GDPR Data Protection Policy Statement
- Policy, scope and objectives
- Responsibilities under the GDPR
- Risk Assessment
- Data protection principles
- Data subjects’ rights
- Consent and other conditions that Refugee Employment Network will use to process data
- Security of data
- Rights of access to data
- Disclosure of data
- Retention and disposal of data
- Disposal of records
1. Policy, scope and objectives
1.1 The Board of Trustees of Refugee Employment Network and its affiliated organisations, located at 54 Crewys Rd, London NW2 2AD, is committed to complying with all relevant UK and EU laws in respect of personal data, and to protecting the “rights and freedoms” of individuals whose information Refugee Employment Network collects and keeps in accordance with the General Data Protection Regulation (GDPR).
1.2 GDPR EU regulations and articles are referenced within our policies from the ‘Regulation (EU) 2016/679 of The European Parliament And Of The Council’ legislation, published on 27 April 2016 on the ‘…protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)’ and can be found online by clicking this link.
1.3 The scope of this document includes all the activities of Refugee Employment Network including its fundraising aims and objectives, educational and research projects, events-based endeavours, both on and offline and using various channels. This is not an exhaustive list and may be updated from time to time in the future.
1.4 Refugee Employment Network is committed to complying with data protection legislation and holds the following policies and procedures to ensure good practice:
1.4.1 MAIN STATEMENT
Policy owner: Chair
Policies owner: Chair
Data subject consent procedure: This procedure covers all situations where we require the consent of a data subject for the processing of personal data.
Case study pseudonym policy: For participants in our case studies communications, the partner organisation must ensure that participants have understood/signed the consent form. Real names are used unless specifically requested to be changed.
1.4.3 DATA PROCESSING & STORAGE
Policies owner: Chair
3rd party data protection agreement: The agreement between us and external parties where access is needed to any organisation or personal data for processing purposes.
Asset inventory, Retention policy & Access control policy
- Asset inventory: A log of all assets, along with details of the asset owner, storage location, type of data processed, retention period, security measures and who has access.
- Retention policy: This policy ensures that all personal data is retained and destroyed in line with the requirements of the GDPR.
- Access control policy: Rules and rights regarding access to the data which Refugee Employment Network holds on staff, volunteers, supporters, and beneficiaries.
Data breach notification procedure: The internal procedures and/or ICO notification required in the event of a breach of security leading to the accidental or deliberate destruction, loss, alteration, corruption or unauthorised disclosure of, or access to, personal data.
Subject Access Request (SAR) procedure: Any individual is entitled to request us to provide what personal data we hold / process on them. If so, we are required to provide them with their personal data, the purposes for which it is being processed and details of who has access to it.
1.5 Refugee Employment Network has notified the Information Commissioner that it is a data controller and that it processes certain information about data subjects. Refugee Employment Network has identified all the personal data that it processes and these are contained in Refugee Employment Network’s Asset Inventory.
1.6 The ICO ‘Data protection registration’ [Registration Number: ZB309446] is set up as an ongoing annual Direct Debit, renewing on 02 March each year. All registration communications and payment confirmations are sent by email to the Chair.
1.7 The Chair is responsible, each year, for reviewing the details of notification, in the light of any changes to Refugee Employment Network’s activities (as determined by changes to the Asset Inventory and the management review) and to any additional requirements identified by means of data protection impact assessments.
1.8 The policy applies to all staff, volunteers and other interested parties of Refugee Employment Network such as outsourced suppliers. Any breach of the GDPR will be dealt with under Refugee Employment Network’s disciplinary policy and with reference to the GDPR Individual User Agreement with staff and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.
2. Responsibilities under the GDPR
2.1 Refugee Employment Network is a data controller under the GDPR.
2.2 Senior Management and all those in managerial or supervisory roles throughout Refugee Employment Network are responsible for developing and encouraging good information handling practices within the organisation. Key GDPR responsibilities within Refugee Employment Network are as follows:
REN Coordinator: GDPR Coordinator
Responsible for day-to-day GDPR procedures and policies and is the first point of contact for staff and volunteers seeking clarification on data protection compliance.
Chair: Senior Information Rights Owner (SIRO)
Responsible for championing and advising on the organisation’s information risk policies and providing assurance to the board of trustees.
