Data Protection Policy

Introduction

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect it will replace the data protection directive (officially Directive 95/46/EC) from 1995. The regulation was adopted on 27 April 2016 and applies from 25 May 2018 after a two-year transition period. This has now been promulgated in UK law in the 2018 Data Protection Act, which amends the Data Protection Act 1998.

The following guidance is not a definitive statement on the Regulations but seeks to interpret relevant points where they affect the BDA.

The Regulations cover both written and computerised information and the individual’s right to see such records.

It is important to note that the Regulations also cover records relating to staff. All BDA staff and associates are required to follow this Data Protection Policy at all times.

The Directors have overall responsibility for data protection within BDA, but each individual processing data is acting on the controller’s behalf and therefore has a legal obligation to adhere to the Regulations.

Definitions

Processing of information – how information is held and managed.

Information Commissioner – formerly known as the Data Protection Commissioner.

Notification – formerly known as Registration.

Data Subject – used to denote an individual about whom data is held.

Data Controller – used to denote the entity with overall responsibility for data collection and management. BDA is the Data Controller for the purposes of the Act.

Data Processor – an individual handling or processing data.

Personal data – any information which enables a person to be identified.

Special categories of personal data – information under the Regulations which requires the individual’s explicit consent for it to be held by the Charity.

Data Protection Principles

As data controller, BDA is required to comply with the principles of good information handling.

These principles require the Data Controller to:

  1. Process personal data fairly, lawfully and in a transparent manner.
  2. Obtain personal data only for one or more specified and lawful purposes and to ensure that such data is not processed in a manner that is incompatible with the purpose or purposes for which it was obtained.
  3. Ensure that personal data is adequate, relevant and not excessive for the purpose or purposes for which it is held.
  4. Ensure that personal data is accurate and, where necessary, kept up-to-date.
  5. Ensure that personal data is not kept for any longer than is necessary for the purpose for which it was obtained.
  6. Ensure that personal data is kept secure.
  7. Ensure that personal data is not transferred to a country outside the European Economic Area unless the country to which it is sent ensures an adequate level of protection for the rights (in relation to the information) of the individuals to whom the personal data relates.

Consent

For the purposes of the Regulations, personal data collected by BDA covers information relating to:

  1. Name and contact details for webinar users
  2. Name and contact details for candidates on ILM programmes and other training courses, and also the gender, age, racial or ethnic origin of the Data Subject
  3. Online identifiers such as an IP address
  4. Name and contact details of those involved in Board reviews and similar processes

Special category data collected on gender, age and ethnicity is held confidentially for ILM programmes for statistical purposes.

Consent is not required to store information that is not classed as a special category of personal data, as long as only accurate data that is necessary for a service to be provided (such as board training, webinars or board reviews) is recorded.

As a general rule BDA will always seek consent where special categories of personal information are to be held. In relation to the names and email addresses of webinar subscribers, and those involved in Board reviews and similar processes, board members' consent will be deemed to have been given if provided by the subscribing organisation.

It should also be noted that where it is not reasonable to obtain consent at the time data is first recorded, retrospective consent should be sought at the earliest appropriate opportunity.

Obtaining Consent

Consent obtained for one purpose cannot automatically be applied to all uses, e.g. where consent has been obtained from a service user about a webinar subscriber in relation to information needed for the provision of that service, separate consent would be required if, for example, direct marketing of our products and services or third party products was to be undertaken. We will not pass contact details on to a third party for marketing purposes.

Specific consent for use of any photographs and/or videos taken should be obtained in writing. Such media could be used for, but not limited to, publicity material, press releases, social media, and website. Consent should also indicate whether agreement has been given to their name being published in any associated publicity. If the subject is less than 18 years of age, then parental/guardian consent should be sought.

Individuals have a right to withdraw consent at any time.

Ensuring the Security of Personal Information

Unlawful disclosure of personal information

  1. It is an offence to disclose personal information “knowingly and recklessly” to third parties.
  2. Service users may also consent for us to share personal or special categories of personal information with ILM if they are in receipt of an ILM endorsed programme.
  3. Where such consent does not exist, information may only be disclosed if it is in connection with criminal proceedings.
  4. Personal information should only be communicated within BDA’s staff and associates on a strict need-to-know basis.

Use of Files, Books and Paper Records

In order to prevent unauthorised access or accidental loss or damage to personal information, it is important that care is taken to protect personal data. Paper records should be kept in locked cabinets/drawers overnight and care should be taken that personal and special categories of personal information are not left unattended and in clear view during the working day. If the work of Directors, staff or Associates involves having personal and/or special categories of personal data at home or in the car, the same care needs to be taken.

Disposal of Scrap Paper, Printing or Photocopying Overruns

Be aware that names/addresses/phone numbers and other information written on scrap paper are also considered to be confidential. Please do not keep or use any scrap paper that contains personal information but ensure that it is shredded.

If you are transferring papers this should be done as soon as possible and not left in a car for a period of time. When transporting documents, they should be carried out of sight in the boot of your car.

Computers

Firewalls and virus protection are to be employed at all times to reduce the possibility of hackers accessing our system and thereby obtaining access to confidential records.

Documents will be stored on Dropbox, cloud-based systems and on individual computers.

Where computers or other mobile devices are taken for use off the premises, the device must be password protected.

Cloud Computing

When commissioning cloud-based systems, BDA will satisfy itself as to the cloud-based providers' compliance with data protection principles and their robustness.

BDA currently uses Dropbox, OneDrive and Sage cloud-based data management systems to hold and manage information about its service users.

