Data Protection

Data Protection Policy

This policy applies to the registered office of Bristol Wireless and all volunteers operating on behalf of Bristol Wireless.

Policy prepared by: Steve Woods, Company Secretary.

Date approved by Management Committee:

Date policy due for review:

Purpose of policy

The purpose of this policy is to enable Bristol Wireless to:

• comply with the law in respect of the data it holds about individuals;
• follow good practice;
• protect Bristol Wireless' supporters, staff and other individuals;
• protect the organisation from the consequences of a breach of its responsibilities.

Personal data

This policy applies to information relating to identifiable individuals, even where it is technically outside the scope of the Data Protection Act, by virtue of not meeting the strict definition of ‘data’ in the Act.

Policy statement

Bristol Wireless will:

• comply with both the law and good practice;
• respect individuals’ rights;
• be open and honest with individuals whose data is held;
• provide training and support for staff and volunteers who handle personal data, so that they can act confidently and consistently.

Bristol Wireless recognises that its first priority under the Data Protection Act is to avoid causing

• harm to individuals. In the main this means:
• keeping information securely in the right hands; and
• holding good quality information.

Secondly, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, Bristol Wireless will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.

Key risks

Bristol Wireless has identified the following potential key risks, which this policy is designed to address:

• Breach of confidentiality (information being given out inappropriately);
• Insufficient clarity about the range of uses to which data will be put — leading to Data Subjects being insufficiently informed;
• Failure to offer choice about data use when appropriate;
• Breach of security by allowing unauthorised access;
• Failure to establish efficient systems of managing changes, resulting in personal data being not up to date;
• Harm to individuals if personal data is not up to date;
• Insufficient clarity about how volunteers’ personal data is being used, e.g. given out to the general public;
• Failure to offer choices about use of contact details for volunteers and members.

Management Committee

The Management Committee recognises its overall responsibility for ensuring that Bristol Wireless complies with its legal obligations.

Data Protection Officer

The Data Protection Officer is currently Peter Ferne, with the following responsibilities:

• Briefing the Management Committee on Data Protection responsibilities;
• Reviewing Data Protection and related policies;
• Advising other volunteers on Data Protection issues;
• Ensuring that Data Protection induction and training takes place;
• Notification;
• Handling subject access requests;
• Approving unusual or controversial disclosures of personal data.

Volunteers

All volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.

Enforcement

Breaches of this policy will be handled under Bristol Wireless' disciplinary procedure.

Communication with Data Subjects

Bristol Wireless has a privacy statement for Data Subjects, setting out how their information will be used. This will be available on request and a version of this statement is also posted on the Bristol Wireless website.

Communication with volunteers

Volunteers are required to sign a short statement indicating that they have been made aware of their confidentiality responsibilities.

Authorisation for disclosures not directly related to the reason why data is held

Where anyone within Bristol Wireless feels that it would be appropriate to disclose information in a way contrary to the data protection policy, or where an official disclosure request is received, this will only be done with the authorisation of the Data Protection Officer. All such disclosures will be documented.

Scope

This section of the policy only addresses security issues relating to personal data. It does not cover security of the building, business continuity or any other aspect of security.

Specific risks

Bristol Wireless has identified the following risks:

• Volunteers with access to personal information could misuse it.
• Volunteers could continue to be sent information after they have stopped working for Bristol Wireless, if their records are not updated promptly.
• Poor web site security might give a means of access to information about individuals once individual details are made accessible on line.
• Volunteers may be tricked into giving away information, either about supporters or colleagues, especially over the telephone, through “social engineering”;
• Physical loss of hardware and documentation containing personal data;

Accuracy

Bristol Wireless is moving towards a single database holding basic information for all contacts and volunteers.

