1. Introduction
Dorset Wildlife Trust collects personal data for a variety of reasons. This includes names and contact details for people that it works with including members, supporters, volunteers, staff, contractors, and others.
All personal data must be processed in accordance with current legislation from point of collection, throughout its use and for the duration of its storage, whether it is in paper or electronic form. This legal requirement applies to Dorset Wildlife Trust and all those who process data on our behalf, including staff and volunteers.
Dorset Wildlife Trust regards the lawful processing of personal data as vital to our successful operation and to maintaining confidence between us and those with whom we carry out business.
This Policy sets out Dorset Wildlife Trust’s commitment to protecting the 'rights and freedoms' of natural persons and details how compliance with the applicable data protection legislation, namely UK General Data Protection Regulation ('UK GDPR') and the Data Protection Act 2018 ('DPA') can be ensured.
2. Data protection legislation
For Dorset Wildlife Trust to deliver its charitable objects, it collects and processes information about its members, supporters, staff, volunteers, donors, partners and contractors. By way of example, Dorset Wildlife Trust collects and uses personal data for the purposes of:
- Administration of memberships, donations and fundraising
- Marketing and communications about new events and programmes
- Fulfilment of contracts with clients and suppliers
- Recruitment and employment
The UK GDPR and Data Protection Act 2018 (The Act) govern the processing of personal data of living persons. The purpose of the legislation is to safeguard the rights and freedoms of individuals whose personal data is being processed by Dorset Wildlife Trust. In particular it provides for the collection and use of personal data in a responsible way, whilst protecting against unwanted or harmful uses of personal data. Under UK GDPR, Dorset Wildlife Trust is a Data Controller relying on multiple lawful bases for the processing of personal data.
3. Purpose and scope of this policy
As highlighted above, Dorset Wildlife Trust’s Data Protection Policy (this Policy) forms the statement of its commitment to protecting the rights, freedoms and privacy of individuals in accordance with the applicable legislation.
Dorset Wildlife Trust recognises that it has a responsibility to identify, assess, measure and monitor the risks and impacts of its processing of the personal data belonging to the various categories of data subjects with whom it interacts. Accountability is one of the data protection principles and it places a responsibility on Dorset Wildlife Trust to not just comply with the data protection laws but to be able to demonstrate that compliance.
Dorset Wildlife Trust acknowledges the requirement to put in place appropriate technical and organisational measures to meet the requirements under the UK GDPR and The Act. This Policy applies to all employees of Dorset Wildlife Trust including contractors and subcontractors, and any other persons that are authorised to access the personal data for which Dorset Wildlife Trust is the Data Controller. All third parties working with, or for Dorset Wildlife Trust who have or may have access to personal data are required to read, understand, and fully comply with this policy. All third parties are required to enter into a data processor or data sharing agreement prior to accessing or processing any personal data.
4. Principles relating to the processing of personal data
Dorset Wildlife Trust shall be responsible for meeting the requirements arising from, and be able to demonstrate compliance with, the principles of data protection contained in Article 5(1) and (2) of the UK GDPR. These are as follows:
- Lawfulness, fairness and transparency
Personal data shall be processed lawfully, fairly and in a transparent manner. Dorset Wildlife Trust will obtain and process personal data fairly in accordance with the fulfilment of the functions conferred upon it. Dorset Wildlife Trust will ensure a Privacy Notice is provided at the point at which personal data is collected and will be available on the website.
- Purpose limitation
Personal data shall be collected only for specified, explicit and legitimate purposes communicated at the time of collection. Dorset Wildlife Trust will process data which has been collected only in ways compatible with these purposes.
- Data minimisation
Personal data processed by Dorset Wildlife Trust will be adequate, relevant and not excessive to the purpose(s) for which it was collected. Dorset Wildlife Trust aims to process as little personal data as possible.
- Accuracy
Personal data shall be accurate, complete and up to date. Dorset Wildlife Trust will implement procedures which are adequate to ensure high levels of data accuracy, including the necessary supporting systems and staff training.
- Storage limitation
Personal data shall only be retained for as long as it is necessary to do so. Dorset Wildlife Trust has implemented retention periods for the storage of personal data as set out in the Data Retention Policy. Staff are required to be familiar with this approved schedule.
- Integrity and confidentiality
Personal data shall be processed in an appropriate manner to maintain the security of the dataset. Dorset Wildlife Trust will take appropriate security measures against unauthorised access to, alteration, disclosure, or destruction of the personal data. Dorset Wildlife Trust commits to ensuring that high standards of security are maintained when dealing with personal data by the implementation of appropriate technical and organisational measures.
