Barrow & District Disability Association
Data Protection Policy
Barrow & District Disability Association (BDDA) is committed to a policy of protecting the rights and privacy of individuals. The Association needs to collect and use certain types of data in order to carry on its work. This personal information will be collected and dealt with appropriately.
The Data Protection Act 1998 governs the use of information about people (personal data). However, this policy also complies with the European General Data Protection Regulation (GDPR).
Personal data can be held on computer or in manual files and includes emails, minutes of meetings and photographs. GDPR extends the definition to any information that can identify an individual, e.g. genetic, mental, cultural, economic, social information or IP addresses.
Barrow & District Disability Association will remain the data controller for the information held. The BDDA staff, volunteers and trustees will be personally responsible for processing and using personal information in accordance with the Data Protection Act and GDPR.
Barrow & District Disability Association staff, volunteers and trustees will be expected to read and comply with this policy.
The purpose of the Policy is to set out the Barrow & District Disability Association's commitment and procedures for protecting personal data. The Association regards the lawful and correct treatment of personal information as very important to successful working and to maintaining the confidence of those with whom it deals.
The Data Protection Act Legislation
The Data Protection Act provides 8 principles for personal data with which Barrow & District Disability Association will comply. Personal data:
- Shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions of Schedule 2 of the Act applies. The conditions that will apply in relation to the Barrow & District Disability Association are:
- The performance of a contract to which the data subject is party.
- Ensuring compliance with any other legal obligation to which the data controller is subject.
- Shall be obtained only for one or more of the purposes specified in the Act, and shall not be processed in any manner incompatible with that purpose or those purposes.
- Shall be adequate, relevant and not excessive in relation to those purpose(s).
- Shall be accurate and, where necessary, kept up to date.
- Shall not be kept for longer than is necessary.
- Shall be kept secure by the Data Controller, who will take appropriate technical and other measures to prevent unauthorised or unlawful or accidental loss or destruction of, or damage to, personal information.
- Shall not be transferred to a country or territory outside the European Area unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal information.
The following list contains definitions of the technical terms we have used and is intended to aid understanding of this policy:
Data Controller: The person who, either alone or with others, decides what personal information the organisation will hold and how it will be held or used. The Data Controller for the Barrow & District Disability Association is the Chief Executive Officer and Board of Trustees.
Data Protection Act 1998: The UK legislation that provides a framework for responsible behaviour by those using personal information.
European General Data Protection Regulation (GDPR): A regulation by which the European Parliament, the Council of the European Union and the European Commission strengthens and unifies data protection for all individuals within the European Union (EU). (The UK has committed to comply with this regulation after the UK leaves the EU).
Data Protection Officer: The person on the management committee who is responsible for ensuring that it follows its data protection policy and complies with the Data Protection Act 1998. (The Data Protection Officer for the Barrow & District Disability Association is the Chief Executive and Board of Trustees).
Data Subject/Service User: The individual whose personal information is being held or processed by the organisation (Barrow & District Disability Association).
Explicit Consent: A freely given, specific and informed agreement by a Data Subject.
Explicit consent is needed for processing sensitive data. This includes the following:
- Racial or ethnic origin of the data subject
- Physical or mental health or condition
Notification: Notifying the Information Commissioner's Office (ICO) about the data processing activities of the organisation. However, not-for-profit organisations such as Barrow & District Disability Association are exempt from notification.
Information Commissioner: The UK Information Commissioner responsible for implementing and overseeing the Data Protection Act 1998 and GDPR.
Processing: Meaning collecting, amending, handling, storing or disclosing personal information.
Personal Information: Information about living individuals that enables them to be identified – e.g. names, addresses, telephone numbers and email addresses. GDPR extends this to genetic, mental, cultural, economic, social information or IP addresses. It does not apply to information about organisations, companies and agencies but applies to named places.
Applying the Data Protection Act & GDPR within the Barrow & District Disability Association
Whilst access to personal information is limited to the staff and trustees at the Barrow & District Disability Association, they may undertake additional tasks that involve the collection of personal details from members of the public.
