Data Protection Policy
Last updated 26th March 2020
Hope and May is committed to protecting the privacy and the security of personal data. To ensure the processing of data is lawful, Hope and May ensure they process data in accordance with the EU General Data Protection Regulation (GDPR), the Data Protection, Privacy and Electronic Communications Regulation 2019 (UK GDPR), the Privacy and Electronic Communications Regulation (PECR), The Data Protection Act 2018 and any other relevant data protection legislation.
This Data Protection policy explains the types of personal data we may process when we conduct business. It also explains how we storeand handle that data and keep it safe.
First of all, here’s a few terms we may use in this document to explain ourselves. “Personal data” is information relating to a living, identifiable individual. So, this could be anything from a postal address to a telephone number or date of birth.
“Processing” data includes various operations that may be carried out on information, including collecting, recording, organising, using,
disclosing, storing and deleting it. A “Condition for processing data” is essentially the justification for processing the data, forexample we may ask a data subject to agree for us to send marketing information, in this instance we may ask that person for Consent, but normally only if they are a sole trader or partnership. Generally, we deal with organisations and the current legislation does not require Consent (PECR) to be collected for organisation to organisation communications. However, we are committed to protecting all data and this includes the personal information of employees of organisations with which we may communicate.
The law requires us:
To process data in a lawful, fair and transparent way;
To only collect data for explicit and legitimate purposes;
To only collect data that is relevant, and limited to the purpose(s) we may have indicated;
To ensure that data is accurate and up to date;
To ensure that data is only kept as long as necessary for the purpose(s) we have indicated;
To ensure that appropriate security measures are used to protect the data.
It is likely that we will need to update this Policy from time to time, updates are published on our website and are available upon request.
Who is Hope and May?
It is an organisation that delivers advice, guidance and support services to organisations. These services relate to the legal obligations of those organisations concerning the protection of data, privacy and confidentiality. Hope and May operates across the World and is able to work with any organisation in any country.
The Purposes of Processing data
The law on data protection sets out a number of different reasons or conditions for which an organisation may collect and processpersonal data. When collecting personal data, we will always where required make a case for processing. We will process data in the organisation’s legitimate interest unless there is a legal obligation such as employment law or a contractual obligation.
Special Category Data
Hope and May does not set out to collect sensitive information about its clients or their staff, customers, supporters, beneficiaries or members. We have no need for this information. However, we are mindful that information of the type may be available to us from time to time. For example, if an organisation reveals to us a staff file, or the details of a beneficiary or service user of a charity. We do not process this data and therefore do not control it. Any observations made as part of our service are justified in our general terms and conditions of business which forms the necessary contractual understanding. We may however process this data concerning our own staff. For the avoidance of doubt, these categories of information include;
· Racial or ethnic origin;
· Political opinions;
· Religious or philosophical beliefs;
· Trade union membership.
· Genetic data;
· Biometric data (e.g. fingerprints) for the purpose of uniquely identifying someone;
· Data concerning health;
· Data concerning someone's sex life or sexual orientation.
We may process special categories of personal data of staff in the following circumstances:
With their explicit written consent; or
Where it is necessary in the substantial public interest, and further conditions are met;
Where the processing is necessary for archiving purposes in the public interest, or for scientific or historical research purposes, or statistical purposes, subject to further safeguards of fundamental rights and interests specified in law;
Where there is a legal obligation.
Further legal controls apply to data relating to criminal convictions and allegations of criminal activity. We may process such data onthe same grounds as those identified for “Special Categories” referred to above.
What data does Hope and May collects?
occasions will include, but are not limited to:
When an individual works with the Hope and May team;
When an individual visits our offices or an event is organized;
When an individual or organisation supplies good and services;
When an individual writes to us about any subject by any means;
When an individual posts, likes, follows or reply on any of our social media feeds;
When an individual’s images or vehicle number plate is recorded on our CCTV system;
When an individual or an organisation is a client of Hope and May and uses our services;
When an individual is part of an audience which Hope and May may address;
When an individual has engaged with asks us to send a communication;
When an individual accesses or engages with our website.
Hope and May collects personal data in order to manage its business and deliver its service to its clients. The data collected is most likely in electronic format but can also be in paper form.
When an individual visits our website, we may collect the IP Address, page visited, web browser, any search criteria entered, previousweb page visited and other technical information. This information is used solely for web server monitoring and to deliver the bestvisitor experienceWe may use technology such as cookies to help us deliver relevant and interesting content in our communications inthe future. We may profile individuals to find out more about them but in the least most intrusive way. We may use information wecollect to display the most interesting content on our website we may use data we hold about previous visits.
We may also collect social media usernames if data subjects interact with us through these channels in order to help us respond tocomments, questions and feedback. The data privacy laws allow this as part of our legitimate interest in understanding our audience.
For security reasons, we use all appropriate organisational and technical security controls to safeguard data.
When we interact with data subjects, we may also collect notes from conversations with them, and details of any complaints orcomments made.
Hope and May is committed to the data protection rights
There are eight important rights detailed in the GDPR and the Data Protection Act 2018. Hope and May is committed to uphold these rights. For further details please contact our offices.
Sharing data with Hope and May
Hope and May considers business to business communications to be outside of the scope of the GDPR. However, it acknowledges that some personal data may be contained in business correspondence. Hope and May publishes opt-out information in such circumstances. Any individual can ask to be forgotten and Hope and May will respect this decision unless there is a professional or legal obligation to retain such information. However, in the course of consultancy and DPO service delivery some personal information may be shared between the client and Hope and May that identify donors, volunteers, staff, (in ways not necessarily connected with business matter) and beneficiaries, members and clients (as individuals). If the sharing of data necessitates a determination or decision by Hope and May, then Hope and May will be a data controller of such information and will apply the terms of this policy when processing the data.
Whenever we collect or process personal data, we will only keep it for as long as is necessary for the purpose for which it was collected. The Information Asset Register includes retention periods and this Register will indicate the types of data concerned and clearly indicate the period it will be retained. Annual reviews will ensure that retention schedules are followed. At the end of the retentionperiod, data will either be deleted completely, put beyond use or anonymised. In some cases, personal data may be kept in perpetuity.
Your data outside the EEA
Occasionally we will need to share personal data with a third party or suppliers outside the European Economic Area (EEA). The EEAincludes all EU Member countries as well as a number of other countries that have received an Adequacy Decision from the EU Commission. We have put in place the necessary safeguards to ensure the data is protected on these occasions. These include but are not limited to, Model Clauses and data sharing agreements for both Data Processors and those that may be Joint Controllers. This section will be updated in due course in accordance with the outcome of Brexit.
Hope and May takes the GDPR seventh principle of data protection very seriously. It ensures compliance with this lawful requirement by recording events and continually documenting its compliance journey. These records include Records of Processing Activity, Events log and Breach reporting log. Hope and May reviews its data protection policies every three months or sooner where required. It is registered with the ICO as a data controller and has appointed a Data Protection Officer under reference ZA432708.
Stopping us from using your data
Although there is no strict obligation upon us to inform employees of organisations with which we are contractually delivering a business service or wish to deliver such a service about our processing of data and our processing activities that may identify them, we aim to be ethically compliant. Therefore, an individual can stop Hope and May from processing personal data that may identify them bycontacting us using the information below.
It must be remembered; some administrative communications cannot be stopped due to a legal or contractual obligation.
Complain about our processing of data
If you feel that data has been handled incorrectly by Hope and May, a complaint can be made to the Information Commissioner’s Office(ICO) which regulates the use of information in the UK.
If the organisation is based outside the UK, the complaint should be directed to the relevant data protection supervisory authority inthat Country.