GENERAL DATA PROTECTION REGULATIONS POLICY (GDPR)
Policy Statement & Introduction
The In4Wood Project is committed to ensuring that it remains compliant at all times with its legal obligations and responsibilities under the Data Protection Act (DPA) 1998 and the General Data Protection Regulations (GDPR). Data protection concerns personal data, i.e. information from which an individual can be identified. This includes data held on electronic systems and hard copies.
The In4Wood Project is a collaborative project, part funded by the EU Commission’s ErasmusPlus programme.
In order to achieve its project ambitions and deliver the project, In4Wood has to collect and make use of personal information about users of its online system. In4Wood is committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data.
Scope
This policy is applicable to all personal data/information processed by In4Wood or for In4Wood purposes. It will apply to all staff, partner organisations, consultants or agents performing work for or on behalf of the business.
Responsibility
The In4Wood Project’s Project Manager has overall responsibility for ensuring that this policy is implemented. These responsibilities are shown at Annex 1.
Updates
From time to time we will make changes to this Privacy Policy, for example, as the result of government regulation, new technologies, or other developments in data protection laws or privacy generally. You should check our website periodically to view the most up-to-date Privacy Policy. This Privacy Policy was last updated on 16th June 2019.
WHAT THIS POLICY COVERS AND HOW IT WILL BE IMPLEMENTED
Compliance with the Principles of the GDPR
The In4Wood Project collects the minimum amount of data and processes this fairly and lawfully.
The following candidate data is collected via the database for the purposes of registration, certification and reporting:
Student ID
Student surname
Student forename
Student email address
Student avatar
Date registered for the training
Issue date of Certificate
Training /test results
Other personal data held, includes:
Data that the platform can gather
- IP Address
- Social Network ID and session token ( if user makes social login )
- Google analytics
For the cookies
- Google analytics
Obtains data only for specified and lawful purposes, and processes this for the purposes for which it was obtained, and for which the individual has agreed.
Data is used to enable the company to manage the operations of In4Wood including training delivery and quality assurance of these through approved centres. Data is also used to enable the registration and certification of candidates, including the production of replacement certificates where required.
Collects data that it is relevant, adequate, and of proportionate.
The minimum amount of data is collected to enable In4Wood to operate and to register and certificate candidates and to produce reports for management and the regulatory bodies.
Contacts details include name, address, telephone number(s) and email address.
Makes every effort to ensure that data held is kept up-to-date with regularly reviews of data held and cleansing of databases.
Contacts details will be reviewed periodically and all contacts required to verify that the information held is accurate. This excludes candidates as the data obtained is not ordinarily subject to change (address is not collected).
Keeps under review the length of time data is kept for, storing data for specific purposes only and not keeping for longer than deemed necessary
Data is retained as long as it serves the function for which it was obtained.
Candidate data is retained indefinitely for the purposes of replacement certificates, or verification of achievement
Data that is no longer required is shredded confidentially/deleted from the database.
Ensures that individuals are aware of the purposes of processing data supplied by them.
Centres collecting for the purposes of registration and certification are required to inform candidates of how the data supplied will be used.
Ensures that electronic systems that store data are secure and restricting access to these.
Data is stored securely.
Does not to transfer data to any country or territory outside of the European Economic Area.
Transfer of data is restricted.
Training
Training on data protection aspects will be provided as necessary and as appropriate either using internal or external facilitation.
Related Information
Within this policy statement there are references to other related policies and procedures which include:
Internet and Email Use Policy
The Information Commissioner’s Website http://www.ico.gov.uk
All individuals that work for or with The In4Wood Project have a responsibility to abide by this policy and associated procedures.
Disciplinary action may be taken against staff in breach of data protection policy in line with HR Policy.
If staff have queries on obligations under the Data Protection Act please direct them to the Project Manager in the first instance for advice.