Bristol Wireless will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:

• Systems will be designed, where possible, to encourage and facilitate the entry of accurate data;
• Data on any individual will be held in as few places as necessary, and all volunteers will be discouraged from establishing unnecessary additional data sets;
• Effective procedures will be in place so that all relevant systems are updated when information about any individual changes;
• Volunteers who keep more detailed information about individuals will be given additional guidance on accuracy in record keeping; and
• Take adequate measures to ensure that data is kept physically safe by storing such data on systems that are at risk of physical loss or theft and, if such data storage is unavoidable, to ensure that the physical security of such systems that may hold personal data is maximised at all times.

Retention period

Bristol Wireless will establish retention periods for at least the following categories of data:

• Members;
• Business contacts and users of services;
• Volunteers.

For all data related to financial matters, the legally required retention period is 6 (six) years.

Procedure for making a request

Subject access requests must be in writing (hard copy or email). All volunteers are required to pass on anything which might be a subject access request to the Data Protection Officer without delay.

Identity verification procedure

Where an individual making a subject access request is not personally known to the Data Protection Officer, their identity will be verified before handing over any information.

Commitment

Bristol Wireless is committed to ensuring that in principle Data Subjects are aware that their data is being processed and

• for what purpose it is being processed;
• what types of disclosure are likely; and
• how to exercise their rights in relation to the data.

Procedure

Data Subjects will generally be informed in the following ways:

• Volunteers: during volunteer induction;
• Members: upon joining;
• Customers, business contacts when purchasing/selling services or upon first contact during the normal course of business.

Underlying principles

Consent will normally not be sought for most processing of information about volunteers, with the following exception:

• Volunteers' details will only be disclosed for purposes unrelated to their work for Bristol Wireless (e.g. employment references) with their consent.

Information about volunteers will be made public according to their role and consent will be sought for (a) the means of contact they prefer to be made public and (b) any publication of information which is not essential for their role.

Information about members will only be made public with their consent.

Bristol Wireless will treat the following unsolicited direct communication with individuals as marketing:

• those seeking donations and other financial support;
• those promoting any Bristol Wireless services;
• those promoting events;
• those promoting membership;
• those promoting sponsored events and other fundraising exercises;
• marketing on behalf of any other external company or voluntary organisation.

Opting out

Whenever data is first collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be given a clear opt-out. If it is not possible to give a range of options, any opt-out which is exercised will apply to all Bristol Wireless marketing.

Sharing lists

Bristol Wireless has a policy of not sharing list data with outside bodies.

Electronic contact

Whenever e-mail addresses are collected, any future use for marketing will be identified and the provision of the address made optional.

Induction

All volunteers with access to any kind of personal data will have their responsibilities outlined during induction.

Continuing training

Bristol Wireless will provide opportunities for volunteers to explore Data Protection matters through training, meetings and supervision.

Appendix: Privacy statement

When you request information from Bristol Wireless, sign up to any of our services or buy things from us, Bristol Wireless obtains information about you. This statement explains how we look after that information and what we do with it.

We have a legal duty under the Data Protection Act to prevent your information falling into the wrong hands. We must also ensure that the data we hold is accurate, adequate, relevant and not excessive.

Normally the only information we hold comes directly from you. Whenever we collect information from you, we will make it clear which information is required in order to provide you with the information, service or goods you need. You do not have to provide us with any additional information unless you choose to. We store your information securely on our computer system, we restrict access to those who have a need to know, and we train our staff in handling the information securely.

We would also like to contact you in future to tell you about other services we provide and ways in which you might like to support Bristol Wireless. You have the right to ask us not to contact you in this way. We will always aim to provide a clear method for you to opt out. You can also contact us directly at any time to tell us not to send you any future marketing material.

You have the right to a copy of all the information we hold about you (apart from a very few things which we may be obliged to withhold because they concern other people as well as you). To obtain a copy, either ask for an application form to be sent to you, or write to the Data Protection Officer at Bristol Wireless. There is a charge of £10 for a copy of your data, as permitted by law. We aim to reply as promptly as we can and, in any case, within the legal maximum of 40 days.

_(For the web site, additional information is usually included. This would cover:

Does the web site collect IP addresses, and if so does it link them to the individual in order to track their future visits? Does the web site set any cookies, and if so what are they used for?)_