- INTRODUCTION
Pro Bono Community (“PBC”) holds personal data about its staff, trustees, trainees and volunteers as well as contact details we have for individuals at universities, advice agencies, law firms, chambers and other organisations.
This policy sets out how we protect personal data and ensure that staff and trustees understand the rules governing their use of personal data to which they have access in the course of their involvement with PBC.
This policy ensures that PBC meets the requirements of the General Data Protection Regulation (“GDPR”) which applies in the UK from 25 May 2018.
2. DEFINITIONS
Personal data |
Information relating to identifiable individuals, such as current and former volunteers, staff and trustees.
Personal data we gather may include: individuals’ contact details, educational background, details of certificates and diplomas, education and skills, nationality, job title, CV, volunteer activity logs, exam papers and bank details.
|
Sensitive personal data |
Personal data about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition.
Any use of sensitive personal data should be strictly controlled in accordance with this policy.
|
Data subject |
The person to whom personal data relates. This will be an individual rather than a company etc. |
Data processing |
Any operation(s) performed on (sets of) personal data, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
|
Consent of the data subject |
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. |
3. SCOPE
This policy applies to all staff and trustees of PBC. All staff and trustees must be familiar with this policy and comply with its terms.
We may amend this policy, or supplement it with additional policies and guidelines, from time to time. Any new or modified policies or guidelines will be circulated to staff and trustees before being adopted.
PBC’s Data Protection Manager (see section 4 below) has overall responsibility for the day-to-day implementation of this policy.
4. DATA PROTECTION MANAGER
PBC is not required by GDPR to have a Data Protection Officer. Trustees decided on April 23
rd 2018 to appoint instead a more informal Data Protection Manager (“DPM”) to take responsibility for data protection compliance.
Bill Skirrow is PBC’s DPM as of April 23
rd 2018.
The DPM’s responsibilities include:
- Conducting internal audits of data processing activities;
- Ensuring records of any high-risk processing activities are maintained;
- Keeping staff and trustees updated about data protection responsibilities, risks and issues;
- Reviewing data protection policies and procedures on a regular basis;
- Answering questions on data protection from staff and trustees and answering external queries;
- Ensuring data protection statements are attached to emails;
- Including reference to our Data Protection Policy on other marketing materials;
- Ensuring marketing initiatives adhere to data protection laws and this Data Protection Policy
- Responding to individuals such as volunteers who wish to know what data is being held on them by PBC;
- Conducting Data Protection Impact Assessments where required;
- Ensuring that robust internal personal data breach detection, investigation and reporting procedures are in place;
5. PERSONAL DATA WE HOLD
PBC conducted an information audit on 16
th May 2018 to document what personal data we hold, where it came from and who we share it with. As GDPR requires, we will now document the personal data we hold, where it came from and who we share it with by adding to and amending this information audit so that it is kept up to date.
6. LAWFUL PROCESSING
The
lawful basis for our processing of personal data in the GDPR is as follows:
Data subject |
Lawful basis |
Members of staff |
Consent; and
Necessary for the performance of a contract |
Trustees |
Consent |
Representatives of organisations who receive marketing and other communications about PBC’s activities and services |
Legitimate interests |
Individuals applying for or undertaking training and/or volunteering placements through PBC |
Legitimate interests; and
Necessary for the performance of a contract |
Alumni – individuals who have received training and/or volunteering placements through PBC |
Consent |
Our DPM has completed legitimate interest assessments (“LIA’s” in relation to the groups of data subject for whom our lawful basis for processing their personal data is legitimate interest. LIA’s are available on request by contacting the Data Protection Manager via info@probonocommunity.org.uk.
We must process personal data lawfully, fairly and in a transparent manner in accordance with individuals’ rights.
We must collect personal data only for the
purposes here specified. Those purposes are:
- Recruiting, managing and monitoring the individuals who are undertaking training/volunteering placements through PBC;
- Marking the work of individuals who have been assessed or examined as part of their training;
- Informing individuals who have been trained and placed as volunteers by PBC about the charity’s plans and activities;
- Marketing our charity;
- Recruiting and managing trustees and staff;
- Managing relationships with suppliers;
- Compliance with our legal, regulatory and corporate governance obligations and good practice;
- Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests;
- Investigating complaints;
- Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments;
- Monitoring staff conduct, disciplinary matters;
- Improving services.
