Haslemere Community Station and Signal Box Trust (HCS&SBT)
Data Protection Policy
IN REVIEW
1 Definitions
Data Controller: Jock Gardner
Personal Data: information where an individual can be identified from the data and the information is at least partly about or involving an individual.
Personal Sensitive Information: information about ethnic origin, political opinions, religious beliefs, membership of a trade union, physical or mental health, criminal convictions.
Processing: includes obtaining, holding, using, amending, disclosing, destroying and deleting. Applies to paper information as well as electronic information.
Valid Identification: Passport, UK driving licence or Birth Certificate.
Disciplinary Procedures: the processes and procedures set out in the HCS&SBT Disciplinary and Grievance Policies.
2 Policy Statement
HCS&SBT is committed to ensuring any personal data will be dealt with in line with the Data Protection Act. The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures.
HCS&SBT will ensure that personal data is:
In addition, HCS&SBT will ensure that:
3. Responsibilities
3.1 The HCS&SBT Board has overall responsibility to ensure that the HCS&SBT complies with its legal obligations.
3.2 The Data Protection Officer and HCS&SBT Chairperson are the responsible Data Controllers for their respective people. They have the following responsibilities:
3.3 All volunteers who process personal information must ensure they not only understand, but also abide by this policy and the Data Protection Principles.
3.4 Any volunteer who knowingly or recklessly breaches this policy will be subject to our Disciplinary Procedures.
4 Electronic Information
4.1 Emails Emails which hold personal information and are processed or printed are subject to Data Protection Act principles and must be processed in accordance with these principles. Email information on volunteers is held electronically under Friends of Haslemere Signal Box and is GDPR compliant and password protected. Other email correspondence wholly or partially in the name of HCS&SBT should always meet the highest standards of data handling.
4.2 Website Content details – We exercise the right of editorial control over material published, but give suppliers of information the assurance that any reasonable changes they subsequently request will be made at the earliest opportunity
4.3 Portable Devices HCS&SBT may use portable USB devices to back up information and transport files between computers.
4.4 Management Email Account The HCS&SBT Chairperson will have access to the management email account. No volunteer will have access to this email account.
5 Training
5.1 On induction, volunteers receive a copy of this Data Protection Act policy, together with all documentation it makes reference to and sign a copy of the declaration form to confirm they have read and understood this policy.
5.2 General training/awareness training: volunteers’ meetings are held every 6 months when volunteers are reminded about this policy and have their attention drawn to any changes or data protection issues that may have arisen.
6 Data Security
6.1 To ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure HCS&SBT will ensure that:
6.1.1 personal data may not be taken out of the premises in portable devices unless they are password protected.
6.1.2 important data is backed up to the ‘cloud’.
6.2 Any unauthorised disclosure of personal data to a third party by a volunteer may result in the volunteer no longer being able to operate in the role currently held.
7 Oral Communications
7.1 Confidential or personal information is not to be disclosed over the telephone.
7.2 Personal data will only be disclosed to a third party where there is a bona fide emergency i.e. when there is risk to life or health, criminal activity or where non-disclosure would result in danger to a user, volunteer or other person.
7.3 Conversations about users, or volunteers, or about disciplinary matters will not take place where they may be overheard.
8 Written Communications
8.1 Information of a personal nature sent by post must be in an envelope addressed to an individual and clearly marked ‘private and confidential’.
9 Subject Access Request
9.1 Anyone whose personal information the HCS&SBT processes, has the right to know what information we hold and process on them, how to gain access to this information, how to keep it up to date and what we do to comply with the Act.
9.2 They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.
9.3 Individuals have a right under the Act to access certain personal data being kept about them on computer and certain files.
9.4 The data controller is responsible for ensuring that subject access requests are handled within the legal timeframe of 40 days.
10 Review
This policy will be reviewed every 3 years to ensure it remains up to date and compliant with the law.
Declaration
I have read and understood the Haslemere Signal Box Trust Data Protection Policy
I am connected with HCS&SBT in the following capacity:
Committee member
Volunteer
Board Member
Other
Signature:…………………………………………..
Print Name:………………………………………….
Date:………………………….
Data Controller: Jock Gardner
Personal Data: information where an individual can be identified from the data and the information is at least partly about or involving an individual.
Personal Sensitive Information: information about ethnic origin, political opinions, religious beliefs, membership of a trade union, physical or mental health, criminal convictions.
Processing: includes obtaining, holding, using, amending, disclosing, destroying and deleting. Applies to paper information as well as electronic information.
Valid Identification: Passport, UK driving licence or Birth Certificate.
Disciplinary Procedures: the processes and procedures set out in the HCS&SBT Disciplinary and Grievance Policies.
