1. Introduction, purpose and scope of the policy
The Data Protection Act 1998 has been superseded by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018). The GDPR was adopted on 27th April 2016 and becomes enforceable from 25th May 2018 after a two-year transition period. Under the GDPR, the data protection principles set out the main responsibilities for organisations. The GDPR requires that personal data shall be:
- Processed fairly, lawfully and transparently.
- Collected for specified, legitimate purposes and not processed in a manner that is incompatible with those purposes.
- Adequate, relevant and not excessive.
- Accurate and up to date.
- Not kept longer than necessary unless it is anonymised.
- Processed in accordance with data subjects’ rights and held securely.
Purpose of policy:
For Toybox to function we need to gather and process certain data about individuals; this includes supporters, suppliers, business contacts, employees, volunteers and other stakeholders with whom Toybox has a relationship or whom it may need to contact. Toybox values its supporters and strives to protect personal data. This policy supports Toybox in achieving this as well as in meeting its legal requirements.
This policy provides the following:
- Explanation as to what type of personal data Toybox keeps and the reasons for this as well as how Toybox keeps individuals informed about the personal data it holds about them
- An outline of the measures Toybox will take to ensure that the gathering, processing, storing and deleting of data will meet legal requirements and how it follows good practice
- Assurance that Toybox protects the rights of employees, volunteers, supporters, suppliers, business contacts and other stakeholders
- Assistance for employees and persons associated with Toybox to understand the risks associated with data processing and to avoid and manage data breaches
- Explanation as to under what circumstances Toybox will disclose data and to whom, including how information requests will be handled
- Clarification on who has responsibilities for data protection within Toybox
Scope of policy:
This policy applies to all employees, volunteers, trustees, overseas partners, consultants and suppliers. (It also covers paperwork from the Toybox office in Costa Rica; although that office closed in September 2016, the policy still governs the appropriate storage of its paperwork for the next five years.)
2. Responsibilities
2.1 Trustees
The Trustees will provide leadership, resources and active support for the implementation of this policy. They are responsible for ensuring that this policy is fit for purpose and complied with, so that Toybox can meet its legal obligations.
2.2 Chief Executive Officer (CEO)
The CEO is responsible for ensuring that this policy and any related policies and procedures are implemented consistently and with clear lines of authority. The CEO will ensure that the Data Protection Officer is fulfilling their responsibilities.
2.3 Data Protection Officer
Toybox has designated a person as the Data Protection Officer (DPO). The DPO is responsible for the following:
- Keeping the Board updated about data protection responsibilities, risks and issues;
- Reviewing all data protection procedures and related policies;
- Arranging data protection training and advice for the people covered by this policy;
- Handling data protection questions from employees and anyone else covered by this policy;
- Dealing with requests from individuals to see the personal data that Toybox holds about them;
- Checking and approving any contracts or agreements with third parties that may process personal data that Toybox holds;
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards;
- Performing regular checks and scans to ensure that security hardware and software are functioning properly;
- Evaluating any third party services Toybox is considering using to store or process data.
2.4 The Director of Marketing and Fundraising
The Director of Marketing and Fundraising is responsible for:
- Monitoring and implementing any data protection changes which affect Toybox fundraising activities;
- Approving any data protection statements attached to communications to supporters;
- Addressing any data protection queries from journalists or media contacts;
- Where necessary, working with other employees to ensure that marketing initiatives abide by data protection legislation.
2.5 All staff
Individuals are expected to ensure that any data they handle in their work is treated in accordance with this policy and any related policies and procedures. They are also responsible for reporting any potential breaches of data protection.
3. Data processing
The following aspects relate to the gathering and processing of data and are in line with the GDPR requirements.
3.1 Lawful basis for processing personal data
Article 6 of the GDPR identifies six lawful bases for the processing of personal data. Toybox will always ensure that at least one of them applies before processing personal data; for supporter data this will be Legitimate Interest. The six bases are listed below in no order of priority:
- Consent: the individual has given clear consent for Toybox to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract Toybox has with the individual, or because they have asked us to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone's life.
- Public task: the processing is necessary for Toybox to perform a task in the public interest or for its official functions, and the task or function has a clear basis in law. This is less likely to apply to Toybox.
- Legitimate interest: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests.
Special Category Data: in addition to the six lawful bases, the GDPR defines special category data. This is personal data which the GDPR says is more sensitive and needs more protection. In order to lawfully process special category data, Toybox must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9.
