BE Inspired is registered, as Data Controller, with the Information Commissioner's Office (ICO) and has submitted to the ICO the type of information it collects, holds and uses. These details are available on the ICO's website. BE Inspired has a duty to issue Privacy Notices to all of its data subjects or their legal guardian summarising the information held on them, why it is held and the other parties to whom it may be passed on.
BE Inspired is committed to protecting the rights and freedoms of data subjects and safely and securely processing their data in accordance with all of our legal obligations.
This policy sets out how we protect personal data and ensure that our staff and volunteers understand the rules governing their use of the personal data to which they have access in the course of their work. In particular, this policy requires staff to ensure that the Directors are consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are addressed.
We may use personal data for personnel, administrative, financial, safeguarding and other regulatory, payroll and business development purposes.
Business purposes include the following:
Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by law.
Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data we gather may include individuals' name, address, phone number, email address, educational backgrounds, social and financial backgrounds, pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, job application forms and CVs.
Special categories of data include information about an individual's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings --- any use of special categories of personal data should be strictly controlled in accordance with this policy.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Supervisory authority this is the national body responsible for data protection. The supervisory authority for BE Inspired is the Information Commissioner's Office.
This policy applies to all staff and volunteers, who must be familiar with this policy and comply with its terms.
This policy supplements our other policies relating to internet and email use. We may supplement or amend this policy with additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff before being adopted.
The Directors are responsible for approving and reviewing this policy. The Data Protection Lead has overall responsibility for the day-to-day implementation of this policy. You should contact the Directors for further information about this policy if necessary. Contact details: info@beinspireduk.co.uk
BE Inspired shall comply with the principles of data protection (the Principles) contained in the UK General Data Protection Regulation. We will make every effort possible in everything we do to comply with these principles. The Principles are:
To comply with data protection laws and the accountability and transparency Principle of GDPR, we must demonstrate compliance. You are responsible for understanding your particular responsibilities to ensure we meet the following data protection obligations:
We must process personal data fairly and lawfully in accordance with individuals' rights under the first Principle. This generally means that we should not process personal data unless we have a clear lawful bases to do so.
BE Inspired is classified as a data controller and processor. We must maintain our appropriate registration with the Information Commissioner's Office in order to continue lawfully controlling and processing data.
We must establish a lawful basis for processing data. Ensure that any data you are responsible for managing has a written lawful basis approved by the Data Protection Lead. It is the data processor's responsibility to check the lawful basis for any data they are working with and ensure their actions comply with the lawful basis.
If you are making an assessment of the lawful basis, you must first establish that the processing is necessary. This means the processing must be a targeted, appropriate way of achieving the stated purpose. You cannot rely on a lawful basis if you can reasonable achieve the same purpose by someother means.
Previously known as sensitive personal data, this means data about an individual which is more sensitive, so requires more protection. This type of data could create more significant risks to a person's fundamental rights and freedoms, for example by putting them at risk of unlawful discrimination.
BE Inspired will ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.
Individuals may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform the relevant service manager or Director.
You must keep personal data secure against loss or misuse. Where other organisations process personal data as a service on our behalf, the Data Protection Lead will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations.
We must retain personal data for no longer than is necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with our data retention guidelines.
When information reaches the expiry date for retention, ALL copies of that information must be permanently destroyed. Where information is held in more than one media the information must be removed from all record systems, for example, paper copies -- shredded; electronic copies -- completely destroyed from any memory source or other media. All documents, including electronic documents, that are no longer relevant to the organisation's business, should be destroyed every thirty (30) days. Drafts of documents that have been finalised should not be retained.
BE Inspired should follow these guidelines for destruction of data and documents:
There are restrictions on international transfers of personal data. You must not transfer personal data abroad, or anywhere else outside of normal rules and procedures without express permission from the Directors.
Individuals have rights to their data which we must respect and comply with to the best of our ability. We must ensure individuals can exercise their rights in the following ways:
A privacy notice must be supplied at the time the data is obtained if obtained directly from the data subject. If the data is not obtained directly from the data subject, the privacy notice must be provided within a reasonable period of having obtained the data, which means within one month.
Privacy notices must be concise, transparent, intelligible and easily accessible. They are provided free of charge and must be written in clear and plain language, particularly if aimed at Young People.
An individual has the right to receive confirmation that their data is being processed, access to their personal data and supplementary information which means the information which should be provided in a privacy notice.
We must provide an individual with a copy of the information they request, free of charge. All data subject access requests must be notified to the Data Protection Lead, who will oversee the response to the request.
We must provide the data requested in a structured, commonly used and machine-readable format. This would normally be a Comma Separated Values (CSV) file, although other formats are acceptable.
Individuals have a right to have their data erased and for processing to cease in the following circumstances:
We can only refuse to comply with a right to erasure in the following circumstances:
Individuals have the right to object to their data being used on grounds relating to their particular situation. We must cease processing unless:
We may only carry out automated profiling or decision-making that has a legal or similarly significant effect on an individual in the following circumstances:
As a data controller, we must have written contracts in place with any third party data controllers and data processors that we use. The contract must contain specific clauses which set out our and their liabilities, obligations and responsibilities.
Our contracts with data processors must comply with the standards set out by the ICO and, where possible, follow the standard contractual clauses which are available.
Any criminal record checks are justified by law. Criminal record checks cannot be undertaken based solely on the consent of the subject. We cannot keep a comprehensive register of criminal offence data. All data relating to criminal offences is considered to be a special category of personal data and must be treated as such. The authorised role holders permitted to carry out these checks are:
Regular data audits to manage and mitigate risks will inform the data register. This contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant. Regular data audits must be conducted as required by the Directors.
The Directors have overall responsibility for this policy. BE Inspired will keep this policy under review and amend or change it as required. You must notify the Data Protection Lead of any breaches of this policy. Staff and Volunteers must comply with this policy fully and at all times.
Staff and Volunteers will receive adequate training on provisions of data protection law specific for their role. Staff and Volunteers must complete all training as requested. If Staff or Volunteer roles or responsibilities change, they are responsible for requesting new data protection training relevant to the new role or responsibilities.
If Staff or Volunteers require additional training on data protection matters, they should contact their line manager or the Data Protection Lead.
Any breach of this policy or of data protection laws must be reported as soon as practically possible.
BE Inspired has a legal obligation to report any data breaches to the ICO within 72 hours.
All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:
Any member of staff who fails to notify of a breach, or is found to have known or suspected a breach has occurred but has not followed the correct reporting procedures will be liable to disciplinary action.
We take compliance with this policy very seriously. Failure to comply puts individuals, staff, volunteers and the organisation at risk.
The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our procedures which may result in dismissal.
If you have any concerns or questions about this policy, do not hesitate to Contact the Directors.
This policy will be reviewed at least annually and evidenced in the table at the start of this document.
Guidance from the government advice on sharing information
When asked to share information from agencies such as social services, youth offending teams, education and statutory organisations, we will consider the following questions to help decide if, and when, to share. If the decision is taken to share, we will always consider how best to effectively share the information.
Information sharing agreements must take place as part of service level agreements when working in partnership with local authorities, education and statutory services. Young people and families engagement with BE Inspired is voluntary unless stated otherwise so information shared should not breach organisations ethics, values, policies and GDPR laws.
Is there a clear and legitimate purpose for sharing information?
Do you have consent to share?
Does the information enable an individual to be identified?
Have you identified a lawful reason to share information without consent?
Identify how much information to share:
All information sharing decisions and reasons must be recorded in line with your organisation or local procedures. If at any stage you are unsure about how or when to share information, you should seek advice on this. You should also ensure that the outcome of the discussion is recorded.