4.2 Privacy Notices
The GDPR includes rules on giving privacy information to data subjects. These are more detailed and specific than in the Data Protection Act (DPA) and place an emphasis on making privacy notices understandable and accessible. The information that The In4Wood Project provides about processing date is therefore:
Concise, transparent, intelligible and easily accessible
Written in clear and plain language, particularly if addressed to a child
Free of charge.
The In4Wood Project complies with the GDPR requirements by ensuring our privacy statement includes:
Identity and contact details of The In4Wood Project Manager
Purpose of the processing and the lawful basis for the processing
The legitimate interests of The In4Wood Project or third party, where applicable
Categories of personal data/ any recipient or categories of recipients of the personal data
Details of transfers to third country and safeguards
Retention period or criteria used to determine the retention period
The existence of each of data subject’s rights
The right to withdraw consent at any time, where relevant
The right to lodge a complaint with a supervisory authority
The source the personal data originates from and whether it came from publicly accessible sources
Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data
The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences
See Annex 2. The In4Wood Project identify the legal basis for processing personal data before any processing operations take place by clearly establishing, defining and documenting the specific purpose of processing the personal data and the legal basis to process the data under:
consent obtained from the data subject;
performance of a contract where the data subject is a party;
legal obligation that The In4Wood Project is required to meet;
protect the vital interests of the data subject, including the protection of rights and freedoms;
official authority of The In4Wood Project or to carry out the processing that is in the public interest;
necessary for the legitimate interests of the data controller or third party, unless the processing is overridden by the vital interests, including rights and freedoms;
national law.
Any special categories of personal data processed and the legal basis to process the data under:
explicit consent obtained from the data subject;
necessary for employment rights or obligations;
protect the vital interests of the data subject, including the protection of rights and freedoms;
necessary for the legitimate activities with appropriate safeguards;
personal data made public by the data subject;
legal claims;
substantial public interest;
preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, provision of health or social care treatment, or management of health and social care systems and services, under the basis that appropriate contracts with health professionals and safeguards are in place;
public health, ensuring appropriate safeguards are in place for the protection of rights and freedoms of the data subject, or professional secrecy;
national laws in terms of processing genetic, biometric or health data.
The In4Wood Project record this information in line with its data protection impact assessment.
When personal data is collected from data subjects with consent The In4Wood Project is transparent in its processing of personal data and provides the data subject with the following:
The In4Wood Project identity, and contact details of the In4Wood Project Manager
The purpose(s), including legal basis, for the intended processing of personal data
Potential recipients of personal data;
Any information regarding the intention to disclose personal data to third parties. In such circumstances, The In4Wood Project will provide information on the safeguards in place
Any information on website technologies used to collect personal data about the data subject;
Any other information required to demonstrate that the processing is fair and transparent.
When personal data has been obtained from a source other than the data subject The In4Wood Project makes clear the types of information collected as well as the source of the personal data and provides the data subject with:
The purpose(s), including legal basis, for the intended processing of personal data;
Categories of personal data;
Potential recipients of personal data;
Any information regarding disclosing personal data to third parties – The In4Wood Project will provide information on the safeguards in place;
Any other information required to demonstrate that the processing is fair and transparent.
Privacy notice for this personal data processing is recorded.
4.2 Data security breach
Every care is taken to protect personal data from incidents (either accidentally or deliberately) to avoid a data protection breach that could compromise security. Notification of a personal data breach will be made by the Project Manager.
Data security breaches include both confirmed and suspected incidents. An incident is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately and has caused or has the potential to cause damage to In4Wood’s information assets and/or reputation. An incident includes but is not restricted to, the following:
|
Technical |
Data Corruption; Malware; Corrupt Code; Hacking |
|
Physical |
Loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, iPad/tablet device, or paper record); Equipment theft or failure; Unescorted visitors in secure areas; Break-ins to sites; Thefts from secure sites; Loss in transit/post; Website defacement; Unforeseen circumstances such as a fire or flood. |
|
Human Resources |
Data Input errors; Non-secure disposal of hardware or paperwork; Inappropriate sharing; Attempts (failed or successful) to gain unauthorised access to information or IT system(s); Unauthorised disclosure of sensitive / confidential data; ‘Blagging’ offences where information is obtained by deceiving the organisation who holds it. |
The In4Wood Project will notify data subjects of any breach that may affect them. Notification will include a description of how and when the breach occurred, and the data involved. Clear advice will be given on what they can do to protect themselves and include what action has already been taken to mitigate the risks.