Toybox will explain to an individual the purpose for which their personal data is being obtained and ensure that this information is accurate and kept up to date. Where an individual informs Toybox that something is inaccurate, Toybox will update its records and keep a record of the communication with the individual. Additionally, if an individual requests that their data is deleted this will be actioned, unless Toybox believes that there is a need to retain basic information to form a suppression file to ensure that we do not contact them in future, or to ensure that Toybox can comply with any legal request. We would do this out of respect for our current and past supporters but also to be in line with the rights of individuals (as listed below).
An individual's rights are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be subject to a decision based solely on automated decision making, including profiling
The Toybox Privacy Statement for Supporters gives more detailed information to supporters on how Toybox will protect an individual’s data.
3.2 Toybox’s approach to consent
Toybox will ensure that consent is freely given, specific, informed and unambiguous. A positive opt-in is required. Consent cannot be inferred from silence, pre-ticked boxes or inactivity. Toybox defines a positive opt-in as: a contractual agreement, or a verbal or written opt-in recorded on the Customer Relationship Management system. Consent for stakeholders will be recorded in the following systems:
- Supporters = Customer Relationship Management system
- Employees = HR online system
- Volunteers and trustees = Restricted access folders on the Toybox server
Toybox's partners are outside of the EU; Toybox will nevertheless gather consent from partners for the processing of their data.
Consent will remain in place until withdrawn with the exception of items which need to be erased as per the current legal guidelines.
This policy applies to all data that Toybox holds relating to identifiable individuals. This includes the following types of personal data:
- Names of individuals
- Any other information relating to individuals
3.3 Toybox’s approach to children’s personal data
Toybox must ensure that we obtain parental permission prior to engaging with any child under the age of 13. For children between the ages of 13 and 18 we will encourage them to inform their parents or guardians concerning their engagement with Toybox and their sharing of data with us.
3.4 Data accuracy
It is the responsibility of all employees to ensure that data is kept as accurate and up to date as possible. Once data is updated, the old data must be removed. Data will be held in as few places as possible to avoid unnecessary additional data sets that may not have been updated.
3.5 Toybox’s approach to the transfer of data
Where Toybox uses other organisations to process its data it will only do so where the organisation:
- Can provide sufficient guarantees about the security measures they operate
- Guarantees to only act on the instructions of Toybox
- Will only do so on the basis of a written data processing contract
In addition Toybox will take reasonable steps to ensure that the organisation is continuing to comply with its security measures and the latest regulations.
Transfers outside the EEA will not take place without the prior approval of the CEO, except in the following circumstances:
- The data subject has given their consent to the transfer
- The transfer is necessary for the performance of a contract between the data subject and Toybox
- The transfer is part of a preliminary process to entering into a contract with Toybox
A transfer may also take place if it is to fulfil a contract between Toybox and another legal person, e.g. a partner, which is entered into at the request of the data subject or is in their 'interest'. In addition, a transfer may also take place if it is necessary for legal proceedings, obtaining legal advice, or defending legal rights.
4. Data protection, risk mitigation and breaches
This policy helps to protect Toybox from some very real data security risks, including:
- Unauthorised access, e.g. information being accessed by unauthorised individuals because it was stored or shared insecurely
- Breaches of confidentiality, e.g. information being given out inappropriately
- Failing to offer choice, e.g. all individuals should be free to choose how Toybox uses data relating to them
- Reputational damage, e.g. Toybox could suffer if hackers successfully gained access to personal data
4.1 Data storage and sharing
Toybox will apply secure data storage and sharing processes. These include the following:
- Personal data will be stored on secure servers that are backed up and tested regularly
- Paper documents are always kept in locked drawers and not taken out of the office
- Computers will be locked when unattended
- Personal data will not be shared formally or informally with any unauthorised person
4.2 Data archiving, retention and disposal
Toybox has clear guidance on:
- What information should be retained and for how long
- Who is responsible
- How to dispose of records
Data will only be retained for as long as is necessary and will be determined by the following:
- Information that needs to be kept by law - Certain pieces of legislation set out types of information that should be kept and how long they should be kept for.
- Information that has ongoing business value - This is information that is of value to Toybox, which is needed for both day to day activities and longer term strategic planning.
- Information that is of archival value - Most information is scheduled to be retained for six or seven years. This is because of a concept known as the liability period, and is particularly relevant where we hold a contract with a supplier or where we have provided a service to another organisation.
Toybox has quality archiving processes that enable the organisation to use knowledge to make better decisions and have records available to show how decisions were made in case the organisation is required to produce justification.
Employees will create, use, manage and preserve all records in accordance with all statutory requirements including the Freedom of Information Act 2000. Directors will be accountable for ensuring that depositing and disposing of archive records happens effectively within their business area as well as ensuring that legislative requirements are being applied. Responsibility for records created by or for Board members lies with the CEO. Toybox may decide to retain data for less than the legal requirements if the data value is reduced, as this also saves storage costs.
