Data Protection Policy (GDPR)

The Naval Children’s Charity (NCC) is committed to the safe protection of the personal data that the NCC collects and holds.

The Data Protection Act 2018 (DPA 2018) is the UK’s current data protection legislation.

To indicate the UK’s status outside the European Union (EU), it was amended on 01 January 2021 by regulations under the European Union (Withdrawal) Act 2018. DPA 2018 sits alongside and supplements the UK General Data Protection Regulation (UK GDPR).

DPA 2018 controls how personal information is used. It was put in place to give a clearer understanding of how and why personal data is collected, how it is stored, for how long and how it is disposed. It also includes information as to when and how personal information might be shared with others.

This Data Protection policy applies to all the personal data that we process regardless of the media on which that data is stored or whether it relates to past or present employees, workers, customers, clients or supplier contacts, shareholders, website users, or any other data subject.

Principles of data protection outlined in the DPA 2018

The NCC abides by the principles laid out in DPA 2018.

Anyone processing personal data must comply with the seven enforceable principles. These are:

  1. Lawfulness – data must be processed lawfully, fairly and in a transparent manner.
  2. Purpose limitation – data must be collected for specified, explicit and legitimate purposes.
  3. Data minimisation – data must be adequate, relevant, and limited to what is necessary.
  4. Accuracy – data must be accurate and, where necessary, kept up to date.
  5. Storage limitation – data must be retained only for as long as necessary.
  6. Integrity and confidentiality (security) – data must be processed in an appropriate manner to maintain security.
  7. Accountability – this underpins the other six principles. It is about taking responsibility, having appropriate measures in place, and keeping records to demonstrate how data protection compliance is achieved. Company owners should hold themselves accountable for getting it right.

In addition:

  1. Data must not be transferred to another country without appropriate safeguards in place (transfer limitation); and
  2. Data must be made available to data subjects and allow data subjects to exercise certain rights in relation to their personal data (data subject’s rights and requests).

Managing Data Protection

To collect and process personal data including special category data, the NCC is registered as a Data Controller with the Information Commissioner’s Office (ICO). Registration is required under the Act.

The NCC processes personal data for charitable purposes.

The NCC is committed to meeting its obligations under DPA 2018 and has a Data Protection Officer (DPO) within the staff team.

THE DATA PROTECTION ACT 2018 PROCEDURES

Introduction

Data privacy is relevant to – and the responsibility of – everyone in the NCC, paid or unpaid, including third party processors, who have access to the personal data the charity holds or who may require access to it in the course of their work.

Mishandled data can cause distress for the data subject and serious penalties for the NCC as well as damaging reputation and erosion of trust.

The NCC endeavours to observe the law in the collection and processing of personal data and will meet any subject access request in compliance with the DPA 2018. A subject access request can be made verbally or in writing, including via social media, and should be responded to within one month. The NCC will only use data for conducting the charity’s legitimate charitable purposes and in a way that is not prejudicial to the interests of the data subjects.

The NCC takes appropriate care in the collection, processing, storage, and disposal of all personal data, being also mindful of the requirements for the processing of special category personal data (sensitive personal data) as defined by the DPA 2018.

The NCC processes personal data transparently and provides accessible information to individuals about using their personal data and its importance to the organisation.

All NCC staff must be aware of the requirements of the DPA 2018 when personal data is collected or managed:

  • data must be accurate, minimal, and secured.
  • data must not be disclosed except where there is either subject consent, or a legal requirement to do so.

Data sent to outside agencies must always be protected by a written information sharing agreement or data protection compliant contract. All collection and processing must be done in accordance with the DPA 2018.

Employees must read, understand, and comply with this Data Protection policy when processing personal data on our behalf and attend training on its requirements. This Data Protection policy sets out what we expect from employees for the Company to comply with applicable law.

Compliance with this Data Protection policy is mandatory. Related policies and privacy guidelines are available to help employees interpret and act in accordance with this Data Protection policy. Employees must also comply with all those related policies and privacy guidelines. Any breach of this Data Protection policy may result in disciplinary action.

The Data Protection Officer keeps records of all data breaches, complaints by data subjects, subject data requests and the actions taken. There is a repository of all the NCC statements of Data Protection law compliance and information about any contacts made with the Data Protection Registrar.

This policy requires staff to ensure that the DPO is consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are addressed. The DPO is the Head of Welfare (currently Sara Smith); information regarding how to contact the DPO is public and easily accessible.

