Data Protection Policy

The Royal Parks

Information Services & Technology Department

Last Updated: September 2018

Due for Review: September 2019

Version 1.0




Summary of contents in this section:

Introduction

Definitions and Scope

Purpose and Aims of this Policy

Principles of Processing Personal Data

Processing Overseas

Collecting Data

Remedies, Liabilities and Penalties

TRP’s Responsibilities

Data Subject Rights

Consent

Transparency

Security

Disclosure of Personal Data

Retention and Disposal

Data Protection by Design

Third-Party Organisations

Personal Data Breach

Anonymisation

Roles and Responsibilities

The Royal Parks September 2018


Associated Policies and Documents

1. Introduction

The General Data Protection Regulation (GDPR) replaces the EU Data Protection Directive of 1995 and supersedes the laws of individual EU member states, such as the Data Protection Act 1998. Its purpose is to protect the rights and freedoms of living individuals and to ensure that personal data is not processed without an individual’s knowledge. The Data Protection Act 2018 (DPA) further establishes the GDPR in UK law and defines certain aspects of it.

The Royal Parks (TRP) is committed to compliance with all EU and UK laws (Data Protection Legislation) and this Data Protection Policy is designed to ensure that TRP fully complies with Data Protection Legislation and that personal data is fairly, lawfully and transparently processed.

TRP is registered with the Information Commissioner’s Office (ICO) and the Information Services & Technology Directorate is responsible for ensuring TRP’s compliance with the GDPR and DPA.

2. Definitions and Scope

Material scope – the GDPR applies to the processing of personal data wholly or partly by automated means (i.e. by computer) and to the processing other than by automated means of personal data (i.e. paper records) that form part of a filing system or are intended to form part of a filing system.

Personal data – any information relating to an identified or identifiable natural person (a living individual); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special categories of personal data (sensitive personal data) – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The Data Protection Legislation applies to all personal data throughout its lifespan, from the point of collection to its eventual destruction. For the purposes of this policy references to personal data shall include sensitive personal data or special categories of personal data unless explicitly stated otherwise.

This policy applies to all staff and volunteers of the organisation and third-party contractors. Please familiarise yourself with this policy and TRP’s other information policies and comply with their terms when processing personal data on our behalf.

3. Purpose and Aims of this Policy

This policy is essential to protect the rights and freedoms of living individuals who support TRP or who work for TRP. It should ensure that personal data is not processed in any way without the data subject’s knowledge, and is processed with a lawful basis and in a fair and transparent manner.

4. Principles of Processing Personal Data

There are six principles of processing personal data underpinning the Data Protection Legislation (outlined in Article 5 of the GDPR):

1. Lawfulness, fairness, transparency: Personal data shall be processed lawfully, fairly and in a transparent manner

2. Purpose Limitation: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes

3. Data Minimisation: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

4. Accuracy: Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay

5. Storage Limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by Data Protection Legislation in order to safeguard the rights and freedoms of the data subject


6. Integrity and Confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

This means that when you are processing personal data, you must process it fairly, be clear with people how you will use it, store it safely and securely and not disclose it to anyone who shouldn’t have access to it. Be careful that the information you collect is relevant and you don’t collect more than you need. Make sure that you don’t keep it for longer than you need it.

5. Processing Overseas

There are restrictions on the transfer of personal data outside the EEA and information should not be transferred out of the EEA unless it meets the requirements of the Data Protection Legislation. If you wish to transfer personal data outside the EEA – including for example using Cloud services located in the US – you must speak to the Information Services & Technology Directorate as such transfers will require investigation and approval. Countries outside the EEA are often referred to as ‘third countries’.

6. Collecting Data

Many directorates at TRP collect and process personal data. Data minimisation is important to think about prior to the collection of any personal data and you should only collect information that is absolutely necessary.

When you collect personal data, think about why you are collecting it. You need to have a lawful basis for processing personal data. There are six lawful bases for processing:

Consent: the data subject has given consent to the processing of his or her personal data for one or more specific purpose

Contractual obligations: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject

Vital interests: processing is necessary in order to protect the vital interests of the data subject or of another natural person

Public interest: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller


Legitimate interests: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

Before using legitimate interests as a basis for processing, it is necessary to undertake a legitimate interests assessment (LIA) to ensure that the rights of the individual are balanced against the interests of the organisation. Please see the Information Services & Technology Directorate for assistance with an LIA. All processing undertaken using legitimate interests must have an LIA recorded.

When collecting and processing special categories of data, there are stricter rules to follow: as well as having one of the above lawful bases of processing, you need to have an exception to the prohibition on processing special categories of data. The exceptions are:

Explicit consent: the data subject has given explicit consent to the processing of those personal data for one or more specified purposes

Employment obligations: processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security

Vital interests: processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent

Legitimate activities of certain organisations: processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects

Made public by the data subject: processing relates to personal data which are manifestly made public by the data subject

Public interest: processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

If you are processing special categories of data and are unsure as to whether you lawfully can, please see the Information Services & Technology Directorate.

