DIGITALL’S DATA PROTECTION POLICY
1. AIM
1.1 Digitall is committed to maintaining your confidence and trust and to protecting the privacy of your information.
1.2 Accordingly, Digitall is committed to processing data in accordance with its responsibilities under the UK Data Protection Act of 2018, the UK General Data Protection Regulation, and any subsequent Data Protection Acts.
2. Key Terms
- DPA 2018 – UK Data Protection Act of 2018
- UKGDPR – UK General Data Protection Principles
- SAR – Subject Access Request
- ICO - Information Commissioners Office
3. Privacy Notices
3.1 Online Privacy notice available at www.Digitall.org.uk giving details of how Digitall protects the online privacy of visitors to its website.
3.2 Staff & Volunteer Privacy Notice – This statement explains to staff and volunteers how Digitall uses personal data as an employer and as a charity that utilizes the services of volunteers.
4. Data Protection Principles
4.1 Article 5 of the UKGDPR requires that personal data shall be:
- Processed lawfully, fairly, and in a transparent manner in relation to individuals.
- Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the initial purposes.
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes subject to the implementation of the appropriate technical and organizational measures required by the UKGDPR in order to safeguard the rights and freedoms of individuals.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
4.2 Data subjects have inherent rights within the UKGDPR. These are:
1) The right to know whether data concerning him or her are being processed (UKGDPR Articles 13 & 14).
2) The right of access, commonly referred to as subject access (SAR), gives individuals the right to obtain a copy of their personal data, as well as other supplementary information (UKGDPR Article 15).
3) The right to rectification. When personal data are inaccurate, then controllers need to correct them (UKGDPR Article 16).
4) The right to erasure and the right to be forgotten if personal data have been made public (UKGDPR Article 17).
5) The right to restriction of processing (UKGDPR Article 18).
6) The right to be informed (UKGDPR Article 19).
7) The right to data portability (UKGDPR Article 20).
8) The right to object (UKGDPR Article 21).
9) The right not to be subject to a decision based solely on automated processing (UKGDPR Article 22).
5. General Provisions
5.1 This policy applies to all personal data processed by Digitall.
5.2 The nominated Responsible Person for data protection within Digitall is Veronika Stoyanova.
5.3 The Responsible Person shall take responsibility for Digitall’s ongoing compliance with this policy.
5.4 This policy will be reviewed at least annually.
5.5 This policy will be communicated to all staff and volunteers. Digitall expects all staff and volunteers to maintain data protection at all times. In line with General Data Protection Regulations, Digitall does not share information if not required.
5.6 Digitall is registered with the Information Commissioner’s Office as an organization that processes personal data.
6. Lawful, Fair, and Transparent Processing
6.1 To ensure its processing of data is lawful, fair, and transparent, Digitall shall maintain a Register of Data Processing.
6.2 The Register of Data Processing shall be reviewed at least annually.
6.3 Individuals have the right to access their personal data, and any such requests made to the Digitall shall be dealt with as soon as possible, with the first response being within one month. This can be obtained by emailing a request to hello@Digitall.org.uk.
7. Lawful Purposes
7.1 All data processed by Digitall must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests (see ICO guidance for more information).
7.2 Digitall shall note the appropriate lawful basis in the Register of Systems.
7.3 Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
7.4 Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available, and systems should be in place to ensure such revocation is reflected accurately in Digitall’s systems.
8. Data Minimisation
8.1 Digitall shall ensure that personal data collected and processed is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
9. Accuracy
9.1 Digitall will take reasonable steps to ensure personal data is accurate.
9.2 Where necessary for the lawful basis on which data is processed, steps will be put in place to ensure that personal data is kept up to date.
10. Archiving / Removal
10.1 To ensure that personal data is kept for no longer than necessary, Digitall shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
10.2 The archiving policy shall consider what data should/must be retained, for how long, and why.
11. Record Retention Periods
11.1 Normally, information pertaining to children and adults should not be held for longer than 12 months after the subject’s last contact with Digitall.
11.2 Personal data retained for HMRC records must not be kept for longer than necessary for its lawful purpose. The default standard retention period is 6 years plus the current year, otherwise known as 6 years + 1.
11.2.1 Exceptions to the 6-year period will occur when records:
- Need to be retained because the information is relevant to legal action that has been started.
- Are required to be kept longer by law.
- Are archived for historical purposes (e.g., where Digitall has been party to legal proceedings or involved in proceedings brought by a local authority).
- Relate to individuals or staff who have been judged unsatisfactory.
11.3 Where records are being kept for more than the 12-month period, files need to be clearly marked and the reasons for the extension period clearly identified.
12. Security
12.1 Digitall shall ensure that personal data is stored securely using modern software that is kept up-to-date.
12.2 Access to personal data shall be limited to personnel who need access, and appropriate security should be in place to avoid unauthorized sharing of information.
12.3 When personal data is deleted, this should be done safely so that the data is irrecoverable.
12.4 Appropriate back-up and disaster recovery solutions shall be in place.
13. Breach
13.1 In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, Digitall shall promptly assess the risk to people’s rights and freedoms and, if appropriate, report this breach to affected data subjects and to ICO.
14. Further Reading
- Digitall Privacy notices
- Information Commissioner’s Office – https://ico.org.uk/for-organisations/guide-to-data-protection/
- Gov.uk - https://www.legislation.gov.uk/eur/2016/679/contents
15. Policy Revision
15.1 This policy will be reviewed at least annually and amended as necessary, or earlier in accordance with forthcoming legislation.