Statement and Purpose of policy
- Hayat Humanitarian Aid (the Charity) is committed to ensuring that all personal data handled by us will be processed according to legally compliant standards of data protection and data security.
- We confirm for the purposes of the data protection laws, that the Charity is a data controller of the personal data in connection with your information. This means that we determine the purposes for which, and the manner in which, your personal data is processed.
- The purpose of this policy is to help us achieve our data protection and data security aims by:
- notifying our staff of the types of personal information that we may hold about them, our customers, suppliers and other third parties and what we do with that information;
- setting out the rules on data protection and the legal conditions that must be satisfied when we collect, receive, handle, process, transfer and store personal data and ensuring staff understand our rules and the legal standards; and
- clarifying the responsibilities and duties of staff in respect of data protection and data security.
- This is a statement of policy only and does not form part of your contract of employment. We may amend this policy at any time, in our absolute discretion.
For the purposes of this policy:
- Criminal records data means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.
- Data protection laws means all applicable laws relating to the processing of Personal Data, including, for the period during which it is in force, the UK General Data Protection Regulation.
- Data subject means the individual to whom the personal data relates.
- Personal data means any information that relates to an individual who can be identified from that information.
- Processing means any use that is made of data, including collecting, storing, amending, disclosing, or destroying it.
- Special categories of personal data means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.
Data protection principles
Staff whose work involves using personal data relating to Staff or others must comply with this policy and with the following data protection principles which require that personal information is:
- processed lawfully, fairly and in a transparent manner. We must always have a lawful basis to process personal data, as set out in the data protection laws. Personal data may be processed as necessary to perform a contract with the data subject, to comply with a legal obligation which the data controller is the subject of, or for the legitimate interest of the data controller or the party to whom the data is disclosed. The data subject must be told who controls the information (us), the purpose(s) for which we are processing the information and to whom it may be disclosed.
- collected only for specified, explicit and legitimate purposes. Personal data must not be collected for one purpose and then used for another. If we want to change the way we use personal data, we must first tell the data subject.
- processed only where it is adequate, relevant and limited to what is necessary for the purposes of processing. We will only collect personal data to the extent required for the specific purpose notified to the data subject.
- accurate and the Charity takes all reasonable steps to ensure that information that is inaccurate is rectified or deleted without delay. Checks to personal data will be made when collected and regular checks must be made afterwards. We will make reasonable efforts to rectify or erase inaccurate information.
- kept only for the period necessary for processing. Information will not be kept longer than it is needed and we will take all reasonable steps to delete information when we no longer need it. For guidance on how long particular information should be kept, contact the Data Protection Officer, or request a copy of our Data retention policy.
- secure, and appropriate measures are adopted by the Charity to ensure as such.
Who is responsible for data protection and data security?
- Maintaining appropriate standards of data protection and data security is a collective task shared between us and you. This policy and the rules contained in it apply to all staff of the Charity, irrespective of seniority, tenure and working hours, including all employees, directors and officers, consultants and contractors, casual or agency staff, trainees, homeworkers and fixed-term staff and any volunteers (Staff).
- Questions about this policy, or requests for further information, should be directed to the Data Protection Officer.
- All Staff have personal responsibility to ensure compliance with this policy, to handle all personal data consistently with the principles set out here and to ensure that measures are taken to protect the data security. Managers have special responsibility for leading by example and monitoring and enforcing compliance. The Data Protection Officer must be notified if this policy has not been followed, or if it is suspected this policy has not been followed, as soon as reasonably practicable.
- Any breach of this policy will be taken seriously and may result in disciplinary action up to and including dismissal. Significant or deliberate breaches, such as accessing Staff or customer personal data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.
What personal data and activities are covered by this policy?
- This policy covers personal data:
- which relates to a natural living individual who can be identified either from that information in isolation or by reading it together with other information we possess;
- is stored electronically or on paper in a filing system;
- in the form of statements of opinion as well as facts;
- which relates to Staff (present, past or future) or to any other individual whose personal data we handle or control;
- which we obtain, is provided to us, which we hold or store, organise, disclose or transfer, amend, retrieve, use, handle, process, transport or destroy.
- This personal data is subject to the legal safeguards set out in the data protection laws.
What personal data do we process about Staff?
We collect personal data about you which:
- you provide or we gather before or during your employment or engagement with us;
- is provided by third parties, such as references or information from suppliers or another party that we do business with; or
- is in the public domain.