7. Remedies, Liabilities and Penalties

TRP could be fined up to €20 million if you use or disclose information about data subjects without their consent or another lawful basis for processing. In order to help keep data secure, ensure that you follow the Information Security Policy and attend regular training. If TRP suffers a data breach, any data subjects affected have the right to sue the organisation: data breaches do not just cause financial hardship, they can also cause irreversible reputational damage.


If you maliciously or recklessly misuse personal data, you could be committing a criminal offence and the ICO may prosecute you personally.

Any breach of this policy will be dealt with under TRP’s disciplinary policy and will be reported to the appropriate authorities.

8. TRP’s Responsibilities

TRP is a data controller under Data Protection Legislation. A data controller is a person/organisation that determines the purposes for which and the manner in which any personal data is processed. TRP may employ other organisations to process the data on its behalf: these are data processors. A data processor means any person/organisation (other than an employee of the data controller) who processes the data on behalf of the data controller.

Accountability is part of the Data Protection Legislation. Part of the concept of accountability is ensuring that everyone in the organisation, up to the board level, takes responsibility for data protection. The board and all those in managerial roles throughout TRP are responsible for developing and encouraging good information handling practices within the organisation. The Data Protection Compliance Manager in particular has responsibility for ensuring that the organisation complies with the Data Protection Legislation, as do managers in respect of processing that takes place within their area of responsibility.

The Data Protection Compliance Manager is the first point of call if you are seeking clarification of any aspect of TRP’s data protection compliance.

You are responsible for ensuring that any personal data supplied by you to TRP is accurate and up-to-date.

9. Data Subject Rights

Data subjects have 8 rights under Data Protection Legislation, and, as a data controller, TRP must help data subjects exercise these rights:

The right to be informed about how we process their personal data

The right to access their personal data

The right to rectify their personal data

The right to have their personal data erased

The right to restrict processing

The right to have a copy of their personal data in a portable form (data portability)

The right to object

Rights in relation to automated decision-making and profiling.

None of these rights are absolute: any requests to exercise them must be taken on a case-by-case basis, but all requests must be dealt with transparently and efficiently. If you receive a request in relation to any of these rights, please forward it immediately to the Information Services & Technology Directorate ([email protected]): by law TRP only has one month to respond to a request so it is imperative that you send any requests received on as quickly as possible.


TRP has separate policies on each of these data subject rights. Please take the time to familiarise yourself with these policies, in particular the Data Subject Access Request policy (DSAR policy).

If a DSAR is received, a data subject is requesting all their personal data that is processed by TRP. After the DSAR is received, you cannot in any way change the information that you have on them: if you would not want them to see the personal data in the first place, then do not process it. All email communication is subject to a DSAR and deleting it or amending it is a criminal offence.

10. Consent

As stated in section 5, consent is one lawful basis for processing personal data. If you are using consent as your lawful basis, you need to ensure that it is GDPR-compliant consent.

In the GDPR, consent is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. Further guidance has been given on consent by the ICO, but it is worth remembering that:

- A pre-ticked box is no longer valid: the data subject has to tick it themselves
- The action to which the data subject is consenting has to be clear; the phrasing of the consent should inform the data subject (i.e. no double negatives)
- The burden is on TRP to prove that consent was given
- Written consent has to be easily accessible and intelligible
- The relationship between the controller and data subject has to be an equal one, or the consent is not judged valid.

Verbal consent is still valid, but bear in mind that it is up to TRP to prove that consent was given if there is a dispute: it is always preferable to gain consent in writing.

Data subjects also have the right to withdraw consent at any time: if you are using consent to process personal data you need to be aware of this and able to comply.

11. Transparency

Regardless of the lawful basis of processing, data subjects have to be provided with a privacy notice informing them of how their personal data is handled. This also applies when you receive the personal data from a third party, e.g. organisations that buy marketing lists have to send privacy notices to the data subjects that include details of where they got the personal data from. When you have received the personal data from a third party, the data subject should be provided with a privacy notice at the point of first contact or within one calendar month at the latest.

A privacy notice contains information as to how personal data is being processed, including:

The purposes of processing

The lawful basis of processing

If the lawful basis is legitimate interests, what those interests are

Who the personal data is shared with

Whether it is processed outside the EEA

The retention period of that personal data

The rights of the data subject

The right to complain to the ICO

Whether any automated decision-making or profiling is used.

Privacy notices can be provided in different formats: one of the easiest ways is placing a link to TRP’s privacy notice in an email. A privacy notice is usually provided in the same media that the personal data is collected in.

12. Security

All staff are responsible for ensuring that any personal data which TRP holds and for which they are responsible is kept securely and is not disclosed to any third party unless that third party has been specifically authorised by TRP to receive that information and has entered into a confidentiality agreement.

Do not remove personal data from TRP’s premises either in electronic or paper form unless it is really necessary and you have received permission from your manager. In instances where personal data is taken out of TRP premises, such data should be fully encrypted and password protected. If personal data is in hard copy, ensure that it is kept securely at all times.

Staff must comply at all times with the ICT Security Policies and Procedures.

