The Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly. The Act works in two ways. Firstly, it states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:
The second area covered by the Act provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.
Youth Business International will:
Youth Business International recognises that its first priority under the Act is to avoid causing harm to individuals. Information about staff, volunteers and donors will be used fairly, securely and not disclosed to any person unlawfully. Secondly, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, Youth Business International will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used. Youth Business International is the Data Controller and all processing of personal data will be undertaken in accordance with the data protection principles.
Personal Data is any information, whether in manual or electronic form, that identifies the Data Subject from that information or other information that is likely to be held by the Data Controller. The Data Subject is the individual whose personal data is being processed. Examples include:
Processing means the use made of personal data including:
The Data Controller is the legal ‘person’, or organisation, that decides why and how personal data is to be processed. The data controller is responsible for complying with the Act. The Data Processor - the data controller may get another organisation to be their data processor, in other words to process the data on their behalf. Data processors are not subject to the Act. The responsibility of what is processed and how remains with the data controller. There should be a written contract with the data processor who must have appropriate security. The Data Protection Officer is the name given to the person in organisations who is the central point of contact for all data compliance issues.
The Board of Trustees recognises its overall responsibility for ensuring that Youth Business International complies with its legal obligations. The Data Protection Officer is Youth Business International's Finance Director, Hannah Leyro-Diaz, who has the following responsibilities:
Each member of staff and volunteer at Youth Business International who handles personal data will comply with the organisation’s operational procedures for handling personal data (including induction and training) to ensure that good Data Protection practice is established and followed. All staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work. Significant breaches of this policy will be handled under Youth Business International’s disciplinary procedures.
Because confidentiality applies to a much wider range of information than Data Protection, Youth Business International has a separate Confidentiality Policy. This Data Protection Policy should be read in conjunction with Youth Business International’s Confidentiality Policy. Youth Business International has a privacy statement for donors, setting out how their information will be used. This is available on request, and a version of this statement will also be used on the Youth Business International web site. Staff, volunteers and seasonal workers are required to sign a short statement indicating that they have been made aware of their confidentiality responsibilities. (See Confidentiality Policy). In order to provide some services, Youth Business International will need to share client’s personal data with other agencies (Third Parties). Verbal or written agreement will always be sought from the client before data is shared. Where anyone within Youth Business International feels that it would be appropriate to disclose information in a way contrary to the confidentiality policy, or where an official disclosure request is received, this will only be done after discussions with a manager or the Data Protection Officer. All such disclosures will be documented.
This section of the policy only addresses security issues relating to personal data. It does not cover security of the building, business continuity or any other aspect of security. Any recorded information on donors, volunteers and staff will be:
Access to information on the main database is controlled by a password and only those needing access are given the password. Staff and volunteers should be careful about information that is displayed on their computer screen and make efforts to ensure that no unauthorised person can view the data when it is on display. Notes regarding personal data of donors should be shredded or destroyed.
Youth Business International has a single database holding basic information about all donors and volunteers, protected by password. Youth Business International will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:
Youth Business International stores archived paper records of donors and volunteers securely in the office.
All donors and customers have the right to request access to all information stored about them. Any subject access requests will be handled by the Data Protection Officer within the required time limit. Subject access requests must be in writing. All staff and volunteers are required to pass on anything which might be a subject access request to the Data Protection Officer without delay. All those making a subject access request will be asked to identify any other individuals who may also hold information about them, so that this data can be retrieved. Where the individual making a subject access request is not personally known to the Data Protection Officer their identity will be verified before handing over any information. The required information will be provided in permanent form unless the applicant makes a specific request to be given supervised access in person. Youth Business International will provide details of information to service users who request it unless the information may cause harm to another person. Staff have the right to access their file to ensure that information is being used fairly. If information held is inaccurate, the individual must notify the Chief Executive so that this can be corrected on file.
Youth Business International is committed to ensuring that Data Subjects are aware that their data is being processed and:
Data Subjects will generally be informed in the following ways:
Standard statements will be provided to staff for use on forms where data is collected. Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data Subjects will be informed which fields are mandatory and why.
Where necessary, consent will be sought for processing of information about staff. Information about volunteers will be made public according to their role, and consent will be sought for (a) the means of contact they prefer to be made public, and (b) any publication of information which is not essential for their role. Information about donors will only be made public with their consent. (This includes photographs.) ‘Sensitive’ data about donors (including health information) will be held only with the knowledge and consent of the individual. Consent may be implied in many cases but can also be given in writing. All Data Subjects will be given the opportunity to opt out of their personal data being used in particular ways, such as the right to opt out of direct marketing (see below). Youth Business International acknowledges that, once given, consent can be withdrawn, but not retrospectively. There may be occasions where Youth Business International has no choice but to retain data for a certain length of time, even though consent for using it has been withdrawn.
All staff who have access to any kind of personal data will be given copies of all relevant policies and procedures during their induction process, including the Data Protection policy, Confidentiality policy and the operational procedures for handling personal data. All staff will be expected to adhere to all these policies and procedures. Data Protection will be included in the induction training for all volunteers. Youth Business International will provide opportunities for staff to explore Data Protection issues through training, team meetings, and supervisions.
The policy will be reviewed at the first quarterly governance and risk meeting of the year by the Chief Executive and approved by the Board of Trustees. It will also be reviewed in response to changes in relevant legislation, contractual arrangements, good practice or in response to an identified failing in its effectiveness. Date this policy was approved by the Senior management team: February 2nd 2017
When you request information from Youth Business International, sign up to any of our services or buy things from us, Youth Business International obtains information about you. This statement explains how we look after that information and what we do with it. We have a legal duty under the Data Protection Act to prevent your information falling into the wrong hands. We must also ensure that the data we hold is accurate, adequate, relevant and not excessive. Normally the only information we hold comes directly from you. Whenever we collect information from you, we will make it clear which information is required in order to provide you with the information, service or goods you need. You do not have to provide us with any additional information unless you choose to. We store your information securely on our computer system, we restrict access to those who have a need to know, and we train our staff in handling the information securely. If you have signed up to an event or other service we will also pass your details to the professional worker providing that service. That worker may hold additional information about your participation in these activities. We would also like to contact you in future to tell you about other services we provide, to keep you informed of what we are doing and ways in which you might like to support Youth Business International. You have the right to ask us not to contact you in this way. We will always aim to provide a clear method for you to opt out. You can also contact us directly at any time to tell us not to send you any future marketing material. You have the right to a copy of all the information we hold about you (apart from a very few things which we may be obliged to withhold because they concern other people as well as you). To obtain a copy, either ask for an application form to be sent to you, or write to the Data Protection Officer at Youth Business International. We aim to reply as promptly as we can and, in any case, within the legal maximum of 40 days.