| “Data Protection Legislation” | means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (EC Directive) Regulations 2003 (SI 2426/2003 as amended), and all applicable laws and regulations, including any replacement UK or EU data protection legislation relating to the processing of personal data, including, where applicable, the guidance and codes of practice issued by the Information Commissioner’s Office (ICO). |
The Data Protection Legislation ("the Legislation") is concerned with the protection of human rights in relation to personal data. The aim of the Legislation is to ensure that personal data is used fairly and lawfully and that, where necessary, the privacy of individuals is respected. As part of regular business activities, We Are Open Co-op ("WAO") will collect, store, and process personal data about our members, clients, suppliers, and other third parties, and we recognise that the correct and lawful treatment of this data will maintain confidence in WAO. This policy sets out the basis on which we will process any personal data we collect from data subjects or that is provided to us by data subjects or other sources.
The Data Protection Officer ("DPO") is responsible for ensuring compliance with the Legislation and with this policy. The post is currently held by Doug Belshaw.
Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the DPO.
Personal data is defined as data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.
All personal data should be processed in accordance with the Legislation and this policy. Any breach of this policy may result in disciplinary action such as continued membership of WAO.
Processing includes obtaining, holding, maintaining, storing, erasing, blocking, and destroying data.
Personal data is data relating to a living individual. It includes employee data. It will not include data relating to a company or organisation, although any data relating to individuals within companies or organisations may be covered. Personal data can be factual (for example, a name, address, or date of birth) or it can be an opinion about that person, their actions, and behaviour.
Examples of personal data are employee details, including employment records, names and addresses, and other information relating to individuals, including supplier details, any third-party data, and any recorded information including any recorded telephone conversations, video calls, emails, or CCTV images.
The Secretary and members who process data on behalf of WAO should assume that whatever they do with personal data will be considered to constitute processing. Individuals should only process data:
The Secretary and members who process data on WAO’s behalf have a responsibility for processing personal data in accordance with the Legislation. Anyone who has responsibility for processing personal data must ensure that they comply with the data protection principles in the Legislation. These state that personal data must:
WAO is committed to ensuring that this data protection policy is put into practice and that appropriate working practices are being followed. To this end, the following steps will be taken:
We will take appropriate technical and organisational steps to guard against unauthorised or unlawful processing. Records will be stored on on the services mentioned below. Access to these records will be restricted to account holders with passwords only. Paper-based records relating to members, clients or suppliers will be kept secure in a locked cabinet. Access to these will be restricted to the Secretary. The privacy policies of each of the cloud-based applications used by WAO can be found as follows:
We will ensure that the Secretary and members who handle personal data are adequately trained and monitored.
Security policies and procedures will be regularly monitored and reviewed to ensure data is being kept secure.
Where personal data needs to be deleted or destroyed, adequate measures will be taken to ensure data is properly and securely disposed of. This will include the destruction of files and backup files and the physical destruction of manual files. Particular care should be taken over the destruction of manual sensitive data (written records), including shredding or disposing via specialist contractors.
All data will be stored in a secure location and precautions will be taken to avoid data being accidentally disclosed. Any agent employed to process data on our behalf will be bound to comply with this data protection policy by a written contract. Personal data stored on a laptop should be password protected.
The Legislation gives individuals certain rights to know what data is held about them and what it is used for. In principle, everyone has the right to see copies of all personal data held about them. There is also a right to have any inaccuracies in data corrected or erased. Data subjects also have the right to prevent the processing of their data for direct marketing purposes.
Any request for access to data under the Legislation should be made to the DPO in writing. In accordance with the Legislation, we will ensure that written requests for access to personal data are complied with within 30 days of receipt of a valid request.
When a written data subject access request is received, the data subject will be given a description of:
a) the personal data,
b) the purposes for which it is being processed,
c) those people and organisations to whom the data may be disclosed,
d) be provided with a copy of the information in an intelligible form.Sensitive data
No sensitive data will be requested, gathered, or stored by WAO unless explicitly necessary and consented to by the data subject.
We reserve the right to change this policy at any time. Where appropriate, we will notify data subjects of those changes by mail or email.