The retention period will be computed from the end of the financial year to which the records relate. All documents will then be destroyed confidentially. Toybox will be provided with a certificate to say that the records have been securely shredded. More detail is given in the separate Data Archiving, Retention and Disposal Policy and Guidance for each type of data.
4.3 Data breaches
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorised to do so. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
In the case of a data breach Toybox will assess the extent of the breach and the effect on individuals, including emotional distress and physical or material damage. Toybox's Data Protection Officer will notify the ICO with the essential facts within 24 hours of becoming aware of a data breach (the GDPR itself requires notification within 72 hours where the breach is likely to result in a risk to individuals' rights and freedoms; Toybox's 24-hour target is deliberately stricter). Where a breach is likely to adversely affect the personal data of individuals, Toybox will notify all those involved.
A report will be made even if further facts are outstanding; those facts will be added to the report as they become available. The report will meet ICO reporting requirements, including information on: the number of individuals and personal data records concerned; the potential consequences of the breach; and the measures being taken or proposed to handle the breach and mitigate the adverse effects.
Toybox will then take steps to contain the breach, where possible. If the breach is likely to result in a significant risk to the rights and freedoms of individuals then Toybox will inform those individuals as soon as possible so they can take steps to protect themselves. Toybox will inform any corporate or institutional donor of a breach if, after an assessment, it is deemed that the data breach may have an impact on them. Toybox will also consider notifying third parties such as the police, insurers, professional bodies, or bank or credit card companies who can help reduce the risk of financial loss to individuals.
Information about the breach will be kept in accordance with Toybox's Data Archiving, Retention and Disposal Policy and Guidance, and adjustments will be made to the organisation's systems, policies and procedures to reduce the risk of a future breach.
4.4 Digital security
Digital security is increasingly important as more information is stored digitally. Therefore, Toybox has an Electronic Data Security Policy. Toybox has procedures relating to the following:
- Confidentiality – ensuring that information can only be accessed by those properly authorised.
- Integrity – ensuring information is accurate, not excessive, and not kept for longer than is reasonably required.
- Protection – ensuring that appropriate controls are in place to guard against unauthorised access.
- Availability – ensuring information is available when and where required to support its legitimate use.
All staff must follow the Electronic Data Security policy including the Code of Conduct as a means to ensure data protection. This covers all aspects of use of IT systems, software and equipment, use of passwords, secure storage of equipment, internet usage, remote access, and indecent or obscene material. There is also an e-mail policy with guidance on how a breach should be handled.
Third parties to whom data is being sent (always sent electronically) must sign the Toybox Data Protection and Security Policy as well as the Data Processing Agreement before any data is transmitted.
5. The right to access to information (Subject Access Requests)
All individuals who are the subject of personal data held by Toybox are entitled to:
- Ask what information Toybox holds about them
- Ask the reason for Toybox holding the information
- Ask whether it has been given to any other organisation or person
Individuals have the right of access to personal information held about them under the GDPR. Any individual wishing to access the personal information Toybox holds on them should send a description of the information they want to see, and proof of their identity, in writing to the Toybox Data Protection Officer. Toybox will not charge to provide this information, unless the request is excessive or repetitive, or further copies of the same data are requested.
Toybox will then collate the data and provide a written copy to the individual within one month of receipt of the request. The data will include manual records as well as digital data, including backup data and mailing lists. The data will be provided along with an explanation of that information where it cannot be easily understood. If the applicant agrees, a copy can be emailed to them. Toybox will include information on where the personal data was obtained from and who else the information may have been given to. If the applicant identifies any inaccuracies, Toybox will correct them.
The GDPR allows for some exemptions for when data does not need to be provided, even if requested. The following are those exemptions that may be relevant to Toybox:
- If the data is linked to a criminal investigation
- Data that is processed for organisational management forecasting and planning
- Confidential references that Toybox gives in connection with education, training or employment for current or previous staff
If a third party requests information concerning an individual, Toybox will not usually release that information unless the individual expressly consents. If the records would disclose information about another individual who has not given permission for the information to be released, then it does not have to be released.
6. Monitoring and review
This policy will be reviewed every two years or after a significant change in operations, the law or a significant incident, whichever is sooner. Additionally the DPO will carry out regular reviews of the compliance to this policy.
7. Related policies and Procedures
- Data Protection and Security Policy – for third parties
- Privacy statements for Employees and Supporters
- Consent forms for Supporters, Partners and Beneficiaries
- Data Archiving, Retention and Disposal Policy and Guidance
- Data Security Breach Policy and Guidance
- Subject Access Request Policy and Guidance
- Electronic Data Security Policy