This Data Protection Policy (“Policy”) sets out our approach to data protection law and the principles that we will apply to our processing of personal data. The aim of this Policy is to ensure that we process personal data in accordance with the law and with the utmost care and respect.
References in this Policy to “us”, “we” and “our” are to Ocean Youth Trust Scotland. References to “you”, “yourself” and “your” are to each Worker to whom this Policy applies. “Voyage crew” refers to anyone sailing with us who is not Sea Staff. Sea Staff are any Workers sailing with us.
We recognise that you have an important role to play in achieving these aims. It is your responsibility, therefore, to familiarise yourself with this Policy and to apply and implement its requirements when processing any personal data. Please pay special attention to paragraph 13 and section 3 as these set out the practical day-to-day actions that you must adhere to when working or volunteering for us.
Data protection law is a complex area. This Policy has been designed to ensure that you are aware of the legal requirements imposed on you and on us and to give you practical guidance on how to comply with them. This Policy also sets out the consequences of failing to comply with these legal requirements. However, this Policy is not an exhaustive statement of data protection law nor of our or your responsibilities in relation to data protection.
If at any time you have any queries on this Policy, your responsibilities or any aspect of data protection law, seek advice. Contact your line manager or the Chief Executive whom OYT Scotland has appointed to be responsible for its data protection compliance.
Section 1 General Information
1. Who is responsible for data protection?
2. Why do we have a data protection policy?
3. Status of this Policy and the implications of breach
4. Other consequences
5. Data protection laws
6. Key words in relation to data protection
7. Personal data
8. Lawful basis for processing
9. Special category data
10. When do we process personal data?
12. Data protection principles
13. Data subject rights
14. Your main obligations
15. Data Breach Notification
16. Foreign transfers of personal data
Section 2 Data Protection Principles in more detail
18. Personal data must be processed fairly, lawfully and transparently.
19. Personal data must be collected for specific, explicit and legitimate purposes, and not processed in any way incompatible with those purposes (“purpose limitation”).
20. Personal data must be adequate and relevant, and limited to what is necessary to the purposes for which it is processed (“data minimisation”)
21. Personal data must be accurate and, where necessary, kept up to date.
22. Personal data must be kept for no longer than is necessary for the purpose (“storage limitation”).
23. Personal data must be processed in a manner that ensures appropriate security of the personal data using appropriate technical and organisational measures (“integrity and security”).
Section 3 Data Subject Rights
24. Individuals have certain rights under data protection laws (Rights).
25. Notification and response procedure
26. How to locate information for data subject right requests and requests for the right to be forgotten
27. Right of Access
29. Disclosing personal data relating to other individuals
30. Exemptions to the right of subject access
31. Right to Erasure
32. Right to rectification
33. Right to Restrict Processing
34. The Right to Data Portability
35. Right to Object
36. Automated decision making and profiling
38. Deleting personal data in the normal course
Section 4 Practical Matters
39. Data Security – Transferring Personal Data and Communications
40. Data Security – Storage
41. Data Security – Disposal
42. Data Security – Use of Personal Data
43. Data Security – IT Security
44. Organisational Measures
Section 1 General Information
1.1 All our Workers are responsible for data protection, and each person has their role to play to make sure that we are compliant with data protection laws.
1.2 We are not required to appoint a Data Protection Officer (DPO). However, we have still appointed the Chief Executive to be responsible for overseeing our compliance with data protection laws.
2.1. We recognise that processing of individuals’ personal data in a careful and respectful manner cultivates trusting relationships with those individuals and trust in our brand. We believe that such relationships will enable our organisation to work more effectively with and to provide a better service to those individuals.
2.2. This Policy works in conjunction with other policies implemented by us from time to time, including for example the Data Retention Policy and any other policies we implement from time to time.
3.1. Any breaches of this Policy will be viewed very seriously. All Workers must read this Policy carefully and make sure they are familiar with it. Breaching this Policy is a disciplinary offence and will be dealt with under our Disciplinary Procedure.
3.2. If you do not comply with Data Protection Laws and/or this Policy, then you are encouraged to report this fact immediately to the Chief Executive. This self-reporting will be taken into account in assessing how to deal with any breach, including any non-compliance which may pre-date this Policy coming into force.
