Data Protection Policy
York: Human Rights City Network – Data Protection Policy, including Key Procedures
Aims of this Policy
York: Human Rights City Network needs to keep certain information on its employees, volunteers, pledgees, mailing list subscribers, steering group members and research participants to carry out its day to day operations, to meet its objectives and to comply with legal obligations.
The network is committed to ensuring any personal data will be dealt with in line with the Data Protection Act 1998, and the General Data Protection Regulations (GDPR) that came into effect in May 2018. To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within the organisation.
This policy covers employees, volunteers and steering group members, including staff members of the host organisations (Centre for Applied Human Rights at the University of York, and York CVS) who, from time to time, carry out work for York: Human Rights City
In line with the Data Protection Act 1998 principles, York: Human Rights City Network will ensure that personal data will:
The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper based personal data as well as that kept on computer.
The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. The organisation will seek to abide by this code in relation to all the personal data it processes, i.e.
|Type of information processed|
York: Human Rights City Network processes the following personal information:
Contact information and statements for research participants.
Personal information is kept in one or more of the following forms: paper-based, the University of York server, and computer systems including cloud-based software. Cloud-based software used: Mailchimp, Word-press admin, email systems.
Groups of people within the organisation who will process personal information are: employees, volunteers, and staff members of the host organisations (Centre for Applied Human Rights at the University of York, and York CVS) whilst performing tasks for York: Human Rights City
Under the Data Protection Guardianship Code, overall responsibility for personal data in a not for profit organisation rests with the governing body. In the case of York: Human Rights City, this is the Steering Group.
The governing body delegates implementation to the Network Co-ordinator.
All employees, volunteers and host organisation staff members who process personal information must ensure they not only understand but also act in line with this policy and the data protection principles.
Breach of this policy will result in disciplinary proceedings in the case of employees.
Breach of this policy will result in a review and possible termination of a volunteering agreement in the case of volunteers.
Breach of this policy will result in a review and possible termination of membership of the steering group in the case of a steering group member.
To meet our responsibilities, employees, volunteers and host organisation staff members will:
We will ensure that:
Training and awareness raising about the Data Protection Act and how it is followed in this organisation will take the following forms:
General training/ awareness raising:
|Gathering and checking information|
Before personal information is collected, we will consider:
We will take the following measures to ensure that personal information kept is accurate:
Personal sensitive information will not be used apart from the exact purpose for which permission was given.
The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:
· Using lockable cupboards (restricted access to keys)
· Password protection on personal information files
· Setting up computer systems to allow restricted access to certain areas
· Password protection must be used when moving away from computers.
· Employees and volunteers must not store personal data on their own devices or on public computers. Such data should either be:
– emailed to the York: Human Rights City Network Co-ordinator for storage on the secure University of York server; once the Co-ordinator has confirmed receipt, copies of the document should be deleted/destroyed.
– Alternately, such data may be stored as a google doc and shared only with volunteers and employees working on the same project (e.g. qualitative data collected for the Indicator Report can be shared within the Indicator Report working group only).
· Password protected attachments for sensitive personal information sent by email (the password must be delivered by a different medium – for example, text message a password for an emailed attachment).
Any unauthorised disclosure of personal data to a third party by an employee may result in disciplinary proceedings.
Any unauthorised disclosure of personal data to a third party by a volunteer or steering group member may result in a review or termination of the volunteering agreement, or removal from the steering group.
Subject Access Requests
Anyone whose personal information we process has the right to know:
They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.
Individuals have a right under the Act to access certain personal data being kept about them on computer and certain files. Any person wishing to exercise this right should apply in writing to the Co-ordinator, York: Human Rights City Network, c/o The Centre for Applied Human Rights, University of York, YO10 5DD or via email to email@example.com
The following information will be required before access is granted:
· Full name and contact details of the person making the request
· their relationship with the organisation (former/ current member of staff, trustee or other volunteer, service user)
· Any other relevant information- e.g. timescales involved
We may also require proof of identity before access is granted. The following forms of ID will be required:
· Passport, driving licence, or birth certificate
Queries about handling personal information will be dealt with swiftly and politely.
We will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within the 40 days required by the Act from receiving the written request.
|This policy will be reviewed annually to ensure it remains up to date and compliant with the law.|