13. Disclosure of Personal Data

TRP staff must ensure that personal data is not disclosed to unauthorised third parties which includes family members, friends, government bodies and, in certain circumstances, the police. All staff should exercise caution when asked to disclose personal data held on another individual to a third party.

14. Retention and Disposal

Personal data can only be retained for as long as necessary. TRP has a retention policy and this must be adhered to. Personal data should not be kept “just in case”. Retaining personal data for longer than necessary is a breach of Data Protection Legislation.

When disposing of personal data, it must be disposed of in a way that protects the rights and freedoms of the data subjects (e.g. shredding, secure electronic deletion) and in line with TRP’s retention policy.

Personal data may need to be kept for a certain period of time under other legislation such as accounting or tax laws. In such cases reasonable efforts must be taken to ensure it is kept securely in accordance with TRP’s ICT Security Policy and Procedures.

Duplicate copies of personal data should not be kept as doing so increases the risk of that data being compromised. Where there is a need to have two copies of personal data for a short timeframe to complete a task, one copy should be deleted as soon as it is no longer needed. The Salesforce and DotMailer systems should be the central record of personal data for TRP supporters and their personal data should not be held elsewhere.

15. Data Protection by Design

Data Protection Legislation requires data protection to be taken into account whenever a new system or process is introduced or where a system or process is changed that involves processing personal data.

Data Protection Impact Assessments (DPIAs) must be completed and approved by the Data Protection Compliance Manager for any significant changes to how personal data is processed at TRP that are likely to result in a high risk to the rights and freedoms of natural persons and where any new technologies or systems are used. Examples of when you may need to do a DPIA include a new project processing special categories of data, starting to use profiling or automated decision-making, or implementing a new CRM system.

For further information about DPIAs and how and when to perform one, please see the DPIA Policy.

16. Third-Party Organisations

Whenever TRP enters into agreements with third-party organisations which involve personal data, due diligence should be done as to how the third party handles personal data. A statement clarifying each organisation’s role with regard to Data Protection Legislation should be made, i.e. is TRP a data controller, joint controller or a data processor?

If TRP is engaging a third party as a data processor, that third party has specific obligations that it must meet and that TRP should include in the contract before the third party is engaged. All new contracts with third party partners or suppliers with whom TRP are sharing personal data need to be authorised by the Information Services & Technology Directorate which is responsible for ensuring that the contract meets the requirements of the Data Protection Legislation.

Partners and any third parties working with or for the organisation, and who have or may have access to personal data, will be expected to comply with this policy, and that agreement should be given in writing. No third party may access personal data held by TRP without having first entered into a third party agreement which imposes on the third party obligations at the same level as those to which TRP is committed and which gives TRP the right to audit compliance with the agreement.

17. Personal Data Breach

The Data Breach Policy provides details about the steps that need to be taken when a personal data breach occurs, for example the accidental deletion of a dataset or a confidential email sent to the wrong recipient. A personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Where the breach is likely to result in a risk to individuals, the ICO must be informed without undue delay and within 72 hours of TRP becoming aware of the breach. If the risk of the breach is high the individuals who are affected must be informed directly and without undue delay. It should be remembered that this is the risk to the data subjects, not the risk to TRP.

If you do discover a data breach please follow the steps given in the Data Breach Policy immediately.

18. Anonymisation

If personal data is anonymised, then it is taken outside the scope of Data Protection Legislation as there is no directly or indirectly identifiable personal data. Anonymisation is part of data protection by design, and helps secure the privacy of the data subjects. However, complete anonymisation can be difficult, as certain bits of indirectly identifiable information can, in some circumstances, lead to a data subject becoming identifiable.

It is good practice to anonymise data wherever possible, but unless you can be sure that the data is completely anonymised, maintain the same security levels and retention period.

19. Roles and Responsibilities

Overall responsibility for compliance with Data Protection Legislation rests with the CEO. The CEO is responsible for ensuring that the Data Protection function is fully resourced to meet the needs of TRP. The Board should also be kept informed and up-to-date as to the progress of the GDPR compliance project.

The Information Services & Technology Directorate monitors and reviews the operation of this policy and receives feedback from other directorates. The Data Protection Compliance Manager is responsible for:

Understanding and communicating obligations under the Data Protection Legislation

Identifying potential problem areas or risks

Producing effective procedures

Assisting data subjects wishing to exercise their rights.

It is the responsibility of managers to promote data protection and awareness and compliance with Data Protection Legislation and this policy. It is the responsibility of all staff, volunteers and trustees to ensure they understand and act in accordance with this policy and Data Protection Legislation. Staff, volunteers and trustees should also ensure that they keep the Data Protection Compliance Manager updated if they become aware of any proposed changes or changes to the way in which personal data is being processed by their team.

Staff, volunteers or trustees found to be acting contrary to this policy may be subject to disciplinary action. This is because any breach of the Data Protection Legislation could result in TRP facing legal action.

20. Associated Documents and Policies

This policy should be read in conjunction with:

ICT Security Policies and Procedures

Data Breach Reporting Process

Consent Management Policy

Data Retention Policy

Data Subject Access Request Procedure

Data Subjects Requests Procedure

DPIA Policy

Removable Media Policy.