2.3 Refugee Employment Network is accountable to the Board of Trustees for the management of personal information within Refugee Employment Network and for ensuring that compliance with data protection legislation and good practice can be demonstrated. This accountability includes:
2.3.1 Development and implementation of systems to protect personal data as required by this policy;
2.3.2 Security and risk management in relation to compliance with the policy.
2.4 Compliance with data protection legislation is the responsibility of all members of Refugee Employment Network who process personal information.
2.5 Supporters, donors and other interested parties are responsible for ensuring that any personal data supplied by them, and that is about them, to Refugee Employment Network is accurate and up-to-date wherever possible.
3.1 All staff and volunteers are required to complete the online GDPR training course and pass a competency test on ‘Atlas’, Refugee Employment Network’s HR system. New staff and office volunteers who access data are required to complete the online training in the GDPR as soon as is practical.
3.2 The HR department is responsible for organising relevant training for staff and volunteers and for maintaining records of attendance, completion and assessment pass rates.
3.3 Training is an on-going requirement so the GDPR Coordinator will ensure that staff and any training materials / requirements are kept up to date.
3.4 Refugee Employment Network ensures that those with day-to-day responsibility for personal data are able to demonstrate compliance with the GDPR and good practice.
3.5 All staff and volunteers must understand their responsibility to ensure that personal information is protected and processed in accordance with Refugee Employment Network’s procedures, taking into account any related security requirements.
4. Risk Assessment
Objective: To ensure that Refugee Employment Network is aware of any risks associated with the processing of particular types of personal information.
Refugee Employment Network assesses the level of risk to individuals associated with the processing of their personal information. Assessments will also be carried out in relation to processing undertaken by other organisations on behalf of Refugee Employment Network. Refugee Employment Network shall manage any risks which are identified by the risk assessment in the Asset Inventory in order to reduce the likelihood of a non-conformance with this policy.
Where a type of processing, in particular using new technologies and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the “rights and freedoms” of natural persons, Refugee Employment Network shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
Where it is clear that Refugee Employment Network is about to commence processing of personal information that could cause damage and/or distress to data subjects, the decision as to whether or not Refugee Employment Network may proceed must be escalated for review to the Chair. The Chair shall, if there are significant concerns, either as to the potential damage or distress, or the quantity of data concerned, escalate the matter to the Information Commissioner’s Office.
Appropriate controls will be selected to reduce the level of risk associated with processing individual data to an acceptable level, by reference to Refugee Employment Network’s documented risk acceptance criteria, the requirements of the GDPR and the advice given by the Chair.
5. Data protection principles
All processing of personal data must be done in accordance with the following data protection principles.
5.1 Personal data must be processed lawfully, fairly and transparently.
5.2 Personal data must be adequate, relevant and limited to what is necessary for processing.
5.2.1 Refugee Employment Network is responsible for ensuring that information, which is not strictly necessary for the purpose for which it is to be obtained, is not collected.
5.2.2 If data is given or obtained that is excessive or not specifically required by Refugee Employment Network’s documented procedures, we are responsible for ensuring that it is securely deleted or destroyed in line with this policy.
5.3 Personal data must be accurate and kept up to date.
5.3.1 Data that is kept for a long time must be reviewed and updated as necessary. No data should be kept unless it is reasonable to assume that it is accurate.
5.3.2 Staff, supporters, donors and volunteers should notify Refugee Employment Network of any changes in circumstance to enable personal records to be updated accordingly. Refugee Employment Network will make every effort to ensure records are accurate, but cannot be held responsible for inaccurate data if the data subject has not made reasonable effort to inform the organisation. It is the responsibility of Refugee Employment Network to ensure that any notification regarding change of circumstances is noted and acted upon.
5.3.3 Refugee Employment Network is responsible for ensuring that appropriate additional steps are taken to keep personal data accurate and up to date, taking into account the volume of data collected, the speed with which it might change and any other relevant factors.
5.3.4 Refugee Employment Network will regularly review all the personal data maintained, as referenced in the Asset Inventory, and will identify any data that is no longer required in the context of the registered purpose and will arrange to have that data securely deleted / destroyed. Records will be kept to ensure this process is demonstrable. Refugee Employment Network, however, reserves the right to keep data that it may require to defend a legal claim.