- Accountability
Dorset Wildlife Trust will demonstrate our compliance with Data Protection Law and our obligations under the UK GDPR and Data Protection Act 2018 by implementing data protection policies, implementing technical and organisational measures, and adopting techniques such as data protection by design and by default, Data Protection Impact Assessments (DPIAs) as appropriate, breach notification procedures and incident response plans. All appropriate technical and organisational measures are in place, and all records are kept demonstrating data protection compliance.
5. Governance and responsibility for data protection
The Board of Dorset Wildlife Trust has overall responsibility for ensuring compliance with any applicable Data Protection Legislation. However, all employees, agents or representatives of Dorset Wildlife Trust who are involved in the collection or processing of personal data, or in controlling its contents and use, are also responsible for compliance with Data Protection Legislation at an individual level.
Dorset Wildlife Trust will provide support, assistance, advice and training to all staff to ensure it is able to comply with its obligations under any relevant Data Protection Legislation.
The Director of Fundraising and Marketing is responsible for ensuring that membership and supporter data is secure and managed in accordance with this policy.
The Head of HR and Resources will ensure that the personal data of all staff and volunteers is secure and managed in accordance with this policy and that IT systems are adequate to protect and store all personal data held by Dorset Wildlife Trust.
The postholders will be the first point of contact with the ICO and the main point of contact for data subjects where required. Their contact details will be communicated to all staff and supporters as necessary. Any staff member may contact the postholders in confidence to raise a concern, seek guidance or report an issue.
Dorset Wildlife Trust will ensure that:
a) everyone processing personal data understands that they are contractually responsible for adhering to this policy;
b) data protection training is provided to all staff, both as part of the induction process and as a refresher;
c) the principles of data protection are integrated into all of Dorset Wildlife Trust’s data processing activities from the outset – this is 'data protection by design';
d) our approach to processing personal data is documented, regularly assessed and evaluated for compliance with The Act.
6. Designation of a Data Protection Officer
Dorset Wildlife Trust has assessed the need for a Data Protection Officer via the ICO online test (https://ico.org.uk/for-organisations/does-my-organisation-need-a-data-protection-officer-dpo/) and determined that this role is not required at this time. This decision is reviewed on an annual basis.
7. Role of the National Supervisory Authority
The Information Commissioner’s Office (ICO) oversees compliance with the terms of both the UK GDPR and The Act as the National Authority. The ICO has a wide range of enforcement powers, including the investigation of processing of personal data and record-keeping practices as well as the ability to levy fines, issue warnings and impose restrictions on any processing of personal data. In all matters where Dorset Wildlife Trust has any dealings with the ICO, the Board and its staff commit to full cooperation and transparency. Contact details for the ICO will be included on the website.
8. Lawful processing
Collecting, processing and using personal data is only permitted where it first satisfies one of a number of legal conditions of Article 6 of UK GDPR. One of these conditions must also be met in circumstances where the purpose for the processing of collected data changes from that for which it was originally collected. Key conditions relevant to Dorset Wildlife Trust’s operations include:
8.1 Consent of the data subject
Personal data can be processed where the data subject has provided their freely given, specific, informed and clear agreement. The data subject must be able to withdraw consent at any time. Where consent is given in writing, it must be clear and capable of being distinguished from other matters. Consent can in some cases also be given verbally. Wherever consent is given, a record of the consent should be kept. For example, consent may be provided when a member or attendee of an event or conference completes a form or gives their contact details to receive communication from Dorset Wildlife Trust.
8.2 Legitimate interests
Processing might be necessary for the purposes of the legitimate interests pursued by Dorset Wildlife Trust or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. When legitimate interest is used as a condition for processing data, a three-stage test is applied to assess the balance between Dorset Wildlife Trust’s interests and the rights of those who may be identified by such data. A wide range of interests may be legitimate interests. The UK GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests. Personal data of data subjects such as authors, customers or third parties may be processed to form, execute, perform and terminate a contract.
8.3 Legal obligation
According to the UK GDPR processing might be necessary for compliance with a legal obligation to which Dorset Wildlife Trust as a Controller is subject. The legal obligation must be laid down by UK law or have a sufficiently clear basis in common law.
8.4 Contract
Processing might also be necessary for the performance of a contract. This lawful basis can be used when Dorset Wildlife Trust needs to deliver a contractual service to an individual. For example, Dorset Wildlife Trust will enter into a contract with a data subject when they pay a membership subscription to Dorset Wildlife Trust or if they provide their bank details to donate to the charity. Dorset Wildlife Trust may also process personal data for employment or recruitment purposes.