3.3. Also if you are aware of or believe that any other representative of ours is not complying with Data Protection Laws and/or this Policy you should report it in confidence to the Chief Executive. Our Whistleblowing Procedure will apply in these circumstances and you may choose to report any non-compliance or breach through our confidential whistleblowing reporting facility.
4.1. There are a number of serious consequences for both yourself and us if we do not comply with Data Protection Laws. These include:
4.1.1. For you:
184.108.40.206 Disciplinary action: If you are an employee, your terms and conditions of employment require you to comply with our policies. Failure to do so could lead to disciplinary action including dismissal. Where you are a volunteer, failure to comply with our policies could lead to termination of your volunteering position with us.
220.127.116.11. Criminal sanctions: Serious breaches could potentially result in criminal liability.
18.104.22.168. Investigations and interviews: Your actions could be investigated and you could be interviewed in relation to any non-compliance.
4.1.2. For the organisation:
22.214.171.124. Criminal sanctions: Non-compliance could involve a criminal offence.
126.96.36.199. Civil Fines: These can be up to Euro 20 million or 4% of group worldwide turnover whichever is higher.
188.8.131.52. Assessments, investigations and enforcement action: We could be assessed or investigated by, and obliged to provide information to, the Information Commissioner on our processes and procedures and/or subject to the Information Commissioner’s powers of entry, inspection and seizure causing disruption and embarrassment.
184.108.40.206. Court orders: These may require us to implement measures or take steps in relation to, or cease or refrain from, processing personal data.
220.127.116.11. Claims for compensation: Individuals may make claims for damage they have suffered as a result of our non-compliance.
18.104.22.168. Bad publicity: Assessments, investigations and enforcement action by, and complaints to, the Information Commissioner quickly become public knowledge and might damage our brand. Court proceedings are public knowledge.
22.214.171.124. Loss of business: Prospective voyage crew, sea staff customers, suppliers and contractors might not want to deal with us if we are viewed as careless with personal data and disregarding our legal obligations.
126.96.36.199 Use of management time and resources: Dealing with assessments, investigations, enforcement action, complaints, claims, etc takes time and effort and can involve considerable cost.
5.1. The Data Protection Act 1998 (“DPA”) applies to any personal data that we process, and from 25th May 2018 this will be replaced by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (“DPA 2018”) (together “Data Protection Laws”) and then after Brexit the UK will adopt laws equivalent to these Data Protection Laws.
5.2. This Policy is written as though GDPR and the DPA 2018 are both in force, i.e. it states the position as from 25th May 2018.
5.3. The Data Protection Laws all require that the personal data is processed in accordance with the Data Protection Principles (on which see below) and gives individuals rights to access, correct and control how we use their personal data (on which see below).
6.1. Personal data is data that relates to a living individual who can be identified from that data (or from that data and other information in or likely to come into our possession). That living individual might be an employee, customer, prospective customer, supplier, contractor or contact, and that personal data might be written, oral or visual (e.g. CCTV).
6.2. Identifiable means that the individual can be distinguished from a group of individuals (although the name of that individual need not be ascertainable). The data might identify an individual on its own (e.g. if a name or video footage) or might do if taken together with other information available to or obtainable us (e.g. a job title and company name).
6.3. Data subject is the living individual to whom the relevant personal data relates.
6.4. Processing is widely defined under data protection law and generally any action taken by us in respect of personal data will fall under the definition, including for example collection, modification, transfer, viewing, deleting, holding, backing up, archiving, retention, disclosure or destruction of personal data, including CCTV images.
6.5. Data controller is the person who decides how personal data is used, for example we will always be a data controller in respect of personal data relating to our employees.
6.6. Data processor is a person who processes personal data on behalf of a data controller and only processes that personal data in accordance with instructions from the data controller, for example an outsourced payroll provider will be a data processor.
