Introduction
1 Application: This Policy is aimed at Staff including temporary staff, agency workers and volunteers. It also applies to contractors and third-party agencies. It explains Wild Weekend Ltd's (WW) general approach to data protection, and provides practical guidance which will help to ensure that WW Ltd complies with the Data Protection Act 1998 (the Act) and General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
2 Compliance:
Compliance with this policy will help WW to meet its obligations under the Act and GDPR but it does not commit WW to a higher standard than is required by the Act or GDPR. In some circumstances, e.g. situations involving safeguarding concerns strict compliance with the Act will be subsidiary to other considerations.
3 Responsibility:
As the Data Controller, tis responsible for complying with the Act and GDPR. The day to day responsibility for compliance with the Act and GDPR to the Managing Director (MD). All staff are responsible for complying with this policy.
Please note that under GDPR as applicable from 25th May 2018, the phrase “Data Protection Officer” acquires a specific legal meaning. The Data Protection Officer (DPO) role is undertaken by the MD.
4 This policy is intended to give an overview of the Act and GDPR and staff obligations. This policy should be read alongside the following:
4.1 Information Security Policy;
4.2 Information and Document Retention Policy;
4.3 Staff IT Acceptable Use Policy;
4.4 Privacy Notice for Staff (Appendix 1); and
4.5 Privacy Notice for Participants
5 Information security is the most important aspect of data protection compliance.
Most of the fines under the Act relate to security breaches such as leaving an unencrypted memory stick in a public place, sending sensitive documents to the wrong fax recipient, disposing of confidential documents without shredding them first or accidentally uploading confidential information to the web.
Terminology
6 Terminology:
In this policy, the Adventure Soc Ltd has used the terms Personal Data, Sensitive Personal Data, Data Controller and processing in the same way as they are used in the Act.
7 Personal Data:
This policy covers the Adventure Soc Ltd's acquisition and use of the Personal Data it holds, and in particular records
about participants, parents, staff and suppliers. Personal Data is:
7.1 personal information that has been, or will be, word processed or stored electronically (e.g. computer databases and CCTV recordings);
7.2 personal information that is, or will be, kept in a file which relates to an individual or in a filing system that is organised by reference to criteria which relate to the individuals concerned (e.g. name, Adventure Soc Ltd year, Adventure Soc Ltd activities); and
7.3 some health records prepared by a doctor, nurse or other health professional (even if not held on computer or held as part of an organised file).
8 Personal information is any information about someone who can be identified (e.g. their address, medical records etc.). It makes no difference whether they can be identified directly from the record itself or indirectly using other information.
9 The Data Subject is the person the information relates to. There may be more than one Data Subject, such as when a record concerns an incident involving two participants.
10 Sensitive Personal Data: The Adventure Soc Ltd has special obligations in connection with the use of Sensitive Personal Data, namely information about an individual's race, ethnic origin, political or religious beliefs, trade union membership, health, sex life and actual or alleged criminal activity.
Acquiring and using Personal Data
11 Specific legitimate purposes:
The Adventure Soc Ltd shall only process Personal Data for specific and legitimate purposes. These are:
11.1 ensuring that the Adventure Soc Ltd provides a safe and secure environment;
11.2 providing pastoral care whilst operating under loco parentis;
11.3 providing adventurous education and learning for children;
11.4 providing additional activities for children and parents (for example activity clubs);
11.5 protecting and promoting the WW's interests and objectives - this includes fundraising;
11.6 safeguarding and promoting the welfare of children;
11.7 for personnel, administrative and management purposes. For example, to pay staff and to monitor their performance; and
11.8 to fulfil WW's contractual and other legal obligations.
12 WW staff must not process Personal Data for any other purpose without the MD’s permission.
13 No incompatible purpose:
Staff should seek advice from the MD before using Personal Data for a purpose which is different from that for which it was originally acquired. If information has been obtained in confidence for one purpose, it shall not be used for any other purpose without the MD's permission.
14 Necessary, sufficient information:
WW shall not hold unnecessary Personal Data, but shall hold sufficient information for the purpose for which it is required. WW shall record that information accurately and shall take reasonable steps to keep it up to date. This includes an individual's contact and medical details.
