Action for XP Data Privacy Policy

Adopted 10/07/22
Review date 30/06/2023

1. INTRODUCTION
1.1       Action for XP is committed to adhering to all data protection laws and protecting the rights and privacies of the individuals that Action for XP processes. The various pieces of legislation and that apply to the collection, storage and handling of personal information at the time of writing this policy are the Data Protection Act 2018, the General Data Protection Regulation (EU) 2016/679 and the Privacy and Electronic Communications Regulations 2003 (as amended and updated) and are collectively referred to in this Policy as the Data Protection Laws.
 
1.2       Action for XP will take a risk-based approach to data protection decision-making; ensuring that the requirements and intent of the Data Protection Laws are followed while making effective use of personal data to support our charitable objectives.
 
1.3       All Action for XP information that is not in the public domain should be regarded as confidential, treated in accordance with this Policy, and not divulged to unauthorised parties.
 
1.4       Definitions used in this Policy (drawn from the Data Protection Laws, where applicable):
Data Controller
Any person or organisation that makes decisions with regard to personal data, including decisions regarding the purposes for, and the way in which, personal data is processed.

Data Processor
 
Data Subject
Any person or organisation that processes personal data on behalf of a data controller.
Any living individual who can be identified by personal information held by an organisation.

Personal Data
Data relating to a living individual who can be identified from that data, such as a name, telephone number, email address and even an IP address.  It also includes:
●      information that enables you to ‘recognise’ an individual such as accents, key phrases or situations;
●      data that is likely to come into the possession of Action for XP that can be combined with other information we hold to identify an individual; and
●      any expression of opinion about the individual or any record of decisions made by Action for XP in respect of the individual.

Sensitive Personal Data
The Data Protection Laws also classify certain types of personal data as “sensitive”.  The presumption is that, because information about these matters could be used in a discriminatory way, and is likely to be of a private nature, it needs to be treated with greater care than other personal data.  Sensitive personal data is defined as personal data consisting of information about an individual’s:
●      racial or ethnic origins;
●      political opinions;
●      religious beliefs or other beliefs of a similar nature;
●      trade Union membership;
●      physical or mental health or condition;
●      sexual life; or
●      commission or alleged commission of any offence, or any proceedings for any offence committed or alleged to have been committed

Processing
Processing, in relation to personal data, means collecting, recording, storing, accessing or sharing the data or carrying out any operation or set of operations on the data.

1.5       Any questions about this Data Protection Policy should be addressed to John Roberts - Trustee. e-mail  rebecca@actionforxp.org
 
2. SCOPE OF THIS POLICY
2.1       This Data Protection Policy applies where Action for XP processes personal data as Data Controller or a Data Processor.
 
2.2       The Policy is designed to comply with UK data protection legislation.  It is acknowledged that the Republic of Ireland and the Crown Dependencies are subject to local legislation (although similar to that in the UK).
 
2.3       The requirements of this Policy will be incorporated into Action for XP operational procedures and contractual arrangements.
 
 
 
3. THE POLICY
3.1    The Data Protection Laws
 
3.1.1      The Data Protection Laws establish a framework of rights and duties which are designed to safeguard personal data.  They place legal obligations on organisations which handle personal data about individuals. 
3.1.2      The Data Protection Laws apply to electronic records (including CCTV images) and paper-based records.
3.1.3      The Privacy and Electronic Communications Regulations 2003 (PECR) give people specific privacy rights in relation to electronic communications (this refers to telephone, email, Webchat, fax and instant messaging).  It includes specific rules on ‘marketing’ calls, emails and texts. In this context ‘marketing’ includes promotional information on campaigning, fundraising activities of charities, use of cookies (and similar technologies).
3.2    The Data Protection Principles
 
3.2.1      The Data Protection Laws establish the data protection principles which govern the processing of personal data.  These state that personal data must be:
 
●      processed fairly and lawfully
●      obtained for one or more specified and lawful purposes
●      adequate, relevant and not excessive
●      accurate and up to date
●      not kept for longer than is necessary
●      processed in accordance with the rights of data subjects
●      kept securely
●      not transferred out of the European Economic Area without adequate protection
 
3.2.2      Action for XP processes personal data relating to patients and their families, volunteers, supporters, donors, and employees.
 
3.3   Registration with the ICO
 
3.3.1      Action for XP is registered as a data controller with the Information Commissioner’s Office (ICO) as required by the Data Protection Laws.
 
 
3.4   Legal Basis for Processing Personal Data
 
3.4.1      Action for XP collects and processes personal data on patients and their families, volunteers, donors, supporters, and employees as detailed in this Policy. We collect personal data on our website or in person only if it is directly provided to us by you via a web form, in writing or by telephone. We may collect the following information: your name, email address, address, telephone number, date of birth whether you identify as a patient or carer, and XP status/complementation.
 
3.4.2      Action for XP needs to collect, use, store and share certain information about patients, volunteers, donors and supporters in order to:
●     send you issues of our newsletter
●     correspond with you relating to addressing your support needs
●     to notify you of changes to our website
●     to inform you of improvements or new projects and services
The need to use patient, volunteer and donor information in these ways is through  ‘consent’ and forms ‘legitimate interest’ of Action for XP and these are the lawful basis upon which Action for XP handles personal data for these purposes. 
 
3.9  Privacy Statements
 
3.9.1      Action for XP ensures that all documentation used to collect personal data with regard to patients, volunteers, donors and employees meets the “fair collection” requirements of the Data Protection Laws.
 
