PRIVACY POLICY

 

1.   INTRODUCTION

1.1.    The PastelGuild of Europe rf (PGE) is the Data Controller for the purposes of the EU General Data Protection Regulation (GDPR).

1.2.    The PGE collects and uses certain types of personal information about the following categories of individuals:

1.2.1. Volunteers

1.2.2. Service Users

1.2.3. Artists

and other individuals who come into contact with PGE.

1.3.    PGE will process this personal information in the following ways:

1.3.1. providing you with the information or services you have asked for

1.3.2. sending you communications with your consent that may be of interest, including information about our services and activities

1.3.3. seeking your views on the services or activities we carry on so that we can make improvements

1.3.4. maintaining our organisational records and ensuring we know how you prefer to be contacted

1.3.5. analysing the operation of our website and analysing your website behaviour to improve the website and its usefulness

1.3.6. complying with statutory and other legal obligations relating to safeguarding.

1.4.    This policy is intended to ensure that personal information is dealt with properly and securely and in accordance with the EU General Data Protection Regulation (GDPR) and other related legislation. It will apply to information regardless of the way it is used or recorded and applies for as long as the information is held.

1.5.    GDPR applies to all computerised data, and to manual files if they come within the definition of a filing system. Broadly speaking, a filing system is one where the data is structured in such a way that it is searchable on the basis of specific criteria (so you would be able to use something like the individual’s name to find their information), and if this is the case, it does not matter whether the information is located in a different physical location.

1.6.    This policy will be updated as necessary to reflect best practice, or amendments made to the GDPR, and shall be reviewed every 2 years.

2.   PERSONAL DATA

2.1.    ‘Personal data’ is information that identifies an individual, and includes information that would identify an individual to the person to whom it is disclosed because of any special knowledge that they have or can obtain. A sub-set of personal data is known as ‘special category personal data’. This special category data is information that relates to:

2.1.1. race or ethnic origin;

2.1.2. political opinions;

2.1.3. religious or philosophical beliefs;

2.1.4. trade union membership;

2.1.5. physical or mental health;

2.1.6. an individual’s sex life or sexual orientation;

2.1.7. genetic or biometric data for the purpose of uniquely identifying a natural person.

2.2.    Special category information is given special protection, and additional safeguards apply if this information is to be collected and used.

2.3.    Information relating to criminal convictions shall only be held and processed where there is legal authority to do so.

3.   THE DATA PROTECTION PRINCIPLES

3.1.    The six data protection principles as laid down in the GDPR are followed at all times:

3.1.1. personal data shall be processed fairly, lawfully and in a transparent manner, and processing shall not be lawful unless one of the processing conditions can be met;

3.1.2. personal data shall be collected for specific, explicit, and legitimate purposes, and shall not be further processed in a manner incompatible with those purposes;

3.1.3. personal data shall be adequate, relevant, and limited to what is necessary for the purpose(s) for which it is being processed;

3.1.4. personal data shall be accurate and, where necessary, kept up to date;

3.1.5. personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose/those purposes;

3.1.6. personal data shall be processed in such a way that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

3.2.    In addition to this, PGE is committed to ensuring that at all times, anyone dealing with personal data shall be mindful of the individual’s rights under the law (as explained in more detail in paragraphs 7 and 8 below).

3.3.    PGE is committed to complying with the principles in 3.1 at all times. This means that PGE will:

3.3.1. inform individuals as to the purpose of collecting any information from them, as and when we ask for it;

3.3.2. be responsible for checking the quality and accuracy of the information;

3.3.3. regularly review the records held to ensure that information is not held longer than is necessary, and that it has been held in accordance with the Records Retention Policy;

3.3.4. ensure that when information is authorised for disposal it is done appropriately;

3.3.5. ensure appropriate security measures to safeguard personal information whether it is held in paper files or on our computer system, and follow the relevant security policy requirements at all times;

3.3.6. share personal information with others only when it is necessary and legally appropriate to do so;

3.3.7. set out clear procedures for responding to requests for access to personal information (known as subject access requests);

3.3.8. report any breaches of the GDPR in accordance with the procedure in paragraph 9 below.

4.   CONDITIONS FOR PROCESSING IN THE FIRST DATA PROTECTION PRINCIPLE

4.1.    The individual has given consent that is specific to the particular type of processing activity, and that consent is informed, unambiguous and freely given;

4.2.    The processing is necessary for the performance of a contract to which the individual is a party, or is necessary for the purpose of taking steps with regard to entering into a contract with the individual, at their request;

4.3.    The processing is necessary for the performance of a legal obligation to which we are subject;

4.4.    The processing is necessary to protect the vital interests of the individual or another;

4.5.    The processing is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us;

4.6.    The processing is necessary for a legitimate interest of the PGE or that of a third party, except where this interest is overridden by the rights and freedoms of the individual concerned. More details of this are given in the Privacy Notice [or state where this information can be found if relevant].