We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.
7. SENSITIVE PERSONAL DATA
In most cases where we process sensitive personal data we will require the data subject’s
explicit consent to do this unless exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.
8. ACCURACY AND RELEVANCE
We will ensure that any personal data we process is accurate, up to date, adequate, relevant and limited to what is necessary in relation to the purpose(s) for which they were obtained.
Individuals may ask that we correct inaccurate or incomplete personal data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform the DPM. We will rectify the information within one month where the request is straightforward.
Where we have disclosed the inaccurate personal data to third parties, we will inform them of the rectification where possible so that they can correct their own records, and where appropriate we will inform the data subject of those third parties to whom their personal data has been disclosed.
9. STAFF AND TRUSTEES’ PERSONAL DATA
All staff and trustees must take reasonable steps to ensure that personal data we hold about them is accurate and updated as required. For example, if the personal circumstances of a staff member or trustee changes, that individual is to inform the DPM so that records can be updated.
10. DATA SECURITY
All staff and trustees must keep personal data secure against loss or misuse. Where other organisations process personal data as a service on our behalf, the DPM will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations.
Data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
11. STORING DATA SECURELY
The steps which PBC currently takes to ensure data security include:
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is kept.
- In cases when data is stored on printed paper, it should be kept in a secure place where unauthorised personnel cannot access it.
- Printed data should be shredded when it is no longer needed.
- Data stored on a computer should be protected by strong passwords that are changed regularly. We encourage all staff to use a password manager to create and store their passwords.
- Data stored on memory sticks must be locked away securely when they are not being used.
- The DPM must approve any cloud used to store data.
- Servers containing personal data must be kept in a secure location, away from general office space.
- Data should be regularly backed up in line with the company’s backup procedures.
- All servers containing sensitive data must be approved and protected by security software and strong firewall.
12. DATA RETENTION
We must retain personal data for no longer than is necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with our data retention policy.
13. TRANSFERRING DATA INTERNATIONALLY
There are restrictions in GDPR on transfers of personal data outside the EU. Such transfers may only take place where specific conditions are met.
PBC does not currently transfer data internationally. However, we understand that were this to change, the DPM must be notified before personal data is transferred anywhere outside the UK. The DPM will ensure the conditions are met before the transfer takes place.
14. SUBJECT ACCESS REQUESTS
Under GDPR, individuals are entitled, subject to certain exceptions, to request access to information held about them and certain supplementary information.
Requests should be made to info@probonocommunity.org.uk.
We will provide this free of charge (in most cases), without delay and at the latest within one month of receipt for simple requests.
If a request is manifestly unfounded or excessive we may either impose a charge or refuse the request. Where a request is refused, we will tell the individual why, inform them of their right to complain to the Information Commissioner and of their right to a judicial remedy. We will do this without undue delay and at the latest within one month.
If a staff member or trustee receives a request from an individual to access their data (a “Subject Access Request”), that staff member should refer that request immediately to the DPM. We may ask the staff member or trustee to help us comply with that request. We will provide data electronically and in a commonly used format.
Members of staff and trustees should contact the DPM if they would like to correct or request information that PBC holds about them.
15. PROCESSING DATA IN ACCORDANCE WITH INDIVIDUALS’ RIGHTS
Members of staff and trustees must abide by any request from an individual not to use their personal data for direct marketing purposes and notify the DPM about any such request.
Members of staff and trustees should contact the DPM for advice on direct marketing before starting any new direct marketing activity. The DPM will ensure that the right to object to direct marketing is explicitly, clearly and separately brought to an individual’s attention at the first point of communication and in the Privacy Notice (see section 19 below).
16. CHILDREN’S DATA
PBC does not process the data of anyone aged under 18 years old.
17. TRAINING
All staff and trustees received training on this policy and on the legal changes under GDPR on 16
th May 2018. New joiners will receive training as part of the induction process. Further training will be provided at least every two years or whenever there is a substantial change in the law or our policy and procedure.
18. DATA PROTECTION STATEMENTS
Our data protection statement is included in all external emails. It reads as follows:
The lawful basis under GDPR for our external communications including direct marketing is legitimate interests.
