1. Introduction
1.1
BBOWT is committed to meeting its responsibilities under the Data Protection Act 2018 (“DPA 2018”) and the UK General Data Protection Regulations (GDPR) and will take all reasonable steps to ensure appropriate processing, accuracy and confidentiality of personal data. It is worth noting that after Brexit, the requirements of the GDPR were retained in domestic law as the UK GDPR. The key principles, rights and obligations as detailed in this policy remain the same.
1.2
BBOWT needs to gather and use certain information about individuals, including members, volunteers, business contacts, employees, and other people with whom we have a relationship. This data, if it relates to a living individual and can be used to identify the subject either directly or in combination with other information which is in, or is likely to come into, BBOWT’s possession, is personal data.
1.3
This policy describes the key principles around how personal data must be collected, handled and stored to meet BBOWT’s data protection standards and to comply with the law. It must be read in conjunction with our Data Protection Handbook, which sets out the detail of how we implement these principles in BBOWT, and our Use of ICT policy, which gives more detail on the security of our ICT systems.
1.4
The policy is intended to ensure BBOWT:
- Complies with data protection law and follows good practice
- Protects the rights of staff, volunteers, members and other stakeholders
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
1.5
By signing their Contract of Employment and the Staff Privacy Notice, employees are consenting to the recording, processing, use, disclosure and transfer by BBOWT of their personal data. They are also agreeing to abide by BBOWT’s policies and procedures, including this policy.
2. Data Protection Law
2.1
Together, DPA 2018 and GDPR describe how organisations must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials.
2.2
The DPA 2018 is underpinned by six important principles of good practice, to which BBOWT is committed. These state that personal data must:
- be processed lawfully and fairly;
- be processed only for purposes that are specified, explicit and legitimate;
- be adequate, relevant and not excessive;
- be accurate and kept up to date;
- not be held for any longer than necessary;
- be processed in a secure manner.
2.3
As well as complying with these principles, BBOWT must be able to robustly demonstrate its compliance, i.e. through adequately designed and applied processes and procedures.
2.4
The DPA 2018 requires that data be processed in line with the rights of individual data subjects. Data subject rights include the right of access to their own data (see section 8), right to erasure (section 5), the right to information (section 10), and the right to rectification and the right to object to processing (section 10).
2.5
The DPA 2018 prohibits the transfer of personal data outside of the European Economic Area (EEA) unless that country or territory also ensures an adequate level of protection.
2.6
At least one of the following conditions must be met whenever personal data is processed:
- Consent - The individual whom the personal data is about has consented to the processing.
- Contractual - The processing is necessary:
  - in relation to a contract which the individual has entered into; or
  - because the individual has asked for something to be done, so they can enter into a contract.
- Legal obligation - The processing is necessary in order to enable you to comply with a legal obligation (except an obligation imposed by a contract).
- Vital Interest - The processing is necessary to protect the individual’s “vital interests”. This condition only applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident.
- Public task - The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.
- Legitimate Interest - The processing is in accordance with the “legitimate interests” condition.
2.7
In practice, BBOWT will rely primarily on legitimate interest or consent for its processing of most personal data, although contractual and legal obligations also justify our processing of data in some circumstances. Vital interest would be relevant to situations involving medical emergencies.
3. Policy Scope
3.1
This policy applies to all staff, volunteers, members and contractors and other people working on behalf of BBOWT. It applies to all data that BBOWT holds relating to identifiable individuals.
3.2
As described above, personal data means any information relating to an identified or identifiable living individual. This includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. Personal data includes IP addresses and internet cookies.
4. Responsibilities
4.1
Everyone who works for or with BBOWT has responsibility for ensuring data is collected, stored and handled appropriately. The Data Protection Handbook sets out specific roles which have additional organisation-wide responsibilities but all staff are responsible for ensuring that they are handling personal data in line with this policy. Directors are accountable for the implementation of this policy across their directorates.
4.2
Individuals handling personal data must keep all personal data secure by taking sensible precautions and following the guidelines below. Personal data should only be accessed by those who need it for their work. Failing to observe data protection requirements may be a disciplinary offence and significant or deliberate breaches of policy may constitute gross misconduct.
4.3
Employees should request help from their line manager or the Finance and Governance Director if they are unsure about any aspect of data protection.
5. Deletion of data and the right to be forgotten
5.1
BBOWT must only hold personal data for as long as the data is needed and individuals have the right to have their data deleted once it is no longer necessary for us to hold the data for the purpose we originally collected or processed it. Our Data Protection Handbook sets out the minimum lengths of time that we will ordinarily hold certain classes of data but also the maximum lengths of time for which we have a reason to hold the data. We manage against this policy proactively as well as reactively.
5.2
Individuals’ rights to have their data deleted are broader than this, however, and they have the right to request that we delete the data we hold on them. Even when the data held falls within our data retention limits, a person has the right to have their data deleted in certain circumstances. Any requests to be deleted from our systems require a response within one month. Procedures to follow in such situations are in our Data Protection Handbook. Specific guidance on how to action such a request within the ThankQ database is maintained by the Membership Team.
6. Data Security
6.1
BBOWT is committed to maintaining high standards of data security - this includes paying particular attention to the security of the personal data that we hold.
