Information Security & Data Protection Policy
This policy seeks to ensure that Culture for Climate Scotland meets best practice in information security, data protection and all relevant legislation.
Our approach to information security & data protection
Culture for Climate Scotland (CCS) needs to collect, gather and use certain information about individuals. These individuals can include subscribers, supporters, suppliers, business contacts, employees and other people with whom the organisation has a relationship or may need to contact.
The information CCS collects and holds allows CCS to deliver on its charitable objectives. This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards and to comply with the law.
This policy ensures CCS:
- Complies with data protection law and follows good practice.
- Protects the rights of staff, supporters and partners.
- Is open about how it stores and processes individuals’ data.
- Protects itself from the risks of a data breach.
In addition, it helps to protect CCS from some very real data security risks, including:
- Breaches of confidentiality, ie information being given out inappropriately.
- Failing to offer choice, ie all individuals should be free to choose how the company uses data relating to them.
- Reputational damage, ie the company could suffer if hackers successfully gain access to sensitive data.
Legislation
The Data Protection Act 2018 controls how personal information is used by organisations, businesses or the government.
The six lawful bases for holding someone’s information are:
1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose (ie newsletters, marketing, recruitment and fundraising).
2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract (partners, venues, staff).
3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
4. Vital interests: the processing is necessary to protect someone’s life.
5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
6. Legitimate interests: the processing is necessary for using people’s data in ways they would reasonably expect, and which have a minimal privacy impact, or where there is a compelling justification for the processing.
To achieve our charitable objectives, CCS will hold data using 1, 2, 3 and 6 as our legal bases.
Principles
- CCS considers the promotion of information security measures to be a mutual objective for its trustees, management and staff at all levels. CCS will work to safeguard the security of information it holds in terms of personal privacy and organisational confidentiality, and endeavours to practise a policy of information security.
- CCS regards the protection of data belonging to its staff and the people it works with as being of prime importance. CCS will attempt to ensure that a high standard of data protection is maintained in the workplace in line with the Data Protection Act 2018, which is the UK’s implementation of the General Data Protection Regulation (GDPR), and other relevant legislation.
- CCS is committed to following the principles of data protection, which state that as an employee you have legal duties to ensure that personal data is:
  - Used fairly, lawfully and transparently.
  - Used for specified, explicit purposes.
  - Used in a way that is adequate, relevant and limited to only what is necessary.
  - Accurate and, where necessary, kept up to date.
  - Kept for no longer than is absolutely necessary.
  - Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.
  Note that there is stronger legal protection for more sensitive information, such as:
  - Race
  - Ethnic background
  - Political opinions
  - Religious beliefs
  - Trade union membership
  - Genetics
  - Health
  - Sexual life or orientation
  - Criminal records
- CCS will use a privacy notice to let contacts whose personal data we hold know:
  - Why we are requesting data (including the specific purpose for which we require the data).
  - What we are going to do with the data.
  - How we will protect the data.
  - How often we will ask the data owner if they wish CCS to retain or delete the data.
  - How the data owner can ask to see, correct or remove the data.
The privacy notice will constitute CCS’s legal basis for processing data – that is, by consent and for contractual purposes.
- Any contractual arrangement into which CCS enters that involves people or organisations outwith CCS being given access to the data CCS holds must require that such contractors comply with this policy.
- CCS will publish on the CCS website material that sets out our approach to information security and data protection, and we will ensure that GDPR-appropriate text is included in standard CCS document templates – for example, event sign-up sheets and employment contracts.
- Anyone working with or for CCS is required to report any identified risks to information security, whether immediate or long term, to their line manager. The line manager must respond within 10 working days with information about how the risk is being mitigated. If the matter is not resolved, it must then be reported to the convenor.
Responsibilities
Everyone who works for or with CCS has some responsibility for ensuring data is collected, stored and handled appropriately.
Each time personal data is handled, CCS staff must ensure that it is handled and processed in line with this policy and data protection principles.