7.1. Data will relate to an individual and therefore be their personal data if it:
7.1.1. identifies the individual. For instance, names, addresses, telephone numbers and email addresses;
7.1.2. its content is about the individual personally. For instance, medical records, credit history, a recording of their actions, or contact details;
7.1.3. relates to property of the individual, for example their home, their car or other possessions;
7.1.4. it could be processed to learn, record or decide something about the individual (or this is a consequence of processing). For instance, if you are able to link the data to the individual to tell you something about them, this will relate to the individual (e.g. salary details for a post where there is only one named individual in that post, or a telephone bill for the occupier of a property where there is only one occupant);
7.1.5. is biographical in a significant sense: that is, it does more than record the individual’s connection with or involvement in a matter or event which has no personal connotations for them. For instance, if an individual’s name appears on a list of attendees of an organisation meeting this may not relate to the individual and may be more likely to relate to the company they represent;
7.1.6. has the individual as its focus, that is the information relates to the individual personally rather than to some other person or a transaction or event he was involved in. For instance, if a work meeting is to discuss the individual’s performance this is likely to relate to the individual;
7.1.7.affects the individual’s privacy, whether in their personal, family, organisation or professional capacity, for instance, email address or location and work email addresses can also be personal data;
7.1.8. is an expression of opinion about the individual; or
7.1.9. is an indication of our (or any other person’s) intentions towards the individual (e.g. how a complaint by that individual will be dealt with)
7.2. Information about companies or other legal persons who are not living individuals is not personal data. However, information about directors, shareholders, officers and employees, and about sole traders or partners, is often personal data, so business related information can often be personal data.
7.3. Examples of information likely to constitute personal data:
7.3.1. Unique names;
7.3.2. Names together with email addresses or other contact details;
7.3.3. Job title and employer (if there is only one person in the position);
7.3.4. V ideo and photographic images;
7.3.5. Information about individuals obtained as a result of Safeguarding checks;
7.3.6. Medical and disability information;
7.3.7. CCTV images;
7.3.8. Member profile information (e.g. marketing preferences); and
7.3.9. Financial information and accounts (e.g. information about expenses and benefits entitlements, income and expenditure).
7.4. Examples of information unlikely to constitute personal data:
7.4.1. Reference to the individual’s name in a document that contains no other personal data about that them (e.g. including the individual in a list of attendees of a meeting where the individual attended in an official capacity on behalf of a company); and
7.4.2. Where the individual’s name appears in an email that has been sent to or copied to them, but where the content is not about him or her (e.g. emails sent to the individual about an organisation’s dealings).
8.1. For personal data to be processed lawfully, we must be processing it on one of the legal grounds set out in the Data Protection Laws.
8.2. For the processing of ordinary personal data in our organisation these may include, among other things:
8.2.1. the data subject has given their consent to the processing (perhaps on their membership application form or when they registered on the club’s website)
8.2.2. the processing is necessary for the performance of a contract with the data subject (for example, for processing membership subscriptions);
8.2.3. the processing is necessary for compliance with a legal obligation to which the data controller is subject (such as reporting employee PAYE deductions to the tax authorities); or
8.2.4. the processing is necessary for the legitimate interest reasons of the data controller or a third party (for example, keeping in touch with sea staff or voyage crew about voyage dates).
9.1. Special category data under the Data Protection Laws is personal data relating to an individual’s race, political opinions, health, religious or other beliefs, trade union records, sex life, biometric data and genetic data.
9.2. Under Data Protection Laws this type of information is known as special category data and criminal records history becomes its own special category which is treated for some purposes the same as special category data. Previously these types of personal data were referred to as sensitive personal data and some people may continue to use this term.
9.3. To lawfully process special categories of personal data we must also ensure that either the individual has given their explicit consent to the processing or that another of the following conditions has been met:
9.3.1. the processing is necessary for the performance of our obligations under employment law;
9.3.2. the processing is necessary to protect the vital interests of the data subject. The ICO has previously indicated that this condition is unlikely to be met other than in a life or death or other extreme situation;
9.3.3. the processing relates to information manifestly made public by the data subject;
9.3.4. the processing is necessary for the purpose of establishing, exercising or defending legal claims; or
9.3.5. the processing is necessary for the purpose of preventative or occupational medicine or for the assessment of the working capacity of the employee.
9.4. To lawfully process personal data relating to criminal records and history there are even more limited reasons, and we must either:
9.4.1. ensure that either the individual has given their explicit consent to the processing; or
9.4.2. ensure that our processing of those criminal records history is necessary under a legal requirement imposed upon us.
- 9.5. We would normally only expect to process special category personal data or criminal records history data usually in a Human Resources context and also in the context of our voyage crew and Workers for e.g. Ensuring ability to sail with us, health and safety requirements, safeguarding checks, etc.
