Privacy Policy | East Birmingham Community Forum Limited

Privacy Policy

1. Introduction

EBCF (thereafter to be termed ‘the Organisation’) reputation and future growth are dependent on the way the Organisation manages and protects personal data. Protecting the confidentiality and integrity of personal data is a key responsibility of everyone within the Organisation.

As an Organisation that collects, uses, and stores personal data about its employees, students, employer and visitors, the Organisation recognises that having controls around the collection, use, retention and destruction of personal data is important in order to comply with the Organisation obligations under Data Protection Laws and in particular article 5 of the General Data Protection Regulation (GDPR):

The Organisation has implemented this policy to ensure all organisation personnel are aware of what they must do to ensure the correct and lawful treatment of personal data. This will maintain confidence in the Organisation and will provide for a successful working and learning environments for all.

Organisation personnel will receive a copy of this policy when they start and may receive periodic revisions of the policy. This policy does not form part of any member of the Organisation’s personnel contract of employment and the Organisation reserves the right to change this policy at any time, but it is a condition of employment that organisational personnel will abide by the rules and polices made by the Organisation. Any failures to follow the policy may result in disciplinary action.

2. About this Policy

This policy (and the other policies and documents referred to in it) sets out the basis on which the Organisation will collect and use personal data either where the Organisation collects it from individuals itself or where it is provided to the Organisation by third parties.

It also sets out rules on how the Organisation uses, transfers, and stores personal data.

It applies to all personal data stored electronically, in paper form or otherwise.


3. Definitions

3.1 Organisation – is made up of EBCF.

3.2 Organisation Personnel – any employee, worker or contractor of the Organisation who accesses any of the Organisation’s personal data and will include employees, consultants, contractors, and temporary personnel hired to work on behalf of the Organisation.

3.3 Controller – any entity (e.g., company, organisation, or person) that makes its own decisions about how it is going to collect and use personal data.

A Controller is responsible for compliance with Data Protection Laws. Examples of personal data the Organisation is the Controller of include employee details or information the organisation collects relating to students. The Organisation will be viewed as a Controller of personal data if it decides what personal data the Organisation is going to collect and how it will use it.

A common misconception is that individuals within organisations are the Controllers. This is not the case it is the organisation itself which is the Controller.

3.4 Data Protection Laws – GDPR (Regulation (EU) 2016/679) and all applicable laws relating to the collection and use of personal data and privacy, and any applicable codes of practice issued by a regulator including in the UK, the Data Protection Act 2018.

3.5 Data Protection Officer (DPO) – our DPO is Suliman Khan suliman@ebcf.org.uk

3.6 Information Commissioner’s Office (ICO) – the ICO is the UK’s data protection regulator.

3.7 Individuals/data subject – living individuals who can be identified, directly or indirectly, from information that the Organisation has. For example, an individual could be identified directly by name, or indirectly by gender, job role and office location if you can use this information to work out who they are. Individuals include employees, students, parents, visitors, and potential students. Individuals also include partnerships and sole traders.

3.8 Personal Data – any information about an individual (see 3.7) which identifies them or allows them to be identified in conjunction with other information that is held. It includes information of this type, even if used in a business context.

Personal data is defined broadly and covers things such as name, address, email address (including a business context, email address of individuals in companies such as firstname.surname@organisation.com), IP address and also more sensitive types of data such as trade union membership, genetic data and religious beliefs. These more sensitive types of data are called ‘Special Categories of Personal Data’ and are defined in 3.10. Special categories of personal data are given extra protection by Data Protection Laws.

3.9 Processor – any entity (e.g., company, organisation, or person) which accesses or uses personal data on the instruction of a Controller.

A Processor is a third party that processes personal data on behalf of the Controller. This is usually as a result of the outsourcing of a service by the Controller or the provision of services by the Processor which involve access to or use of personal data. Examples include where software support for a system, which contains personal data, is provided by someone outside the business; cloud arrangements; and mail fulfilment services.

3.10 Special Categories of Personal Data – personal data that reveals a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data (i.e. information about their inherited or acquired genetic characteristics), biometric data (i.e. information about their physical, physiological or behavioural characteristics such as facial images and fingerprints), physical or mental health, sexual life or sexual orientation and criminal record. Special categories of personal data are subject to additional controls in comparison to ordinary personal data.

