Data Protection & Information Security Policy – Overview

Last updated: 24/05/2023

Introduction

e50K regards the lawful and correct treatment of personal information as critical to its successful operations as well as maintaining confidence between e50K and those with whom it carries out business. e50K is committed to processing data in accordance with the law. Any reference herein to e50K includes e50K Consultancy Limited and e50K Communities.

Purpose

The policy has been approved by the Trustees of e50K (‘the not-for-profit’) and covers the data protection of staff, beneficiaries, customers, donors, volunteers, fundraisers and any other individual about whom e50K may collect personal data. Personal information must be handled and dealt with in accordance with procedure, regardless of how it is collected, recorded and used, and whether it is on paper, in computer records or recorded by any other means. e50K fully endorses and adheres to the principles of data protection as set out in the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR). The policy applies to all personal information collected, created or held by e50K, in whatever format, including but not limited to paper, electronic, email, microfiche and film. It is also applicable however it is stored, including ICT systems/databases, filing cabinets, shelving and personal offices – all of which are subject to control measures and security checks. Throughout the policy, terms including “staff”, “workers” and “employees” cover both paid and volunteer workers within e50K. The policy should be read in conjunction with other relevant policies, and any changes to this policy should be delivered via training and cascaded through the business with immediate effect.

Definitions

Definitions to support this policy:

• Personal Data: Defined in s(1) of the GDPR as ‘data which relates to a living individual who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of the data controller’, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other in respect of the individual.

• Data Controller: Is a legal or natural person, an agency, a public authority, or any other body who, alone or when joined with others, determines the purposes of any personal data and the means of processing it. e50K is classed as a data controller.

• Data Protection Officer: The person(s) responsible for ensuring that e50K follows its data protection policy and complies with the Data Protection Act 1998.

• Information Commissioner: The UK Information Commissioner’s Office (ICO) is responsible for implementing and overseeing the GDPR.

• Processing: Covers a broad range of activities including collecting, amending, handling, storing or disclosing personal information.

• Sensitive Personal Data: Personal data about an individual's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings. The use of sensitive personal data should be strictly controlled in accordance with the policy.

• Subject Access Request: An individual’s request for personal data under the Data Protection Act 2018.

Responsibility

The Trustees of e50K are responsible for the strategic overview of the policy including:

• Ensuring suitable and sufficient resources are provided as required and agreed in the implementation of the policy

• Controlling the development and review of the policy

The Trustees will delegate the overall responsibility for the policy to the Chief Executive Officer (CEO) who will ensure:

• Compliance with the policy

• Effective development and monitoring of the policy

The CEO will delegate responsibility to the Chief Operating Officer (SLT) for the implementation of the policy. The SLT will be the designated ‘Data Protection Officer’ and will be responsible for ensuring:

• Employees are provided training on practical data protection issues

• Questions are answered from staff and other stakeholders

• Registration with the Information Commissioner as an organisation that processes personal data

• Data is appropriately protected, and controls are put in place to prevent access by unauthorised personnel and to ensure that data is not lost, damaged or tampered with

• Data Protection Impact Assessments are completed on high-risk personal data

• Third parties that handle e50K’s data are checked/approved and any contracts or agreements regarding data processing

• The policy is fit for purpose and up to date

All members of staff who hold or collect personal data are responsible for their own compliance. All staff must ensure personal data and sensitive personal data is kept and used in accordance with the GDPR and the policy. In particular, staff must not attempt to access personal data they are not authorised to view. Failure to comply with the GDPR may result in disciplinary action under e50K’s Disciplinary Policy and Procedure. This may lead to dismissal and, in some cases, criminal proceedings.

Data Protection at e50K

Article 5 of the GDPR requires that anyone processing personal data comply with seven principles; these principles are legally enforceable. The principles require that personal information:

• Shall be processed lawfully, fairly and transparently. e50K will:

o Ensure personal data is only processed where a lawful basis applies, and where processing is otherwise lawful.

o Only process personal data fairly, and will ensure that data subjects are not misled about the purposes of any processing.

o Ensure data subjects receive full privacy information so processing of personal data is transparent.

