Volunteer Cornwall
DATA SECURITY AND PROTECTION POLICY 2018
1. Statement, Scope and Purpose of Policy
Volunteer Cornwall is committed to ensuring that all personal data it handles will be processed according to legally compliant standards of data protection and data security.
An organisation which controls processing activities involving personal or sensitive data must comply with the General Data Protection Regulation 2016 (GDPR) and the Privacy and Electronic Communications Regulation 2003 (PECR).
The scope of this policy covers all processing activities and supporting information systems involving Personal or Sensitive Data, including data in physical form, stored in a relevant filing system.
The scope of this policy also covers all employees, volunteers, contractors, third parties, processors or others who process Personal or Sensitive Data on behalf of Volunteer Cornwall.
The purpose of this policy is to ensure that Volunteer Cornwall achieves its data protection and data security aims by:
- Notifying staff, volunteers and clients of the types of personal information that we may hold about them, and what we do with that information;
- Setting out the rules on data protection and the legal conditions that must be satisfied when we collect, receive, handle, process, transfer and store personal data and ensuring that staff and volunteers understand our rules and the legal standards;
- Clarifying the responsibilities and duties of staff in respect of data protection and security.
For the purposes of this policy:
- Data protection laws means all applicable laws relating to the processing of Personal Data, including the General Data Protection Regulation (GDPR);
- Data subject means the individual to whom the personal data relates;
- Personal data means any information that relates to an individual who can be identified from that information;
- Processing means any use that is made of data, including collecting, storing, amending, sharing, transferring, disclosing or destroying;
- Special categories of personal data means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.
2. Data Protection Principles
The main purpose of this policy is to draw attention to the responsibilities and duties of Volunteer Cornwall in the collection, storage, usage and confidentiality of information held about people. Staff and volunteers whose work involves using personal data must comply with this policy and with the following data protection principles which require that personal information is:
- Processed lawfully, fairly and in a transparent manner. We must always have a lawful basis to process personal data, as set out in data protection laws. Personal data may be processed as necessary to perform a contract with the data subject, to comply with a legal obligation to which the data controller is subject, or for the legitimate interest of the data controller or the party to whom the data is disclosed. The data subject must be told who controls the information, the purpose for which it is processed and with whom it may be shared or to whom it may be disclosed;
- Collected only for specified, explicit and legitimate purposes. Personal data must not be collected for one purpose and then used for another. If we want to change the way we use personal data we must first tell the data subject;
- Processed only where it is adequate, relevant and limited to what is necessary for the purposes of processing. We will only collect personal data to the extent required for the specific purpose notified to the data subject;
- Accurate and all reasonable steps taken to ensure that information that is inaccurate is rectified or deleted without delay. Checks to personal data will be made when collected and regular checks must be made afterwards. We will make reasonable efforts to rectify or erase inaccurate information;
- Retained only for the period necessary for processing. Information will not be kept longer than it is needed and we will take all reasonable steps to delete information when we no longer need it;
- Processed securely, in an appropriate manner to maintain security.
3. Roles and Responsibilities
The Board of Directors has overall responsibility for this policy, and for reviewing the effectiveness of actions taken in response to concerns raised in the policy.
The Data Protection and Security Steering Group is authorised by the Board to support and drive the broader data protection and security agenda and provide the Board with the assurance that effective data protection mechanisms are embedded within Volunteer Cornwall. The group will be chaired by a board member and is to meet at least quarterly, or more frequently if required, and report formally to the Board at its quarterly meetings.
The Chief Executive is the Senior Information Risk Owner (SIRO) and has overall accountability for the management of information assets held by Volunteer Cornwall.
The Data Security and Protection Steering Group has decided not to formally appoint a Data Protection Officer. The Information Governance (IG) Lead takes proper responsibility for data protection compliance and has the knowledge, support and authority to do so.
The Accounts and Administration Manager is the Data Security and Protection Lead and will advise on Volunteer Cornwall’s compliance with data protection legislation, providing advice, assistance and recommendations to the Senior Information Risk Owner (SIRO).
The designated Data Security and Protection Lead and senior managers in Volunteer Cornwall are responsible for overseeing day to day Data Protection and Security issues. This includes developing and maintaining policies, standards, procedures and guidance, coordinating Data Security and Protection in Volunteer Cornwall, raising awareness of Data Security and Protection and ensuring that there is ongoing compliance with the policy and its supporting standards and guidelines.
Senior and Line Managers are designated as Information Asset Owners and are to ensure that their Information Assets are managed in compliance with Volunteer Cornwall’s Data Protection and Security Framework. They are also to ensure that employees and volunteers are made aware of their responsibilities and they comply with this and associated data protection, information security, information management and information technology processes and procedures.
All staff and volunteers have personal responsibility to ensure compliance with this policy, to handle all personal data consistently with the principles set out in this policy and to ensure that measures are taken to protect the data security.
All individuals and organisations that process information on behalf of Volunteer Cornwall have a responsibility to comply with this and associated data protection, information security, information management and information technology processes and procedures.
4. Personal Data and Activities
This policy covers personal data which:
- Relates to a natural living individual who can be identified either from that information in isolation or by reading it with other information we possess;
- Is stored electronically or on paper in a filing system;
- Is in the form of statements of opinion as well as facts;
- Relates to staff or volunteers (present, past or future) or to any other individual whose data we handle or control;
- We obtain or are provided with, or which we hold or store, organise, disclose or share/transfer, amend, retrieve, use, handle, process, transport or destroy.
5. Lawfulness of Processing Data
Senior and Line Managers are to ensure that their processing is lawful and document the lawful grounds for processing on their respective Data Flows. Once a lawful basis is decided it cannot normally be changed.
