DATA PROTECTION
Our Commitment:
Mini Mermaid and Young Tritons UK is committed to the protection of all personal and sensitive data for which it holds responsibility as the Data Controller and the handling of such data in line with the data protection principles and the Data Protection Act (DPA).
https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/
Changes to data protection legislation shall be monitored and implemented in order to remain compliant with all requirements.
The member(s) of staff responsible for data protection is: Hannah Corne
The organisation is also committed to ensuring that its staff and volunteers are aware of data protection policies and legal requirements, and that adequate training is provided to them.
The requirements of this policy are mandatory for all staff and volunteers employed by the organisation and any third party contracted to provide services for them.
Notification:
Our data processing activities will be registered with the Information Commissioner’s Office (ICO) as required of a recognised Data Controller. Details are available from the ICO:
https://ico.org.uk/about-the-ico/what-we-do/register-of-data-controllers/
Changes to the type of data processing activities being undertaken shall be notified to the ICO and details amended in the register.
Breaches of personal or sensitive data shall be notified immediately to the individual(s) concerned and the ICO.
Personal and Sensitive Data:
All data within the organisation’s control shall be identified as personal, sensitive or both to ensure that it is handled in compliance with legal requirements and that access to it does not breach the rights of the individuals to whom it relates.
The definitions of personal and sensitive data shall be as those published by the ICO for guidance: https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/
The principles of the Data Protection Act shall be applied to all data processed:
1. Processed fairly and lawfully
2. Obtained only for lawful purposes, and is not further used in any manner incompatible with those original purposes
3. Accurate and, where necessary, kept up to date
4. Adequate, relevant and not excessive in relation to the purposes for which it is processed
5. Not kept for longer than is necessary for those purposes
6. Processed in accordance with the rights of data subjects under the DPA
7. Protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage
8. Not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection of the personal information
Fair Processing / Privacy Notice:
We shall be transparent about the intended processing of data and communicate these intentions via notification to staff, volunteers, parents and participants prior to the processing of an individual’s data.
The intention to share data relating to individuals with an organisation outside of ours shall be clearly defined within notifications, and details of the basis for sharing shall be given. Data will be shared with external parties in circumstances where it is a legal requirement to provide such information.
Any proposed change to the processing of an individual’s data shall first be notified to them.
Data Security:
In order to assure the protection of all data being processed and inform decisions on processing activities, we shall undertake an assessment of the associated risks of proposed processing and equally the impact on an individual’s privacy in holding data related to them.
Risk and impact assessments shall be conducted in accordance with guidance given by the ICO:
https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2014/02/privacy-impact-assessments-code-published/
Security of data shall be achieved through the implementation of proportionate physical and technical measures. Nominated staff shall be responsible for the effectiveness of the controls implemented and reporting of their performance.
The security arrangements of any organisation with which data is shared shall also be considered, and these organisations shall provide evidence of their competence in the security of shared data.
Data Access Requests (Subject Access Requests):
All individuals whose data is held by us have a legal right to request access to such data or information about what is held. We shall respond to such requests within 40 days and they should be made in writing to: Hannah Corne at hannah@minimermaidrunningclub.org
A charge may be applied to process the request.
https://ico.org.uk/media/for-organisations/documents/1586/personal_information_online_small_business_checklist.pdf
https://ico.org.uk/media/for-organisations/documents/1235/definition-document-schools-in-england.pdf
Photographs and Video:
Images of staff/volunteers and participants may be captured at appropriate times and as part of activities for use in marketing which will include social media, leaflets, videos, and other promotional materials.
Unless prior consent from parents/participants/staff/volunteers has been given, the organisation shall not utilise such images for publication or communication to external sources. Full policy here.
Data Disposal:
The organisation recognises that the secure disposal of redundant data is an integral element to compliance with legal requirements and an area of increased risk.
All data held in any form of media (paper, tape, electronic) shall only be disposed of in a secure and appropriate way.
Disposal of IT assets holding data shall be in compliance with ICO guidance:
https://ico.org.uk/media/for-organisations/documents/1570/it_asset_disposal_for_organisations.pdf