Special category data

In most cases where the NCC processes sensitive personal data, the charity will require the data subject’s explicit consent to do this unless exceptional circumstances apply, or they are required to do this by law (e.g., to comply with legal obligations to ensure health and safety at work). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.

Accuracy and relevance

The NCC will ensure that any personal data processed is accurate, adequate, relevant, and not excessive, given the purpose for which it was obtained. The NCC will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.

Individuals may ask that we correct inaccurate personal data relating to them. If it is believed that information is inaccurate it will be recorded that the accuracy of the information is disputed and the DPO informed.

Justification for personal data

The NCC processes personal data in compliance with all seven data protection principles.

The NCC documents any additional justification for the processing of special category (sensitive) data including biometric and genetic data.

Consent

Some of the personal data that the NCC collects is subject to active consent by the data subject. This consent can be revoked at any time.

It is not necessary to seek consent to share information for the purposes of safeguarding and promoting the welfare of a child or vulnerable adult if there is a lawful basis to process any personal information required.

Criminal record checks

Any criminal record checks are justified by law. Criminal record checks cannot be undertaken based solely on the consent of the subject.

Misuse of Personal Data

The misuse or inappropriate use of personal data under any circumstances is regarded as gross misconduct.

Data portability

Upon request, a data subject has the right to receive a copy of their automated data in a structured format. These requests should be processed within the data protection guidance, provided there is no undue burden, and it does not compromise the privacy of other individuals. A data subject may also request that their data is transferred directly to another system. This must be done for free.

Right to be forgotten

A data subject may request that any information held on them is deleted or removed if it is no longer accurate or relevant. Any third parties who process or use that data must also comply with the request if there is no excessive burden placed upon them in doing so.

The data cannot be deleted or removed if the privacy of other individual(s) is likely to be compromised and/or the data can be legitimately retained in accordance with the requirements of data protection and other legislation.

Privacy by design and default

Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. The DPO is responsible for conducting Data Privacy Impact Assessments should this be required.

International data transfers

No data may be transferred outside of the EEA (European Economic Area) without first discussing it with the CEO/DPO. Specific consent from the data subject must be obtained prior to transferring their data outside the EEA and recognised safeguards will need to be in place.

Reporting data breaches

Staff must report all actual or potential data protection compliance failures or breaches at the earliest opportunity by contacting the DPO. This allows the charity to take the appropriate course of action which may include:

  • Investigating the failure and taking remedial steps if necessary.
  • Informing the data subject whose personal data has been breached. The advice must include:
    • The nature of the breach.
    • The name and contact details of the relevant data protection officer (DPO).
    • The likely consequences of the breach.
    • The measures that have been taken or proposed to address the breach.
  • Notifying the ICO of any compliance failures or data breaches that are material, either on their own or as part of a pattern of failures, as defined by the DPA 2018.
  • Maintaining a register of compliance failures/data breaches.

Procedures for ensuring data protection compliance

Data protection legislation and compliance is about the protection and security of information relating to people (personal data).

Employees have a duty to safeguard the personal data that they collect. This involves protecting the privacy rights of individuals and compliance is a continuous requirement.

To keep personal information secure employees must:

  • At all times and places, take care when collecting, processing, storing, and disposing of all personal information.
  • Only use data for the purpose it is intended and for the interests of the data subject i.e., a person whose personal data is being collected, held, or processed.
  • Keep all data accurate, up to date, relevant, minimal, and secure by conducting regular reviews to delete/shred all irrelevant and out of date (within the last 2 years) paper and electronic documents.
  • Keep personal data for no longer than is necessary.
  • Only disclose information when the data subject has given explicit consent or where there is a legal requirement to do so.

When at work (home/workspace or in the office)

Routine daily ‘best practice’ helps to safeguard information.

One of the simplest ways to protect data is to keep workspaces clear. This reduces the risk of personal data being stolen if left in view and unattended. To keep work environments secure:

  • Safeguard privacy and security by always being aware of surroundings and people nearby.
  • Take precautions to protect data from visitors or others who are not authorised to see it by:
    • Checking for sensitive information placed on a workspace or desktop before leaving them and by transferring to a folder or secure place.
    • Locking computers when moving away from them.
  • After meetings, tidy away/clear documents.
  • After printing, copying, or faxing, collect documents straight away.
  • Keep sensitive documents in secure locations.

At the end of each workday:

  • Clear workspaces. This includes not only documents and notes, but also any post-it notes, business cards etc.
  • File documents or lock them up.