Where processing involves the data of children, parental consent must be sought, provided and documented.
With the exception of storage, processing must cease immediately where there are no longer lawful grounds for processing.
6. Data Protection by Design and Default
Data protection by design and default are key principles in the GDPR, recognising the need for privacy to be ensured through design and maintenance of information systems. It is an approach to project management that promotes privacy and data protection from the start, requiring that appropriate technical and organisational measures are put in place to implement the data protection principles and safeguard individual rights. It is now a legal requirement.
Data protection by design is an approach that ensures we consider privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle. This means that we must integrate and embed data protection into our processing activities and business practices from the very start of an activity or project.
A Data Protection Impact Assessment (DPIA) is a key component of a “data protection by design” approach and senior and line managers are to ensure that a DPIA is completed for all new projects and activities. A copy should be given to the Data Security and Protection Lead.
Data protection by default requires us to ensure that we only process the data that is necessary to achieve our specific purpose. It links to the fundamental data protection principles of data minimisation and purpose limitation. Because we have to process some personal data to achieve our purpose, data protection by default means that we need to specify this data before the processing starts, appropriately inform individuals and only process the data that is needed for the purpose.
Our data flow information capture process is a key component of a “data protection by default” approach as the personal data to be processed can be identified at the start of the new project or activity. Senior and line managers are to ensure that a data flow chart is completed for all new projects and activities. A copy should be given to the Data Security and Protection Lead.
Pseudonymisation is a method of ensuring that the principle of data minimisation is satisfied. It is an approach that satisfies the requirements of privacy by design and by default with respect to ensuring the security of data held. Pseudonymisation involves replacing one attribute in a record with another. The natural person is therefore still likely to be identified indirectly. This is often achieved using hashing, encryption or tokenisation of an identifier. For example, in its simplest terms a person’s name is replaced by a number. The question of whether data can be pseudonymised is to be included and considered as part of the Data Protection Impact Assessment process.
7. Privacy Notices
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
When you collect personal information from the individual it relates to you must provide them with information at the time you obtain their data. You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. This is called “Privacy Information”.
You must provide privacy information to individuals at the time their personal data is collected. If you obtain personal data from other sources you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
You must actively provide privacy information to individuals. You can meet this requirement by putting the information on our website but individuals must be made aware of it and given an easy way to access it.
Privacy information must be regularly reviewed and updated.
8. Subject Access Request
Individuals have the right to access their personal data and this is referred to as a Subject Access Request. Individuals can make a subject access request verbally or in writing, and a request can be made to any part of our organisation, including by social media. Requests can also be made via the website. The request does not have to be in any particular format; it just has to be clear that the individual is asking for their own personal data. Any request must be responded to within one month of receipt.
Senior managers are to ensure that their staff and volunteers receive appropriate training on how to process subject access requests. All requests are to be logged and forwarded to senior managers for their action. Any response is to be co-ordinated with the Data Security and Protection Lead, but should normally include:
- Whether or not their personal data is processed by us, and if so why;
- The type or categories of data being processed, and the source of the data if not collected direct from the individual;
- To whom the data is or may be disclosed or shared;
- For how long the personal data is stored, or how that period is decided;
- Their right of rectification or erasure of data, or to restrict or object to processing;
- Their right to complain to the Information Commissioner if they think we have failed to comply with their data protection rights;
- A copy of the personal data undergoing processing.
If a request is manifestly unfounded or excessive we may not be obliged to comply with it.
9. Data Breaches
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is about more than just losing personal data.
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
The GDPR makes it clear that when a security incident takes place, we must quickly establish whether a data breach has occurred and, if so, promptly take steps to address it, including telling the Information Commissioner if required.
All data breaches are to be dealt with in accordance with Volunteer Cornwall’s Incident Reporting Procedures and senior managers are to ensure that their staff and volunteers receive appropriate training on how to deal with and report data breaches.
Senior Managers are also to ensure that following a breach, dependent on the likelihood and severity of any resulting risk to people’s rights and freedoms, notifiable breaches are reported to the Information Commissioner within 72 hours of their becoming aware of the breach.
10. Information Systems
All information systems containing personal or sensitive data and exposed to the Internet or a third party are to be the subject of an independent risk-based penetration test at least annually. Senior Managers and the IT Officer are to ensure that measures are put in place to mitigate any issues identified as a result of the test.
11. Training
All staff and volunteers are to receive training about their data protection responsibilities as part of the induction process and at regular intervals thereafter.
Senior Managers are responsible for the implementation of the policies, procedures and guidance. As well as formal training, data security and protection is to be included on all meeting agendas, and the practicalities and relevance of the policies, and how they apply to “real work situations”, are to be discussed and minuted at these meetings.
12. Policy Approval
This policy, and its supporting standards and work instruction, are fully endorsed by the Board of Directors through the production of these documents and their formal approval.
Any breach of this policy will be taken seriously and may result in disciplinary action up to and including dismissal.
13. Related Policies and Guidance
This policy should not be read in isolation. The following policies also include specific and supporting requirements:
- Information Security Policy;
- Incident Management and Reporting Procedures;
- Change Control and DPIA Policy;
- Data Sharing Code of Practice;
- Procedure for the Secure Transfer and Receipt of Information;
- Monitoring and Audit Procedures;
- Business Continuity Plan;
- Data Quality Policy;
- ICT Policies and Procedures.
Signed:
Ian Jones
Chief Executive
On behalf of Volunteer Cornwall
Date: 22 May 2018
Review Date: 01/19