15 Outside the EEA:
WW shall not transfer Personal Data outside the European Economic Area (EEA) without the Data Subject's permission unless it is satisfied that the Data Subject's rights under the Act will be adequately protected and the transfer has been approved by the MD. This applies even if the transfer is to a participant's parents or guardians living outside the EEA.
16 Fair:
When WW acquires personal information that will be kept as Personal Data, WW shall be fair to the Data Subject and fair to whoever provides the information (if that is someone else).
17 Retaining Personal Data:
Staff shall only keep Personal Data for as long as is reasonably necessary, and in accordance with the Information and Document Retention Policy, but staff should not delete records containing Personal Data without authorisation. Staff should consult with the MD for guidance about how long to retain different categories of Personal Data.
Informing the individual
18 Privacy Notice:
Individuals must be told what data is collected, and what it is used for, unless it is obvious. This is set out in the Medical Consent Form for Participants. The privacy notice explains what information will be collected and what it will be used for.
19 Staff are not expected to routinely provide participants, parents and others with a privacy notice as this should have already been provided on the Medical Consent Form.
20 Use:
Having said this, staff should inform the MD if they suspect that WW is using Personal Data in a way which might not be covered by an existing privacy notice. This may be the case where, for example, staff are aware that WW is collecting medical information about participants without telling their parents what that information will be used for.
Protecting confidentiality
21 Disclosing Personal Data within WW:
Personal Data should only be shared on a need to know basis. Personal Data shall not be disclosed to anyone who does not have the appropriate authority to receive such information, irrespective of their seniority within WW or their relationship to the Data Subject, unless they need to know it for a legitimate purpose. Examples include:
21.1 a WW First Aider may disclose details of a participant’s allergy to bee stings to colleagues so that they will know how to respond, but more private health matters must be kept confidentially by the group leader, if not the MD;
21.2 personal contact details for participants and members of staff (e.g. their home address and telephone number, and their private mobile telephone number and email address) shall not be disclosed to parents, participants or other members of staff unless the member of staff has given their permission.
22 Disclosing Personal Data outside of WW:
Sharing Personal Data with others is often permissible so long as doing so is fair and lawful under the Act and GDPR.
However, staff should always speak to the MD if in doubt, or if staff are being asked to share Personal Data in a new way.
23 Before sharing Personal Data outside of WW, staff should:
23.1 make sure that they are allowed to share it;
23.2 ensure adequate security. What is adequate will depend on the nature of the data. For example, if WW is sending a child protection report to social services on a memory stick then the memory stick must be encrypted; and
23.3 make sure that the sharing is covered in the privacy notice.
24 WW should be careful when using photographs, videos or other media as this is caught by the Act as well.
25 Information security and protecting Personal Data: Information security is the most important aspect of data protection compliance and most of the fines under the Act for non-compliance relate to security breaches. Please also refer to Information Security policy.
Requests for information by Data Subjects
26 Data Subject access request:
Individuals are entitled to know whether WW is holding any Personal Data which relates to them, what that information is, the source of the information, how WW uses it, and who it has been disclosed to.
27 Use of personal data:
WW does not intend to use Personal Data for direct marketing, however Individuals have a legal right to ask WW not to use their Personal Data for direct marketing purposes or in ways which are likely to cause substantial damage or distress.
28 Corrections: Individuals have a legal right to ask for incorrect Personal Data to be corrected or annotated.
29 Automatic decisions: Individuals have a legal right to ask WW not to make automatic decisions (using Personal Data) if such automatic decisions would affect them to a significant degree.
30 Receiving a request: Any member of staff who receives a request for information covered by this policy from a participant, parent or any other individual must inform the MD as soon as is reasonably possible, which should in most cases be the same day. If this request is made during an expedition, it may be impractical for expedition staff to contact the MD and so, in such a scenario, it may be that the MD is informed later in the expedition or immediately afterwards. This is important as there is a statutory procedure and timetable which WW must follow.
31 Making a request: Any member of staff wishing to exercise a right to request information covered by this policy, can do so by submitting a request in writing to the MD, and by paying the appropriate fee. The fee is adjustable and proportionate to the length required by the MD to collect requested data.