You can opt out of further emails at any time by emailing info@probonocommunity.org.uk.
Individuals whose data we hold have a right of access to the personal data that we hold about them. They also have a right to have that data deleted. Requests can be made to info@probonocommunity.org.uk.
Our Privacy Notice is at section 19 of our Data Protection Policy available here: [link to be included].
We may occasionally be required to give information to third parties such as professional advisers.
19. PRIVACY NOTICE
Being transparent and providing accessible information to individuals about how we will use their personal data is important for our charity. We recognise that individuals have the right to be informed of the data we hold about them.
We are mindful of the fact that the best way to provide information to an individual about how we will use their data will depend upon the context. In most situations we provide a link to our Privacy Notice in our email footer.
The information we provide in our Privacy Notice must be:
- Concise, transparent, intelligible, easily accessible;
- In clear and plain language; and
- Free of charge
19.1 Privacy Notice for Corporate, Professional and Other Contacts
What information is being collected? |
Contact details of representatives of corporate, professional and other relevant organisations including name, address, title, telephone number and email address. |
Who is collecting it? |
Pro Bono Community – a charity which has developed a series of specialised training programmes for law students, trainees and junior lawyers aimed at preparing them for volunteering in Law Centres and other advice agencies.
The Data Protection Manager is Bill Skirrow (info@probonocommunity.org.uk). |
How is it collected? |
In some cases, the information has been obtained directly from the individual but in others it has been obtained indirectly from sources such as websites or mailing lists. |
Why is it being collected and on what lawful basis? |
The lawful basis is legitimate interest.
The purpose of collecting the data is to deliver marketing communications to organisations such as law firms and universities informing them of PBC’s activities and the benefits they may derive from those activities. |
How will it be used? |
It will be used to engage with organisations who may wish to participate in activities or receive services which enable the charity to meet its objectives. |
Who will it be shared with? |
It will not be shared with any third parties. |
Details of transfers to third country and safeguards |
There will be no transfers to third countries. |
Retention period (or how this will be determined) |
The data will be retained until the individual or organisation the individual represents ceases to operate in such a way that they might derive benefit from knowledge of PBC’s activities and services. |
Your rights as the data subject |
You have the right at any time to withdraw consent to the use of the data, the right to object to direct marketing, and the right to complain to the Information Commissioner if you think there is a problem with the way we are handling your data. |
Whether the provision of the data is required by statute or contract and possible consequences of failing to provide the data |
The provision of the data is not required by statute or contract. |
The existence of automated decision making including profiling |
Pro Bono Community does not use automated decision making. |
19.2 Privacy Notice for Trainees and Volunteers
What information is being collected? |
Contact details and other personal data such as CVs and personal statements of individuals; online logs completed by volunteers providing details of their activities during their placements. |
Who is collecting it? |
Pro Bono Community – a charity which has developed a series of specialised training programmes for law students, trainees and junior lawyers aimed at preparing them for volunteering in Law Centres and other advice agencies.
The Data Protection Manager is Bill Skirrow (info@probonocommunity.org.uk). |
How is it collected? |
In some cases, the information has been obtained directly from the individual whilst in others it has been obtained indirectly from the universities or employers with whom PBC is working. |
Why is it being collected and on what lawful basis? |
The lawful basis is legitimate interest and, in some cases, because it is necessary to do so for the performance of a contract.
