Safer Waves – GDPR Policy
Under the UK General Data Protection Regulation, Safer Waves is a Data Controller. This means that we must comply with GDPR in the way that we process data.
Data Owner: The person within the organisation who is responsible for ensuring GDPR compliance. This is currently the CEO.
Data Subject: A living, identified or identifiable individual, about whom data is held.
Data Controller: Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data.
Data Processor: Processors act on behalf of, and only on the instructions of, the relevant controller. Processors are separate from the organisation, therefore employees and volunteers are not processors.
Personal Data: information that relates to an identified or identifiable individual. It is important to be aware that certain information held may indirectly identify an individual and therefore could constitute personal data. Personal data that we collect includes names, contact details and IP addresses.
Sensitive Data: data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation. Sensitive data that we may collect as an organisation includes medical data relating to volunteers, details relating to a safeguarding incident, information from service users that has been provided with identifying details.
The Key Principles of the GDPR
The GDPR sets out seven key principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Lawfulness, fairness and transparency – Data must be handled in a lawful way, and it must not be used in a way that is detrimental, unexpected or misleading to the data subjects. Safer Waves will be open and clear with service users about how their data is processed and used.
Purpose Limitation – We will be clear about the purpose of processing data.
Data Minimisation – We will only hold data that is relevant to our purposes, and we will not hold more data than is necessary.
Accuracy – We will ensure the accuracy of the personal data that we hold, and keep it updated as appropriate.
Storage limitation – We will not keep personal data for longer than is necessary.
Integrity and Confidentiality (Security) – Any personal data that is held will be kept confidential and secure.
Accountability – We will take responsibility for how we handle personal data.
The UK GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
The right to be informed – privacy information will be provided to data subjects. This information will be in plain English and specific to the data that is being provided.
The right of access – individuals have the right to make a Subject Access Request (SAR) in order to obtain a copy of the personal data we hold.
The right to rectification – individuals have the right to request that inaccurate data about themselves be corrected.
The right to erasure – an individual can request that their personal data be erased. We will comply with all such requests, providing there are no reasons why we cannot do so, for example if required by law to keep the data.
The right to restrict processing – individuals can consent to their personal data being held, but may still restrict the way it is processed.
The right to data portability – individuals can obtain copies of their data and have their data transferred from one controller to another.
The right to object – individuals can object to their data being processed in certain ways. We will not share personal data with a third party without specific consent, and we will never use personal data for marketing purposes.
Rights in relation to automated decision making and profiling – an individual can be subject to automated decision making and profiling if necessary, but they must provide explicit consent. They can also request that such a decision be reconsidered, or a new decision made by non-automatic means.
We will respond to all requests made under the rights listed above within one calendar month.
Record of Processing Activity
We will keep a record of all data processing activity. The record will address what data is kept, why it is kept, how it is stored, and how long we will retain the data.
The record will also show how we convey this information to the data subjects, for example via privacy notices online, or before completing paper forms.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
A breach can have a range of adverse effects on individuals, which include emotional distress, and physical and material damage.
Data breaches will be reported to the Information Commissioner’s Office.
If a data breach is deemed to have a “high risk to the rights and freedoms” of individuals, those individuals will be informed as soon as possible.
Individuals seeking further information, or wishing to submit a request regarding their personal data, should contact the CEO at firstname.lastname@example.org
Individuals may make complaints about how we have handled their data by contacting the Information Commissioner’s Office at:
Helpline: 0303 123 1113