8.5 Special categories of personal data
The UK GDPR singles out some types of personal data as likely to be more sensitive and gives them extra protection. For example:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life; and
- data concerning a person’s sexual orientation.
Article 9 of UK GDPR prohibits the processing of special category data. However, there are 10 exceptions to this general prohibition, usually referred to as ‘conditions for processing special category data’ (explicit consent, processing in the context of employment, social security and social protection, etc.). When special categories of personal data are being processed, Dorset Wildlife Trust needs to identify a lawful basis under Article 6 as well as one of these 10 special conditions. The Data Protection Act 2018 supplements and tailors the UK GDPR conditions for processing special category data.
9. Incidents and breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is about more than just losing personal data. All staff are obliged to report any incidents regarding the incorrect or accidental processing of personal data directly to the Director of Fundraising and Marketing or the Head of HR without delay. This is to assist Dorset Wildlife Trust to report any breaches, where necessary, to the ICO within 72 hours of staff becoming aware of the issue. The Director of Fundraising and Marketing or the Head of HR is responsible for the assessment of incidents and the mandatory reporting of any data breaches where necessary.
10. Subject Access Requests
Where a Subject Access Request is received, in any format, Dorset Wildlife Trust will make every effort to respond to such requests within one calendar month. Subject access requests should follow the ICO guidelines, and clearly identify the type of data requested and any relevant dates to be used as search criteria. Likewise, any other rights that a data subject may wish to exercise will be addressed within a similar time frame.
11. Location of processing and international data transfers
Dorset Wildlife Trust processes personal data as far as is possible within the UK. Where personal data may be transferred outside the UK to a third country or an international organisation, Dorset Wildlife Trust will adopt appropriate safeguards and put in place transfer mechanisms such as the UK Addendum and the IDTA as required by UK data protection law and in accordance with the guidance of the ICO.
12. Data retention and disposal
Dorset Wildlife Trust will not retain personal data for longer than is necessary. Dorset Wildlife Trust recognises the difference between the various types of data subjects for whom it may process identifiable personal information. Personal data must be kept and deleted in accordance with Dorset Wildlife Trust’s stated Data Retention Policy requirements.
13. Disclosure and sharing of personal data
Dorset Wildlife Trust must take all reasonable steps to ensure that personal data is not disclosed to unauthorised third parties, including family members, friends, government bodies and, in certain circumstances, relevant law enforcement bodies.
Dorset Wildlife Trust will only share personal information to comply with a legal obligation, or to fulfil a contract or with a service provider who undertakes processing of personal data on behalf of Dorset Wildlife Trust under contract. Dorset Wildlife Trust may also share personal data to protect Dorset Wildlife Trust’s rights, its property, or to ensure the safety of our employees. This includes exchanging information for the purposes of fraud protection or the investigation of other criminal offences.
14. Third-party Processors (where applicable)
In its role as a Data Controller, Dorset Wildlife Trust may also engage third-party service providers, or data processors, to process personal data on its behalf. Dorset Wildlife Trust is committed to ensuring that the use of such providers does not diminish the protections and safeguards conferred by law. In each case, Dorset Wildlife Trust will ensure that appropriate contractual arrangements as required under UK GDPR (Article 28(3)) are in place with the processor, setting out their obligations in relation to the personal data, the specific purposes for which they are engaged, and the understanding that they will only process the data in compliance with the data protection legislation and the UK GDPR. To ensure that contractual stipulations are observed, where feasible, the contractual arrangements will also make clear that Dorset Wildlife Trust as Data Controller is entitled to audit or inspect the data management activities of the data processor to ensure that they remain compliant with the legislation and with the terms of the contract. The arrangements will also stipulate that in the event of a data security breach, the data processor will notify the data controller without undue delay.
15. Data security
All employees of Dorset Wildlife Trust are personally responsible for keeping secure any personal data controlled by Dorset Wildlife Trust and for which they are responsible. Under no circumstances may any personal data be disclosed to any third party unless Dorset Wildlife Trust has provided explicit authorisation and has entered into a confidentiality agreement, a data processor agreement, or a data sharing agreement with the third party. The Data Controller is responsible for this activity.
16. Review and update
This Policy will be reviewed at least annually and updated when required in light of any regulatory developments, legislative developments or any other relevant indicators. The Director of Fundraising and Marketing and the Head of HR are responsible for supporting this review process and will report any proposed amendments or additional sections to this Policy.