IET Guidelines for Volunteers: Data Protection

Transcription

1 SERIAL NO: Issue No: 3.0 IET Guidelines for Volunteers: Protection Effective Date Approved by Author February 2012 Executive Committee Richard Best Date of Last Review Reviewed By Date of Next Review February 2015 Lesley Roe February 2016 Distribution All Volunteers Change History Version Author Date Summary of changes 3.1 Lesley Roe February 2015 No changes this year 3.0 Lesley Roe February 2014 Updated and general tidy up 2.0 Camille February 2012 Restructured, revised and updated. Hiemstra 1.3 Katy Turff August 2011 Addition of Appendix C listing countries with adequate protection to meet UK Protection Act requirements. Minor amendment to definitions. 1.3 Richard Best July 2011 Minor updates, updated links, inclusion of reference to subsidiaries 1.2 Diane Pemberton CONTENTS February Henny Shone February 2008 General update. Addition of Clause 27 regarding submission to the IET of data collected by volunteers. 1. Introduction 2. Summary Protection Policy 3. Protection Principles 4. Guidelines 5. Responsibilities 6. Appendix A: Countries with adequate protection to comply with the UK Protection Act Definitions Version 3.0 Page 1 of 10

2 1. INTRODUCTION As part of our strategy to achieve both our charitable and business objectives, the Institution of Engineering and Technology (the IET) and our associated organisations process personal information about IET members, customers and other external contacts; and market to these individuals IET products, services, events and qualifications. The IET activities of processing personal information and marketing to individuals are governed by UK legislation and regulations such as the Protection Act, and the Privacy and Electronic Communications Regulations (see for details). Good information handling enhances the IET s reputation by increasing member, customer and partner confidence in the organisation. protection is the responsibility of all members and volunteers as well as all staff and agency or contract employees. These guidelines will assist in the understanding and interpretation of the Protection Act and are best read in conjunction with the IET Protection Policy. Definitions, and explanations, of the terms used are given below. 2. SUMMARY DATA PROTECTION POLICY The IET Protection Policy (available separately) addresses the use of personal information about living and identifiable individuals. The processes and procedures of the IET will be compliant with the Protection Act, the eight data protection principles, and the terms of the Privacy & Electronic Communications Regulations, insofar as they apply. The organisation will regularly monitor for compliance. protection is the responsibility of all IET volunteers who have access to any personal information in connection with IET activities. Individuals should use their judgement to determine compliance with the Protection Policy and guidelines. The IET will provide appropriate training, guidance and support, but if in doubt, advice should be sought from the IET Compliance Officer. Any volunteer found to have acted contrary to this policy and related guidelines may be subject to investigation which could result in suspension from volunteer activities involving access to personal information. The IET will take all necessary steps to minimise the risk of civil action being taken against it by the Information Commissioner. It will deal promptly and efficiently with any query, complaint, action, or threatened action, and make any necessary amendments to its policies, processes and procedures to ensure continuing compliance. 3. DATA PROTECTION PRINCIPLES Eight principles are defined to ensure personal information of living and identifiable individuals is handled and processed properly. This includes any action from acquiring or processing the data, including sensitive personal information which relates to racial or ethnic origin, health, political views, religious beliefs, sexual life, trade union membership etc. Although financial data is not covered by the Act, it is recommended that this is treated as sensitive data. Failure to observe these principles puts the professional reputation of the IET at risk. It may result in the Information Commissioner issuing an enforcement notice or criminal prosecution in respect of unlawful Version 3.0 Page 2 of 10

