This is the data protection policy for Ideal Directions. As part of our work we need to collect information from the people we work with and who wish to be in contact with us. The collection of that data creates an obligation to ensure that we have informed consent to collect information and a transparent plan for managing that information within the scope of data protection regulations.
This policy sets out how we will collect information, store information and seek consent from individuals in relation to the data we store on their behalf.
This policy ensures that Ideal Directions complies with all legal obligations to:
- Recognise that individuals who provide us with data are the owners of that data
- Store data in a manner that treats the security of that data as the most important consideration
- Provide individuals with access to all information held by us on request
- Protect itself and individuals from the risk of a data breach
This policy has been developed in order to comply with the General Data Protection Regulation (GDPR) and UK data protection legislation such as the Data Protection Act 1998. As such, Ideal Directions commits to embedding the five Data Protection principles in its business:
- Personal data should be processed fairly and lawfully
- Data should be collected for a clear purpose
- Collection should be adequate for that purpose
- Data should not be kept for too long
- People supplying data should understand their rights
This policy is designed to mitigate risks that might result from data breaches. Through the implementation of this policy in its entirety, Ideal Directions seeks to reduce the risk that:
- Consent is not informed when data is collected, by ensuring that individuals know the purpose of data collection
- Breaches of confidentiality occur, by ensuring that the only people within the company who have access to data are those appropriate for the agreed processing
- Data is not maintained in a secure environment that prevents loss or theft
This policy applies to:
- The board
- All offices within the company
- All employed staff
- Any person acting under contract to the company
- Any person acting in a volunteer capacity for the company
The policy applies to all information/data that is collected by the company and is not restricted to electronic information. The range of information collected by the company is contained within the data schema attached within Appendix 1.
The policy also applies to data that is not obtained through direct contact with individuals. For example, this could be data that comes into the company's possession through the operation of a contract or through a transaction with a third-party organisation. All data obtained in such a manner will be treated in the same way as data obtained directly from individuals, and the company will not assume that consent for processing activities has been secured by third-party organisations.
Within Ideal Directions a number of roles in relation to data protection have been identified.
The owner of Ideal Directions is accountable for data protection within the organisation, and Marieanne Delaney is the individual responsible for responding to issues relating to data protection and for ensuring this policy is reviewed.
Access to Data
In managing data Ideal Directions will ensure that access is restricted to staff or volunteers that have a legitimate business need.
In order to access data, staff and volunteers must:
- Be able to demonstrate that access is relevant to their job role
- Ensure that their access is protected by strong passwords
- Have been provided with appropriate data protection training
- Be aware that data cannot be shared informally within the company or with third-party organisations or contractors; formal processes must be used for all transfers of data
- Regularly review the relevance of their access to data
- Review the data they manage to ensure it is consistent with the consent that provided access to it in the first place
All data that is held by Ideal Directions must meet recognised standards of data security.
Where data is kept in paper form, these steps will be taken to maintain security:
- Data will be locked in either a filing cabinet or a drawer
- Where personal data is removed from company premises, there will be a process to sign it out and back in again
- Personal data will be securely shredded when disposed of
- Personal data will not be left in plain view
Where data is kept in electronic form, these steps will be taken to maintain security:
- Data is kept behind secure passwords
- Software that stores data will be regularly patched with security updates
- Encryption will be used for electronic transfer
- Data will not be stored on personal electronic devices
- External removable storage used for personal data will be password protected and encrypted
Ideal Directions will take steps to ensure that data held is accurate and fit for purpose. To ensure accuracy, these steps will be taken:
- Data will be periodically reviewed to ensure that it is up to date
- A facility will be provided to allow individuals to update their data
- Steps will be taken to reduce data duplication
In order to be consistent with data protection regulations Ideal Directions will seek informed consent for the collection and use of all personal data. Consent will take the form of an affirmative action on the part of the individual. Consent will not be assumed based on the method by which the data was obtained.
Ideal Directions will ensure that the consent process is distinct from any need to set out terms and conditions in respect of contracts or transactions.
The consent process will set out in plain English:
- Preferred means of contact
- The purpose of collecting data
- The process for withdrawing consent
- The limit on how long data will be held
In any case where Ideal Directions is made aware of a data breach, Marieanne Delaney, as the Accountable Individual, will alert the stakeholders at the earliest opportunity. In line with Data Protection Regulations, the Accountable Individual will also notify the Information Commissioner's Office (ICO) of the breach and set out the short-term actions that will be taken to:
- Identify the scope of the breach
- Identify individuals affected by the breach
- Identify actions to mitigate further breach
- Develop a plan to communicate with individuals
The Accountable Individual will be the main point of liaison between Ideal Directions and the ICO. The Accountable Individual will prepare a paper for stakeholders outlining all the actions set out above.
Where an external body notifies Ideal Directions of a data breach, the same actions outlined above will be taken.
Data and Third Parties
In working with data and third-party organisations, Ideal Directions will ensure that all data obtained is treated in the same manner as if it had been obtained from individuals. Consent will not be assumed for processing and, if necessary, will be sought from the individuals.
Where working with a third-party organisation requires the transfer of personal data, Ideal Directions will ensure that explicit consent for such a transfer is sought from the individuals.
The commitment to explicit consent will be reflected in all contracts made by Ideal Directions.
Subject Access Requests
All individuals who have data held by Ideal Directions have a right to:
- Know what data is held
- Have access to data
- Remove data
- Move data to another place (data portability)
Ideal Directions commits to meeting all Subject Access Requests within the 30-day time limit set by the General Data Protection Regulation. To support Subject Access Requests, Ideal Directions will make clear information available about how to make a request. This information will provide a clear outline of what people can request, the time limits for meeting such a request and the method for making a request.
Ideal Directions will provide a dedicated email address for making requests as well as a phone number and correspondence address.
Appendix one is available to view here.