• Shall be processed specifically, explicitly and legitimately. e50K will:


e50K shall be able to demonstrate compliance with the above, and will:

• Ensure records are kept of all personal data processing activities, and that these are provided to the Information Commissioner on request.

• Carry out a Data Protection Impact Assessment (DPIA) for any high-risk personal data processing, and consult the Information Commissioner if appropriate.

• Ensure a Data Protection Officer (DPO) is appointed to provide independent advice and monitoring of e50K’s personal data handling.

• Have in place internal processes to ensure personal data is only collected, used or handled in a way which is compliant with data protection law.

Data Protection Impact Assessment (DPIA)

The GDPR specifically identifies certain situations where a data protection impact assessment is required. A DPIA looks at high risk processing and requires the DPO to assess the necessity, lawfulness, security and risks of the processing.

A DPIA must be completed for processing that involves:

• Systematic and extensive profiling with significant effects

• Large scale use of sensitive and/or Special Category data

• Public monitoring

• New technologies

• Denial of service

• Large-scale profiling

• Biometrics

• Genetic data

• Data matching

• Invisible processing

• Targeting of children or other vulnerable individuals

• Risk of physical harm

DPIAs will then be undertaken by e50K’s DPO.

Information Security

As part of onboarding/offboarding:

• All staff will be DBS cleared upon entry into employment

• Additional checks may be requested, and paid for by clients for those working with the Consultancy business

• All staff will sign confidentiality agreements and Memorandums of Understanding

• Staff will download anti-malware/anti-virus software which best suits the age and make of the asset they will utilise

• Staff will only download agreed software. Any change process must be agreed with a line manager

Throughout employment:

• Staff will save all information to the CSA Level 2 approved cloud storage

• Staff will follow the correct classification of information as well as agreed labelling and handling (see Branding guidelines)

• Staff should ensure data is encrypted at rest and in transit, and is transferred using only secure servers

• Staff will follow agreed role-based access so that data is only viewed by those with relevant access (access limitations are cascaded down employee Grades)

• Passwords are changed at the exit of any current employee and at the end of any client project

• Staff will support the DPO with annual internal audits

• Staff are to liaise with the SLT to support the deletion of data at decision gates throughout the year. Requests for the disposal of data will be logged and actioned within 3-5 working days

• Risk is communicated to staff via Risk Assessments, which will be created at each new client onboarding

As part of onboarding/offboarding:

• At notice to terminate, a process to capture, manage, move and/or delete data is begun. This process is covered via training modules and reiterated at the notice acceptance meeting, where a programme for handover is created, including equipment and relationships/personnel data

• All staff will sign confidentiality agreements and Memorandums of Understanding

Sensitive personal data

Where e50K processes sensitive personal data, we will require the data subject's explicit consent to do this unless exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.

Third Party Partners

e50K will never sell, rent or share information with other charities or companies for marketing purposes. We may share details with trusted third-party partners if they are providing a contracted service to e50K, for example joint projects, delivering our products, developing applications, or providing secure financial transaction tools. These trusted partners will be approved by the SLT and are given restricted access at the lowest level required for their role. External clients and partners are given a defined access point, and firewalls are in place. They are also required to comply with privacy and data legislation.

Individual Rights

The GDPR allows you to access your personal information; a request for your personal information is known as a ‘Subject Access Request’. You are in control of the data e50K holds and can request details of personal data and supplementary information at any time. You have the right to have data related to you deleted at any time. You can request these details, or request to have your data deleted, by email to admin@e50K.org.uk or by writing to Data Protection Officer, e50K, Office 12 Bentalls Shopping Centre, Maldon, Essex, England, CM9 4GD.

Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, e50K shall promptly assess the risk to people’s rights and freedoms and, if appropriate, report this breach to the ICO.

Training

All staff will receive training on data protection policy and procedure. New staff will receive training as part of the induction process. Further training will be provided at least every two years or whenever there is a substantial change in the law or e50K’s policy and procedure.

Review

This policy shall be reviewed as deemed necessary or at least annually.

Signature: [NE1]

Name: Mrs Katie Jane Ankrett

Position: Director

Version: v1

Approved for Implementation: 25/05/2024

Review date: 24/05/2025