4. Organisational Personnel’s General Obligations

4.1 All Organisational personnel must comply with this policy.

4.2 Organisation personnel must ensure that they keep confidential personal data that they collect, store, use and come into contact with during the performance of their duties.

4.3 Organisation personnel must not release or disclose any personal data:

4.3.1 Outside the Organisation.

4.3.2 Inside the Organisation-to-Organisation personnel not authorised to access the personal data, without specific authorisation from their manager or the Data Protection Officer; this includes by phone calls or in emails.

4.4 Organisation personnel must take all steps to ensure there is no unauthorised access to personal data whether by other Organisation personnel who are not authorised to see such personal data or by people outside the Organisation.

4.5 Organisation personnel must ensure they abide by the Organisations Clean Desk Policy (ref EBCF-DP-20) to ensure that any personal data they come in contact with is processed securely and confidentially.


5. Data Protection Principles

5.1 When using personal data, Data Protection Laws require that the Organisation complies with the following principles. These principles require Personal Data to be:

5.1.1 Processed lawfully, fairly and in a transparent manner.

5.1.2 Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

5.1.3 Adequate, relevant, and limited to what is necessary for the purposes for which it is being processed.

5.1.4 Accurate and kept up to date, meaning that every reasonable step must be taken to ensure that personal data that is inaccurate is erased or rectified as soon as possible.

5.1.5 Kept for no longer than is necessary for the purposes for which it is being processed.

5.1.6 Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

5.2 These principles are considered in more detail in the remainder of this policy.

5.3 In addition to complying with the above requirements the Organisation also has to demonstrate in writing that it complies with them. The Organisations has a number of policies and procedures in place, including this policy and the documentation referred to in it, to ensure that the Organisation can demonstrate its compliance.


6. Lawful use of Personal Data

6.1 In order to collect and/or use personal data lawfully, the Organisation needs to be able to show that its use meets one of a number of legal grounds:

6.1.1 Consent – the individual has given clear consent for the Organisation to process their personal data for a specific purpose.

6.1.2 Contract – the processing is necessary for a contract the Organisation has with the individual or because they have asked the Organisation to take specific steps before entering into a contract.

6.1.3 Legal Obligation – the processing is necessary for the Organisation to comply with the law (not including contractual obligations)

6.1.4 Vital interests – the processing is necessary for the Organisation to protect someone’s life.

6.1.5 Public task – the processing is necessary for the Organisation to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.

6.1.6 Legitimate interests – the processing is necessary for the Organisation’s legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests (this cannot apply to public authorities processing data to perform official tasks)

6.2 In addition, when the Organisation collects and/or uses special categories of personal data, the Organisation has to show that one of a number of additional conditions is met:

6.2.1 The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition may not be lifted by the data subject.

6.2.2 Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.

6.2.3 Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent

6.2.4 Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects.

6.2.5 Processing relates to personal data which are manifestly made public by the data subject

6.2.6 Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

6.2.7 Processing is necessary for reasons of substantial public interest, on the basis of Union Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

6.2.8 Processing is necessary for purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and the services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards.

6.2.9 Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.

6.2.10 Processing is necessary for archiving purposes in the public interest scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

6.3 The Organisation has carefully assessed how it uses personal data and how it complies with the obligations set out in 6.1 and 6.2. If the Organisation changes how it uses personal data, the Organisation needs to update this record and may also need to notify individuals about the change. If Organisation Personnel, therefore, intend to change how they use personal data at any point they must notify the DPO who will decide whether their intended use requires amendments to be made and any other controls which need to apply.

7. Transparent Processing – Privacy Notices

7.1 Where the Organisation collects personal data directly from individuals, the Organisation will inform them about how the Organisation uses their personal data. This is in a privacy notice, which is issued at the point of collection

7.2 If the Organisation receives personal data about an individual from other sources, the Organisation will provide the individual with a privacy notice about how the Organisation will use their personal data. This will be provided as soon as reasonably possible and in any event within one month.

7.3 If the Organisation changes how it uses personal data, the Organisation may need to notify individuals about the change. If Organisational personnel, therefore, intend to change how they use personal data the DPO must be notified. The DPO will then assess whether there is an appropriate lawful basis for changing the way in which the personal data is used, if amendments to the privacy notice are required and if amendments are required to any other controls which apply.