5.3.5 Where third-party organisations may have been passed inaccurate or out-of-date personal information, Refugee Employment Network is responsible for making appropriate arrangements for informing them that the information is inaccurate and/or out-of-date and is not to be used to inform decisions about the individuals concerned; and for passing any correction to the personal information to the Processor or Sub-Contractor where this is required.
5.4 Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing.
5.4.1 Where personal data is retained beyond the processing date, it will be anonymised or otherwise encrypted in order to protect the identity of the data subject in the event of a data breach.
5.4.2 Personal data will be retained in line with the Retention Policy and will be reviewed every two years. Refugee Employment Network accepts that ‘Consent’ from data subjects to receive marketing and fundraising messages is not permanent and will be reviewed. Refugee Employment Network is committed to upholding the rights and freedoms of data subjects and makes every effort possible to be clear and transparent about the reasons for processing data.
5.4.3 Refugee Employment Network must specifically approve any data retention that exceeds the retention periods, and must ensure that the justification is clearly identified and in line with the requirements of the data protection legislation. This approval must be written.
5.4.4 Refugee Employment Network accepts that there may be other times where the personal data that it holds on supporters and its customers may be deleted. They are acknowledged as:
- The data is no longer necessary for the purpose for which it was collected.
- The data subject has withdrawn Consent.
- The data subject’s rights override the Legitimate Interests of Refugee Employment Network.
- The data subject has objected to marketing or other communications and Refugee Employment Network has decided to stop such messages even if its Legitimate Interests were proven to be valid and had not infringed the rights and freedoms of the subject or subjects in question.
- Where unlawful processing had been identified.
- Where there was a legal obligation on Refugee Employment Network but this has now ceased.
- Where there was an instruction from a joint Controller.
- This is not an exhaustive list and will be regularly reviewed by Refugee Employment Network.
5.5 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
5.5.1 These controls have been selected on the basis of identified risks to personal data, and the potential for damage or distress to individuals whose data is being processed.
5.5.2 Refugee Employment Network’s compliance with this principle is contained in its Information Security Policy. Security controls will be subject to audit and review on a regular basis.
6. Data subjects’ rights
6.1 Data subjects have the following rights regarding data processing, and the data that is recorded about them:
6.1.1 To make subject access requests regarding the nature of information held and to whom it has been disclosed.
6.1.2 To prevent processing likely to cause damage or distress.
6.1.3 To prevent processing for purposes of direct marketing.
6.1.4 To be informed about the mechanics of any automated decision-taking process that will significantly affect them.
6.1.5 Not to have significant decisions that will affect them taken solely by automated process.
6.1.6 To sue for compensation if they suffer damage by any contravention of the GDPR.
6.1.7 To take action to rectify, block, erase, including the right to be forgotten, or destroy inaccurate data.
6.1.8 To request the ICO to assess whether any provision of the GDPR has been contravened.
6.1.9 The right for personal data to be provided to them in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another controller.
6.1.10 The right to object to any automated profiling without consent.
6.2 Subject Access Request
Data subjects may make data access requests as described in The Subject Access Request Procedure; this procedure also describes how Refugee Employment Network will ensure that its response to the data access request complies with the requirements of the Regulation.
Data Subjects who wish to complain to Refugee Employment Network about how their personal information has been processed may lodge their complaint directly with the REN Coordinator.
7. Consent and other conditions that Refugee Employment Network will use to process data
Refugee Employment Network understands ‘consent’ to mean an explicitly and freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The consent of the data subject can be withdrawn at any time.
Refugee Employment Network understands ‘consent’ to mean that the data subject has been fully informed of the intended processing and has signified their agreement, while in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing. There must be some active communication between the parties which demonstrates active consent. Consent cannot be inferred from non-response to a communication. For sensitive data, explicit written consent of data subjects must be obtained unless an alternative legitimate basis for processing exists.
In most instances consent to process personal and sensitive data is obtained routinely by Refugee Employment Network using standard consent documentation.
We will be processing data wherever and whenever we believe it is lawful but always in accordance with the GDPR Article 6.
