Note: “Lodge” means any property or premises of White Eagle Lodge.
The Data Protection Act 2018 (DPA 2018) establishes a framework of rights and duties which safeguard personal data. Personal data is information about a living individual who can be identified from the data. This framework balances the legitimate needs of organisations to collect and use personal data for business and other purposes against the right of individuals to respect for the privacy of their personal details.
The White Eagle Lodge is committed to protecting the privacy of individuals and handles all personal data in a manner that complies with the DPA 2018. The Lodge has established the following policy to support this commitment. It is the personal responsibility of all employees, contractors, volunteers, agents and anyone else processing information on our behalf to comply with this policy. This policy continues to apply to employees and individuals, even after their relationship with the Lodge ends.
Any deliberate breach of this policy could amount to a criminal offence under one or more pieces of legislation, for example the Computer Misuse Act 1990 and the DPA 2018. All incidents will be investigated and action may be taken under the Lodge’s formal disciplinary procedure. A serious breach of this policy could be regarded as gross misconduct and may lead to dismissal and/or criminal action being taken.
This policy explains what our expectations are when processing personal data. This policy should be read alongside the IT Policy which can be found in the Employee Handbook.
1.0 Data protection principles
1.1 The DPA 2018 is underpinned by a set of six common-sense principles, which must be adhered to whenever personal data is processed. Processing includes obtaining, recording, using and holding, disclosing and deleting personal data.
A summary of the data protection principles is as follows. Personal data must be:
a) Processed lawfully, fairly and in a transparent manner in relation to individuals,
b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes,
c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed,
d) Accurate and where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay,
e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, subject to implementation of the appropriate technical and organisational measures required by the General Data Protection Regulation (GDPR) in order to safeguard the rights and freedoms of individuals, and
f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
2.0 Access and use of personal data
2.1 Access and use of personal data held by the Lodge is only permitted by employees (temporary or permanent), members, contractors, agents and anyone else processing information on our behalf, for the purpose of carrying out their official duties. Use for any other purpose is prohibited.
2.2 Deliberate unauthorised access to, copying, disclosure, destruction or alteration of, or interference with any computer equipment or data is strictly forbidden and may constitute a criminal and/or a disciplinary offence.
2.3 It is an offence under Section 170 (1) of the Data Protection Act for any person to knowingly or recklessly obtain, procure or disclose personal data without the permission of the Data Controller, subject to certain exceptions.
2.4 It is also an offence for someone to sell or offer to sell personal data which has been obtained in contravention of Section 170 (4). Full details of this offence can be found under Section 170 of the Data Protection Act 2018.
3.0 Collecting personal data
3.1 When personal data is collected, for example on a questionnaire, survey or a form, the data subject (that is to say the person who the information is about) must be told, unless this is obvious to them, which organisation(s) they are giving their information to; what their information will be used for; who it may be shared with; and anything else that might be relevant, e.g. the consequences of that use. This is known as a Privacy Notice.
3.2 A person’s name and other identifying information should not be collected where depersonalised (anonymous) information would suffice. Personal data collected must be adequate, relevant and not excessive for the purpose of the collection.
3.3 If the information is collected for one purpose, it cannot subsequently be used for a different and unconnected purpose without the data subject’s consent (unless there is another lawful basis for using the information; see section 4 below). It must be made clear to the data subject at the time the information is collected what other purposes their information may be used for.
4.0 Lawful basis for processing
4.1 The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply where personal data is processed.
a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
b) Contract: the processing is necessary for a contract you have with the individual or because they have asked you to take specific steps before entering into a contract.
c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
d) Vital Interests: the processing is necessary to protect someone’s life.
e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions and the task or function has a clear basis in law.
f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
4.2 Article 9 of the DPA 2018 defines ‘sensitive’ personal data as information relating to a person’s racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, and the processing of genetic data and biometric data for the purpose of uniquely identifying a natural person. Processing of data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
5.0 Disclosing personal data
5.1 Personal data must not be disclosed to anyone internally or externally unless the person disclosing the information is fully satisfied that the enquirer or recipient is authorised in all respects and is legally entitled to the information.
5.2 If information sharing agreements or protocols exist, these should be adhered to.
5.3 In response to any lawful request only the minimum amount of personal information should be disclosed. The person disclosing the information should ensure that the information is adequate for the purpose of the disclosure, relevant and not excessive.
5.4 When personal data is disclosed internally or externally, it must be disclosed in a secure manner.
6.0 Accuracy and relevance
6.1 It is the responsibility of those who receive personal information to ensure, so far as possible, that it is accurate and up to date. Personal information should be checked at annual intervals to ensure that it is still accurate. If the information is found to be inaccurate steps must be taken to rectify it. Individuals who input or update information must also ensure that it is adequate, relevant, unambiguous and professionally worded. Data subjects have a right to access personal data held about them and have inaccuracies corrected. More information about a data subject’s rights can be found in Section 8 below.
7.0 Retention and disposal of data
7.1 The Lodge holds a large amount of information. The DPA 2018 requires that we do not keep personal data for any longer than is necessary. Personal data should be checked at regular intervals and deleted or destroyed when it is no longer needed, provided there is no legal or other reason for holding it.
7.2 Ensure data is disposed of responsibly; personal records on paper should be shredded or burnt.
8.0 Individual’s rights
8.1 Individuals have several rights under the DPA 2018. These include the right to access personal data held about them (this is known as Subject Access); the right to prevent their information being used in a way which is likely to cause damage or distress; the right to compensation for any damages as a result of their information not being handled in accordance with the DPA 2018; and the right to have inaccurate or misleading information held about them corrected or destroyed.
8.2 It is particularly important that, if a person has made a Subject Access request, it is forwarded to the Data Controller immediately.
9.0 Reporting security incidents
9.1 The Lodge has a responsibility to monitor all incidents that occur within the organisation that may breach the security and/or the confidentiality of its information. All incidents need to be identified, reported, investigated and monitored. All incidents are to be reported to the Data Controller.
9.2 In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Lodge shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the Information Commissioner’s Office (ICO).