5.   DISCLOSURE OF PERSONAL DATA

5.1.    The following list includes the most usual reasons that PGE will authorise disclosure of personal data to a third party:

5.1.1. for the prevention or detection of crime;

5.1.2. where it is necessary to exercise a right or obligation conferred or imposed by law upon us (other than an obligation imposed by contract);

5.1.3. for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings);

5.1.4. for the purpose of obtaining legal advice;

5.1.5. for research, historical and statistical purposes (so long as this neither supports decisions in relation to individuals, nor causes substantial damage or distress).

5.2.    PGE may receive requests from third parties (i.e. those other than the data subject, the PGE, and its employees) to disclose personal data it holds about individuals. This information will not generally be disclosed unless one of the specific exemptions under the GDPR which allow disclosure applies, or where disclosure is necessary for the legitimate interests of the third party concerned or the PGE.

5.3.    All requests for the disclosure of personal data must be sent to PGE, who will review and decide whether to make the disclosure, ensuring that reasonable steps are taken to verify the identity of the requesting third party before making any disclosure.

6.   SECURITY OF PERSONAL DATA

6.1.    PGE will take reasonable steps to ensure that members of the board and volunteers will only have access to personal data where it is necessary for them to carry out their duties. All board members and volunteers will be made aware of this Policy and their duties under the GDPR. PGE will take all reasonable steps to ensure that all personal information is held securely and is not accessible to unauthorised persons.

6.2.    For further details as regards security of IT systems, please refer to the ICT Policy.

7.   SUBJECT ACCESS REQUESTS

7.1.    Anybody who makes a request to see any personal information held about them by PGE is making a subject access request. All information relating to the individual, including that held in electronic or manual files, should be considered for disclosure, provided that those files constitute a “filing system” (see clause 1.5).

7.2.    All requests should be sent to PGE within 3 working days of receipt, and must be dealt with in full without delay and at the latest within one month of receipt.

7.3.    Where a child or young person does not have sufficient understanding to make his or her own request (usually those under the age of 12, or over 12 but with a special educational need which makes understanding their information rights more difficult), a person with parental responsibility can make a request on their behalf. PGE must, however, be satisfied that:

7.3.1. the child or young person lacks sufficient understanding; and

7.3.2. the request made on behalf of the child or young person is in their interests.

7.4.    Any individual, including a child or young person with ownership of their own information rights, may appoint another person to request access to their records. In such circumstances, PGE must have written evidence that the individual has authorised the person to make the application, and PGE must be confident of the identity of the individual making the request and of the authorisation of the individual to whom the request relates.

7.5.    Access to records will be refused in instances where an exemption applies, for example, where information sharing may place the individual at risk of significant harm or jeopardise police investigations into any alleged offence(s).

7.6.    A subject access request must be made in writing. PGE may ask for any further information reasonably required to locate the information.

7.7.    An individual only has the automatic right to access information about themselves, and care needs to be taken not to disclose the personal data of third parties where consent has not been given, or where seeking consent would not be reasonable, and it would not be appropriate to release the information. Particular care must be taken in the case of any complaint or dispute to ensure confidentiality is protected.

7.8.    All files must be reviewed by PGE before any disclosure takes place. Access will not be granted before this review has taken place.

7.9.    Where all the data in a document cannot be disclosed, a permanent copy should be made and the data obscured or retyped if this is more sensible. A copy of the full document and the altered document should be retained, with the reason why the document was altered.

Exemptions to Access by Data Subjects

7.10.  Where a claim to legal professional privilege could be maintained in legal proceedings, the information is likely to be exempt from disclosure unless the privilege is waived.

8.   OTHER RIGHTS OF INDIVIDUALS

8.1.    PGE has an obligation to comply with the rights of individuals under the law, and takes these rights seriously. The following section sets out how PGE will comply with the rights to:

8.1.1. object to processing;

8.1.2. rectification;

8.1.3. erasure; and

8.1.4. data portability.

Right to object to processing

8.2.    An individual has the right to object to the processing of their personal data on the grounds of pursuit of a public interest or legitimate interest (grounds 4.5 and 4.6 above) where they do not believe that those grounds are made out.