However, the following groups have key areas of responsibility:
The board is ultimately responsible for ensuring that CCS meets its legal obligations.
The director is responsible for:
- Keeping the trustees updated about data protection responsibilities, risks and issues.
- Reviewing all data protection procedures and related policies, in line with an agreed schedule.
- Overseeing any contracts or agreements with third parties that may handle the company’s sensitive data.
The senior operations manager is responsible for:
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
- Performing regular checks and scans to ensure security hardware and software is functioning properly.
- Arranging data protection training and advice for the people covered by this policy.
- Handling data protection questions from staff and anyone else covered by this policy.
- Dealing with requests from individuals to see the data CCS holds about them (also called ‘subject access requests’).
- Working with our external IT partners to ensure data protection compliance is followed by them for our website, database and cloud-based services.
- Approving any data protection statements attached to communications such as emails and letters.
The communications manager is responsible for:
- Ensuring the necessary permissions are in place for any images used to promote CCS activity.
- Addressing any data protection queries from journalists or media outlets.
- Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
General staff guidelines
CCS grants its staff access to certain records on a ‘need-to-know’ basis, ie for HR processing (for ease of reference and clarity, ‘staff’ includes salaried employees and freelance consultants).
All staff must follow the CCS data protection principles, namely:
- Data must not be shared informally with anyone. When access to confidential information is required, staff must request access from their line managers.
- CCS will provide training to all staff to help them understand their responsibilities when handling data.
- All staff must keep all data secure, by taking sensible precautions and following this guidance:
  - Use strong passwords.
  - Do not disclose personal data to unauthorised people, either within the company or externally.
  - Regularly review data and update it if it is found to be out of date. If it is no longer required, it is appropriate for it to be deleted and disposed of.
  - Request help from the senior operations manager if unsure about any aspect of data protection.
Data use
Personal data is of no value to CCS unless the charity can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft, so staff are required to:
- Ensure, when working with personal data, that the screens of their computers are always locked when left unattended.
- Not share personal data informally; staff must access this information via the secure database.
- Never transfer personal data or give it to anyone outside of the organisation.
- Always access and update the central copy of any data and NOT save copies of personal data to their own computers.
Data accuracy
The GDPR requires CCS to take reasonable steps to ensure data is kept accurate and up to date. It is the responsibility of all staff who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data will be held in the centralised CRM to avoid duplication.
- CCS will make it easy for data subjects to update their information via the website and contact email address.
- Data will be updated as inaccuracies are discovered. For instance, if a contact can no longer be reached on their stored telephone number, it will be removed from the CRM.
CCS will operate a regular audit schedule to ensure that data held is current and accurate. Any data that the audit finds to be unnecessary for business purposes will be deleted immediately.
Subject access requests
All individuals who are the subject of personal data held by CCS are entitled to:
- Ask what information the company holds about them and why.
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Be informed how the company is meeting its data protection obligations.
- Request a copy of this information.
- Request the right to be forgotten.
Individuals may request, via email to [email protected], copies of the information CCS stores in electronic and paper form. CCS will not charge for these requests but reserves the right to charge a reasonable fee should the request be manifestly excessive or unfounded, particularly if it is repetitive. Requests should be made for the attention of the senior operations manager and, once the identity of the individual has been verified, CCS will aim to provide the relevant data within four weeks.
Data breach
In the unlikely event that CCS suffers a data breach, the charity undertakes to advise all affected individuals as quickly as possible as to what information has been taken and when.
Disclosing data for other reasons
In certain circumstances, the GDPR allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, CCS will disclose the requested data. However, CCS will ensure the request is legitimate, with the director seeking assistance from the trustees and the company’s legal advisers where necessary.
Providing information
CCS aims to ensure that individuals are aware that their data is being processed, and that they understand how the data is being used and how to exercise their rights.
To these ends, CCS has a privacy statement, setting out how data relating to individuals is used by the company. This statement will be added to the website as soon as possible.
Contact
If you have any questions regarding this policy, or other concerns over privacy, please email the senior operations manager at [email protected].