Policy Prepared by: Ayushman Kaul (Chief Data Protection Officer)
Approved by board/management on: 19.01.2018
Policy operational on: 20.01.2018
Next Review Date: 20.04.2018
The International Observatory of Human Rights needs to gather and use certain information about individuals.
These individuals can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
The policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards – and to comply with the law.
AIMS AND REASONING
This data protection policy ensures that The International Observatory of Human Rights
• Complies with data protection law and adheres to standards of good practice
• Protects the rights of staff, sponsors and partners
• Is open about how it stores and processes individuals' data
• Protects itself from the risks of a data breach
WHO THIS POLICY APPLIES TO
This policy applies to the general public, our guests, sponsors and partners. All employees of IOHR working in our office and studio are required to adhere to it. It protects the personal data of our data subjects, who include our members, supporters, volunteers, employees and the people that we help.
The Data Protection Act 1998 describes how organisations, including the International Observatory of Human Rights, must collect, handle and store personal information. Consequently, IOHR has implemented processes and procedures to ensure that we comply with the Act. All employees, office staff and volunteers are responsible for following this policy and the agreed processes and procedures.
The eight principles of the Act require that:
1. Personal data shall be processed fairly and lawfully
2. Personal data shall only be processed for the purposes for which it was obtained
3. Personal data shall be adequate, relevant, and not excessive in relation to its purpose
4. Personal data shall be accurate and kept up to date
5. Personal data shall not be kept for longer than is necessary
6. Personal data shall be processed in accordance with the rights of Data Subjects
7. Appropriate technical and organisational measures shall be taken against unlawful processing or accidental loss
8. Personal data shall not be transferred outside the European Economic Area (EEA) unless the country has equivalent data protection standards
IOHR has implemented appropriate physical, technical and organisational measures and controls to ensure that the personal information that we process is secure, accurate and up to date. We only keep personal information for as long as is reasonable and necessary.
Additionally, we provide data protection guidance and training for our employees and volunteers so that they are aware of their data protection responsibilities. This is provided when they join us and subsequently once a year as refresher training.
DATA PROTECTION RISKS
This policy helps to protect the International Observatory of Human Rights from some very real data security risks, including:
• Breaches of Confidentiality – Information being given out inappropriately
• Reputational Damage – The organisation could suffer if hackers successfully gained access to sensitive data
• Leaking of Video Content – Third parties using the interviews and video material produced by the International Observatory without our express consent.
GENERAL STAFF GUIDELINES
• The only people able to access data covered by this policy should be those who need it for their work.
• Data should not be shared in an informal manner. When access to confidential information is required, employees can request access from their supervisor.
• The International Observatory of Human Rights will provide training to all employees to help them understand their responsibilities when handling data.
• Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
• It is the responsibility of each employee to utilise a strong password which must never be shared.
• Personal data collected by the organisation must not be disclosed to unauthorised people, either within the company or externally.
• Data should be regularly reviewed and updated if it is found to be out of date. If the data is no longer required, it should be deleted and disposed of immediately.
• Employees should request help from their supervisor or the data protection officer if they are unsure about any aspect of data protection.
DATA STORAGE PRACTICES
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT manager or Data Controller and, in exceptional cases, to an employee's direct supervisor.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
The following guidelines are also applicable to data that is usually stored electronically but has been printed out for any reason:
• When not required, the paper or files should be kept in a locked drawer or filing cabinet.
• Employees should make sure that paper and printouts are not left where unauthorised people could see them, for example on a printer.
• Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
• Data should be protected by strong passwords that are changed regularly and never shared between employees.
• If data is stored on removable media (such as a CD, DVD or removable hard drive), the media should be kept locked away securely when not in use.
• Data should only be stored on designated drives and servers, and should only be uploaded to approved cloud computing services.
• Servers containing personal data should be sited in a secure location, away from the general office space.
• Data should be backed up every week. Those backups should be tested regularly, in line with IOHR’s standard backup procedures. This process will be overseen by the Data Protection Officer.
• Data should never be saved directly to laptops or other mobile devices like tablets or smart phones unless under explicit guidance from the Data Protection Officer.
• All servers and computers containing data should be protected by approved security software and a firewall.
USE OF DATA
We may use the personal information that we collect to:
• Provide our members, supporters, and the people that we help with the services, products or information that they ask for
• Provide our members, supporters, and the people that we help with information about us and the work that we do, including fundraising and campaigns
• Administer membership payments, donations and other financial transactions, including processing gift aid
• Keep a record of our relationships with members, supporters and the people that we help
• Manage supporters and members’ marketing and communication preferences
• Target online advertising effectively, reaching people who share similar interests and characteristics to our supporters
• Undertake equal opportunities monitoring
• Undertake ethical screening to inform decision-making regarding the solicitation, acceptance and refusal of donations and any other partnerships that IOHR might enter
We may share your information with social media providers to help us ensure our posts reach individuals that are likely to be interested in them, saving us money and helping us to achieve the greatest impact.
We may analyse or hire the services of third parties to analyse supporters’ personal information. This may involve carrying out research on the number and characteristics of supporters that live in particular areas, their interests and behaviours. This helps us to gain a better understanding and create profiles of interests and preferences, so that we can improve our marketing, communications and service, contacting supporters with information that is relevant to them. We will never sell the personal data of our members, supporters, the people that we help, volunteers or employees.
We will never share personal data with organisations outside of IOHR for their own use unless we have prior consent to do so or are required to do so by law. Where we need to use third party organisations to process personal data on our behalf, for example a mailing house, we will put in place a contract with the company to ensure that the data is properly protected and treated in accordance with the Act.
If we transfer personal information to countries or jurisdictions which may not provide the same level of data protection as the UK, we will comply with our legal obligations as a data controller under the Act.
We will put in place a contract with the company that we transfer the information to in order to ensure that the data is properly protected.
We respect the privacy of our members, supporters and volunteers and their right to decide how and if the International Observatory of Human Rights contacts them. Those within the general public are able to choose how they want to hear from us, and if they ask us not to contact them we won’t, unless it is a legal or administrative requirement to do so. Anyone may inform us of changes to their personal information or request more detail about the personal information that we hold and how we use it by calling the Supporter Communications Team on +4407340794920 or emailing [email protected]
DEFINITIONS
‘Personal information’ includes personal and sensitive personal data. It is information which identifies a living individual.
A ‘Data Subject’ is someone whose personal information we hold and process, for example, a supporter or member.
‘Processing’ includes the concepts of obtaining, holding, recording, retrieval, consultation and disclosure.
‘The Principles’ are the rules that must be followed when processing personal information in order to comply with the Data Protection Act 1998.
A ‘Data Controller’ is an organisation which determines the purposes for which, and the manner in which, personal data is processed.
A ‘Data Processor’ is a third-party organisation, such as a mailing house, which IOHR uses to process personal data on its behalf.