6.2
Physical controls include:
- Secure access to our premises, e.g. PIN entry points on offices or supervised reception areas.
- Supervision of all visitors.
- Confidential waste disposal for all documents containing personal data or other sensitive data.
- Monitored alarm systems (where possible).
- Hard copy personnel records stored in locked filing cabinets.
6.3
Technical controls include:
- Complex passwords to log in to BBOWT systems (changed every 60 days).
- Sophos Central anti-virus and anti-ransomware live monitoring system performs self-scans of all hardware.
- Firewall protection and email scanning provided by Sophos Security Gateways.
- Remote desktop solution for offsite access to data controlled by BBOWT i.e. personal data is not stored on individual laptops. Our Remote Desktop connection is only allowed via a secure VPN connection.
- Emails only function on mobile devices when additional security measures are activated (e.g. passcodes on phones).
- Restricted access to individual drives within the BBOWT environment, and additional password controls on software which contains personal data, i.e. ThankQ and Xledger.
- Secure payment processors used for processing financial information e.g. Bottomline PT-X which requires dual factor authorisation.
6.4
Behavioural controls include:
- Staff should not store personal data on removable media (like a USB drive) unless unavoidable. Where this is unavoidable, USB drives must be stored securely and wiped as soon as possible. If USB drives or other removable media are being used to store personal data in bulk, then these must be encrypted.
- Personal data should only be stored on designated drives and servers, and should only be uploaded to approved cloud computing services.
- Staff must take care to be appropriate custodians of personal data i.e. not leaving this in shared office areas, photocopiers or out on desks. Where appropriate personal data must be locked away, for example all HR records will be stored securely.
- Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.
- Personal data should never be transferred outside of the European Economic Area* unless that country or territory also ensures an adequate level of protection. The Finance and Governance Director can advise if you are uncertain about where you are transferring or storing data.
- All bulk data transfers must be made electronically in encrypted form - the ICT Manager can explain how to send data to authorised external contacts if a secure portal is not available. Staff should be aware that free encrypted data transfer services (e.g. WeTransfer) are available to use.
- Staff must not share passwords.
*Under the UK GDPR, the UK Government has stated that transfers of data from the UK to the EEA are permitted, although this will be kept under review.
7. Data Accuracy
7.1
The law requires BBOWT to take reasonable steps to ensure data is kept accurate and up to date. The more important it is that the personal data is accurate, the greater the effort BBOWT should put into ensuring its accuracy.
- It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
- Staff should take every opportunity to ensure data is updated. For instance, by confirming an individual’s details when they call.
- Data should be updated as inaccuracies are discovered. For instance, if an individual can no longer be reached on their stored telephone number, it should be removed from the database.
- It is the responsibility of the Head of Membership, Marketing & Communications to ensure marketing databases are checked against industry suppression files on a regular basis.
8. Subject Access Requests
8.1
All individuals who are the subject of personal data held by BBOWT are entitled to:
- Ask what information BBOWT holds about them and why.
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Be informed how BBOWT is meeting its data protection obligations.
8.2
If an individual contacts BBOWT requesting this information, this is called a subject access request. Subject Access Requests (SARs) should be made in writing.
8.3
From the day we receive the request, we have one month to respond and provide the requested information. We can extend this time period to two months but only if we write to let them know that we will need this additional time. If, as is often the case, the request is vague, we are entitled to ask for further information as to what they require; in this case, we are entitled to one month from the date they respond to our request for further information. Further information on our process for responding to Subject Access Requests is available within our Data Protection Handbook.
8.4
BBOWT can only refuse to respond to a request (or charge a fee for responding) if the SAR is ‘manifestly unfounded or excessive’ (Data Protection Act 2018, 53:1). If we are going to charge a fee we must set this at a reasonable level based on the cost of complying with the request and inform the individual promptly. We do not need to comply with the request until the fee is received.
9. Data breaches
9.1
A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
9.2
The General Data Protection Regulations stipulate that an organisation must maintain a breach register. Further, organisations should have internal breach notification procedures, including incident identification systems and incident response plans. Our full procedure is detailed in the data protection handbook. When a breach occurs, and you become aware of it, this must be reported to the Director of Finance and Governance within 48 hours.
9.3
Individuals whose data was affected will be notified within 72 hours if the breach is identified as high risk. If there is any ambiguity as to who requires notification and when, the advice of the Information Commissioner’s Office (ICO) will be sought. Further details of our data breach management procedure are within the Data Protection Handbook.
9.4
All high risk breaches will be reported to Trustees as soon as possible. This should be within 72 hours of such an assessment being made.
9.5
In certain circumstances, the DPA 2018 allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances, BBOWT will disclose requested data. Any such disclosures will be authorised by the Chief Executive who will ensure that appropriate action has been taken to ensure that the request is legitimate.
10. Providing information and handling queries
10.1
BBOWT aims to ensure that individuals are aware that their data is being processed, and that they understand:
- how the data is being used;
- how to exercise their rights.
10.2
To these ends, BBOWT has a Privacy Policy, setting out how data relating to individuals is used.
10.3
Individuals have the right to object to our processing their data for specific purposes (e.g. marketing) and they also have the right to correct the data we hold if it is incorrect. For further information on how to handle such requests or amendments, see the Data Protection Handbook.
Last reviewed: September 2022. Next review due: June 2026.