1.0 Policy Summary
TCNOGA UK processes a high volume of personal data relating to its workforce and stakeholders (known collectively as data subjects). External third parties also process such personal data on behalf of TCNOGA UK. TCNOGA UK has a legal duty under data protection law to ensure the privacy of all data subjects by ensuring that their personal data is protected against unauthorized or unlawful processing and against accidental disclosure, loss, destruction or damage. All individuals and organizations that process personal data for or on behalf of TCNOGA UK are expected to comply with TCNOGA UK data protection policies and procedures.
This policy outlines TCNOGA UK's commitment to the aims of data protection law and best practice. Compliance with this policy will therefore help avoid and mitigate data protection breaches by any individuals and organizations who process personal data for or on behalf of TCNOGA UK.
This policy applies to all individuals and organizations who process personal data for or on behalf of TCNOGA UK. This includes the workforce (i.e. employees, casual workers, agency workers and contractors), stakeholders (such as Members) as well as external third parties (for example, suppliers to TCNOGA UK such as auditors). To that end, this policy applies (a) where TCNOGA UK is the Data Controller and/or Joint Data Controller, and (b) where an external third party is the Data Processor and/or Joint Data Controller. This policy has contractual status. Practical guidance is detailed in the Data Protection procedure.
4.0 Types of data
Personal data is information which relates to a living person who can be identified from that data on its own, or when that data is taken together with other information (for example, name, address and date of birth). It also includes any expression of opinion about that person and any indication of TCNOGA UK's or others' intentions in respect of that person. It does not include anonymised data.
Special category data is a type of personal data which is more sensitive than other personal data and which therefore requires additional protection. Special category data includes information about: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic or biometric data; health; sex life and sexual orientation; and criminal convictions and offences.
TCNOGA UK is committed to achieving a high standard of data protection for all personal data and special category data. (Both types of data are collectively referred to as “personal data” in the rest of this document unless specified otherwise).
All personal data will be processed in accordance with six ‘Data Protection Principles’ outlined in data protection law.
As such, all personal data will:
5.1 be processed fairly, lawfully and transparently;
5.2 be collected and processed only for specified, explicit and legitimate purposes;
5.3 be adequate, relevant and limited to what is necessary for the purposes for which it is processed;
5.4 be accurate and kept up to date. Any inaccurate data will be deleted or rectified without delay;
5.5 processed; and
5.6 be processed securely.
TCNOGA UK will comply with these principles and will implement processes and practices that demonstrate compliance with them. Such compliance will also ensure that data subjects' rights (see below) are upheld.
6.0 Data subject rights
Data protection law gives data subjects certain rights in respect of their personal data. Data subjects therefore have the right:
6.1 to be informed how their personal data will be processed (for example, via accessible privacy notices – see below) in language which is plain, concise, transparent and intelligible;
6.2 of access to their personal data;
6.3 to rectify their personal data if it is incorrect or incomplete;
6.4 to erase their personal data;
6.5 to restrict the processing of their personal data;
6.6 to be given their personal data in a portable form to be able to reuse their personal data for their own purposes across different services;
6.7 to object to the processing of their personal data;
6.8 not to be subject to automated decision making (i.e. where decisions are made solely by automated means and without any human involvement).
Some of these rights are not absolute and therefore will not automatically apply when a data subject seeks to exercise them. TCNOGA UK will implement procedures to facilitate the exercise of these rights by data subjects, although TCNOGA UK will give written reasons if it believes that any given right does not apply.
TCNOGA UK will implement appropriate technical and organizational measures to ensure compliance with data protection law and also to prove such compliance. These include:
7.1 producing clear, comprehensive data protection and data security policies and procedures;
7.2 implementing data protection by design so as to pre-empt data protection breaches using Data Protection Impact Assessments where appropriate;
7.3 putting written agreements in place with external third parties who act in the capacities of Data Processors or Data Controllers and/or Joint Data Controllers;
7.4 maintaining documentation of processing activities;
7.5 implementing appropriate cyber and IT security measures;
7.6 recording, and where necessary, reporting data breaches;
7.7 appointing a Data Protection Officer;
7.8 providing data protection training; and
7.9 writing privacy notices (which, among other things, explain to data subjects how TCNOGA UK will process and protect their personal data).
8.1 Board and Company Directors
The Board and company directors have overall responsibility for ensuring that the organization complies with its legal obligations.
8.2 Data Protection Officer
The Data Protection Officer occupies an important place in the governance of data protection in TCNOGA UK. The duties include:
Informing and advising the Board and staff of their obligations under data protection law and other related legislation;
Monitoring compliance with data protection law and with our data protection policies, including internal data protection activities, raising awareness of data protection issues, training staff and conducting internal audits;
Advising on and monitoring Data Protection Impact Assessments; and
Acting as the first point of contact for the Information Commissioner's Office (ICO), including the reporting of breaches.
8.3 The workforce (i.e. employees, casual workers, agency workers and contractors)
Any member of the workforce who processes personal data will abide by this policy so as to ensure that any personal data with which they work is protected.
8.4 Stakeholders (such as Members)
Any stakeholder who processes personal data will abide by this policy so as to ensure that any personal data with which they work is protected.
Approved by: Executive Committee: Sarah Kayanja
Policy Owner: Data Protection Officer under the TCNOGA UK Secretariat
Next Review Date: September 2020
Definitions and Abbreviations:
Data Controller: the individual or organization which determines the purpose for which, and the manner in which, personal data is processed.
Data Processor: the individual or organization which processes personal data on behalf of a Data Controller.
Joint Data Controller: the individuals or organizations who jointly determine the purposes for which, and the manner in which, personal data is processed.
Processing: subjecting personal data to any form of activity (including collecting, storing, analyzing, transferring, archiving or destroying).