Charity Number: 1175385

Introduction

SECH takes its responsibilities with regard to the management of the requirements of the General Data Protection Regulation (GDPR) very seriously. This policy sets out how SECH manages those responsibilities.

SECH obtains, uses, stores and otherwise processes personal data relating to staff, volunteers, potential staff and volunteers, former staff and volunteers, general public, contractors and other organisations. When processing personal data, SECH is obliged to fulfil individuals’ reasonable expectations of privacy by complying with GDPR and other relevant data protection legislation (data protection law).

This policy therefore seeks to ensure that we:

  1. Are clear about how personal data must be processed and SECH’s expectations for all those who process personal data on its behalf;
  2. Comply with the data protection law and with good practice;
  3. Protect SECH’s reputation by ensuring the personal data entrusted to us is processed in accordance with data subjects’ rights;
  4. Protect SECH from risks of personal data breaches and other breaches of data protection law.

Scope

This policy applies to all personal data we process regardless of where that personal data is stored (e.g. on an employee’s device) and regardless of the data subject. All staff and others processing personal data on SECH’s behalf must read it.
The Chief Operating Director and Hub Coordinator are responsible for ensuring that all SECH staff within their area of responsibility comply with this policy and should implement appropriate practices, processes, controls and training to ensure that compliance.

Personal Data Protection Principles

When you process personal data, you should be guided by the following principles, which are set out in the GDPR. SECH is responsible for, and must be able to demonstrate compliance with, the data protection principles listed below:

Those principles require personal data to be:

  1. Processed lawfully, fairly and in a transparent manner (Lawfulness, fairness and transparency).
  2. Collected only for specified, explicit or legitimate purposes and not further processed in a manner incompatible with those purposes (Purpose limitation).
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Data minimisation).
  4. Accurate and where necessary kept up to date (Accuracy).
  5. Not kept in a form which permits identification of data subjects longer than is necessary for the purposes for which the personal data is processed (Storage limitation).
  6. Processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (Security, integrity and confidentiality).

Data Subjects’ Rights

Data subjects have rights in relation to the way we handle their personal data. These include the following rights:

  1. Where the legal basis of our processing is Consent, to withdraw that Consent at any time;
  2. To ask for access to the personal data that we hold;
  3. To prevent our use of the personal data for direct marketing purposes;
  4. To object to our processing of personal data in limited circumstances;
  5. To ask us to erase personal data without delay:

a. If it is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
b. If the only legal basis of processing is Consent and that Consent has been withdrawn and there is no other legal basis on which we can process that personal data;
c. If the data subject objects to our processing where the legal basis is the pursuit of a legitimate interest or the public interest and we can show no overriding legitimate grounds or interest;
d. If the data subject has objected to our processing for direct marketing purposes;
e. If the processing is unlawful.

  6. To ask us to rectify inaccurate data or to complete incomplete data;
  7. To restrict processing in specific circumstances, e.g. where there is a complaint about accuracy;
  8. To ask us for a copy of the safeguards under which personal data is transferred outside of the EU;
  9. The right not to be subject to decisions based solely on automated processing, including profiling, except where the decision is necessary for entering into, or performing, a contract with SECH; is based on the data subject’s explicit consent and is subject to safeguards; or is authorised by law and is also subject to safeguards;
  10. To prevent processing that is likely to cause damage or distress to the data subject or anyone else;
  11. To be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;
  12. To make a complaint to the ICO; and
  13. In limited circumstances, to receive or ask for their personal data to be transferred to a third party, in a structured, commonly used and machine-readable format.

You must verify the identity of an individual requesting data.

Staff Responsibilities

Staff members who process personal data must comply with the requirements of this policy. Staff members must ensure that:

(a) All personal data is kept securely;
(b) No personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
(c) Personal data is kept in accordance with SECH’s retention schedule;
(d) Any queries regarding data protection, including subject access requests and complaints, are promptly directed to the Chief Operating Manager;
(e) Any data protection breaches are swiftly brought to the attention of the Chief Operating Manager;
(f) Where there is uncertainty around a data protection matter advice is sought from the Chief Operating Manager.

Third-Party Data Processors

Where external companies are used to process personal data on behalf of SECH, responsibility for the security and appropriate use of that data remains with SECH.

Where a third-party data processor is used:

(a) A data processor must be chosen which provides sufficient guarantees about its security measures to protect the processing of personal data;
(b) Reasonable steps must be taken to ensure that such security measures are in place;
(c) A written contract establishing what personal data will be processed and for what purpose must be set out;
(d) A data processing agreement, available from the Information Compliance Team, must be signed by both parties.

Data Subject Access Requests

Data subjects have the right to receive a copy of their personal data which is held by SECH. In addition, an individual is entitled to receive further information about SECH’s processing of their personal data as follows:

  1. The purposes
  2. The categories of personal data being processed
  3. Recipients/categories of recipient
  4. Retention periods
  5. Information about their rights
  6. The right to complain to the Chief Operating Manager
  7. Details of the relevant safeguards where personal data is transferred outside the EEA
  8. Any third-party source of the personal data

You should not allow third parties to persuade you into disclosing personal data without proper authorisation.

You should not alter, conceal, block or destroy personal data once a request for access has been made. You should contact the Chief Operating Manager before any changes are made to personal data which is the subject of an access request.

Reporting a Personal Data Breach

The GDPR requires that we report any personal data breaches to the Chief Operating Manager, where there is a risk to the rights and freedoms of the data subject.

South Essex Community Hub (SECH)
Registered in England, Registered Charity Number: 1175385
ICO Number: Z6590250
Registered Office: 1st Floor Victoria Shopping Center, Help In Hub, 324-325 Chartwell Square, SS2 5SP
Tel: 01702 611199