1. Introduction

2. Legal framework

3. Registration

4. Definitions

5. Data protection principles

6. Responsibilities

7. Training

8. Audit

9. Privacy impact assessments

10.   Privacy notices

11. Use of data processors

12. Data breaches

13.   Rights of data subjects

14. Procedures

15. Record keeping

16.   Policy review

  1. Introduction

This policy outlines the approach taken by The Rock Youth Project (The Rock) to ensure that the organisation:

  • Complies with data protection law and follows good practice
  • Protects the rights of club members, staff, trustees and partners
  • Is open about how the organisation stores and processes individuals’ personal data
  • Makes staff and trustees and any volunteers aware of their responsibilities relating to information security
  • Protects the organisation from the risks of a data breach

2. Legal framework

Current legislation governing the use of personal data:

  • General Data Protection Regulation
  • Data Protection Act 2018, including the Law Enforcement Requirements (part 3)

This list is not exclusive.

3. Registration

Under the Data Protection (Charges and Information) Regulations 2018, individuals and organisations that process personal data need to pay a fee to the Information Commissioner’s Office (ICO), unless they are exempt.

It has been determined that The Rock is exempt from paying this fee. 

4. Definitions

For the purposes of data protection legislation:

‘personal data’ is anything that can identify a living human being.

‘data subject’ means an individual who is the subject of personal data.

‘data controller’ means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

‘data processor’, in relation to personal data means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

‘processing’ in relation to information or data means anything at all that is done with the personal data – obtaining, recording or holding it or carrying out any operation or set of operations on it.

5. Data protection principles

The principles are the rules of data protection and The Rock must comply with them. The responsible person will interpret them in accordance with legislative and professional guidance as necessary and determine their practical application.

They are that personal data be:

a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

In addition Article 5(2) of the GDPR requires that:

“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

Should the United Kingdom leave the European Economic Area (EEA) and become a third country in regard to European data protection legislation, The Rock will not transfer personal data outside the United Kingdom without appropriate safeguards. The Rock does not transfer personal data outside the EEA.

6. Responsibilities

Everyone who works for or with The Rock has some responsibility for ensuring data is collected, stored and handled appropriately.

Every individual who has access to personal data must ensure that it is used in line with this policy and data protection principles.

Some individuals or groups have key areas of responsibility:

I. The Board of Trustees is ultimately responsible for:

  • Ensuring that The Rock meets its legal obligations

II. The Chair of Trustees and Project Manager are responsible for:

  • Reviewing all data protection procedures and related policies, in line with an agreed schedule;
  • Deciding whether or not a Data Protection Impact Assessment (DPIA) is required for any proposed or current processing.

III. The Project Manager is responsible for:

  • Keeping the Board updated about data protection responsibilities, risks and issues;
  • Arranging data protection training and advice for the staff, trustees and any volunteers;
  • Handling data protection questions from staff, trustees, volunteers and any other third parties;
  • Dealing with requests from individuals to see the personal data that The Rock holds about them (also called subject access requests);
  • Evaluating potential data processors to ensure that they comply with information security legislation;
  • Checking and approving any contracts or agreements with data processors;
  • Ensuring all systems, services and equipment used for storing data meet acceptable security standards;
  • Investigating any complaints about the information security of The Rock
  • Assessing and reporting any data breaches.

The Project Manager is deemed to be the person within The Rock who has overall responsibility for information security and will be known as the ‘responsible person’. They will arrange for a deputy to assume these responsibilities during periods of planned absence.

The Chair of Trustees will ensure that there is cover in the event of any unplanned absence.

7. Training

All staff, trustees and any volunteers of The Rock will be trained in data protection and their responsibilities relating to information security. This training will be delivered to new staff, trustees and volunteers as soon as possible but no longer than six months after joining the organisation.

If changes are made to legislation or legal precedents set, which in the opinion of the responsible person necessitate update training, this will take place as soon as possible.

8. Audit

The General Data Protection Regulation requires that an organisation records how personal data flows within it.

The Rock will undertake a data protection audit to determine this.

This audit will be a working document to be updated by the responsible person or their representative as appropriate and approved by the Trustees at their next scheduled meeting.

It will be used by the responsible person to assist in determining any actions that must be taken to comply with data protection regulations or improve on existing practices.