3 disclosure, unlawful obtaining or procuring of personal information, unlawful selling or offering to sell personal information etc. The eight Protection principles state that: 1. Personal Information must be fairly and lawfully processed o Personal information will only be collected with explicit or reasonably implied consent; this may be as part of initiating or entering into a contract. For example, a person applying for membership of the IET will receive information (by post or electronic means) about our various activities, unless they tell us they do not want this. If they choose to opt-out of marketing, they will continue to receive essential communications regarding their membership as defined in the Royal Charter and Bye-Laws. o Manual collection of addresses from third party websites for marketing purposes is not permitted as the individuals will not have had the opportunity to give their consent. o Personal information should not be collected from minors under 16 without prior advice and agreement from the Compliance Officer. 2. Personal information must be processes for limited purposes In practice, the second data protection principle means that you must: o be clear from the outset about why you are collecting personal information and what you intend to do with it o comply with the Act s fair processing requirements including the duty to give privacy notices to individuals when collecting their personal information o ensure that if you wish to use or disclose the personal information for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair. 3. Personal information must be adequate, relevant and not excessive o The personal information collected should be adequate and relevant for the purposes identified. Do not ask for more information than you need for the stated purposes. 4. Personal information must be accurate, and where necessary kept up to date o The IET will make every effort to ensure that personal information is accurate. When individuals tell us about changes to their details we must update our records to reflect this. 5. Personal information must not be kept for longer than necessary o The IET can keep personal information for as long as this is deemed reasonably necessary. o Each department must determine what personal information they hold, why it is needed, where it is kept and for how long remember to include archived data in the data retention schedule. o Do not keep data just in case. It is good practice to organise data purge days on an annual basis to dispose securely of data that is no longer needed. 6. Personal information must be processed in line with the rights of individuals Individuals have a right to: o Access the information the IET holds about them. This is called a Subject Access Request; more detail can be requested from the Compliance Officer. An individual has a right to see a copy of the personal information the IET holds about them, including duplicate copies where there may be, unintended, discrepancies in the data. The IET is required to respond within 40 days of receipt of the request and sufficient information to identify the individual. More Version 3.0 Page 3 of 10

4 o information about compliance to a Subject Access Request is available at the Information Commissioner s web site. Oppose to their details being processed for marketing purposes, this is called opting out. Every marketing message sent out must give recipients the opportunity to opt-out. When an individual opts-out of marketing, this must be acted upon immediately. 7. Personal information must be secure This includes technical, physical and organisational security. o Only those people who need to will be granted access to personal information o The IET will implement physical security measures to protect personal information o The IET will implement organisational controls to protect personal information The IET Information Security Policy should be viewed in conjunction with the Protection Policy Particular attention should be paid to: o Password Management o Secure Disposal Provision Advice on this can be obtained from the Compliance Officer. 8. Personal information must not be transferred outside the European Economic Area (EEA) unless there is adequate protection 1. o The IET can transfer personal information outside the EEA providing there are sufficient controls in place. This will most often mean that the IET will enter in a contractual relationship with a company to ensure that the data receives the same level of protection as in the UK. 4. GUIDELINES This document applies to: Personal information which is data relating to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the controller. And relates to: All electronically processed personal data and information contained in certain manual records. Examples of where personal information can be held: Electronic records and media, e.g. databases, files, tapes, s etc. Manual records where there is evidence of a structured filing system; such as personnel files, member & customer files, training records, card indexes and paper lists of customer contracts s and voic s where the focus is on an individual CCTV recordings, video and photo s All volunteers dealing directly with personal information will be required to take part in training relating to the Protection Act, included in volunteer induction and refresher training. Personal information must only be processed in accordance with IET instructions and procedures. 1 Countries in the European Economic Area and deemed as having adequate protection are listed at Appendix A Version 3.0 Page 4 of 10

5 may only be used for the IET s business and for the purpose for which it has been compiled. Personal information should be protected in accordance with the IET Information Security Policy. Users accessing IET data over the web should log out of the secure site as soon as their query has been completed. No personal information held by, or on behalf of, the IET should be sold or inappropriately disclosed to a third party. Prior to the collection of personal information or the deployment of a process, system, service or application etc. which involves using personal information, a review should be held to determine: (a) (b) (c) (d) (e) (f) (g) (h) what personal information is to be collected, and its sensitivity; why this personal information is required the purpose ; the amount of personal information required to be collected; the retention period to keep the personal information; how the information (in electronic form and hardcopy) will be protected; where the information will be held (electronic & physical location); who will have access; the process by which the information will be disclosed in the event of a Subject Access Request. (see for details). For further information please contact the Compliance Officer. Any volunteer storing personal information on behalf of the IET is responsible for ensuring adequate controls are in place for its protection. All data must be encrypted and/or password protected before it is transferred. All devices used to store and transfer data (such as laptops or USB memory sticks) must be encrypted. Any new purposes for collecting data should be communicated to the IET Compliance Officer. Personal information should be held with an indication as to the date of its collection or modification and review or deletion. The collection and processing of sensitive personal information (e.g. racial or ethnic origin, health, political views, religious beliefs, trade union membership etc.) requires very strict controls. Sensitive personal information should only be collected with the explicit consent of the individual it pertains to, and should not be collected without prior authorisation from the IET Compliance Officer. All external requests for disclosure by the individual whose data it is (Subject Access Requests, police enquiries etc.) should be forwarded to the IET Compliance Officer, who will coordinate and collate the response. Volunteers must submit all details of IET members, prospective members, event delegates and any other individual who has disclosed their contact (and other) details in connection with the IET whenever requested by the Compliance Officer. This instruction takes precedence over all other guidelines. transfer will be compliant with the data protection laws of the country of collection. Version 3.0 Page 5 of 10

