Data Management Policy

Context and overview

Key details: 

• Policy prepared by: Jason Jones-Hall, (Director)

• Approved by board/management 

• Policy became operational on: 1 January 2021

• Next review date: 1 April 2022

Introduction

Five10Twelve Ltd needs to gather and use certain information about individuals. These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact. This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards – and to comply with the law.

Why this policy exists

This data management policy ensures Five10Twelve Ltd 

• Complies with data protection law and follows good practice 

• Protects the rights of customers, staff and partners 

• Is transparent about how it stores and processes individuals’ data 

• Protects itself from the risks of a data breach

Data protection law

The UK General Data Protection Regulation (UKGDPR) applies in the UK from January 2021. It requires personal data shall be: 

1. Processed lawfully, fairly and in a transparent manner in relation to individuals; 

2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes; 

3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; 

4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; 

5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by GDPR in order to safeguard the rights and freedoms of individuals; 

6. Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. 

7. The controller shall be responsible for, and be able to demonstrate, compliance with the principles.

Who? People and responsibilities


Everyone at Five10Twelve Ltd contributes to compliance with UKGDPR. Key responsibilities of the Directors include:

  • Keeping senior management and board updated about data protection issues, risks and responsibilities 
  • Documenting, maintaining and developing the organisation’s data protection policy and related procedures, in line with agreed schedule
  • Embedding ongoing privacy measures into corporate policies and day-to-day activities, throughout the organisation and within each business unit that processes personal data. The policies themselves will stand as proof of compliance.
  • Dissemination of policy across the organisation, and arranging training and advice for staff
  • Dealing with subject access requests, deletion requests and queries from clients, stakeholders and data subjects about data protection related matters
  • Checking and approving contracts or agreements with third parties that may handle the company’s sensitive data
  • Ensuring all systems, services and equipment used for storing data meet acceptable security standards
  • Performing regular checks and scans to ensure security hardware and software is functioning properly
  • Evaluating any third party services the company is considering using to store or process data, to ensure their compliance with obligations under the regulations
  • Developing privacy notices to reflect lawful basis for fair processing, ensuring that intended uses are clearly articulated, and that data subjects understand how they can give or withdraw consent, or else otherwise exercise their rights in relation to the companies use of their data
  • Ensuring that audience development, marketing, fundraising and all other initiatives involving processing personal information and/or contacting individuals abide by the UKGDPR principles

Data Protection Officer (DPO) – the person responsible for fulfilling the tasks of the DPO in respect of Five10Twleve Ltd is Jason Jones-Hall, Director. Tasks of the DPO include:

  • To inform and advise the organisation and its employees about their obligations to comply with the UKGDPR and other data protection laws
  • To monitor compliance with the UKGDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits
  • To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, stakeholders, participants etc)

Scope of personal information to be processed

Scope of personal information to be processed may vary from project to project, depending on the requirements of the funders, clients, stakeholders etc, but may include – for example:

  • Names of individuals
  • Postal addresses of individuals
  • Email addresses
  • Telephone numbers
  • Online identifiers
  • Data specific to the project for evaluation purposes

Data collection

Data may be collected from a variety of sources, including but not limited to:

  • Forms/surveys (online, by phone, in person)
  • Online event attendee data – including registrations, live attendee data (e.g. webinars, Zoom)
  • Other forms or formats to be discussed and agreed with stakeholders at project inception and with relevant and appropriate safeguarding and risk mitigation measures

Data storage

Data will be stored on secure, UK-based servers. In any and all cases, Five10Twelve will ensure that the data collection is: 

  • Relevant to the purpose
  • Not excessive
  • Up-to-date
  • Not kept for longer than is necessary
  • Lawful
  • Collected with dated, evidenced and informed consent

Consent

Consent shall be on the basis of ‘soft opt-in’ by default, unless otherwise discussed and agreed during project inception. Soft opt-in consent shall include at all times: 

  • Notification statement detailing the intended use of personal information given at the point of collection
  • Opportunity for users/participants to opt-out by default, with an active opt-in consent option
  • Opportunity for users/participants to unsubscribe with every following communication

Privacy Impact Assessments

Where data collection and processing is likely to result in a high risk to individuals, Five10Twelve will conduct a Data Protection Impact Assessment (DPIA) using the Information Commissioner’s Office (ICO) DPIA Template. Each DPIA must: 

  • Describe the nature, scope, context and purposes of the processing;
  • Assess necessity, proportionality and compliance measures;
  • Identify and assess risks to individuals; and
  • Identify any additional measures to mitigate those risks. 

We consider carrying out a DPIA in any major project involving the use of personal data.

Requirement for DPIA is assessed according to the following screening checklist:

We consider whether to do a DPIA if we plan to carry out any other:

  • evaluation or scoring;
  • automated decision-making with significant effects;
  • systematic monitoring;
  • processing of sensitive data or data of a highly personal nature;
  • processing on a large scale;
  • processing of data concerning vulnerable data subjects;
  • innovative technological or organisational solutions;
  • processing that involves preventing data subjects from exercising a right or using a service or contract.