The processing enables PBC to recruit, contact, manage and assess individuals who are undertaking training and/or volunteering placements through PBC and to monitor their activities through the PBC online volunteer portal. |
How will it be used? |
PBC uses the data in order to meet the needs of individuals who have applied and/or been selected for training and volunteering placements. Monitoring individuals’ activities during placements enables PBC to receive early warning of any potential problems and improve their overall experience as volunteers. |
Who will it be shared with? |
The data will not be shared with any third parties other than the organisations with which the individuals are associated such as universities, advice agencies and law firms. Some of the data in the volunteer activity logs may also be used to populate promotional material describing the charity’s activities. |
Details of transfers to third country and safeguards |
There will be no transfers to third countries. |
Retention period (or how this will be determined) |
Contact details will be retained until the individual ceases to be a trainee or volunteer and their data is transferred to the charity’s alumnus database. All data relating to unsuccessful applicants for training and/or placements will be retained for no longer than three months after the individual has been informed. Data such as CV’s or personal statements of successful applicants will be retained for no longer than six months after completion of the training and/or placements. Exam papers, details of marks and other data relating to assessment will be retained for two years. |
Your rights as the data subject |
You have the right at any time to withdraw consent to the use of the data, the right to object to direct marketing, and the right to complain to the Information Commissioner if you think there is a problem with the way we are handling your data. |
Whether the provision of the data is required by statute or contract and possible consequences of failing to provide the data |
The provision of exam papers, marks and other data relating to assessment may be required under the terms of contracts with associated organisations such as universities or law firms. |
The existence of automated decision making including profiling |
Pro Bono Community does not use automated decision making. |
19.3 Privacy Notice for Alumni
What information is being collected? |
Contact details of alumni including name, address, title, telephone number and email address. |
Who is collecting it? |
Pro Bono Community – a charity which has developed a series of specialised training programmes for law students, trainees and junior lawyers aimed at preparing them for volunteering in Law Centres and other advice agencies.
The Data Protection Manager is Bill Skirrow (info@probonocommunity.org.uk). |
How is it collected? |
The information has been obtained directly from the individual in some cases and through third parties such as the individuals’ university or employer in others. |
Why is it being collected and on what lawful basis? |
The lawful basis is consent.
The purpose of collecting the data is to deliver communications to individuals who have been trained and/or undertaken volunteering placements through PBC (“alumni”) informing them of PBC’s plans and activities. |
How will it be used? |
It will be used to engage with alumni who may wish to stay in touch with PBC and encourage their employers or other organisations to participate in activities or receive services which enable the charity to meet its objectives. |
Who will it be shared with? |
It will not be shared with any third parties. |
Details of transfers to third country and safeguards |
There will be no transfers to third countries. |
Retention period (or how this will be determined) |
The data will be retained until the individual is unlikely to derive benefit from knowledge of PBC’s activities and services. |
Your rights as the data subject |
You have the right at any time to withdraw consent to the use of the data, the right to object to direct marketing, and the right to complain to the Information Commissioner if you think there is a problem with the way we are handling your data. |
Whether the provision of the data is required by statute or contract and possible consequences of failing to provide the data |
The provision of the data is not required by statute or contract. |
The existence of automated decision making including profiling |
Pro Bono Community does not use automated decision making. |
Our data protection statement is included in all external emails and specifically refers to these Privacy Notices using the following text:
Our Privacy Notice is at section 19 of our Data Protection Policy available here: [link to be included].
20. CONDITIONS FOR PROCESSING
GDPR provides that processing is lawful if and only if one or more of the six conditions of process apply (listed in Article 6(1)).
We will ensure any use of personal data is justified using at least one of the conditions for processing and this will be specifically documented. This will generally be the lawful bases set out in section 6 above. However, additional bases may also apply (eg compliance with our own legal obligations).
All staff who are responsible for processing personal data will be aware of the conditions for processing. The conditions for processing will be available to data subjects in the form of a privacy notice.
We will document the additional justification for the processing of sensitive data.
21. CONSENT
Certain data we collect is subject to active, opt-in consent by the data subject (eg trustees’ personal data). We will make sure that this consent is freely given, clear, specific, informed through our Privacy Notice and an unambiguous indication of the individual’s wishes. All consent will be properly documented by us. This consent can be revoked at any time.
22. CRIMINAL RECORD CHECKS
Any criminal record checks are justified by law. Criminal record checks cannot be undertaken based solely on the consent of the subject.
23. DATA PORTABILITY
Where we are processing data by automated means, a data subject has the right (upon request) to receive a copy of their data which they have previously provided to us with their consent. They have the right to receive it in a safe and structured machine-readable format so that the data subject can reuse it for their own purposes, provided this does not compromise the privacy of other individuals. These requests will be processed without undue delay and within one month, provided there is no undue burden. A data subject may also request that their data is transferred directly to another system. This must be done for free.
24. RIGHT TO RECTIFICATION AND ERASURE
A data subject may request that any information held on them be rectified. They may also request that it be deleted or removed, and any third parties who process or use that data will usually need to be told and must also comply with the request. An erasure request can only be refused if an exemption applies. We recognise that data subjects have a stronger right to have their data deleted by us because we use consent as our lawful basis for processing.