This document will be reviewed at least annually and a report made to Trustees.

9. Privacy impact assessments

It is the duty of The Rock to undertake a privacy impact assessment if it is unclear whether any processing of personal data, on balance is harmful to the rights and freedoms of the data subjects, or before beginning any processing for a new purpose.

The responsible person and Chair of Trustees will decide if a privacy impact assessment is required for any processing. All decisions will be recorded.

If a privacy assessment indicates that it has not been possible to determine whether the processing is harmful to the rights and freedoms of the data subjects the matter will be referred to the Information Commissioner’s Office (ICO). Any decision made by the ICO regarding such processing will be binding.

10. Privacy notices

The Rock will produce a general privacy notice which will be available on its website and in paper form if requested. Amongst other things, this will inform people why and how The Rock collects their personal data, who it is shared with and how long it will be kept. Providing people with this information is a key element of the principle of transparency and can also help to build trust with individuals.

In addition, wherever and whenever personal data is collected there will be a privacy notice specific to the purpose for which the form is being used.

All The Rock’s privacy notices will be reviewed at least annually by the responsible person.

11. Use of data processors

Whenever The Rock uses a processor it will put a written contract in place.

The contract is important so that both parties understand their responsibilities and liabilities.

The Rock is liable for its compliance with the GDPR and will only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.

Processors must only act on the documented instructions of The Rock and penalties may be written into the contract in the event of a breach. They will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they do not comply.

Where The Rock is a data processor the above provisions will also apply.

12. Data breaches

The term ‘data breach’ refers to a breach of security or failure to adhere to data protection legislation which has led to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Should a data breach be discovered or suspected, however reported, the responsible person will immediately assess the situation following The Rock’s Data Breach Procedure and determine whether or not the incident should be reported to the ICO.

All notifiable breaches will be reported to the ICO within 72 hours of The Rock becoming aware of them.

13. Rights of data subjects

All data subjects, including children have the right to:

  • be provided with a transparent and clear privacy notice which explains who you are and how their data will be processed.
  • be given a copy of their personal data;
  • have inaccurate personal data rectified and incomplete data completed;
  • exercise the right to be forgotten and have personal data erased.
  • restrict the processing in specified circumstances;
  • data portability;
  • object to processing carried out under the lawful bases of public task or legitimate interests, and for the purposes of direct marketing.
  • not be subject to automated individual decision-making, including profiling which produces legal effects concerning him or her or similarly affects him or her; See 
  • complain to the ICO or another supervisory authority;
  • appeal against a decision of a supervisory authority;
  • bring legal proceedings against a controller or processor; and
  • claim compensation from a controller or processor for any damage suffered as a result of their non-compliance with the GDPR.

The Rock will assist all its data subjects to exercise their rights where appropriate.

The general rule adopted by The Rock is that no child under the age of 12 is competent to fully understand their rights and that it is appropriate to let the holder of parental responsibility exercise the child’s rights on their behalf.

However, The Rock recognises that occasionally this is not in the best interests of the child therefore the responsible person will review every right exercised on behalf of a child and decide whether or not to agree to a request.

The responsible person will then inform trustees of the decision immediately and the matter added to the agenda at the next scheduled meeting of trustees.

14. Procedures

There shall be procedures for all activities related to the processing of personal data by The Rock.

Currently these are:

  • Data subject access request procedure
  • Privacy impact assessment procedure
  • Setting up a data processor
  • Overarching safeguarding statement
  • Complaints procedure
  • Child protection procedure
  • Procedure for using children’s images
  • Staff code of conduct
  • *Retention and disposal procedures
  • Data breach procedure

This list is not exhaustive and procedures may be added at any time.

*There are policies as well as procedures for these subjects

15. Record keeping

Article 5(2) of the GDPR requires that:

“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

In order to demonstrate compliance, The Rock will keep records of all processing of personal data.

This includes but is not limited to:

  • Audit document
  • Disclosure log
  • List of data subjects’ rights exercised
  • Minutes of all meetings where data protection and information privacy is discussed

16. Policy review

This policy will be reviewed every two years by the responsible person and the Chair of Trustees.

The next scheduled review date for this policy is Jan 2021.