Dignity (Worldwide) (hereinafter called “Dignity”) is committed to protecting the rights and privacy of individuals, supporters, volunteers, staff, suppliers and others in accordance with The Data Protection Act 1998 [DPA] and the General Data Protection Regulation [GDPR] (effective from 28th May 2018). The policy applies to all staff, Directors and volunteers at Dignity. Any breach of DPA, GDPR or this Data Protection Policy is considered to be an offence and in that event, disciplinary procedures apply.
As an organisation we do not pass our mailing lists to others for publicity or otherwise sell our data.
Data we hold is protected by the DPA, which came into effect on 1 March 2000 and the GDPR, which came into effect on 28 May 2018. Their purpose is to protect the rights and privacy of individuals and to ensure that personal data is not processed without their knowledge, and, wherever possible, is not processed without their consent.
The DPA requires many organisations to register the fact that they hold personal data and to acknowledge the right of ‘subject access’. Supporters, employees, Directors and staff have the right to copies of their own data upon request.
Dignity is exempt from Registering with the Information Commissioner because it:
Managing Data Protection
We will ensure that your details are kept in accordance with the guidelines produced by the Information Commissioner, and in particular the Eight Principles of good practice. The UK Information Commissioner’s website is www.ico.org.uk
We have appointed a person to supervise our compliance with the Act and to carry out risk assessments at least annually regarding data security. Everyone who handles data understands they are responsible for doing so according to good practice and we will adequately supervise those handling personal details.
Types of data
The 1998 DPA provides conditions for the processing of any personal data. It also makes a distinction between personal data and “sensitive” personal data.
Personal data is defined as, data relating to a living individual who can be identified from:
“Sensitive personal data” is defined as personal data consisting of information as to:
The DPA recognises that it is sometimes appropriate to disclose personal data for certain purposes to do with criminal justice or the taxation system. In these cases, individuals’ rights may occasionally need to be restricted. In particular, the Act deals with several situations in which personal data is processed for the following “crime and taxation purposes”:
Purpose of data held by Dignity
Data may be held by us for the following purposes:
Eight Data Protection Principles
In terms of the Data Protection Act 1998, we are a ‘data controller’, and as such determine the purpose for which, and the manner in which, any personal data is, or may be, processed. We have appointed a member of staff to be our Information Officer to whom all requests for information should be given.
In compliance with the Principles in the Data Protection Act, we must ensure that we have:
1. Fairly and lawfully processed personal data
We will make it clear what the intentions on processing data are and state if, to whom, and for what reason we intend to pass personal data. We will consider the reasonable duration the data will be kept for business reasons. We will include statement to say Policy available on request.
2. Processed for limited purpose
We will not use data for a purpose other than those agreed by the people we collect it from. If the data held by us is requested by external organisations for any reason, this will only be passed in accordance with this Policy.
3. Adequate, relevant and not excessive
Dignity will regularly monitor the data held for our purposes, ensuring we hold neither too much nor too little data in respect of the individuals about whom the data is held. If data given or obtained is excessive for the purposes of our business, it will be permanently deleted or destroyed.
4. Accurate and up-to-date
We will provide contacts on our database with a basic illustration of their data once a year for information and updating where relevant. It will always be possible for people on our mailing list to alter their contact details through MailChimp communications by using the link provided. All amendments will be made as quickly as possible and data no longer required will be permanently deleted or destroyed. It is also the responsibility of individuals and third party organisations to ensure the data we have is accurate and kept up-to-date if you should make any changes we may not be aware of. Non-responses to our annual request for updates will be taken as an indication that the data contained is accurate.
Staff and volunteers should notify us of any changes to enable personnel records to be updated accordingly. It is the responsibility of Dignity to act upon notification of changes to data, amending where relevant.
5. Not kept longer than necessary
We will audit the retention of data on a regular basis to ensure we hold it no longer than it is required for business purposes. A Schedule of how long we keep various categories of information will be kept by the Dignity Office, in accordance with our data retention policy. Action taken when this becomes appropriate. Some information has to be retained for statutory reasons, such as for tax and national insurance, the Health and Safety Executive, others for organisational reasons (for example regarding disciplinary record, dealt with in the Staff Handbook).
6. Processed in accordance with the individual’s rights
All individuals that Dignity hold data on have the right to:
Reasonably appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data.
We will carry out risk assessments regarding the security of our data and document what measures we will take to keep our records secure. As appropriate, sensitive personal data and financial records will be password protected. We will seek to minimise the amount of paper storage and keep our paper records in a locked filing cabinet after close of business each day.
Everyone managing and handling personal information will appropriately supervised.
8. Not transferred to countries outside the European Economic Area, unless the country has adequate protection for the individual.
Data must not be transferred to countries outside the European Economic Area without the explicit consent of the individual. If any data is transferred to a country outside the EEC, we will ensure that an adequate level of data protection is in place. Dignity takes particular care to be aware of this when publishing or accessing information over the Internet.
Additional Rights under the GDPR
In compliance with the Principles in the General Data Protection Regulations, all individuals that Dignity hold data on have the right to:
Dignity Data Protection Policy