6 5. RESPONSIBILITIES Where relevant, all volunteer role descriptions should contain a statement clearly defining their responsibilities to safeguard data. The IET will obtain and maintain all necessary data protection notifications, keep its notifications current and under regular review, and ensure that all necessary amendments are promptly made. The public register can be searched here: The IET will ensure that its practices relating to the holding, use and disclosure of personal information are always in accordance with its data protection notification. The IET Compliance Officer is responsible for the IET interaction with the Information Commissioner s Office and overseeing the IET data protection governance process. Contact with the ICO should always be with the prior knowledge of the Compliance Officer. Regular self-assessments of IET volunteer activities should be carried out to check compliance to the Protection Policy and related policies. Reports on the status of compliance will be reported to the Board of Trustees. Clear guidance should be set on the retention period for personal information and the period it is available to process for a particular purpose. For example, in the case of mailing labels provided by the IET, these should be used within ten days and then deleted. A fresh dataset should be requested for each subsequent mailing. Or, in the case of candidate applications for Registration, data should be held only from the point of receipt of a candidate application to completion of the process. Should the candidate appeal, IET staff will resend the necessary information. Volunteers should ensure the safe removal of personal information from all files and systems. The Compliance Officer will ensure that any request for transfer of data outside the volunteer s country of residence or country of data collection will be compliant with data protection laws of the respective country. If there is any doubt about the requirements of this Protection Policy and guidelines, volunteers should seek advice from the IET Compliance Officer. Version 3.0 Page 6 of 10

7 6. APPENDIX A: Countries with adequate protection to comply with the UK Protection Act 1998 Countries in the European Economic Area (EEA) Austria Belgium Bulgaria Cyprus Czech Republic Denmark Estonia Finland France Germany Greece Hungary Iceland Latvia Liechtenstein Lithuania Luxembourg Malta Netherlands Norway Poland Portugal Romania Slovakia Slovenia Spain Sweden Ireland Countries outside the EEA deemed to have adequate protection to comply with the UK Protection Act 1998: Andorra Argentina Canada Faroe Islands Guernsey Isle of Man Jersey Switzerland Version 3.0 Page 7 of 10

8 7. DEFINITIONS Term Consent Implied (Implicit) & Explicit Cookies collection from minors Controller Processor Definition Consent is one of the conditions under which personal information may be processed. See processing. The majority of the IET s processing activities are as a result of the data subject implicitly or explicitly giving consent. For example, a caller requesting information or giving feedback about the IET will implicitly expect their name address and or contact details to be processed in order to address their call. The caller might not expect information relating to their age or occupation to be requested. If it is required, there may need to be an explanation as to why this information is necessary whereupon the caller may consent to the information to be used. Date of birth may be used to distinguish between two individuals of the same name living at the same address. This may need to be explained. For example, an online registration is where information will be collected with explicit consent i.e. the individual registering is freely giving the IET personal information. The IET must still ensure that the request for information is not excessive. Only request sufficient information to enable the IET to maintain a relationship with the individual in order to provide the service that is being offered. Cookies are small pieces of text that a Web site can store on your computer and recover later to identify users and track data relating to them when they are visiting a web site. They are also used to identify whether you have visited that site before and if so recall the information about you already collected and stored. The IET Cookies statement is available here. Personal information must only be collected from minors with the explicit and verifiable consent of the minor s guardian / parent unless the minor is aged 16 years or over, the information is restricted to that necessary to enable the minor to be sent further but limited on-line communications and it is clear that the minor understands what is involved. Information about the minor s parents or guardian may not be collected. This is the IET as an organisation. It is responsible for the personal information it controls. Where the IET processes personal information on behalf of another organisation, there should be clear guidance, given in writing to the IET (the data processor ), regarding the purpose of use of the data and how it is to be processed. The IET will offer the same safeguards as though it were the controller of the data. Similarly, where the IET contracts a third party to perform a function on its behalf then the third party is a data processor. The IET is still obligated under the Protection Act. Version 3.0 Page 8 of 10

