privacy policy
1 INTRODUCTION
1.1 SAFE PASSAGE INTERNATIONAL is committed to privacy and respecting the rights of those whose Personal Data we collect and use. During the course of our activities we will collect, store and process Personal Data about beneficiaries, suppliers, employees, workers and other third parties in accordance with the applicable privacy notice for each group. We recognise that the correct and lawful treatment of this Personal Data will maintain confidence in the organisation and will provide for successful business operations.
1.2 You must read, understand and comply with this policy when processing Personal Data on our behalf. This policy sets out what we expect from you in order for the Company to comply with the applicable law. Your compliance with this policy is mandatory. Any breach of the obligations set out in this policy will normally result in disciplinary action up to and including dismissal.
1.3 The Company shall review and update this policy from time to time.
1.4 Should you have any questions regarding how we process Personal Data, please contact our Data Protection Officer.
1.5 In this policy:
a. GDPR shall mean Regulation 2016/679, the General Data Protection Regulation.
b. Personal Data shall mean any information relating to an individual who can be identified, directly or indirectly from such data.
c. Processing shall mean any use of Personal Data. For example: storage in databases or certain paper records, input onto systems and applications, sharing with law enforcement and creating customer accounts.
d. Special Category Data shall mean more sensitive Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation.
2 SCOPE
2.1 This policy applies to the Personal Data processed by the Company of customers, suppliers, prospective and current employees, workers and contractors and other third parties. In particular, the principles contained in and policies referred to in this policy record the Company’s approach to processing Special Category Data and/or data relating to criminal convictions and offences.
2.2 As set out in the relevant privacy notices the Company processes Special Category Data and/or data relating to criminal convictions and offences in relation to employees and workers where (1) you have provided your explicit consent, (2) we need to do so to carry out our legal obligations, (3) it is necessary for the establishment, exercise or defense of legal claims, (4) it is necessary for the purposes of preventative or occupational medicine, for the assessment of your working capacity, medical diagnosis or provision of health care (for example, in relation to Occupational Health referrals and reports); (5) where it is needed for reasons of substantial public interest, such as for equal opportunities monitoring [or in relation to our occupational pension scheme]; (6) exceptionally, where it is necessary for vital interests relating to you or another person (for example, avoiding serious risk of harm to you or others) and where you are not capable of giving consent, or (7) where you have already made the relevant personal information public.
2.3 Our lawful grounds for processing special category or sensitive data in relation to our beneficiaries is Legitimate Interest and Legal basis our Legitimate Interest Assessment is available on request and is covered by our Beneficiaries Privacy statement available on our website.
2.4 The Company shall comply with the Data Protection Principles set out in Article 5 of GDPR (see Section 3 below) and the Company’s policies in respect of the retention and erasure of Personal Data.
3 DATA PROTECTION PRINCIPLES
3.1 The Data Protection Principles describe the main responsibilities the Company and its employees, workers and contractors have when processing Personal Data in compliance with applicable privacy and data protection law:
a. FAIRNESS/TRANSPARENCY: Personal Data should be processed in a fair, lawful and transparent manner and for specified purposes. Those purposes are set out in the relevant privacy notice which are provided when the Personal Data is collected. The privacy notices identify the controller and how and why we use the Personal Data.
b. PURPOSE LIMITATION: Personal Data should only be processed for the specific purposes set out in the relevant privacy notice and for no other purposes. Personal Data may be shared internally only with those who require access to achieve the stated purpose.
c. DATA MINIMISATION: Personal Data should only be processed where it is necessary for achieving the purposes set out in the relevant privacy notice. In particular, avoid duplicating/copying Personal Data. If Personal Data is stored on a system/ application then, to the extent possible, make use of the Personal Data from this system/application and avoid making a copy of it to store on group/personal drives.
d. ACCURACY: Personal Data that we hold must remain up-to-date and accurate.
At the point of data collection/input into our systems, double check the accuracy of the Personal Data.
If we know Personal Data is inaccurate, it should be corrected (including where an individual request us to correct their Personal Data).
Personal Data that is out of date should be updated or deleted.
e. STORAGE LIMITATION: Personal Data should only be retained/stored for as long as is necessary for the intended purpose.
The Company’s guidance on records retention must be adhered to when storing Personal Data.
You should ensure that you are not storing Personal Data unnecessarily either on paper or in your shared drives, folders or inboxes (for example, in email attachments).
You should take steps to regularly delete unnecessary Personal Data from your inboxes and shared drives, and, if retention is necessary, ensure the Personal Data is retained on the correct application/If there is value in retaining Personal Data in some form for a prolonged time, consider whether it is possible to only retain the data required (e.g. without names / other identifiers).
If the Personal Data can be anonymised or pseudonymised while maintaining its usefulness, this should be done. Anonymisation means removing all connections with the relevant individual. Pseudonymisation means replacing the identifiers with a pseudonym (e.g. hashing name).
f. SECURITY, INTEGRITY AND CONFIDENTIALITY: Protecting personal data.
Personal Data must be stored and processed securely.
You should ensure that Personal Data is not shared (internally or externally) with anyone who does not require access to the Personal Data.
Consider password protecting and encrypting Personal Data before sharing it with anyone (internally or externally), particularly if the sharing is via email, and adopt good security practices, such as using robust passwords and encrypting hardware.
When storing Personal Data in group / shared drives, ensure it is stored in a location accessible only by those who require it. Ideally: do not use shared drives where possible.
If possible, consider storing the Personal Data in a pseudonymised / hashed/de-identified form.
Ensure you are complying with the other relevant and applicable policies including our Information Security Protocol.
All transfers of data outside of the EEA are subject to review by the Data Protection Officer.
Any breach of the Data Protection Principles set out above will normally be dealt with under the Company’s disciplinary procedures and may result in dismissal.
4 REPORTING A PERSONAL DATA BREACH
4.1 If you know or suspect that a Personal Data breach has occurred, or a breach of any of the provisions contained in this Policy, do not attempt to investigate the matter yourself.
4.2 Immediately report the breach or suspected breach to the internal Data Protection Officer, the IT department, and HR.
4.3 All evidence of a Personal Data breach should be preserved.
4.4 Failure to report a breach will normally be treated as gross misconduct under the Company’s disciplinary procedure.
5 YOUR RIGHTS
You have a number of rights in relation to our handling of your data. These include the following:
5.1 Access: you are entitled to ask us if we are processing your information and, if we are, you can request access to your personal information (commonly known as a “subject access request“). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
5.2 Correction: you are entitled to request that any incomplete or inaccurate personal information we hold about you is corrected.
5.3 Erasure: you are entitled to ask us to delete or remove personal information in certain circumstances. There are also certain exceptions where we may refuse a request for erasure, for example, where the personal data is required for compliance with law or in connection with claims.
5.4 Restriction: you are entitled to ask us to suspend the processing of certain of your personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
5.5 Transfer: you may request the transfer of certain of your personal information to another party.
5.6 Objection: where we are processing your personal information based on a legitimate interest (or those of a third party) you may object to processing on this ground. However, we may be entitled to continue processing your information based on our legitimate interests.
5.7 Automated decisions: you may contest any automated decision made about you where this has a legal or similar significant effect and ask for it to be reconsidered.
If you want to exercise any of these rights, please contact HEAD OF FINANCE AND OPERATIONS in writing at info@safepassage.org.uk
If you are a Safe Passage client or beneficiary, you can find out more about how we store and process your data here.