the responsibility of individuals to ensure that data held by the Trust are accurate and up-to-date. Completion of an appropriate information or application form, etc. will be taken as an indication that the data contained therein is accurate. Individuals should notify the Trust of any changes in circumstance to enable personal records to be updated accordingly. It is the responsibility of the Trust to ensure that any notification regarding change of circumstances is noted and acted upon.

  • No personal data is held for any longer than necessary in light of the stated purpose(s);

See Retention and Disposal of Data

  • All personal data is held in a safe and secure manner, taking all appropriate technical and organisational measures to protect the data. See Data Protection Security;
  • All personal data is transferred using secure means, electronically or otherwise;

See Security of Data

  • No personal data is transferred outside of the UK or EEA (as appropriate) without first ensuring that appropriate safeguards are in place in the destination country or territory; and
  • All data subjects can exercise their rights set out above (see Rights of Data Subjects) and more fully in the Act.

Databases

Databases are likely areas where personal data may be found.  All databases should be recorded in the Trust data protection register and reviewed as part of the data protection policy on an annual basis.

A fundamental principle of data protection is fair ‘obtaining and processing’.  Therefore the individual providing the data must be made fully aware that the Trust is collecting it; how long it will be held; to what use it will be put; and to whom, if anyone, that information will be disclosed. This is good practice wherever personal data is being recorded, regardless of whether consent is required or the data is to be held under another legal basis.

An example may be for a donation database, where a message to a donor could state: 

Thank you for your donation. At the Greensand Trust we are committed to protecting your privacy. We will use your data solely for the purpose for which it was given; it will be held for a maximum period of 7 years as required by the Companies Act and Charities Act.  We also wish to assure you that our privacy policy has always been, and remains, that we never pass details to any third party without your prior consent, nor would we ever sell or rent out any databases or personal information. 

Please tick here ☐ if you would like to give consent for the Greensand Trust to retain your contact details so that we can keep you informed of our activities. You can change your mind at any time by contacting [email protected]

Data Protection Security

Article 5(1)(f) of the GDPR states:

‘Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’

The Trust shall ensure that all of its ‘users’ (employees, volunteers, contractors, agents, consultants, partners or other parties working on behalf of the Trust) comply with the following when processing and / or transmitting personal data:

  • Personal data access must always be restricted on a need-to-know basis;
  • All emails containing personal data must be encrypted;
  • Personal data may be transmitted over secure networks only; transmission over unsecured networks is not permitted in any circumstances. All such networks must have a fully installed, operational and maintained firewall;
  • Secure networks must be password protected; do not use vendor-supplied defaults for system passwords and other security parameters;
  • Each user of Trust IT / e-mail systems should have a unique user code and password, which are issued by and accessible to the IT administrator or senior staff only. Passwords should not be disclosed without prior authorisation. If you suspect your user account or password has been compromised you must inform the IT administrator or senior staff immediately;
  • Personal data may not be transmitted over an unsecured wireless network;
  • Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely.  The email itself should be deleted, together with all associated temporary files;
  • Where personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;
  • Where personal data is to be transferred in hardcopy form it should be passed directly to the recipient.  Using an intermediary is not permitted;
  • All hardcopies of personal data should either be stored securely in a locked box, drawer, cabinet or similar, or be processed immediately and the hard copy destroyed or the personal details obscured using an ID guard tool provided at Trust offices;
  • The use of felt-tip pens is not advisable for the recording of personal details;
  • All electronic copies of personal data should be stored securely using passwords and suitable data encryption, where possible on a drive or server which cannot be accessed via the internet; and
  • All passwords used to protect personal data should be changed regularly and should not use words or phrases which can be easily guessed or otherwise compromised.

CCTV Procedures

The Greensand Trust regularly evaluates whether continued use of CCTV is necessary and proportionate.

The purpose for which the Greensand Trust uses CCTV is the prevention of crime and the safety of staff and visitors.

The legal basis for the Greensand Trust's CCTV is not consent but ‘legitimate interest’: CCTV is used, once an incident has been identified or reported, to review footage for the protection and safety of staff and visitors and to verify reported site management problems that may require a response.   Given that the data is held securely on site for less than a fixed period and is not shared unless exceptional circumstances are approved, the risk of harm to any person through the collection of this data is significantly less than the benefit they may receive.

As our CCTV systems are not consent based, we do not offer those who may have been recorded the right to view that information.  This is both to protect the identity of others and because it would be impractical to do so: the purpose of the system is not to record individuals or any personal details that may identify them, nor to process such data, so there is no practical means to index the system.

The Greensand Trust only operates ‘in house’ CCTV facilities, where all data is recorded and held on the premises.

The CCTV data is stored on secure hard drives, which are only accessible via a secure password known only to named operators.  The hard drives automatically overwrite data, with a maximum data retention period of less than 3 months, which is an appropriate period to allow an incident to be reported either via the Greensand Trust or a Police investigation.

CCTV data will not be shared with any third party under any circumstances, other than if requested by the police in the legal course of their duties.

Where CCTV live images are displayed on screens, such screens should be positioned so that they are only visible to staff, and members of the public should not be allowed access to the area where staff can view them.

No real-time monitoring takes place other than at Rushmere, where CCTV can be used as a means to identify an issue such as a barrier failure through congestion.

Recorded images should also be viewed in a restricted area, such as a designated secure office. The monitoring or viewing of images from areas where an individual would have an expectation of privacy should be restricted to authorised personnel.

It is acceptable to disclose information to law enforcement agencies if failure to do so would be likely to prejudice the prevention and detection of crime. Any other requests for information should be approached with care as wider disclosure may be unfair to the individuals concerned. In some limited circumstances it may be appropriate to release information to a third party, where their needs outweigh those of the individuals whose information is recorded but such requests would need to be in writing and be approved by Senior Management.

Example: A member of the public requests CCTV footage of a car park, which shows their car being damaged. They say they need it so that they, or their insurance company, can take legal action. You should consider whether their request is genuine and whether there is any risk to the safety of the other people involved. This request would need approval by Senior Management.

Letting people know

You must let people know when they are in an area where a surveillance system is in operation. The most effective way of doing this is by using prominently placed signs at the entrance to the surveillance system’s zone and reinforcing this with further signs inside the area.

Signs should:

  • be clearly visible and readable;
  • contain details of the organisation operating the system, the purpose for using the surveillance system and who to contact about the scheme (where these things are not obvious to those being monitored);
  • include basic contact details such as a simple website address, telephone number or email contact; and
  • be an appropriate size depending on context, for example whether they are viewed by pedestrians or car drivers.

Visa / Credit Card Procedures

Intro

The PCI Data Security Standard (PCI DSS) sets the standards in order to protect cardholder data and sensitive authentication data wherever it is processed, stored or transmitted. The security controls and processes required by PCI DSS are vital for protecting all payment card account data, including the PAN – the primary account number printed on the front of a payment card.

Merchants, service providers, and other entities involved with payment card processing must never store sensitive authentication data after authorization.

Defining “sensitive cardholder data”:

  • The three- or four-digit security code printed on the front or back of a card
  • The data stored on a card’s magnetic stripe or chip (also called “Full Track Data”)
  • The personal identification number (PIN) entered by the cardholder

Sensitive authentication data, including anything on the back of the card and the CID, must never be stored. Everything else you store must be for a good business reason, and that data must be protected. PCI DSS explains how. 

The PCI Data Security Standard

PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data. It consists of steps that mirror security best practices.

Goals and PCI DSS Requirements

Build and Maintain a Secure Network and Systems

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy

  12. Maintain a policy that addresses information security for all personnel

Protect Cardholder Data

Cardholder data refers to any information printed, processed, transmitted or stored in any form on a payment card. Entities accepting payment cards are expected to protect cardholder data and to prevent its unauthorized use – whether the data is printed or stored locally, or transmitted over an internal or public network to a remote server or service provider.

Cardholder data should not be stored unless it’s necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip must never be stored after authorization. If your organization stores PAN, it is crucial to render it unreadable (see 3.4, and table below for guidelines).

  1. Limit cardholder data storage and retention time to that which is required for business, legal, and/ or regulatory purposes, as documented in your data retention policy. Purge unnecessary stored data at least quarterly.
  2. Do not store sensitive authentication data after authorization (even if it is encrypted). See table below. Render all sensitive authentication data unrecoverable upon completion of the authorization process. Issuers and related entities may store sensitive authentication data if there is a business justification, and the data is stored securely.
  3. Mask PAN when displayed (the first six and last four digits are the maximum number of digits you may display), so that only authorized people with a legitimate business need can see the full PAN. This does not supersede stricter requirements that may be in place for displays of cardholder data, such as on a point-of-sale receipt.
  4. Render PAN unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks. Technology solutions for this requirement may include strong one-way hash functions of the entire PAN, truncation, index tokens with securely stored pads, or strong cryptography. (See PCI DSS Glossary for definition of strong cryptography.)

Guidelines for Cardholder Data Elements

| Category | Data Element | Storage Permitted | Render Stored Data Unreadable per Requirement 3.4 |
|---|---|---|---|
| Cardholder Data | Primary Account Number (PAN) | Yes | Yes |
| Cardholder Data | Cardholder Name | Yes | No |
| Cardholder Data | Service Code | Yes | No |
| Cardholder Data | Expiration Date | Yes | No |
| Sensitive Authentication Data[1] | Full Track Data[2] | No | Cannot store per Requirement 2 above |
| Sensitive Authentication Data[1] | CAV2/CVC2/CVV2/CID[3] | No | Cannot store per Requirement 2 above |
| Sensitive Authentication Data[1] | PIN/PIN Block[4] | No | Cannot store per Requirement 2 above |

[1] Sensitive authentication data must not be stored after authorization (even if encrypted).

[2] Full track data from the magnetic stripe, equivalent data on the chip, or elsewhere.

[3] The three- or four-digit value printed on the front or back of a payment card.

[4] Personal Identification Number entered by the cardholder during a transaction, and/or the encrypted PIN block present within the transaction message.
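The masking, unreadable-storage and storage-permission rules set out in the numbered list and the table above, worked through as an added Python example (this is not part of the Trust's policy or of any PCI SSC material). The field names, the use of an HMAC-SHA256 keyed hash as the "strong one-way hash" of the PAN, the Luhn check used to recognise PANs in log text, and the sample record are all assumptions of the example; the 4111 1111 1111 1111 and 3782 822463 10005 numbers are publicly known test card numbers, not real accounts.

```python
"""Cardholder-data handling helpers modelled on the PCI DSS guidance above (added example)."""
import hashlib
import hmac
import re
from typing import Dict, Tuple

# Storage rules taken from the "Guidelines for Cardholder Data Elements" table:
# field -> (storage permitted, must be rendered unreadable per Requirement 3.4).
# The field names are constructed for this example.
STORAGE_RULES: Dict[str, Tuple[bool, bool]] = {
    "pan": (True, True),
    "cardholder_name": (True, False),
    "service_code": (True, False),
    "expiration_date": (True, False),
    "full_track_data": (False, False),   # sensitive authentication data
    "cvv2": (False, False),              # CAV2/CVC2/CVV2/CID
    "pin_block": (False, False),         # PIN / PIN block
}

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run. Two adjacent space-separated numbers can merge into one
# candidate; the Luhn check below then rejects it rather than over-redacting.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _digits(value: str) -> str:
    """Strip separators so '4111 1111 1111 1111' and '4111111111111111' compare equal."""
    return re.sub(r"\D", "", value)


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test, used to tell a real PAN from an arbitrary number."""
    digits = [int(d) for d in _digits(pan)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form (item 3 above): at most the first six and last four digits visible."""
    digits = _digits(pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Unreadable stored form (item 4 above): keyed one-way hash of the entire PAN.

    The key is assumed to be a secret held separately from the data store. A keyed
    hash is used so that the stored value cannot be reversed by exhausting the
    small PAN number space without possession of the key.
    """
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Apply the table: drop sensitive authentication data, hash the PAN, keep the rest."""
    stored: Dict[str, str] = {}
    for field, value in record.items():
        if field not in STORAGE_RULES:
            raise KeyError(f"no storage rule for field {field!r}")
        permitted, unreadable = STORAGE_RULES[field]
        if not permitted:
            continue            # never stored after authorization, even if encrypted
        stored[field] = hash_pan(value, key) if unreadable else value
    return stored


def redact_pans(text: str) -> str:
    """Mask any Luhn-valid PAN found in free text such as a log line (item 4: logs)."""
    def _sub(match: "re.Match[str]") -> str:
        candidate = match.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return _PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample authorization record using a well-known test PAN.
    sample_record = {
        "pan": "4111 1111 1111 1111",
        "cardholder_name": "A Donor",
        "expiration_date": "12/27",
        "cvv2": "123",                       # must not survive into storage
        "full_track_data": "constructed",    # must not survive into storage
    }
    example_key = b"example-key-held-outside-the-database"
    print(prepare_for_storage(sample_record, example_key))
    print(redact_pans("2024-01-01 auth ok pan=4111 1111 1111 1111 cvv=123"))
```

The same rules cover the two places the list treats separately: the record about to be written to a database, and free text such as application logs, where a PAN can leak without anyone deciding to store it.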

Operational Measures

Our Commitment

The Trust and users shall ensure that the following measures are taken with respect to the collection, holding and processing of personal data:

  • All employees, volunteers, contractors, agents, consultants, partners or other parties working on behalf of the Trust are made fully aware of both their individual responsibilities and the Trust’s responsibilities under the Act and shall be furnished with a copy of this Policy.
  • All employees, volunteers, contractors, agents, consultants, partners or other parties working on behalf of the Trust handling personal data will be appropriately trained to do so.
  • All employees, volunteers, contractors, agents, consultants, partners or other parties working on behalf of the Trust handling personal data will be appropriately supervised.
  • Methods of collecting, holding and processing personal data shall be regularly evaluated and reviewed.
  • The performance of those employees, volunteers, contractors, agents, consultants, partners or other parties working on behalf of the Trust handling personal data shall be regularly evaluated and reviewed.
  • All employees, volunteers, contractors, agents, consultants, partners or other parties working on behalf of the Trust handling personal data will be bound to do so in accordance with the principles of the Act and this Policy by contract. Failure by any employee or volunteer to comply with the principles or this Policy shall constitute a disciplinary offence.  Failure by any contractor, agent, consultant, partner or other party to comply with the principles or this Policy shall constitute a breach of contract.  In all cases, failure to comply with the principles or this Policy may also constitute a criminal offence under the Act.
  • All contractors, agents, consultants, partners or other parties working on behalf of the Trust handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of the Trust arising out of this Policy and the Act.
  • Where any contractor, agent, consultant, partner or other party working on behalf of the Trust handling personal data fails in their obligations under this Policy that party shall indemnify and hold harmless the Trust against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
  • An annual Data Security Risk Assessment will be completed by all teams who are Data Controllers (effectively any team that deals with personal or sensitive data) to ensure they are complying with all elements of Trust policies; this will be overseen and logged by Finance and Admin.

Access by Data Subjects

A data subject may make a subject access request (“SAR”) at any time to see the information which the Trust holds about them.

  • SARs must be made in writing
  • No fee is payable under normal circumstances.
  • Upon receipt of a SAR the Trust shall have a maximum period of 30 days within which to respond.

The following information will be provided to the data subject:

  • Whether or not the Trust holds any personal data on the data subject;
  • A description of any personal data held on the data subject;
  • Details of what that personal data is used for;
  • How long that personal data is held;
  • Details of any third-party organisations that personal data is passed to;
  • Details of any technical terminology or codes; and
  • Details of the data subject's rights under the GDPR including, but not limited to, the right to withdraw consent to the Trust's use of their personal data at any time and/or to object to its processing.

Data Protection Register

All data users and processors must ensure that any data held or processed is recorded at least in principle in the Greensand Trust data protection register.  The purpose of this register is to allow the Trust in its role as a data controller to regularly audit and review its data protection responsibilities. 

The register is also used to locate and remove personal or sensitive data held under consent from which an individual has unsubscribed.

Disclosure of Data

This policy determines that personal data may be legitimately disclosed where one of the following conditions applies:

  1. The individual has given their consent
  2. Where the disclosure is in the legitimate interests of the institution (eg disclosure to staff - personal information can be disclosed to other Trust employees if it is clear that those members of staff require the information to enable them to perform their jobs);
  3. Where the institution is legally obliged to disclose the data
  4. Where disclosure of data is required for the performance of a contract

The Act permits certain disclosures without consent so long as the information is requested for one or more of the following purposes:

  1. To safeguard national security*;
  2. Prevention or detection of crime including the apprehension or prosecution of offenders*;
  3. Assessment or collection of tax or duty*;
  4. Discharge of regulatory functions (includes health, safety and welfare of persons at work)*;
  5. To prevent serious harm to a third party;
  6. To protect the vital interests of the individual, this refers to life and death situations.

*Requests must be supported by appropriate paperwork.

Publication of Trust Information

All members of the Trust should note that from time to time the Trust publishes a number of items that include personal data, and will continue to do so. These personal data are:

  • Names, job titles and contact details
  • Telephone number
  • Staff structure
  • Information for publishing purposes (including photographs), annual reports, staff newsletters, etc.
  • Staff / volunteer information on the Trust website (including photographs)

Retention and Disposal of Data

The Trust discourages the retention of personal data for longer than it is required. However, the Trust is also legally required to retain appropriate data for minimum periods for matters such as financial audits or legal claims. 

The actual period records are kept will depend on a number of factors including:

  • Legal and related requirements;
  • Costs;
  • The organisation’s own need to access the document; and
  • Historical value.

Each type of document needs to be assessed separately. In the case of many types of document, it will be sufficient to keep them only for the period required by statute; others will be essential reference material in future years and the organisation might, therefore, decide to keep them longer than the period required by law.

The Retention of Data Guidelines (updated 2015) set out the suggested retention period for the documents most commonly held.  If unsure, users should refer the matter to a member of the Trust's Management Team or Senior Management for guidance.

Disposal of Records

Personal data must be disposed of in a way that protects the rights and privacy of data subjects (eg, shredding, disposal as confidential waste, secure electronic deletion).

Data protection impact assessment (DPIA)

  • A data protection impact assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.
  • You must do a DPIA for certain listed types of processing, or any other processing that is likely to result in a high risk to individuals’ interests. You can use our screening checklist to help you decide when to do a DPIA.
  • It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
  • Your DPIA must:
    • describe the nature, scope, context and purposes of the processing;
    • assess necessity, proportionality and compliance measures;
    • identify and assess risks to individuals; and
    • identify any additional measures to mitigate those risks.
  • To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.

Data Protection Registration

The Data Protection Act 1998 requires every data controller (eg organisation, sole trader) who is processing personal information to register with the ICO (Information Commissioner’s Office), unless they are exempt.

Not-for-profit organisations are exempt from registration provided that they:

  • only process information necessary to establish or maintain membership or support; and
  • only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it; and
  • only share the information with people and organisations necessary to carry out the organisation’s activities. Important - if individuals give you permission to share their information, this is OK (you can still answer ‘yes’); and
  • only keep the information while the individual is a member or supporter, or as long as necessary for member/supporter administration.

Whilst the Greensand Trust has met the exemption for many years, it is now required to register, as some aspects of its data processing, such as the use of CCTV, require registration.