Further information
32 ICO website:
WW has registered its use of Personal Data with the Information Commissioner's Office and further details of the Personal Data it holds, and how it is used, can be found in WW's register entry on the Information Commissioner's website at www.ico.org.uk under registration number Z8224556. This website also contains further information about data protection.
33 Contact: If you would like any further information about anything within this policy, please contact the MD.
Breach of this policy
34 A member of staff who deliberately or recklessly discloses Personal Data held by WW without proper authority could be guilty of a criminal offence and gross misconduct. This could result in summary dismissal. All data breaches must be reported to the MD, regardless of the magnitude of impact. All data breaches are recorded in a folder in the MD’s office.
Complaints
35 Complaints will be dealt with in accordance with WW’s Complaints Policy. Complaints relating to information handling may be referred to the Information Commissioner (the statutory regulator).
Appendix 1
Privacy Notice for staff Introduction
During the course of Wild Weekend Ltd's activities WW will process Personal Data about staff. This notice is aimed at all WW staff and explains how WW uses Personal Data that is covered by the Data Protection Act 1998 (the Act) and General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). The Adventure Soc Ltd may amend this statement at any time.
The purpose of the Act and GDPR is to safeguard information about individuals. The Act covers issues such as data security, an individual's rights to access their Personal Data and use and the disclosure of Personal Data.
WW is a Data Controller under the Act and GDPR. This means that it is responsible for compliance with the Act and GDPR.
Personal Data is information about identifiable individuals that is held on a computer or is held in a file by reference to specific criteria concerning the individual. It also applies to some other records such as certain medical records.
The Governing Body has delegated day to day responsibility for compliance with the Act and GDPR to the MD. Any questions you have in relation to this policy should be directed to the MD.
What Personal Data WW holds and how it is acquired
Examples of the Personal Data which WW holds about staff include:
information gathered during the recruitment process such as information about education and qualifications, professional achievements and suitability for the position applied for;
information about job performance. This includes information about skills, achievements, career progression and disciplinary related matters; and
other information about staff such as financial information, photographs, expressions of opinion or indications as to intentions regarding staff.
WW may process sensitive personal data relating to staff including:
information about staff physical or mental health conditions in order to monitor sick leave and take decisions regarding fitness for work; and
information about protected characteristics of staff in accordance with WW's Equal Opportunities Policy in order to monitor compliance with equal opportunities legislation.
WW may acquire Personal Data in a number of ways. For example:
staff may provide WW with Personal Data about themselves, for example, during the recruitment process;
Personal Data may be created internally by WW during the course of employment. An email from the MD to a member of staff complimenting them on class management would be an example of this; and
Personal Data may be acquired from outside of the WW community such as from other WW, public authorities, public sources and in connection with references
How WW uses Personal Data:
In respect of staff, WW commonly uses Personal Data for:
ensuring that WW provides a safe and secure work environment;
providing employment services (such as payroll and references);
providing training and support;
protecting and promoting our interests and objectives - this includes fundraising;
personnel, administrative and management purposes and to enable WW to meet its legal obligations as an employer. For example, to pay staff and to monitor their performance;
safeguarding and promoting the welfare of all staff and participants; and
fulfilling our contractual and other legal obligations.
WW may use Personal Data for other purposes where the Act and GDPR allows and where providing an explanation would not be appropriate. For example, this includes sharing Personal Data about staff with the relevant statutory agencies investigating allegations of misconduct or for the prevention and investigation of crime and the prosecution of offenders. WW will not use Personal Data for any other purpose unless it has first communicated the other purposes or it considers it is reasonable and fair to do so.
Specific examples
- Photographs and video recordings:
- WW may use photographs and video recordings of staff and participants for marketing and promotion purposes including in WW publications, in social media and on the WW website. WW may also allow external publication of media where appropriate (for example, in a local newspaper). WW may also make recordings for teaching purposes, for example, recording an activity in order to provide feedback to participants and staff.
Processing in line with your rights
You have the right to:
- request access to any Personal Data the Adventure Soc Ltd holds about you;
- ask to have inaccurate data held about you amended;
- prevent processing that is likely to cause unwarranted substantial damage or distress to you or anyone else;
- object to any decision that significantly affects you, from being taken solely by a computer or other automated process.
Further Information
Contact: If you would like any further information about anything within this notice please contact the MD.