2 Policy Statement
HCS&SBT is committed to ensuring any personal data will be dealt with in line with the Data Protection Act. The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures.
HCS&SBT will ensure that personal data is:
- recorded factually and in a non-discriminatory manner;
- obtained only for the purpose of carrying out functions and responsibilities;
- adequate, relevant and kept to the minimum necessary;
- kept for no longer than necessary for the purpose it is being used and data held on staff or volunteers who have left is kept for no longer than 6 months;
- processed in line with the rights of individuals and in accordance with good data protection practice and kept secure;
- not transferred out of the organisation.
- Is only used for the exact purpose for which it was given.
In addition, HCS&SBT will ensure that:
- Individuals about whom information is collected are informed why it is being collected, what it will be used for and who will have access to it.
- Every 12 months it will send reminders to all data subjects asking them to check their details are up-to-date and correct.
- Only the minimum personal information will be held. Namely: Name, address, next of kin, contact telephone number and contact e-mail address.
3. Responsibilities
3.1 The HCS&SBT Board has overall responsibility to ensure that the HCS&SBT complies with its legal obligations.
3.2 The Data Protection Officer and HCS&SBT Chairperson are the responsible Data Controllers for their respective people. They have the following responsibilities:
- Brief the Board on Data Protection responsibilities and any breach of this policy;
- Review this policy in accordance with Paragraph 10 ‘ Review’;
- Advise volunteers on any Data Protection issues;
- Ensure that Data Protection induction and training is given to volunteers;
- Ensure volunteers understand and accept any policies relating to Data Protection and the obligations it imposes;
- Ensure staff are aware of the procedures relating to Personal Data they may handle in the course of their work/role;
- Identify any potential problem areas or risks relating to data protection.
3.3 All volunteers who process personal information must ensure they not only understand, but also abide by this policy and the Data Protection Principles.
3.4 Any volunteer who knowingly or recklessly breaches this policy will be subject to our Disciplinary Procedures.
4 Electronic Information
4.1 Emails Emails which hold personal information and are processed or printed are subject to Data Protection Act principles and must be processed in accordance with these principles. Email information on volunteers is held electronically under Friends of Haslemere Signal Box and is GDPR compliant and password protected. Other email correspondence wholly or partially in the name of HCS&SBT should always meet the highest standards of data handling.
4.2 Website Content details – We exercise the right of editorial control over material published, but give suppliers of information the assurance that any reasonable changes they subsequently request will be made at the earliest opportunity
4.3 Portable Devices HCS&SBT may use portable USB devices to back up information and transport files between computers.
4.4 Management Email Account The HCS&SBT Chairperson will have access to the management email account. No volunteer will have access to this email account.
5 Training
5.1 On induction, volunteers receive a copy of this Data Protection Act policy, together with all documentation it makes reference to and sign a copy of the declaration form to confirm they have read and understood this policy.
5.2 General training/awareness training: volunteers’ meetings are held every 6 months when volunteers are reminded about this policy and have their attention drawn to any changes or data protection issues that may have arisen.
6 Data Security
6.1 To ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure HCS&SBT will ensure that:
6.1.1 personal data may not be taken out of the premises in portable devices unless they are password protected.
6.1.2 important data is backed up to the ‘cloud’.
6.2 Any unauthorised disclosure of personal data to a third party by a volunteer may result in the volunteer no longer being able to operate in the role currently held.
7 Oral Communications
7.1 Confidential or personal information is not to be disclosed over the telephone.
7.2 Personal data will only be disclosed to a third party where there is a bona fide emergency i.e. when there is risk to life or health, criminal activity or where non-disclosure would result in danger to a user, volunteer or other person.
7.3 Conversations about users, or volunteers, or about disciplinary matters will not take place where they may be overheard.
8 Written Communications
8.1 Information of a personal nature sent by post must be in an envelope addressed to an individual and clearly marked ‘private and confidential’.
9 Subject Access Request
9.1 Anyone whose personal information the HCS&SBT processes, has the right to know what information we hold and process on them, how to gain access to this information, how to keep it up to date and what we do to comply with the Act.
9.2 They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.
9.3 Individuals have a right under the Act to access certain personal data being kept about them on computer and certain files.
9.4 The data controller is responsible for ensuring that subject access requests are handled within the legal timeframe of 40 days.
10 Review
This policy will be reviewed every 3 years to ensure it remains up to date and compliant with the law.
Declaration
I have read and understood the Haslemere Signal Box Trust Data Protection Policy
I am connected with HCS&SBT in the following capacity:
Committee member
Volunteer
Board Member
Other
Signature:…………………………………………..
Print Name:………………………………………….
Date:………………………….