The purpose of this policy is to enable Youth Business International to:
Brief Introduction to the Data Protection Act and General Data Protection Regulation
The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly. Anyone who processes personal information must comply with the following principles, to demonstrate information is:
The Act also provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.
The General Data Protection Regulation places conditions on the organisation’s accountability and governance of this framework. This requires YBI to keep records of processing activities, detailing the type of people whose personal data is being processed, e.g. staff, trustees, donors, etc.; the type of personal information being processed, e.g. name, age, contact details; why the personal information is needed; how it is obtained and stored; whether and with whom it is shared; how long it is required; and the process for deletion. In order to comply with the regulation, YBI’s Data Management Form should be used and referred to for activities in which personal data is processed.
Were a data breach to happen, YBI is liable for 4% of annual income or a fine of up to €20 million.
Youth Business International will:
Youth Business International is the Data Controller and all processing of personal data will be undertaken in accordance with data protection principles. Youth Business International recognises that its first priority is to avoid causing harm to individuals. Information about individuals will be processed securely and not disclosed to any person unlawfully or unnecessarily.
For processes involving personal data, the responsible staff lead will complete a Data Management Form. This form will be authorised by the Data Protection Officer to confirm it meets the required data protection criteria:
For the avoidance of any doubt, YBI makes no automated decisions in any regard.
YBI aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. Individuals may exercise their right to a copy of the information held concerning them, see ACCESS TO DATA.
Personal Data is any information, whether in manual or electronic form, that identifies an individual from that information alone or in combination with other information that is likely to be held by YBI.
The principal categories of individuals whose personal data YBI processes include:
Processing means the use made of personal data including:
The Board of Trustees recognises its overall responsibility for ensuring that Youth Business International complies with its legal obligations.
The Data Protection Officer is Youth Business International’s Finance Director, Hannah Leyro-Diaz, who has the following responsibilities:
Each member of staff, volunteer and intern at Youth Business International who handles personal data will comply with the organisation’s operational procedures for handling personal data (including induction and training) to ensure that good Data Protection practice is established and followed.
All staff, volunteers and interns are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.
Significant breaches of this policy will be handled under Youth Business International’s disciplinary procedures.
STAFF TRAINING AND ACCEPTANCE OF RESPONSIBILITIES
All staff who have access to any kind of personal data will be given copies of all relevant policies and procedures during their induction process, including the Data Protection policy, Confidentiality policy and the operational procedures for handling personal data, relevant to the execution of their responsibilities. All staff will be expected to adhere to all these policies and procedures. Data Protection will be included in the induction training for all volunteers and interns.
Youth Business International will provide opportunities for staff to explore Data Protection issues through training, team meetings, and supervisions.
This section of the policy only addresses security issues relating to personal data. It does not cover security of the building, business continuity or any other aspect of security.
Only staff who need access to personal data will be given this privilege. Access to information on the main database is controlled by a password and only those needing access are given the password.
Staff are trained in the secure handling of data, with particular attention given to personal data and sensitive personal data. Any recorded personal data will be:
Staff, volunteers and interns will use appropriate care to ensure personal data is not shared in insecure ways, e.g. via email or in file-sharing repositories without password protection, and that personal data is only shared in this way when necessary.
Staff, volunteers and interns will be careful about information that is displayed on their computer screen and make efforts to ensure that no unauthorised person can view the data when it is on display.
It is the responsibility of the staff member handling personal data to ensure this is done with the greatest care and adherence to this policy. Where a breach occurs or is suspected, the staff member discovering it should inform the Data Protection Officer immediately.
The Data Protection Officer is responsible for ensuring the correct procedures are followed in order to understand, mitigate or minimise the harm of a data breach and to inform the relevant authorities.
DATA RECORDING AND STORAGE
Youth Business International has a single database, protected by password, holding basic information about a limited number of data subjects.
Youth Business International will regularly review its procedures for ensuring that its records are adequate and limited to only that which YBI needs to carry out the tasks required:
Youth Business International stores archived paper records of donors and volunteers securely in the office only for the durations that these are needed.
Consideration will be given to the lawful basis for personal data to be processed, e.g. whether YBI has a legitimate interest and does not require consent to be granted for it to process personal data, or whether consent is deemed appropriate. The decision on the lawful basis being applied and the rationale for that decision shall be recorded in the Data Management Form.
Information about donors will only be made public with their consent. This includes photographs.
Consent will be freely given and explicit, although the form of consent may vary according to the situation, e.g. verbal consent may be accepted for personal data use where written consent is impractical or otherwise inappropriate. Regardless of the form, consent will be recorded with sufficient detail to reasonably corroborate its validity, e.g. time and date of consent, and any further details as necessary.
Youth Business International acknowledges that, once given, consent can be withdrawn, see Access to Data for guidance on YBI’s approach. YBI is committed to fulfilling its obligations for the removal of personal information following withdrawal.
ACCESS TO DATA
Subject Access Requests can be made to YBI’s Data Protection Officer at firstname.lastname@example.org.
When requesting personal information from YBI, the following information should be included:
Upon receipt of the required information to help YBI identify all personal data held, YBI commits to responding within 1 month (our legal obligation). We do endeavour to respond to queries as soon as is practicable.
Whilst the most efficient way to make a Subject Access Request is to contact YBI at email@example.com, all requests that YBI can corroborate as genuine are valid. This includes but is not limited to postal, email, telephone and social media requests. Verbal requests are also valid if this is the most appropriate means of communication with us.
If YBI does not receive all the information required for the identification of personal data, we shall revert to request it.
YBI takes the use and security of personal data seriously and will meet all reasonable requests for information. If YBI considers the request to be unreasonable, impractical or is otherwise unable to meet the request, we will revert providing our reasons with the expectation of being able to meet the Subject Access Rights without disproportionate effort in terms of:
YBI is committed to providing access to your personal data in the most suitable form. Please make clear in your Subject Access Request if you require the information in a specific format (e.g. Braille, large print, email or audio format) in order for YBI to meet our obligations in this regard and under the Equality Act.
Any issues regarding a Subject Access Rights request should be raised via email to firstname.lastname@example.org or in the most appropriate manner according to the circumstances of the subject.
If we are unable to satisfactorily resolve the issue, complaints should be directed to the Information Commissioner’s Office (ICO).
Because confidentiality applies to a much wider range of information than Data Protection, Youth Business International has a separate Confidentiality Policy. This Data Protection Policy should be read in conjunction with Youth Business International’s Confidentiality Policy.
Staff, volunteers and interns are required to sign a short statement indicating that they have been made aware of their confidentiality responsibilities. (See Confidentiality Policy).
In order to provide some services, Youth Business International will need to share clients’ personal data with other agencies (Third Parties).
Where anyone within Youth Business International feels that it is necessary to disclose information in a way contrary to the confidentiality policy, or where an official disclosure request is received, this will only be done after discussions with the Data Protection Officer. All such disclosures will be documented.
Youth Business International is committed to ensuring that individuals are aware that their data is being processed and:
Individuals will generally be informed in the following ways:
Standard statements will be provided to staff for use on forms where data is collected.
The policy will be reviewed at the first quarterly governance and risk meeting of the year by the Chief Executive and approved by the Board of Trustees. It will also be reviewed in response to changes in relevant legislation, contractual arrangements, good practice or in response to an identified failing in its effectiveness.