8.3.    Where such an objection is made, it must be sent to PGE within 2 working days of receipt, and PGE will assess whether there are compelling legitimate grounds to continue processing which override the interests, rights and freedoms of the individuals, or whether the information is required for the establishment, exercise or defence of legal proceedings.

8.4.    PGE shall be responsible for notifying the individual of the outcome of their assessment within ten working days of receipt of the objection.

8.5.    Where personal data is being processed for direct marketing purposes, an individual has the right to object at any time to processing of personal data concerning him or her for such marketing (which includes profiling to the extent that it is related to such direct marketing), and their personal data shall no longer be processed by the PGE for direct marketing purposes.

Right to rectification

8.6.    An individual has the right to request the rectification of inaccurate data without undue delay. Where any request for rectification is received, it should be sent to the PGE within 2 working days of receipt, and where adequate proof of inaccuracy is given, the data shall be amended as soon as reasonably practicable, and the individual notified.

8.7.    Where there is a dispute as to the accuracy of the data, the request and reasons for refusal shall be noted alongside the data, and communicated to the individual. The individual shall appeal directly to the Information Commissioner.

8.8.    An individual also has a right to have incomplete information completed by providing the missing data, and any information submitted in this way shall be updated without undue delay.

Right to erasure

8.9.    Individuals have a right, in certain circumstances, to have data permanently erased without undue delay. This right arises in the following circumstances:

8.9.1. where the personal data is no longer necessary for the purpose or purposes for which it was collected and processed;

8.9.2. where consent is withdrawn and there is no other legal basis for the processing;

8.9.3. where an objection has been raised under the right to object and found to be legitimate;

8.9.4. where personal data is being unlawfully processed (usually where one of the conditions for processing cannot be met);

8.9.5. where there is a legal obligation on the PGE to delete.

8.10.   PGE will make a decision regarding any application for erasure of personal data, and will balance the request against the exemptions provided for in the law. Where a decision is made to erase the data, and this data has been passed to other controllers or processors, and/or has been made public, reasonable attempts to inform those controllers of the request shall be made.

Right to restrict processing

8.11.  In the following circumstances, processing of an individual’s personal data may be restricted:

8.11.1. where the accuracy of data has been contested, during the period when PGE is attempting to verify the accuracy of the data;

8.11.2. where processing has been found to be unlawful, and the individual has asked that there be a restriction on processing rather than erasure;

8.11.3. where data would normally be deleted, but the individual has requested that their information be kept for the purpose of the establishment, exercise or defence of a legal claim;

8.11.4. where there has been an objection made under 8.2 above, pending the outcome of any decision.

Right to portability

8.12.  If an individual wants to send their personal data to another organisation, they have a right to request that PGE provide their information in a structured, commonly used, and machine readable format. If a request for this is made, it should be forwarded to PGE within 2 working days of receipt, and PGE will review and revert as necessary.

9.   BREACH OF ANY REQUIREMENT OF THE GDPR

9.1.    Any and all breaches of the DPA, including a breach of any of the data protection principles, shall be reported to PGE as soon as they are discovered.

9.2.    Once notified, PGE shall assess:

9.2.1. the extent of the breach;

9.2.2. the risks to the data subjects as a consequence of the breach;

9.2.3. any security measures in place that will protect the information;

9.2.4. any measures that can be taken immediately to mitigate the risk to the individuals.

9.3.    Unless PGE concludes that there is unlikely to be any risk to individuals from the breach, it must be notified to the Office of the Data Protection Ombudsman within 72 hours of the breach having come to the attention of PGE, unless a delay can be justified.

9.4.    The Office of the Data Protection Ombudsman shall be told:

9.4.1. details of the breach, including the volume of data at risk, and the number and categories of data subjects;

9.4.2. the contact point for any enquiries (which shall usually be PGE);

9.4.3. the likely consequences of the breach;

9.4.4. measures proposed or already taken to address the breach.

9.5.    If the breach is likely to result in a high risk to the rights and freedoms of the affected individuals, then PGE shall notify data subjects of the breach without undue delay, unless the data would be unintelligible to those not authorised to access it, or measures have been taken to mitigate any risk to the affected individuals.

9.6.    Data subjects shall be told:

9.6.1. the nature of the breach;

9.6.2. who to contact with any questions;

9.6.3. measures taken to mitigate any risks.

9.7.    PGE shall then be responsible for instigating an investigation into the breach, including how it happened, and whether it could have been prevented. Any recommendations for further training or a change in procedure shall be reviewed by the Director and a decision made about implementation of those recommendations.

10.   CONTACT

If anyone has any concerns or questions in relation to this policy they should contact the PastelGuild of Europe rf.