4.3 Data Portability
The In4Wood Project informs data subjects of the existence of the new right to portability at the time where personal data is obtained. Data subjects may exercise their right to data portability and apply to The In4Wood Project to receive their data in order to reuse or transfer it to other data controllers. Data subjects are entitled to ask:
For a copy of the personal data they have provided to The In4Wood Project
For The In4Wood Project to transmit the data to another data controller
Within this scope is any personal data concerning the data subject that:
he/she has provided to the data controller knowingly and actively, or through observations of his/her activities by virtue of the service of The In4Wood Project; and
has been processed through automated means; and
has been processed on the basis of the data subject’s consent or a contract to which the data subject is a party.
This procedure will most commonly be used when transmitting data directly to another data controller. This procedure also applies to circumstances when The In4Wood Project is the “receiving data controller”.
The In4Wood Project (as data controller/data processor) is responsible for transmitting the data without hindrance and ensure that it is transmitted with the appropriate level of security with encryption.
Any request is forwarded to the Project Manager to ensure that the requested data is provided/transmitted within the timeframe.
Where the data requested concerns a third party(ies), the Project Manager reviews whether or not transmitting data to another data controller would cause harm to the rights and freedoms of other data subjects. The data subject identifies the personal data that is to be transmitted or provided for their own use. The Project Manager maintains a record of requests for data and of its receipt. In4Wood has set safeguards that ensure the personal data transmitted are only those that the data subject has requested to be transmitted.
The In4Wood Project seek to provide the requested information within one month from the request date. If the request is complex, In4Wood can extend this time frame to (maximum) three months. In4Wood inform the data subject of any reasons for the delay.
The In4Wood Project do not by default accept and process personal data received from another data controller following a personal data request nor does it retain all the data received. The In4Wood Project only accept and retains data that is necessary and relevant to the service being provided.
4.3 Requests for information
Individuals are entitled to make requests to In4Wood for copies of any information held about them. This is called a ‘subject access request’. The In4Wood Project will consider the request in accordance with the ICO publication ‘Subject Access Code of Practice’ (2014).
Information will be supplied where:
a request in writing has been made
the data can be located
the identity of the applicant can be validated
In4Wood will respond within 40 calendar days.
If In4Wood fails to act on a data subject’s access request within the appropriate timeframe, or refuses the request, it sets out the reasons it took no action/refusal.
4.4 Monitoring
The implementation of this policy is monitored though internal audits as described in In4Wood’s Audit Policy and Audit Procedure. This includes the development of an Audit Plan to include Privacy Audits with the objective to ensure compliance with the General Data Protection Regulations (GPDR).
4.4 Complaints
Data subjects have the right to make a complaint to IN4WOOD relating to the processing of their personal data, In4Wood’s handling of requests from data subjects. Complaints should be directed to In4Wood’s Project Manager whose contact details are published on its website.
The Project Manager logs all complaints relating to data protection matters and is responsible for their resolution.
Data subjects have the right to complain direct to the Information Commissioners Office (ICO).
ANNEX 1: GDPR JOB PROFILE
MAIN PURPOSE
To drive compliance with the EU General Data Protection Regulation (GDPR) and ensure ongoing compliance of all core activities for In4Wood. May form part of other roles.
POSITION
The Project Manager also conforms as the Data Protection Officer, note that Article 24(1) states that data protection compliance is a corporate responsibility of the data controller, not of the Data Protection Officer / Project Manager.
RESPONSIBILITIES
The Project Manager will maintain expert knowledge of data protection law and practices to ensure that The In4Wood Project comply with the requirements of the GDPR.