Requests should be made to info@probonocommunity.org.uk.
25. RIGHT TO RESTRICT PROCESSING
We recognise that individuals have the right to restrict the processing of personal data, and we will do this in the following circumstances:
- While we are in the process of verifying the accuracy of personal data, where accuracy has been contested
- Where processing is unlawful and the individual requests restriction rather than erasure
- Where we no longer need the personal data but the individual requires it in relation to a legal claim.
Where possible, in these circumstances we will inform any third parties to whom we have disclosed the data of the restriction.
Requests should be made to info@probonocommunity.org.uk.
26. AUTOMATED DECISION MAKING
In the event that, in future, any of the processing operations of PBC should constitute automated decision making, this section shall apply. We recognise that in relation to certain decisions based on automatic processing, individuals have the right not to be subject to those decisions where they produce a legal effect or a similarly significant effect on the individual. We will ensure that individuals are able to obtain human intervention, express their point of view, obtain an explanation of the decision and challenge it. Should any of PBC’s automated processing constitute profiling (the evaluation of certain personal characteristics in order to make predictions about an individual), Origami will ensure that appropriate safeguards are in place.
27. PRIVACY BY DESIGN AND DEFAULT
Privacy by design is an approach which promotes privacy and data protection compliance from the start. The DPM will be responsible for conducting Data Protection Impact Assessments if they become required and ensuring that all IT projects commence with a privacy plan. Impact Assessments will only be required where data processing is likely to result in high risk to individuals, which is not currently envisaged.
When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.
28. COOKIES
Our website may use cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. By continuing to browse the site, you are agreeing to our use of cookies.
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive. We use the following cookies:
· Strictly necessary cookies: These are cookies that are required for the operation of our website.
· Analytical/performance cookies: These allow us to collect information about how the user uses the site, and helps us to improve the way our website works.
· Functionality cookies: These cookies remember choices made by the user e.g. your choice of language or region.
29. DATA AUDIT AND REGISTER
Our data register contains information on:
- what data is held;
- where it came from;
- where it is stored;
- how it is used;
- who it is shared with;
- who is responsible;
- any further regulations or retention timescales that may be relevant.
The DPM is responsible for all data held by PBC unless otherwise stated on the data register.
Regular data audits to manage and mitigate risks will inform and update the data register.
Our data register enables us to comply with the GDPR’s accountability principle, which requires us to be able to show how we comply with the GDPR’s data protection principles.
30. RECORDING HIGH RISK PROCESSING
The DPM shall ensure that records of activities related to higher risk processing are maintained and include the requisite information. This would include the processing of personal data that could result in a risk to the rights and freedoms of an individual, the processing of sensitive personal data, or the processing of data on criminal convictions and offences.
31. REPORTING PERSONAL DATA BREACHES
PBC will follow the following procedure in the event of a personal data breach.
All members of staff and trustees must understand what a personal data breach is in order properly to be able to identify one. It means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
All members of staff and trustees have an obligation to report personal data breaches to the DPM. This allows us to:
- Investigate the failure and take remedial steps if necessary, taking advice where appropriate;
- Maintain a register of compliance failures;
- Notify the ICO within 72 hours of any personal data breach which is likely to result in a risk to the rights and freedoms of individuals;
- Notify the individuals concerned where a breach is likely to result in a high risk to the rights and freedoms of those individuals;
- Notification to the public if sufficiently serious;
We understand that failure to notify a data breach can attract a fine, in addition to the fine for the breach itself.
32. MONITORING
All members of staff must observe this policy. The DPM has overall responsibility for this policy and will monitor it regularly to make sure it is being adhered to.
33. FAILURE TO COMPLY
We take compliance with this policy very seriously. Failure to comply puts members of staff, trustees, volunteers, the organisation and others at risk.
The importance of this policy means that failure to comply with any requirement may lead to disciplinary action. This may result in dismissal of a member of staff or the removal of a trustee. A solicitor or barrister in breach of her data protection responsibilities under the law or the applicable Code of Conduct may be struck off.
If staff members, trustees or anyone else has any questions or concerns about anything in this policy, they should contact the DPM.