8. Data Quality
Ensuring the use of accurate, up to date and relevant Personal Data

8.1 Data Protection Laws require that the Organisation only collects and processes personal data to the extent that it is required for the specific purpose(s) notified to the individual in a privacy notice (section 7.0) and as set out in the Organisation’s record of how it uses personal data. The Organisation is also required to ensure that the personal data it holds is accurate and kept up to date.

8.2 All Organisation personnel that collect and record personal data shall ensure that the personal data is recorded accurately, kept up to date and shall also ensure that they limit the collection and recording of personal data to that which is adequate, relevant and limited to what is necessary in relation to the purpose for which it is collected and used.

8.3 All Organisation personnel that obtain personal data from sources outside the Organisation shall take reasonable steps to ensure that the personal data is recorded accurately, is up to date and limited to that which is adequate, relevant, and limited to what is necessary in relation to the purpose for which it is collected and used. This does not require Organisation personnel to independently check the personal data obtained.

8.4 In order to maintain the quality of personal data, all Organisation personnel that access personal data shall ensure that they review, maintain and update it to ensure that it remains accurate, up to date, adequate, relevant and limited to what is necessary in relation to the purpose for which it is collected and used. Please note that this does not apply to personal data which the Organisation must keep in its original form (e.g., for legal reasons or that which is relevant to an investigation).

8.5 The Organisation recognises the importance of ensuring that personal data is amended, rectified, erased or its use restricted where this is appropriate under Data Protection Laws. The Organisation has a Data Subject Individual Rights Procedure, which sets out how the Organisation responds to requests relating to individual rights:

• The right to be informed.
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing.
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling.

Any request from an individual for any of the above rights in relation to their personal data should be dealt with in accordance with the Data Subject Individual Rights procedure. 
9. Retention of Personal Data

9.1 Data Protection Laws require that the Organisation does not keep personal data longer than is necessary for the purpose or purposes for which the Organisation collected it.

9.2 The Organisation has assessed the types of personal data that it holds and the purposes it uses it for and has set retention periods for the different types of personal data processed by the Organisation, the reasons for those retention periods and how the Organisation securely deletes/disposes of personal data at the end of those periods. These are set out in the Data Retention Policy.

9.3 If Organisation personnel feel that a particular item of personal data needs to be kept for more or less time than the retention period set out in the Data Retention, for example because there is a requirement of law, or if the Organisation personnel have any questions about this policy or the Organisation’s personal data retention practices, they should contact the DPO for guidance.

9.4 The business holds a Data Asset Register. This document clearly defines each process a department is involved in, what personal data is processed along with the required storage, retention and method of disposal of such data. Managers are required to ensure the Organisation personnel they line manage are aware of this document and where to locate it.

10. Data Security

The Organisation takes information security very seriously and the Organisation has security measures against unlawful or unauthorised processing of personal data and against the accidental loss of, or damage to, personal data. The Organisation has in place the Information Security Policy and technologies to maintain the security of all personal data from the point of collection to the point of destruction.


11. Data Breach

11.1 Whilst the organisation takes information security very seriously, unfortunately, in today’s environment, it is possible that a security breach could happen which may result in the unauthorised loss of, access to, deletion of or alteration of personal data. If this happens there will be a personal data breach and Organisation personnel must comply with the with the Organisation’s Data Breach Policy and Data Breach Notification Process. Please see paragraphs 11.2 and 11.3 for examples of what can be a personal data breach.

11.2 Personal data breach is defined very broadly and is effectively any failures to keep personal data secure, which leads to the accidental or unlawful loss (including loss of access to), destruction, alteration or unauthorised disclosure of personal data. Whilst most personal data breaches happen as a result of something someone internal does.

11.3 There are three main types of personal data breach which are as follows:

11.3.1 Confidentiality breach – where there is an unauthorised or accidental disclosure of, or access to, personal data e.g. hacking, accessing internal systems that an Organisational personnel is not authorised to access, accessing personal data stored on a lost laptop, phone or other device, people “blagging” access to personal data they have no right to access, putting the wrong letter in the wrong envelope, sending an email to the wrong student or disclosing information over the phone to the wrong person.

11.3.2 Availability breach – where there is an accidental or unauthorised loss of access to or destruction of personal data, e.g., loss of a memory stick, laptop or device, denial of service attack, infection of systems by ransom ware, deleting personal data in error, loss of access to personal data stored on systems, inability to restore access to personal data from back up, or loss of encryption key.