The Project Manager:
must inform and advise on the protection of personal data in relation to the GDPR and law(s) and regulations
will ensure that documentation to demonstrate compliance with the GDPR such as policies and procedures are kept up to date
will plan and schedule data processing audits regularly, monitoring core activities to ensure they comply with the GDPR
is the main contact point for employees and will liaise with all members of staff on matters of data protection
Key tasks of the Project Manager:
To inform and advise all members of staff on their obligation to adhere to the GDPR and law(s) when dealing with personal data.
To monitor compliance with the GDPR and law(s).
Advise and inform on the data protection impact assessment (DPIA)
Liaise and cooperate with the supervisory authority
To contribute to the development and maintenance of all IN4WOOD data protection policies, procedures and processes
Ensure training is available and delivered to staff
Regularly monitor compliance with the GDPR and data protection law(s) by ensuring audits of processes relating to personal data
To be the point of contact for data subjects with regard to the processing of their personal data
To develop/advise on formal procedures for reporting incidents and investigations
To contribute to the business continuity and disaster recovery planning process.
Work with information asset owners to ascertain the extent to which personal data is collected, held and/or used in The In4Wood Project and that it is properly controlled and safeguarded from loss of confidentiality, integrity or availability from any cause.
To ensure that records of the processing are kept by The In4Wood Project
To advise the controller of its obligation to issue privacy notices to data subjects at the point of collection of their personal data
To identify and test the controls and, where appropriate, to suggest additional controls, which may be established to maintain the confidentiality, integrity and availability of personal data.
The Project Manager is authorised to have access to all In4Wood systems relating to the collection, processing and storage of personal data for the purpose of assessing the use and security of personal data.
PROJECT MANAGER RATIONALE
|
Mandatory requirements for a DPO |
Y/N |
Comments |
|
Is processing carried out by a public authority or body, (not courts)? Is processing carried out by a court, but not in relation to the court’s judicial capacity (e.g. courts processing personal data in their capacity as an employer)? |
NO NO |
If yes, a DPO is required |
|
Are you a national, regional or local authority? |
||
|
Do you carry out tasks on behalf of the public that are governed by public or private law in sectors such as: - public transport services - water and energy supply - road infrastructure - public service broadcasting - public housing - disciplinary bodies for regulated professions |
NO |
|
|
Do the core activities of organisation name (controller or processor) consist of data processing operations? Do these activities require regular and systematic monitoring of data subjects on a large scale? |
NO |
If yes, a DPO is required |
|
Are these activities performed at particular intervals for a particular period? |
||
|
Do they recur or are they repeated at fixed times? |
||
|
Do they constantly or periodically take place? |
||
|
Do they occur according to a systematic approach? |
||
|
Are they pre-arranged, organised or methodological? |
||
|
Are they part of a general plan for data collection? |
||
|
Are they carried our as part of a strategy? |
||
|
Do you conduct large-scale processing operations of special categories of data, or of personal data relating to criminal convictions and offences or related security measures? |
NO |
If yes, a DPO is required |
|
How many data subjects are concerned? |
||
|
What is the volume of data being processed? |
||
|
What is the range of different data being processed? |
||
|
How long is the data processing activity? |
||
|
What is the permanence of the data processing activity? |
||
|
Does the data processed contain special categories such as: - Racial or ethnic origin - Political opinions - Religious or philosophical beliefs - Trade-union memberships - Genetic data - Biometric data - Health - Sexual orientation - Criminal convictions and offences - Security measures related to criminal convictions |
||
|
Voluntary designation of a DPO * in addition to the above requirements |
Y/N |
Comments |
|
Have you considered the nature and scope of the processing? |
||
|
Have you considered the context and purposes of the processing? |
||
|
Have you considered the size, complexity and diversity of the processing against the business operations? |
||
|
Have these been reviewed and considered in conjunction with the acceptable level of risk to business as to whether appoint a DPO or not? |
||
|
Business justification for not designating a (DPO): |
||
|
||
ANNEX 2: PRIVACY NOTICE
Identity and contact details
If you would like to discuss anything in this privacy notice, please contact the In4Wood Project Manager.
