DATA PROTECTION POLICY
1. POLICY STATEMENT
1.1 Everyone has rights which cover the way in which their personal data is handled. During the course of our activities we will collect, store and process personal data relating to our site’s visitors. Researching Reform will do this in a transparent way, and views treating your data with care as an essential aspect of its day-to-day duties.
1.2 Our data users are also required to comply with this policy when processing personal data on our behalf. Any breach of this policy may result in disciplinary action.
2. ABOUT THIS POLICY
2.1 The types of personal data that Researching Reform may be required to handle include information about current, past and prospective visitors to its website and other legal and child welfare professionals that we communicate with. The personal data, which may be held in a paper filing system or electronically, is subject to the General Data Protection Regulation (“GDPR”) and UK data protection laws.
2.2 This policy and any other documents referred to in it set out the basis on which we will process any personal data we collect from Data Subjects, or that is provided to us by Data Subjects or other sources.
2.3 This policy sets out rules on data protection and the legal conditions that must be satisfied when we obtain, handle, process, transfer and store personal data for the Services.
2.4 Questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to Natasha Phillips, at firstname.lastname@example.org
3. DEFINITION OF DATA PROTECTION TERMS
3.1 Data is information which is stored electronically, on a computer or mobile device, or in certain paper-based filing systems.
3.2 Data subjects for the purpose of this policy refers to website visitors about whom we hold personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal information.
3.3 Personal data means data relating to a living individual who can be identified directly or indirectly from that data (or from that data and other information in our possession). Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
3.4 Data controllers are the people who, or organisations which, determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies in line with the Act and the GDPR. Researching Reform is the data controller of all personal data collected, stored and processed for our Services.
3.5 Data users are those of our employees whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times.
3.6 Data processors include any person or organisation that is not a data user that processes personal data on our behalf and on our instructions. Employees of data controllers are excluded from this definition but it could include suppliers which handle personal data on our behalf.
3.7 Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
3.8 Special category data includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings.
4. DATA PROTECTION PRINCIPLES
Anyone processing personal data must comply with the eight enforceable principles of good practice. These provide that personal data must be:
(a) Processed fairly, lawfully and transparently.
(b) Processed for limited purposes and in an appropriate way.
(c) Adequate, relevant and not excessive for the purpose.
(e) Not kept longer than necessary for the purpose.
5. FAIR, LAWFUL AND TRANSPARENT PROCESSING
5.1 The Act and the GDPR do not prevent the processing of personal data; they are there to ensure that data processing is done fairly and without adversely affecting the rights of the data subject.
5.2 For personal data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in the Act and the GDPR. These include, among other things, the data subject’s consent to the processing, or that the processing is necessary for the performance of a contract with the data subject, for the compliance with a legal obligation to which the data controller is subject, for the interest of the public, as a vital interest to the data subject or for the legitimate interest of the data controller or the party to whom the data is disclosed.
5.3 When Researching Reform collects and processes personal data, it does so only in accordance with the real and present legitimate interests of the project and taking into consideration the fundamental rights and freedoms of the relevant data subjects, in particular:
(a) our collection and processing of personal data is limited to those activities specifically permitted by the Act or the GDPR;
(b) we always endeavour to notify data subjects of our collection and processing of personal data in accordance with this policy; and
(c) data subjects have the right to request that we not collect and process their personal data at any time in accordance with this policy.
5.4 When special category data is being processed, additional conditions must be met. When processing personal data as data controllers in the course of our work, we will ensure that those requirements are met. They include seeking specific consent, carrying out an obligation, processing personal data that has been made public by the data subject, or processing a legal claim.
6. NOTIFYING DATA SUBJECTS
6.1 If we collect or process personal data, we will always endeavour to inform visitors about:
(a) The source from which we obtained their personal data;
(b) The purpose or purposes for which we intend to process that personal data;
(c) The categories of personal data;
(d) How long personal data will be retained for;
(e) The types of third parties, if any, with which we will share or to which we will disclose that personal data; and
(f) The means, if any, with which data subjects can limit or prevent our use and disclosure of their personal data.
6.2 We will also inform data subjects whose personal data we process that we are the data controller with regard to that data.
7. ACCURATE DATA
We will ensure that personal data we hold is accurate and kept up to date. We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.
8. TIMELY PROCESSING
We will not keep personal data longer than is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required.
9. SECURING YOUR DATA
We will take all reasonable security measures against the accidental loss of, or damage to, personal data. We will ensure that personal data is kept confidential and only accessed on a need-to-know basis, and measures will be undertaken to prevent accidental and deliberate unauthorised access.
10. TRANSFERRING PERSONAL DATA TO A COUNTRY OUTSIDE THE EEA
From time to time, we may transfer personal data we hold to a country outside the European Economic Area (EEA), provided that one of the following conditions applies:
(a) The country to which the personal data are transferred ensures an adequate level of protection for the data subjects’ rights and freedoms.
(b) The visitor has given his or her consent.
(c) The transfer is necessary for one of the reasons set out in the Act or the GDPR.
(d) The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.
11. DISCLOSURE OF PERSONAL INFORMATION
Researching Reform may share a data subject’s personal data in order to comply with a legal obligation, or in order to enforce or apply any contract with the data subject, or to protect our rights, property, or safety. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
12. SUBJECT ACCESS REQUESTS
As data subjects, website visitors must make a formal request for information we hold about them. This should be made in writing to email@example.com in the first instance. What information the data subject requires should be outlined in this email.
Every attempt will be made to respond to your request within one month.
13. AMENDMENTS TO THIS DATA PROTECTION POLICY
We reserve the right to change this policy at any time. Where appropriate, we will notify our visitors of those changes by email.