7.1 Legitimate Interest – Article 6 section (f)
Refugee Employment Network is a national development charity. The aims and objectives of Refugee Employment Network are:
- The relief of unemployment and underemployment of Beneficiaries, by: a. the provision of effective vocational and skills training, advice and support, both to Beneficiaries and, more commonly, the third parties with which they come into contact, including without limitation local authorities, central government departments, non-governmental organisations, prospective employers and charities; b. the provision of advice and guidance to employers seeking to train and recruit Beneficiaries; and c. the dissemination, to local authorities, central government departments, non-governmental organisations, prospective employers, charities and any other relevant organisation, of guidance and best practice regarding employment and self-employment as they affect Beneficiaries;
- To advance the education and training of Beneficiaries and in each case their dependants, so as to advance them in life and enable them to adapt and thrive within a new community.
- To advance the education of employers and the general public around issues relating to Beneficiaries, in order to better enable such Beneficiaries to build their lives in the United Kingdom.
- To relieve financial hardship amongst Beneficiaries, particularly by the provision of legal and practical advice and guidance relating to employment and self-employment.
- The relief of unemployment generally, in each case for the public benefit.
- "Beneficiaries" means (a) individuals who have at any time been granted legal refugee status in any country who are resident in the United Kingdom, (b) individuals granted leave to remain in the United Kingdom having fled conflict, persecution or any other actual or potential humanitarian crisis in another country, (c) to the extent such individuals are permitted to work in the United Kingdom, those seeking asylum in the United Kingdom, and (d) individuals who hold British citizenship but who have met one or more of these criteria in the past.
Our Legitimate Interest is to raise funds to continue our important work, to complete existing obligations to which we are committed and to extend our work to new projects. We require financial income to fund infrastructure such as our office overheads and staff costs for administrative purposes. The bulk of the monies we generate however are spent on the beneficiaries of our organisation. Our income is generated by means of fundraising, but it could also be events, educational courses, retailing goods and services and research projects.
We will pursue our Legitimate Interest whenever we see it is applicable unless it overrides the fundamental rights and freedoms of any data subjects for whom we may retain personal data or may obtain personal data for in the future. Examples of where we believe our interests may be overridden are if our interests cause inconvenience, annoyance or intrusion. Our Legitimate Interest is also overridden if a subject complains or objects to our fundraising or marketing efforts. Should it be deemed that our Legitimate Interest does override the rights and freedoms of the data subject or data subjects in question, we will not use our Legitimate Interest to pursue our aims and objectives with those particular and identifiable data subjects. We will also uphold the data subject’s other rights in the GDPR such as the Right to be Forgotten or the right to be Restricted and others.
If it can be demonstrated that our Legitimate Interest does not override the rights and freedoms of those data subjects with which it may have in the past, we may resume and further pursue our Legitimate Interest in the future. This will only ever be done after careful consideration and consultation with the Chair and in some cases the Supervisory Authority (ICO) according to the GDPR, Prior Consultation Article 36.
We reserve the right to pursue our Legitimate Interest with any data subject who may in the future either make a donation, leave us a legacy or major gift, purchase a ticket from us, engage in an educational project or be involved in a research program, that we believe may be able to help us fulfil our aims and objectives as an organisation. We will do this using all lawful conditions available to us and within the GDPR. Refugee Employment Network will document all aspects relating to our Legitimate Interest (and all other conditions described in Article 6 of the GDPR) and it will be continuously assessed to ensure that it remains valid and legitimate.
7.2 Necessary for Contract – Article 6 section (b)
From time to time we will use Article 6 section b to lawfully process the data of subjects. Mostly, this will be when a data subject has purchased a ticket from us and we believe that a legally binding contract has been established, for example attending an event. The purpose of the processing will be to uphold that contract and fulfil our obligations to the customer or supporter. We will ensure that the customer or supporter’s rights under the Sale of Goods Act are upheld, but regardless of this, their rights and freedoms will always be considered first whenever we may process their data.
We will process the data of subjects when they purchase an activity from us only where it relates to that ticket purchase or similar activity we consider relevant. We will not market or promote unrelated events or activities and will not fundraise to that data subject, promote events or educational projects to that subject unless we have a Legitimate Interest to do so.