Purpose of the processing
In4Wood take your privacy seriously and will only use your personal information to administer your account, personalise your use of the website, and to provide the products and services you have requested from us. In order for ‘users’ to use some of our online services and to respond to enquiries we need to collect and process various personal data. The personal data we collect is used to process your request for our services. All information provided will be treated as confidential and will only be used for the purpose intended. Anyone can contact IN4WOOD to correct or update personal information in our records.
What information do we collect?
The sort of information we hold student contact details. If you contact us, we may keep a record of that correspondence.
What do we use personal information for?
We may use the information we hold about you to provide you with products and services requested by you. We use candidate data to issue certificates.
Corrections/Accuracy
We will endeavour to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify In4Wood of any changes to information held about them.
The lawful basis
In4Wood will process data for the specific and lawful purpose for which it is collected and not further process the data in a manner incompatible with this purpose.
We collect and use information for general purposes where:
the data subject has given consent to the processing of his or her personal data for one or more specific purposes
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
the data subject has given explicit consent to the processing of those personal data for one or more specified purposes
Categories of personal data
We will ensure that the reason for which it collected the data originally is the only reason for which it processes those data. We will ensure that the data is adequate, relevant and not excessive in relation to the purpose for which it is processed
Personal data
We may collect ‘personal data’ relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This may include the data subjects name, identification number, location data or online identifier.
Sensitive Personal Data
We may, from time to time, be required to process sensitive personal data. Sensitive personal data include data relating to gender, race, and disability.
Disclosure to third parties
We will not sell or license your personal information to any third party. However, we may disclose your personal information:
to any member of In4Wood
contractors engaged by us to provide services on our behalf
in order to provide you with any products or services you have purchased or requested
the regulatory authorities.
Details of transfers to third country
We will not transfer your personal information to countries outside of the European Economic Area that do not have adequate data security law.
Retention period
In4Wood may retain data for differing periods of time for different purposes.
Data subject’s rights
You have the right to request access to information about you that we hold. You also have the right to:
object to processing of personal data that is likely to cause, or is causing, damage or distress
prevent processing for the purpose of direct marketing
object to decisions being taken by automated means
in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed
Any data subject wishing to access their personal data should put their request in writing to the Project Manager who will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within 40 days.
The right to withdraw consent
Withdrawal of consent shall be without effect to the lawfulness of processing based on consent before its withdrawal.
We make it easy for individuals to withdraw their consent at any time.
We act on withdrawals of consent as soon as we can.
We don’t penalise individuals who wish to withdraw consent.
You may withdraw consent at any time by putting your request in writing to the Project Manager who will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within 40 days.
The right to lodge a complaint
If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance by contacting the Project Manager.
The source the personal data
All personal information provided to us is either stored on our secure servers located in the UK, or on the secure servers of sub-contractors that we have engaged to provide services on our behalf.
Statutory or contractual requirements
We will make you aware if we need to collect data for the purpose of statutory or contractual requirements. We will keep this data and use it to enable us to run our business and manage our relationship with you effectively, lawfully and appropriately.
Websites and cookies
This section applies to anyone accessing In4Wood website. A cookie is a small file downloaded on to your device when you access In4Wood website. Cookies allow the website to recognise your device. Session cookies will remember your selections as you browse the site. These cookies are for the browsing session and not stored long term. No personal information is collected by these cookies.
Google Analytics cookies help us to make the website better for you by providing us with user statistics, for example: which pages are the most visited; how a user navigates the site. No personal information is collected by these cookies.
You may delete or control the use of cookies through your browser settings, but this may limit the functionally of the website. The site and our computer systems have security measures in place with the aim of protecting the loss, misuse or alteration of the information ‘users’ provide to us. To find out more about cookies and what cookies might be stored on your device, visit www.aboutcookies.org or www.allaboutcookies.org