Direct Marketing

Direct Marketing is a communication that seeks to elicit a measurable response (such as a booking, a visit to a website, sign up to webinars and training etc.). The communication may be in any of a variety of formats including mail, telemarketing and email. The responses should be recorded to inform the next communication. BDA will not share its database(s) with, or sell them to, outside organisations.

If you are an existing customer of BDA, such as a governance officer, we will from time to time send you copies of our newsletters and information about our events, training, services and other activities where, for example, you have subscribed or contracted to buy similar products or services from us and would reasonably expect to receive these.

We recognise that customers, and their staff and associates, for whom we hold records have the right to unsubscribe from our mailing lists. This wish will be recorded on their records and they will be excluded from future contacts. We will give you the opportunity to refuse or opt out of the marketing, both when first collecting contact details from you and in every message after that.

The following statement is to be included on any forms used to obtain personal data for the first time:

As a customer of BDA, we will from time to time send you copies of our newsletters, events, training, services and other activities about similar products or services provided by BDA to those you have subscribed to and would reasonably expect to receive from us.

We promise never to share or sell your information to other organisations or businesses and you can opt out of our communications at any time by telephoning 0117 963 1333, writing to BDA, 45 South Street, Bedminster, Bristol BS3 3AU or by sending an email to enquiries@boardagency.org.uk

Privacy Statements

Any documentation which gathers personal and/or special categories of personal data should contain the following Privacy Statement information:

  • Explain who we are
  • What we will do with their data
  • Who we will share it with
  • Consent for marketing notice
  • How long we will keep it for
  • That their data will be treated securely
  • How to opt out
  • Where they can find a copy of the full notice

Personnel Records

The Regulations apply equally to staff and associates' records. BDA may at times record special categories of personal data with their consent or as part of a staff member's or associate's contract of employment.

Confidentiality

When working from home, or from some other off-site location, all data protection and confidentiality principles still apply.

Retention of Records

Paper records should be retained for the following periods at the end of which they should be shredded:

  • Client records – 6 years after ceasing to be a client.
  • Staff and associates' records – 6 years after ceasing to be a member of staff or an associate.
  • Unsuccessful staff and associates application forms – 6 months after vacancy closing date.
  • Timesheets and other financial documents – 7 years.
  • Employer’s liability insurance – 40 years.
  • Other documentation should be destroyed as soon as it is no longer needed for the task in hand.

What to Do If There Is a Breach

If you discover, or suspect, a data protection breach you should report this to the Company Secretary, who will decide on the action to take and its outcomes, and determine whether the breach needs to be reported to the Information Commissioner and to the Board. There is a time limit for reporting breaches to the ICO, so the Company Secretary should be informed without delay.

Any deliberate or reckless breach of this Data Protection Policy by an employee may result in disciplinary action which may result in dismissal.

The Rights of an Individual

Under the Regulations an individual has the following rights with regard to those who are processing his/her data:

  • Personal and special categories of personal data cannot be held without the individual’s consent (however, the consequences of not holding it can be explained and a service withheld).
  • Data cannot be used for the purposes of direct marketing of any goods or services if the Data Subject has declined their consent to do so.
  • Individuals have a right to have their data erased and to prevent processing in specific circumstances:
    • Where data is no longer necessary in relation to the purpose for which it was originally collected.
    • When an individual withdraws consent.
    • When an individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
    • Where personal data was unlawfully processed.
  • An individual has a right to restrict processing. Where processing is restricted, BDA is permitted to store the personal data but not further process it. BDA can retain just enough information about the individual to ensure that the restriction is respected in the future.
  • An individual has a “right to be forgotten”.

Data Subjects can ask, in writing to the Company Secretary, to see all personal data held on them, including e-mails and computer or paper files. The Data Processor (BDA) must comply with such requests within 30 days of receipt of the written request.

Powers of the Information Commissioner

The following are criminal offences, which could give rise to a fine and/or prison sentence:

  • The unlawful obtaining of personal data.
  • The unlawful selling of personal data.
  • The unlawful disclosure of personal data to unauthorised persons.

Further Information

Further information is available at www.informationcommissioner.gov.uk

Details of the Information Commissioner

The Information Commissioner’s office is at:

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Switchboard: 01625 545 700

Email: mail@ico.gsi.gov.uk

Data Protection Help Line: 01625 545 745

Notification Line: 01625 545 740

Revision History

Revision date: 11 March 2016. Summary of Changes: Routine review board.

Revision date: 1 March 2019. Summary of Changes: Approved by Board.

Updated July 2022

Annexe

Privacy Statements

Any documentation which gathers personal and/or special categories of personal data should contain the following Privacy Statement information:

  • BDA is registered in England and Wales, Company Number 5029426. Its registered office is 45 South Street, Bedminster, Bristol BS3 3AU.
  • We use your data to provide services to you that you have requested or to tell you about similar products and services you would reasonably expect to receive from us.
  • We will not share your data with a third party except the ILM where you have purchased ILM programmes from us.
  • Please tick as appropriate: I/we consent to receive information about similar products and services from BDA that we would reasonably expect to receive

Yes/No

  • We keep your information for 6 years or until you request us to delete it.
  • I understand I/we can opt out of BDA communications at any time by telephoning 07854337092, writing to BDA 45 South Street, Bedminster, Bristol BS3 3AU or by sending an email to alicepearce@boardagency.org.uk
  • We confirm that your data will be treated securely.
  • You can find a copy of our full notice on www.boardagency.org.uk