Our intentions will be clearly explained in our privacy notices issued at the time. We will write specific notices relating to each condition we may rely upon under Article 6 of the GDPR. We will uphold the rights and freedoms of data subjects at all times but especially if they object to our processing. We will only ever rely upon disproportionate effort to not comply with a data subject’s wishes when it is absolutely necessary.
We fully understand our obligations under the Privacy and Electronic Communications Regulation (PECR) in this respect. Our social media initiatives/marketing will be reviewed upon issue of an updated and revised version of the PECR. Until then we will take every reasonable effort to ensure the identity of data subjects is carefully protected when we use social media as channels to promote the aim and objectives of our organisation.
We may from time to time use other conditions under Article 6 of the GDPR that we see are lawful and fair. We see that it is lawful to use any of the six conditions for processing data and we reserve the right to do so as long as it does not infringe the rights of data subjects for whom we hold personal data. We undertake to stop processing data should the data subject object, wish to be forgotten, wish for their data to be restricted or if the purpose for which the data was collected is no longer valid. We reserve the right to change the condition for processing data if we see fit.
8. Security of data
All staff are responsible for ensuring that any personal data which Refugee Employment Network holds and for which they are responsible, is kept securely and is not under any conditions disclosed to any third party unless that third party has been specifically authorised by Refugee Employment Network to receive that information and has entered into a confidentiality agreement and a data processor contract.
All personal data should be accessible only to those who need to use it, and access may only be granted in line with the Access Control Policy. Refugee Employment Network has carefully considered the sensitivity and value of the information in question. Therefore it has been decided that personal data will be kept:
- If paper based, in a lockable room with controlled access.
- If computerised, password protected in line with Refugee Employment Network’s policies. Care must be taken to ensure that PC screens and terminals are not visible except to authorised staff of Refugee Employment Network.
- Paper records may not be left where they can be accessed by unauthorised personnel and may not be removed from business premises without explicit written authorisation.
- Personal data may only be deleted or disposed of in line with the Data Retention Policy. Manual records that have reached their retention date are to be shredded and disposed of as ‘confidential waste’ by an approved data processor. Hard drives of redundant PCs are to be removed and immediately destroyed before disposal.
- Processing of personal data ‘off-site’ presents a potentially greater risk of loss, theft or damage to personal data. Staff must be specifically authorised to process data off-site.
9. Rights of access to data
Data Subjects have the right to access any personal data (i.e. data about them) which is held by Refugee Employment Network in electronic format and manual records which form part of a relevant filing system. This includes the right to inspect confidential personal references received by Refugee Employment Network, and information obtained from third-party organisations about that person.
10. Disclosure of data
Refugee Employment Network must ensure that personal data is not disclosed to unauthorised third parties which includes family members, friends, government bodies, and in certain circumstances, the Police. All staff should exercise caution when asked to disclose personal data held on another individual to a third party. It is important to bear in mind whether or not disclosure of the information is relevant to, and necessary for, the conduct of Refugee Employment Network’s business.
The GDPR permits certain disclosures without consent so long as the information is requested for one or more of the following purposes:
- to safeguard national security;
- prevention or detection of crime including the apprehension or prosecution of offenders;
- assessment or collection of tax duty;
- discharge of regulatory functions (includes health, safety and welfare of persons at work);
- to prevent serious harm to a third party;
- to protect the vital interests of the individual; this refers to life and death situations.
All requests to provide data for one of these reasons must be supported by appropriate paperwork and all such disclosures must be specifically authorised.
11. Retention and disposal of data
Personal data may not be retained for longer than it is required. Refugee Employment Network fully understands its obligations under the GDPR to securely delete data no longer required for the purpose it was collected, or where a data subject has required to be forgotten. However, it reserves the right under the GDPR to retain the data in an encrypted form should it require the data for a legal purpose or reason or for research purposes. Refugee Employment Network fully understands that to contact the data subject for any reason other than these would be a breach of data protection and an infringement of that data subject’s rights and freedoms. Refugee Employment Network’s Data Retention and Secure Disposal Procedures will apply in all cases.
12. Disposal of records
Personal data must be disposed of in a way that protects the “rights and freedoms” of data subjects (e.g. shredding, disposal as confidential waste, secure electronic deletion) and in line with our Information Systems policy.