9 Term Protection notification Compliance Officer Subject Information Commissioner Definition The Protection Act 1998 requires every data controller who is processing personal information to provide a description of the type of processing of personal information the notification to the Information Commissioner unless they are exempt. The IET s registration is held in a public register and may be viewed at Having registered, the IET must ensure its processing does not deviate from its notification or update the notification. If a required purpose of use is outside the current notification, the notification must be updated. Contact the Compliance Officer to facilitate a timely update. The individual within the organisation with responsibility to oversee compliance and liaise with the Information Commissioner s office. This is the Compliance Officer. They can be contacted using the following address: compliance@theiet.org and telephone number: A living individual, who is the subject of the personal information. Where information is held about an individual because of their official business capacity - i.e., information about a Manager of an organisation; their name, company name, work address; contact details in most cases, the individual is not regarded as a Subject. The exception to this rule is where the individual is a sole trader or partnership. The Information Commissioner enforces and oversees the Protection Act 1998 (DPA) and the Freedom of Information Act 2000 (FOI). The Commissioner is a UK independent supervisory authority reporting directly to the UK Parliament and has an international role as well as a national one. The Information Commissioner s Office is very helpful. In the event of a query or inappropriate disclosure, it is good practice to contact the Information Commissioner s office and seek their advice. Such contact will be arranged via the Compliance Officer. More specific contact information is available on the Commissioner s web site Personal information Information that uniquely locates or identifies an individual by distinguishing him or her from others. Includes an individual s name, address, address, home or mobile phone number, age, date of birth, education, qualifications and sensitive data (see definition below). IET comments about, or plans for, an individual are also included. In the on-line world, personal information include profile information collected about an individual by tracking systems, such as those that use cookies. The IET holds personal information about employees, members, non-members and various other stakeholder individuals. Where information is held about an individual because of their official capacity - i.e., information about a Manager of an organisation; their name, company name, work address; contact details this is not classed as personal information. By comparison, data collected about an individual, say Joe Smith, such as his job title and company of employment is classed as personal information. Version 3.0 Page 9 of 10

10 Term Processing Definition Processing is defined in the widest sense. This includes collecting, recording, storing, reading, modifying, using, transmitting, transferring, disclosing, archiving and deleting. A data subject s personal information may only be processed by the IET if one of the following conditions are met: the individual has consented to the processing; processing is necessary for the performance of a contract with the individual, or start negotiating a contract; processing is required under a legal obligation, other than a contractual one; processing is necessary to protect the vital interests of the individual; processing is necessary to carry out public functions, e.g., administration of justice; processing is necessary in order to pursue the legitimate interests of the IET or third parties and is not unfair to the individual; The majority of the IET s processing activities are as a result of the first two criteria. Purpose of Use Sensitive Statistical or Anonymised Subject Access Request The stated organisational activities for which the personal information are, or will be used, as decided by the IET. Refer to Direct Marketing Policy & Guidelines for standard wording to be used on all forms collecting personal information. Sensitive personal information includes, but is not limited to, racial or ethnic origin, health, political views, religious beliefs, sexual life, trade union membership etc. Although financial data is not covered by the Act, it is recommended that this is treated as sensitive data. Sensitive data may only be collected with explicit consent. Statistical data (or anonymised data) is where the identity of an individual has been removed such that processing beyond that described in the purpose for use may occur. Care should still be taken when processing statistical data because the IET may still keep the source data, and therefore may retain the capability to subsequently identify the individuals from the anonymised data. An individual has a right to see a copy of the personal information the IET holds about them, including duplicate copies where there may be, unintended, discrepancies in the data. The IET is required to respond within 40 days of receipt of the request and sufficient information to identify the individual. More information about compliance to a Subject Access Request is available at the Information Commissioner s web site. All subject access requests must be notified to the Compliance Officer as soon as it is received. Version 3.0 Page 10 of 10