Context and overview
As part of our day to day business, Legacy Link Consultancy Ltd (Legacy Link) needs to gather and use certain information about individuals.
These can include customers, suppliers, business contacts, employees, consultants and other people the organisation has a relationship with or may need to contact as part of the legacy administration process for our charity clients.
This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards — and to comply with the law.
Legacy Link respects personal privacy and is committed to protecting it. This data protection policy ensures that Legacy Link:
- Complies with data protection law and follows good practice
- Protects the rights of staff, consultants, charity partners, legators and any other people involved in the legacy administration process
- Is open about how it stores and processes individuals’ data
- Protects itself and its charity clients from the risk of a data breach.
The purpose of this policy is to help us achieve our data protection and data security aims by:
- ensuring staff and consultants understand our rules and the legal standards for handling personal information relating to staff and charity data: and
- clarifying the responsibilities and duties of staff and consultants in respect of data protection and data security.
On May 25, 2018, the most significant piece of European data protection legislation in 20 years will come into force when the European Union’s (EU) General Data Protection Regulation (GDPR) replaces the Data Protection Act 1998 (DPA). We know that preparing for this regulatory change is a priority for our charity clients. It is a priority for us, too.
GDPR, like the DPA, describes how organisations — including Legacy Link and all of its staff and consultants— must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
GDPR is underpinned by a set of important principles. These are similar to those in the DPA, with added detail at certain points and a new accountability requirement – which means Legacy Link must proactively show how we comply with the principles.
The principles say that personal data must:
a) Be processed fairly and lawfully, and in a transparent manner in relation to individuals;
b) Be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
c) Be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
d) Be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
e) Be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
f) Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection
Article 5(2) requires that
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
People, risks and responsibilities
This policy applies to:
- The head office of Legacy Link
- All staff and volunteers of Legacy Link
- All consultants, contractors, suppliers and other people working on behalf of Legacy Link
It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the GDPR. This can include:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- IP Addresses
- plus any other information relating to living individuals
This policy helps to protect Legacy Link from data security risks, including:
- Breaches of confidentiality. For instance, information being given out inappropriately.
- Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
- Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.
Everyone who works for or with Legacy Link has some responsibility for ensuring data is collected, stored and handled appropriately and processed in a lawful way.
Each member of staff and consultant that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, these people have key areas of responsibility:
The board of directors is ultimately responsible for ensuring that Legacy Link meets its legal obligations.
The Managing Director, Ashley Rowthorn, acts as the Data Protection Officer and is responsible for:
- Keeping the board updated about data protection responsibilities, risks and issues.
- Reviewing all data protection procedures and related policies, in line with an agreed schedule.
- Arranging data protection training and advice for the people covered by this policy.
- Handling data protection questions from staff and anyone else covered by this policy.
- Dealing with requests from individuals to see the data Legacy Link holds about them (also called ‘subject access requests’).
- Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
- Performing regular checks and scans to ensure security hardware and software is functioning properly.
- Evaluating any third-party services the company is considering using to store or process data. For instance, cloud computing services.
- Approving any data protection statements attached to communications such as emails and letters.
- Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
General staff and consultants guidelines
- The only people able to access data covered by this policy should be those who need it for their work.
- Data should not be shared informally.
- Legacy Link will provide training to all employees and consultants to help them understand their responsibilities when handling data.
- Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
- In particular, strong passwords must be used and they should never be shared.
- Personal data should not be disclosed to unauthorised people, either within the company or externally.
- Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
- Employees and consultants should request help from the data protection officer if they are unsure about any aspect of data protection.
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the data controller.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
- When not required, the paper or files should be kept in a locked drawer or filing cabinet.
- Employees and consultants should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
- Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- Data should be protected by strong passwords that are changed regularly and never shared between employees.
- If data is stored on removable media (like a CD or DVD or USB memory), these should be encrypted and kept locked away securely when not being used.
- Data should only be stored on designated drives and servers, and should only be uploaded to an approved cloud computing services.
- Servers containing personal data should be sited in a secure location, away from general office space.
- Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
- Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
- All servers and computers containing data should be protected by approved security software and a firewall.
Legacy Link will keep some forms of information for longer than others. Information should not be kept indefinitely, unless there are specific requirements. In line with the principles of the Data Protection Act and the EU GDPR, information should not be kept longer than is necessary.
Our Data Retention Policy gives a breakdown of timescales for the retention of various types of information.
When data is no longer required it should be returned to the charity client and safely destroyed.
Data that is needed to be retained for a long period of time, or indefinitely, should be securely archived, minimized to only retaining the data that is required, and pseudo-anonymised where possible.
When working onsite at a charity, or accessing their IT systems remotely, all staff and consultants are bound by the individual charity’s policies and procedures. Data should not be removed from the site or onto any non-charity computers or devices.
Where working for a charity that are outsourcing their legacy administration to Legacy Link, all staff and consultants must follow these guidelines:
- When working with personal data, employees and consultants should ensure the screens of their computers are always locked when left unattended.
- Personal data should not be shared informally.
- Data must be encrypted before being transferred electronically. The IT manager can explain how to send data to authorised external contacts.
- Personal data should never be transferred outside of the European Union unless in compliance with Chapter V of the GDPR.
- Consultants saving copies of personal data to their own computers must ensure that the drives are encrypted, password protected and not accessed by any unauthorized people.
- A secure cloud based storage will be provided to all staff and consultants as a means of safely and securely storing electronic data.
- Consultants and staff must only use official Legacy Link email addresses or the charity’s official email addresses for email correspondence, and must never use a personal email address.
The law requires Legacy Link to take reasonable steps to ensure data is kept accurate and up to date.
The more important it is that the personal data is accurate, the greater the effort Legacy Link should put into ensuring its accuracy.
It is the responsibility of all employees and consultants who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data will be held in as few places as necessary. Staff and consultants should not create any unnecessary additional data sets.
- Staff and consultants should take every opportunity to ensure data is updated.
- Legacy Link will make it easy for data subjects to update the information Legacy Link holds about them. For instance, via the company website.
- Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from our records.
All individuals who are the subject of personal data held by Legacy Link are entitled to:
- Ask what information the company holds about them and why.
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Ask to be forgotten
- Ask to restrict processing
- Be informed how the company is meeting its data protection obligations.
If an individual contacts the company requesting this information, this is called a subject access request.
Subject access requests from individuals should be made by email, addressed to the data controller at email@example.com. The data controller can supply a standard request form, although individuals do not have to use this.
Individuals will not be charged to access their data, unless a request it manifestly unfounded or excessive. Further copies of the same information will be charged at £10 per request.
The data controller will aim to provide the relevant data within 14 days and at the latest within one month of receipt.
The data controller will always verify the identity of anyone making a subject access request before handing over any information.
In certain circumstances, GDPR allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, Legacy Link will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.
Legacy Link aims to ensure that individuals are aware that their data is being processed, and that they understand:
- How the data is being used
- How to exercise their rights
To these ends, the company has a privacy statement, setting out how data relating to individuals is used by the company.
This is available on our website.
Legacy Link is responsible for any breach of personal data. A breach of data means a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
Any staff of consultants that identify a breach or possible breach of data must report the nature of the personal data breach to the data protection officer within 24 hours, including where possible:
- The nature of the personal data breach:
- the categories and approximate number of individuals concerned; and
- the categories and approximate number of personal data records concerned;
The data protection officer for Legacy Link is responsible for evaluating the data breach and reporting any high risk breaches to the relevant authorities within 72 hours.