11.3.3 Integrity breach – where there is an unauthorised or accidental alteration of personal data.

11.4 All data breaches must be reported to the DPO using the Data Breach Notification form (ref DP-DB-02). It is the responsibility of all organisational personnel to report a data breach no matter how big or small.

11.5 All data breaches must be documented on an internal data breach register held by the DPO. 
12. Training of Organisation Personnel

12.1 All Organisation personnel who process personal data will receive data protection training. Training is important to reduce the likelihood of misuse of personal data. All Organisational personnel at induction will receive training about data protection and will be required to undertake annual refresher training.

12.2 All Data Protection Policies, Procedures and Documents are accessible to organisational personnel within a dedicated central location on the staff portal for ease of access and reference.

13. Contractors who access the Organisation’s Personal Data

13.1 If the Organisation appoints a contractor who is a processor of the Organisation’s personal data, Data Protection Laws require the Organisation only appoints them where the Organisation has carried out sufficient due diligence and only where the Organisation has appropriate contracts in place.

13.2 One requirement of GDPR is that a controller must only use processor who meet the requirements of the GDPR and protect the rights of individuals. This means that data protection due diligence should be undertaken on both new and existing suppliers. Once a processor is appointed, they should be audited periodically to ensure that they are meeting the requirements of their contract in relation to Data Protection.

13.3 Any contract where an organisation appoints a processor must be in writing.

13.4 You are considered as having appointed a processor where you engage someone to perform a service for you and as part of it, they may get access to your personal data. Where you appoint a processor the Organisation, as controller, remains responsible for what happens to the personal data.

13.5 GDPR requires the contract with the processor to contain the following obligations as a minimum:

13.5.1 To only act on the written instructions of the controller
13.5.2 To not export personal data without the controller’s instruction.
13.5.3 To ensure staff are subject to confidentiality obligations.
13.5.4 To take appropriate security measures.
13.5.5 To only engage sub-processors with the prior consent (specific or general) of the controller and under a written contrac.t

13.5.6 To keep the personal data secure and assist the controller to do so.
13.5.7 To assist with the notification of data breaches and data protection impact assessments.
13.5.8 To assist with subject access/individual rights requests.
13.5.9 To delete/return all personal data as requested at the end of the contract.
13.5.10 To submit to audits and provide information about the processing.
13.5.11 To tell the controller if any instruction is in breach of the GDPR or other EU or member state data protection law.

13.6 In addition the contract should set out:

13.6.1 The subject matter and duration of the processing
13.6.2 The nature and purpose of the processing
13.6.3 The type of personal data and categories of individuals
13.6.4 The obligations and rights of the controller

14. Individuals’ Rights

14.1 GDPR gives individuals more control about how their data is collected and stored and what is done with it. See clause 8.5 for more detail. The Data Subject Individual Rights Procedure details the process for data subjects exercising their rights.

14.2 The Organisation will ensure that individuals (data subjects) can exercise their rights in accordance with procedure.

15. Marketing and Consent

15.1 The Organisation will sometimes contact individuals to send them marketing or to promote the Organisation. Where the Organisation carries out any marketing, Data Protection Laws require that this is only done in a legally compliant manner.

15.2 Marketing consists of any advertising or marketing communication that is directed to particular individuals.

15.3 Where an individual is contacting for marketing purposes, consent must be obtained. Consent is central to electronic marketing. Best practice is to provide an un-ticked opt-in box.

16. Automated Decision Making and Profiling

16.1 Under Data Protection Laws there are controls around profiling and automated decision making in relation to individuals:

Automated Decision Making – happens where the Organisation makes a decision about an individual solely by automated means without any human involvement and the decision has legal or other significant effects.

Profiling – happens where the Organisation automatically uses personal data to evaluate certain things about an individual.

16.2 Any automated decision making or profiling which the Organisation carries out can only be done once the Organisation is confident that it is complying with Data Protection Laws. If Organisation personnel, therefore, wish to carry out any automated decision making or profiling they must inform and gain approval of the DPO.

16.3 The Organisation does not carry out automated decision making or profiling in relation to Organisational personnel or students.

17. Conclusion

Compliance with the GDPR and the Data Protection Act 2018 is the responsibility of all Organisation personnel. Any deliberate breach of this GDPR Policy may lead to disciplinary action being taken or even criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be referred to the Data Protection Officer.