DATA PROTECTION POLICY
1. POLICY STATEMENT
1.1 Everyone has rights which cover the way in which their personal data is handled. During the course of the activities of the Children and Families Truth Commission (hereinafter referred to as ‘CFTC’ or ‘the commission’), we will collect, store and process personal data relating to our site’s visitors. We will endeavour to do this in a transparent way, and we view treating your data with care as an essential aspect of our work in order to run a successful platform.
1.2 Our data users are also required to comply with this policy when processing personal data on our behalf. Any breach of this policy may result in disciplinary action.
2. ABOUT THIS POLICY
2.1 The types of personal data that CFTC may be required to handle include information about current, past and prospective visitors and other editorial and media contacts and public relations professionals that we communicate with. The personal data, which may be held in a paper filing system or electronically, is subject to the General Data Protection Regulation (“GDPR”) and UK data protection laws.
2.2 This policy and any other documents referred to in it set out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.
2.3 This policy sets out rules on data protection and the legal conditions that must be satisfied when we obtain, handle, process, transfer and store personal data for the Services.
2.4 Questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to Natasha Phillips at firstname.lastname@example.org
3. DEFINITION OF DATA PROTECTION TERMS
3.1 Data is information which is stored electronically, on a computer or mobile device, or in certain paper-based filing systems.
3.2 Data subjects for the purpose of this policy refers to website visitors about whom we hold personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal information.
3.3 Personal data means data relating to a living individual who can be identified directly or indirectly from that data (or from that data and other information in our possession). Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
3.4 Data controllers are the people who, or organisations which, determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies in line with the Act and the GDPR. CFTC is the data controller of all personal data collected, stored and processed for its services.
3.5 Data users are those of our volunteers whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times.
3.6 Data processors include any person or organisation that is not a data user that processes personal data on our behalf and on our instructions. Employees of data controllers are excluded from this definition but it could include suppliers which handle personal data on our behalf.
3.7 Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
3.8 Special category data includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings.
4. DATA PROTECTION PRINCIPLES
Anyone processing personal data must comply with the eight enforceable principles of good practice. These provide that personal data must be:
(a) Processed fairly, lawfully and transparently.
(b) Processed for limited purposes and in an appropriate way.
(c) Adequate, relevant and not excessive for the purpose.
(e) Not kept longer than necessary for the purpose.
5. FAIR, LAWFUL AND TRANSPARENT PROCESSING
5.1 The Act and the GDPR do not prevent the processing of personal data; they are there to ensure that data processing is done fairly and without adversely affecting the rights of the data subject.
5.2 For personal data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in the Act and the GDPR. These include, among other things, the data subject’s consent to the processing, or that the processing is necessary for the performance of a contract with the data subject, for compliance with a legal obligation to which the data controller is subject, for the interest of the public, as a vital interest to the data subject or for the legitimate interest of the data controller or the party to whom the data is disclosed.
5.3 When we collect and process personal data, we do so only in accordance with the real and present legitimate interests of the commission and taking into consideration the fundamental rights and freedoms of the relevant data subjects, in particular:
(a) our collection and processing of personal data is limited to those activities specifically permitted by the Act or the GDPR;
(b) we always endeavour to notify data subjects of our collection and processing of personal data in accordance with this policy; and
(c) data subjects have the right to request that we not collect and process their personal data at any time in accordance with this policy.
5.4 When special category data is being processed, additional conditions must be met. When processing personal data as data controllers in the course of our business, we will ensure that those requirements are met. They include obtaining specific consent, carrying out an obligation, processing personal data that has been made public by the data subject, or processing a legal claim.
6. NOTIFYING DATA SUBJECTS
6.1 If we collect or process personal data, we will always endeavour to inform visitors about:
(a) The source from which we obtained their personal data;
(b) The purpose or purposes for which we intend to process that personal data;
(c) The categories of personal data;
(d) How long personal data will be retained for;
(e) The types of third parties, if any, with which we will share or to which we will disclose that personal data; and
(f) The means, if any, with which data subjects can limit or prevent our use and disclosure of their personal data.
6.2 We will also inform data subjects whose personal data we process that we are the data controller with regard to that data.
7. ACCURATE DATA
We will ensure that personal data we hold is accurate and kept up to date. We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.
8. TIMELY PROCESSING
We will not keep personal data longer than is necessary for the purpose or purposes for which it was collected. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required.
9. SECURING YOUR DATA
We will take all reasonable security measures against the accidental loss of, or damage to, personal data. We will ensure that personal data is kept confidential and only accessed on a need-to-know basis; that all members of staff securely update and maintain the completeness of personal data; and that measures are undertaken to prevent accidental and deliberate unauthorised access.
This section is applicable to volunteers, who will be asked to ensure compliance with these points.
10. TRANSFERRING PERSONAL DATA TO A COUNTRY OUTSIDE THE EEA
10.1 From time to time, we may transfer personal data we hold to a country outside the European Economic Area (EEA), provided that one of the following conditions applies:
(a) The country to which the personal data are transferred ensures an adequate level of protection for the data subjects’ rights and freedoms.
(b) The visitor has given his consent.
(c) The transfer is necessary for one of the reasons set out in the Act or the GDPR.
(d) The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.
10.2 Subject to the requirements in clause 10.1 above, personal data we hold may also be processed by volunteers operating outside the EEA who work on our behalf, or for one of our suppliers. That volunteer may be engaged in, among other things, the fulfilment of projects with other volunteers, and the provision of support services.
11. DISCLOSURE OF PERSONAL INFORMATION
11.1 CFTC may share personal data it holds with any member of our group.
11.2 CFTC may also share a data subject’s personal data in order to comply with a legal obligation, or in order to enforce or apply any contract with the data subject; or to protect our rights, property, or safety of our volunteers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
12. SUBJECT ACCESS REQUESTS
12.1 As data subjects, website visitors must make a formal request for information we hold about them. This should be made in writing to email@example.com in the first instance. The email should outline what information the data subject requires.
Every attempt will be made to respond to your request within one month.
12.2 CFTC volunteers will refer a request to the commission’s manager for assistance in difficult situations.
13. AMENDMENTS TO THIS DATA PROTECTION POLICY
We reserve the right to change this policy at any time. Where appropriate, we will notify our visitors of those changes by email.