Privacy & Data Protection Policy

1 PURPOSE AND SCOPE

The purpose of this policy is to set out New Family Social’s commitment and procedures for protecting personal data. New Family Social regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.

This policy was developed in light of the EU General Data Protection Regulation.

2 PRINCIPLES AND LAWFUL BASIS

2.1 Principles

NFS will ensure that data will be:

a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

2.2 Lawful Basis for Processing Personal Data

There are six available lawful basis for processing personal data. The ones relevant to NFS’s work are as follows:

2.2.1 Contract

The processing is necessary for a contract NFS has with the individual. This ground of contract is relevant to NFS because:

• NFS needs to process people’s personal data to fulfill contractual obligations to them
• They have asked us to do something before entering into a contract with us
• The regulations require that the processing must be necessary to delivering NFS’s side of the contract.

2.2.2 Consent

The individual has given clear consent for NFS to process their personal data for a specific purpose.

We have made the request for consent prominent and separate from our terms and conditions.

We ask people to positively opt in.

We use clear, plain language that is easy to understand.

We specify why we want the data and what we’re going to do with it.

We name our organisation and any third party controllers who will be relying on the consent.

We tell individuals they can withdraw their consent.

We ensure that individuals can refuse to consent without detriment.

We act on withdrawals of consent as soon as we can.

We don’t penalise individuals who wish to withdraw consent.

2.3 Lawful Basis for Processing Special Category Data

There are ten grounds for processing special category data. Special category data includes ethnic origin, sexual orientation and religion. The grounds for NFS’s processing of special category data are as follows:

• The individual whom the sensitive personal data is about has given explicit consent to the processing
• The processing is carried out by a not-for-profit organisation and does not involve disclosing personal data to a third party, unless the individual consents.
• The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.

3 INDIVIDUAL RIGHTS

3.1 Right to be informed

Individuals have the right to be informed about the collection and use of their personal data. We do this through this policy and the procedures outlined herein.

3.2 Right of Access

Individuals have the right to access their personal data. This is commonly referred to as subject access. Individuals can make a subject access request verbally or in writing and NFS would usually respond within one month to a request. We will not charge a fee to deal with a request.

3.3 Right to Rectification

The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request to NFS for rectification verbally or in writing. NFS would usually respond within a month to a request. In certain circumstances we can refuse a request for rectification.

3.4 Right to Erasure

The GDPR introduces a right for individuals to have personal data erased.

The right to erasure is also known as ‘the right to be forgotten’. Individuals can make a request to NFS for erasure verbally or in writing. NFS will usually respond within one month to a request. The right is not absolute and only applies in certain circumstances.

3.5 Right to Restrict Processing

Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances. When processing is restricted, NFS would be permitted to store the personal data, but not use it. An individual can make a request to NFS for restriction verbally or in writing.

NFS will usually respond within one month to a request.

3.6 Right to Data Portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.

3.7 Right to Object

The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing. In other cases where the right to object applies, NFS may be able to continue processing if we can show that we have a compelling reason for doing so. An individual can make an objection to NFS verbally or in writing. NFS would usually respond within one month to an objection.

3.8 Rights Related to Automated Decision Making Including Profiling

NFS does not carry out any automated decision making or profiling.

4 REGISTER OF REQUESTS

NFS will keep a record of all subject access requests, requests for rectification, requests for erasure, requests to restrict processing, requests for data portability, objections and personal data breaches. We will do this whether requests are made verbally or in writing. All requests, whether verbally on in writing, will be passed to the chief executive.

5 DATA CONTROLLER AND DATA PROTECTION OFFICER

The data controller and data protection officer is the chief executive (currently Victoria Docherty), who can be contacted at tor.docherty@newfamilysocial.org.uk or New Family Social, Harvey’s Barn, Park End, Swaffham Bulbeck, Cambridge, CB25 0NA. The controller shall be responsible for, and be able to demonstrate, compliance with the principles.

6 SECURITY

A key principle of the GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’.

We will take steps to ensure the ‘confidentiality, integrity and availability’ of our systems and services and the personal data we process within them, including consideration of web security and password security.

7 COMPLAINTS

If you have any concerns about NFS’s processing of your data, please contact the chief executive. You have the right to contact the information commissioner’s office (ICO) at any time.

8 PERSONAL DATA BREACHES

The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. NFS must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, NFS must also inform those individuals without undue delay. NFS will also keep a record of any personal data breaches, regardless of whether we are required to notify.

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.

Personal data breaches can include:

• access by an unauthorised third party;
• deliberate or accidental action (or inaction) by a controller or processor;
• sending personal data to an incorrect recipient;
• computing devices containing personal data being lost or stolen;
• alteration of personal data without permission; and
• loss of availability of personal data.

9 PRIVACY NOTICE

Here at New Family Social we take your privacy seriously and will only use your personal information to administer your membership/affiliation and to provide the products and services you have requested from us.

From time to time we will also contact you with details of the following (or send you the following):

• News
• Events
• Magazines/publications
• Research and media requests
• Requests for volunteers
• Fundraising requests
• Website notifications
• Other communications that you might legitimately expect as part of your membership/affiliation.

10 SOURCES

This policy was based on information provided by the ICO.