3.9.2      In order to effectively signpost we host links to relevant third-party organisations and companies. We do not accept liability for third party privacy policies. If you have concerns, please refer to the individual organisations privacy policy.
 
3.9.3      We host Twitter, Facebook, LinkedIn, and YouTube buttons on our website, some of which are our own and some of which are third parties. Please be aware that by clicking these buttons you are being taken through to these sites for which we have no control nor liability.
 
3.10       Data Sharing
 
3.10.1   Action for XP will only share patient information with other organisations when requested to do so by the individual with XP or, in the case of a child under 16 years, their carer other than relates to clause 3.10.2
 
 



3.10.2   In some specific and limited cases, we may share your details with companies outside of Action for XP for the purpose of running the charity.
●      we will share data with our delivery partner if we require to send you anything by courier.
●      we will share limited data with HMRC when collection gift aid from fundraising.
●      we share data with our bank and SAGE our accounts software provider if payments are required to be made.
●      we share data on our Trustees and fundraisers with OSCR
●      we share limited data with Weebly / Mailchimp for the purposes of group communications
●      we host data on all individuals connected with Action for XP in a secure online database which is provided to us by HubSpot. We confirm annually that this is maintained and meets the GDPR standards for handling personal data.
●      we use secure online e-mail storage from Google Cloud and GMail. We confirm annually that this is maintained and meets the GDPR standards for handling personal data.
●      we retain a limited set of phone numbers and names in our online telephone address books for the purposes of identifying callers.


3.10.3   If we need to share your data in a way not laid out above then we will communicate with you to obtain permission prior to sharing (for exceptions see 3.10.4).


    
3.10.4   We may in exceptional circumstances be required to share personal data of patients, volunteers, donors and employees to law enforcement or safeguarding authorities. There are three main circumstances when Action for XP may be required to share personal data with external law enforcement or safeguarding agencies:
●      where we want to report a crime or safeguarding issue and want to provide relevant personal data we hold
●      where we receive a request or law enforcement
●      where a court order or other legal obligation compels us to share personal data
 
3.10.5    Before sharing any information with law enforcement or safeguarding authorities, Action for XP must be satisfied that we have a valid lawful basis for processing under Article 6 of the EU/UK GDPR
 
3.10.6   We use analytical tools including: Google Analytics, Weebly and Pagesuite.  We use these products to:
●      understand how our website is used so we can make improvements to the user experience
●      understand how our readers interact with our digital resources
User data is anonymous. To view the privacy policies of these companies please refer to their websites.
 
3.11       Data Retention
 
3.11.1   Action for XP has different retention periods for different categories of personal data it holds, taking into account applicable professional rules, regulatory requirements and relevant industry practices. These retention periods apply from the date of the last interaction that an individual has with Action for XP.
 
3.11.2   Any data generated or received prior to transfer to our secure GDPR compliant data stores is disposed of securely. Either shredded or securely deleted.
Data kept securely in our GDPR compliant data stores, when it reaches the end of its data retention period is also securely deleted at that point.
 
3.11.3   We review our data policy and its operation on an annual basis to ensure that we remain compliant.
 
3.12       Rights of Data Subjects
 
3.12.1    We ensure that data subjects are informed of their data rights and the options available to them for exercising these rights. We do this at the point of engagement verbally when we receive calls from people new to working with Action for XP and in a written message when we receive e-mails or users submit data online to us.
 
3.12.2   Data subjects have the right to access information held about them within Action for XP database and files. To submit a data subject request please submit your request to John Roberts Trustee via e-mail at rebecca@actionforxp.org
 
3.13       Data Security and data incidents
 
3.13.1   Action for XP take data security very seriously.
 
3.13.2   Action for XP issues guidance to staff and volunteers, when they join and on a regular basis, on how to ensure that personal data is stored, shared and disposed of in a secure manner.
 
3.13.3   A data incident is any actual or suspected unauthorised use, loss, access to, or disclosure of personal data. This could include any of the following:
●      physical loss of data
●      intentional misuse or access
●      insider action
●      attacks of computer systems
●      procedural failure
 
3.13.4   Where a data security incident meets the definition of a “personal data breach” under the Data Protection Laws, an assessment is made as to whether there are sufficient mitigating measures in place to protect the rights of the affected data subjects. If the affected data subjects’ rights may be affected by the breach, then the Information Commissioner’s Office will be notified, and the affected data subjects will be informed.
 
3.13.5   A data incident may or may not amount to a data breach. Whether or not there has been a breach of the data protection laws will depend on the circumstances. All data incidents must be internally reported in accordance with this policy so that an assessment can be made.
 
3.13.6   As soon as you become aware of an actual or suspected data incident you must immediately report it to John Roberts, trustee via email rebecca@actionforxp.org
 
3.13.7   It is extremely important that all data incidents are reported immediately upon becoming aware of them. As a result of changes to reporting requirements under the GDPR, Action for XP will be required to report the majority of breaches within 72 hours of becoming aware of the breach.
 
 
3.14       Training and Education
 
3.14.1   All Action for XP volunteers, employees and trustees are trained in the basic principles of data protection as well as the specific processing, identification and reporting requirements laid out in this policy.
 
3.14.2   Appropriate training and guidance is given to other members of the organisation based on the nature, scope, and context of the processing of personal data, which is undertaken, and the data protection responsibilities of particular roles.