We always carry out a DPIA if we plan to:

  • use systematic and extensive profiling or automated decision-making to make significant decisions about people;
  • process special-category data or criminal-offence data on a large scale;
    systematically monitor a publicly accessible place on a large scale;
  • use innovative technology in combination with any of the criteria in the UKGDPR guidelines;
  • use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit;
  • carry out profiling on a large scale;
  • process biometric or genetic data in combination with any of the criteria in the UKGDPR guidelines;
  • combine, compare or match data from multiple sources;
  • process personal data without providing a privacy notice directly to the individual in combination with any of the criteria in the UKGDPR guidelines;
  • process personal data in a way that involves tracking individuals’ online or offline location or behaviour, in combination with any of the criteria in the UKGDPR guidelines;
  • process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them;
  • process personal data that could result in a risk of physical harm in the event of a security breach.

We carry out a new DPIA if there is a change to the nature, scope, context or purposes of our processing.

If we decide not to carry out a DPIA, we document our reasons.

Data Sharing

Data Sharing agreements will be put in place where necessary with any and all third party organisations on a project-by-project basis, including details of the specific aims of the data sharing agreement, why data sharing is necessary to achieve these aims and the benefits we hope to bring to individuals or to society more widely. 

Requests by third parties to share data should be recorded, including all necessary safeguarding and risk mitigation, and should include the following as a minimum: 

  • Name of organisation
  • Name and position of person requesting data
  • Date of request
  • Description of data requested
  • Data controller relationship (joint/separate)
  • Purpose of sharing
  • Does processing involve any special category data (or sensitive processing under DPA 2018)?
  • Are there any specific arrangements for retention/deletion of data?
  • Are there any circumstances in the proposed sharing that might result in a risk to individuals? 
  • Date(s) provision of data is required

Decisions to share data and the reasons for doing so will be recorded using ICO data sharing decision form templates

Security Measures

Five10Twelve has established appropriate measures to protect personal information and data stored from breach, including: 

  • Dedicated boundary firewall protecting the company network
  • Strong password protection on all devices
  • Two factor authentication on all high risk accounts and services
  • Access to data controlled through named administrator accounts and privileges
  • Up-to-date anti malware measures
  • All devices, software and apps automatically updated and patched

Subject access requests

Five10Twelve recognises that all individuals who are the subject of data held by the company are entitled to: 

  • Ask what information the company holds about them and why
  • Ask how to gain access to it
  • Be informed how to keep it up to date
  • Be informed how the company is meeting its data protection obligations

All subject access requests should be directed to data@fivetentwelve.com and will be handled by the Data Protection Officer. Contact details and access to the company data protection policy will be clearly identified in any and all data capture forms, requests and company websites. 

Right to Erasure

A data subject right to erasure request is a written or verbal request for personal information (known as personal data) held about an individual by Five10Twelve. Data subjects have the right to have their personal data erased if: 

  • The controller no longer needs the data for the purpose that it was originally collected; 
  • The individual withdraws consent; 
  • The individual objects to the processing and the organisation has no overriding legitimate interest in the data; 
  • The controller or processor collected the data unlawfully; 
  • The data must be erased to comply with a legal obligation; or 
  • The data was processed in relation to the offer of information society services to a child. 

Five10Twelve can refuse to comply with a request for erasure if: 

  • The processing is protected by the right to freedom of expression; 
  • Processing the data is necessary to comply with a legal obligation for the performance of a public interest task or exercise of official authority; 
  • The data is for health purposes in the public interest; 
  • The data is being used for archiving purposes in the public interest, scientific or historical research, or statistical purposes; or 
  • The processing is necessary to exercise or defend legal claims. 

Five10Twelve can also refuse to comply with a request for erasure if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. If we consider that a request is manifestly unfounded or excessive we reserve the right to request a “reasonable fee” to deal with the request or refuse to deal with the request. 

Right to erasure requests should be directed to the Data Protection Officer at data@fivetentwelve.com 

What do we do when we receive a valid right to erasure request? 

We will first check that we have enough information to be sure of your identity. Usually we will have no reason to doubt a person’s identity. However, in rare cases we may request additional evidence we reasonably need to confirm your identity. We do this to ensure that the correct data will be identified for erasure. We will then check that we have enough information to find the records you requested for erasure. If we feel we need more information, then we will promptly ask you for this. 

Next, we will conduct a full search of all our relevant databases and filing systems and locate all data relevant to the data subject. We will identify all third-party processors that may also have the personal data and instruct them to completely remove the data from their environments and confirm erasure. At this point we remove the personal data from our digital and physical environments. 

Finally, we will respond to the data subject to confirm data erasure from our environment and all associated third parties.

All valid right to erasure requests, accompanied by valid proof of identity, received by Five10Twelve will be dealt with within 30 days of the latest of the following: 

  • Our receipt of your request; or 
  • Our receipt of any further information we may ask you to provide to enable us to comply with your request.

Privacy Notices

Five10Twelve aims to ensure that individuals are aware that their data is being processed, and that they understand: 

  • Who is processing their data 
  • What data is involved 
  • The purpose for processing that data 
  • The outcomes of data processing 
  • How to exercise their rights. 

To these ends the company has a privacy statement, setting out how data relating to these individuals is used by the company.