When handling data

Data privacy relates to how a piece of information or data is managed. When handling data, the following guidance must be observed:

  • Prevent accidental disclosures of personal information from computers or tablets by:
    • Placing screens away from windows.
    • Locking screens whenever devices are left.
  • Work with electronic documents whenever possible.
  • Never send documents to staff’s personal email addresses, systems, or devices.
  • For security and privacy when sending emails:
    • Take care to send to the correct recipient(s).
    • Prevent disclosure of personal email addresses by using blind carbon copy (BCC) when sending emails to several people.
  • Dispose of all sensitive and confidential documents securely by shredding – never throw any work-related documents into the waste basket.
  • Ensure visitors are not left alone in areas where personal information can be accessed.
  • Only use social media within policy guidelines and never publish personal data.
  • Prevent others (including colleagues, friends, and family members) from accessing data by never sharing or writing down passwords. (Passwords are kept in a secure area on the server for emergency use.)
  • Use 2nd class recorded delivery when posting any documents containing personal information.
  • Be careful when giving out personal information to unknown callers – if in doubt do not disclose any.
  • Encrypt personal information whenever possible.

On the telephone

When disclosing information over the phone employees must:

  • Be aware that there are people who will try and trick employees into giving out personal information.
  • Conduct identity checks before giving out personal information to someone making an incoming call.
  • Perform similar checks when making outgoing calls.
  • Limit the amount of personal information given out over the phone and follow with written confirmation if necessary.

Away from normal places of work and travelling

When working away from normal workplaces, employees should be extra vigilant about the security of equipment and the disclosure of information:

  • In open plan and public places:
    • Be aware of people who might be able to see information displayed on computer screens or mobile phones.
    • Do not leave documents open or in view.
  • Always keep mobile devices (phone or laptop) in sight – never leave them in cars.
  • Be discreet when keying in passwords and logging onto systems.
  • Connect to trusted networks – public Wi-Fi can be vulnerable to cyber-attack.
  • Speaking – remember that people can listen to conversations. Avoid leaving detailed voicemail messages.

When travelling:

  • Always keep mobile devices (phone or laptop) in sight – never leave them visible in vehicles even if locked and never overnight.
  • Do not pack laptops in checked luggage unless required to do so by airline security regulations. Devices can be stolen from checked luggage.
  • Never leave bags or devices unattended anywhere particularly in an airport or train station as they could easily be picked up.
  • When on an aircraft or train, secure all devices. Phones and laptops can be stolen from the overhead bins, seat, or seat pocket.
  • Before leaving an aircraft or train, double-check the seat area and seat pocket to make sure there are no devices left behind.
  • Hotel rooms – if mobile devices need to be left in hotel rooms, always leave them out of sight or, better, in a room safe rather than hiding them. Although neither option is 100% secure, this is still the current cyber prevention advice.
  • Observe additional security safeguards when using hotels by:
    • Checking that windows and any adjoining doors are locked.
    • Closing and ensuring that the hotel room door is locked.

Security of information

Cybercrime (hacking, phishing, spamming etc) involves technology (desktops, laptops, and smartphones) being used to steal information and cause harm and disruption. It is easier for cyber criminals to trick people than to break security technology. Employees should endeavour to recognise the signs of attack and always practise safe computing.

Employees can help prevent cybercrime by observing the following rules:

  • Do not lend any work devices, mobile or otherwise (desktop, phone, or laptop) to anyone including colleagues, friends, and family members.
  • Never allow anyone including colleagues, friends, and family members to access or use any work devices, mobile or otherwise (desktop, phone, or laptop).
  • Never give anyone, including colleagues, friends, and family members any passwords.
  • Never allow anyone to plug any unauthorised removable media into business mobile devices.
  • Do not use public Wi-Fi as it can be vulnerable to cyber-attack.
  • Do not open suspicious phishing emails or texts that try to trick recipients into giving out sensitive information. Report or delete them immediately.
  • Beware of phishing scams that use social media to trick people into handing over personal information.
  • Beware of voice or text message phishing attempts that use a ‘problem’ to scare or trick recipients into disclosing sensitive information.
  • Never use a public computer for work purposes.
  • Endeavour to keep up to date with the latest scams.

Consequences of failing to comply

The NCC takes compliance with data protection law very seriously. Failure to comply could place the data subject and the NCC at risk.

Everyone must observe this policy. This includes NCC employees, volunteers, and contractors who have access to the personal data the NCC holds or who may require access to it in the course of their work. Any breach of this Data Protection policy may lead to disciplinary action under the NCC procedures and may result in dismissal.

If staff have any questions or concerns about anything in this policy, they should contact the Data Protection Officer, Sara Smith.