In such circumstances the Barrow & District Disability Association will let people know why it is collecting their data, and it is the responsibility of the Barrow & District Disability Association to ensure the data is only used for this purpose.
The Barrow & District Disability Association Privacy Statement can be viewed on the Homepage of the Barrow & District Disability Association website.
Individuals have the right to have data corrected if it is wrong, and to prevent use that is causing them damage or distress – further details are included in the Privacy Statement.
Barrow & District Disability Association Chief Executive Officer and Board of Trustees is the Data Controller under the Act, and is legally responsible for complying with the Act, which means that it determines for what purposes personal information held will be used.
The Chief Executive Officer and the Board of Trustees will take into account legal requirements, ensuring that they are properly implemented, and will, through appropriate management, ensure strict application of criteria and controls:
- Observe fully conditions regarding the fair collection and use of information.
- Meet its legal obligations to specify the purposes for which information is used.
- Collect and process appropriate information, but only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements.
- Ensure the quality of information used.
- Ensure that the rights of people about whom information is held can be fully exercised under the Act. These include:
- The right to be informed that processing is being undertaken
- The right of access to one’s personal information
- The right to prevent processing in certain circumstances and
- The right to correct, rectify, block or erase information which is regarded as wrong information
- Take appropriate technical and organisational security measures to safeguard personal information.
- Ensure that personal information is not transferred abroad without suitable safeguards.
- Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information.
- Set out procedures for responding to requests for information.
The Data Protection Officer
The Data Protection Officer will be responsible for ensuring that the policy is implemented and will have overall responsibility for:
- Everyone processing personal information understands that they are contractually responsible for following good data protection practice.
- Everyone processing personal information is appropriately trained to do so.
- Everyone processing personal information is appropriately supervised.
- Anybody wanting to make enquiries about handling personal information knows what to do.
- Dealing promptly and courteously with any enquiries about handling personal information.
- Describing clearly how it handles personal information.
- Regularly reviewing and auditing the ways Barrow & District Disability Association holds, manages and uses personal information.
- Regularly assessing and evaluating the Barrow & District Disability Association's methods and performance in relation to handling personal information.
- Ensuring that all staff and trustees are aware that a breach of the rules and procedures identified in this policy may lead to action being taken against them.
This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 1998 or the GDPR.
In case of any queries or questions in relation to this policy please contact Barrow & District Disability Association Data Protection Officer.
- Information and personal records will be stored securely, in locked or password protected files, and will only be accessible to staff and trustees of the Barrow & District Disability Association.
- Personal email addresses will be used to share information with, or between, trustees of the Barrow & District Disability Association. However, emails will be password protected and not accessible by third parties.
- Information will be stored for only as long as it is needed or required by statute and will be disposed of appropriately.
The policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 1998, the proposed new Data Protection Act or the European General Data Protection Regulation (GDPR).
Barrow & District Disability Association may need to share data with other agencies such as the local authority or funding bodies.
The Data Subject will be made aware in most circumstances how and with whom their information will be shared. There are circumstances where the law allows the Barrow & District Disability Association to disclose data (including sensitive data) without the data subject’s consent.
- Carrying out a legal duty or as authorised by the Secretary of State.
- Protecting vital interests of a Data Subject or another person.
- Monitoring for equal opportunities purposes, e.g. race, disability or religion.
- Providing a confidential service where the Data Subject’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g. where we would wish to avoid forcing stressed or ill Data Subjects to provide consent signatures.
Barrow & District Disability Association regards the lawful and correct treatment of personal information as very important to successful working and to maintaining the confidence of those with whom we deal. Barrow & District Disability Association intends to ensure that personal information is treated lawfully and correctly.
The consequences of breaching Data Protection can cause harm or distress to individuals if their information is unjustifiably released. Staff and trustees must be aware that they could be personally liable if they use individuals’ personal data inappropriately. This policy is designed to minimise the risks and to ensure that the reputation of Barrow & District Disability Association is not damaged by inappropriate or unauthorised use.
Name: Margaret Burrow MBE (Hon. Chief Executive Officer)
Date: 16th June 2021 Review Date: 16th June 2022