10.1. Virtually anything we do with personal data is processing including collection, modification, transfer, viewing, deleting, holding, backing up, archiving, retention, disclosure or destruction. So even just storage of personal data is a form of processing. We might process personal data using computers or manually by keeping paper records.
10.2. Examples of processing personal data might include:
10.2.1. Using personal data to correspond with voyage crew or sea staff
10.2.2. Holding personal data in our databases or documents; and
10.2.3. Recording personal data in personnel or Workers files.
11.1. The main themes of the Data Protection Laws are:
11.1.1. good practices for handling personal data;
11.1.2. rights for individuals in respect of personal data that data controllers hold on them; and
11.1.3. being able to demonstrate compliance with these laws.
11.2. In summary, data protection law requires each data controller to:
11.2.1.only process personal data for certain purposes;
11.2.2. process personal data in accordance with the 6 principles of ‘good information handling’ (including keeping personal data secure and processing it fairly and in a transparent manner);
11.2.3. provide certain information to those individuals about whom we process personal data which is usually provided in a privacy notice, for example you will have received one of these from us as one of our Workers;
11.2.4. respect the rights of those individuals about whom we process personal data (including providing them with access to the personal data we hold on them); and
11.2.5. keep adequate records of how data is processed and, where necessary, notify the ICO and possibly data subjects where there has been a data breach.
11.3. Every Worker has an important role to play in achieving these aims. It is your responsibility, therefore, to familiarise yourself with this Policy.
11.4. Data protection law in the UK is enforced by the Information Commissioner’s Office (“ICO”). The ICO has extensive powers, including the ability to impose civil fines of up to Euros 20 million or 4% of group worldwide turnover, whichever is higher. Also the data protection laws can be enforced in the courts and the courts have the power to award compensation to individuals.
12.1. The Data Protection Laws set out 6 principles for maintaining and protecting personal data, which form the basis of the legislation. There are indications in relation to each principle as to what you must and must not do. However, these are not exhaustive and for guidance only. You must use your common sense and be mindful of the potential implications to an individual of you processing their personal data. The principles are that personal data must be
12.1.1. processed lawfully, fairly and in a transparent manner and only if certain specified conditions are met;
12.1.2. collected for specific, explicit and legitimate purposes, and not processed in any way incompatible with those purposes (“purpose limitation”);
12.1.3. adequate and relevant, and limited to what is necessary to the purposes for which it is processed (“data minimisation”);
12.1.4. accurate and where necessary kept up to date;
12.1.5. kept for no longer than is necessary for the purpose (“storage limitation”);
12.1.6. processed in a manner that ensures appropriate security of the personal data using appropriate technical and organisational measures (“integrity and security”).
12.2. Not all of these rights are absolute rights, some are qualified and some only apply in specific circumstances. More details on these rights can be found in Section 2 of this Policy ”Data Protection Principle in more detail”
13.1. Under Data Protection Laws individuals have certain rights (Rights) in relation to their own personal data. In summary these are:
13.1.1. The rights to access their personal data, usually referred to as a subject access request
13.1.2. The right to have their personal data rectified;
13.1.3. The right to have their personal data erased, usually referred to as the right to be forgotten;
13.1.4. The right to restrict processing of their personal data;;
13.1.5. The right to object to receiving direct marketing materials;
13.1.6. The right to portability of their personal data;
13.1.7. The right to object to processing of their personal data; and
13.1.8. The right to not be subject to a decision made solely by automated data processing.
13.2. The application of these rights in practice is set out in Section 3
14.1. Data protection laws have different implications in different areas of our organisation and for different types of activity, and sometimes these effects can be unexpected.
14.2. Areas and activities particularly affected by data protection law include human resources, payroll, security, customer care, sales, marketing and promotions, health and safety and finance. performance and participation
14.3. You must consider what personal data you might handle, consider carefully what data protection law might mean for you and your activities, and ensure that you comply at all times with this policy.
14.4. What this all means for you can be summarised as follows:
14.4.1. Treat all personal data with respect;
14.4.2. Treat all personal data as you would want your own personal data to be treated;
14.4.3. Immediately notify your line manager or the Chief Executive if any individual says or does anything which gives the appearance of them wanting to invoke any rights in relation to personal data relating to them;
14.4.4. Take care with all personal data and items containing personal data you handle or come across so that it stays secure and is only available to or accessed by authorised individuals; and
14.4.5. Immediately notify the Chief Executive if you become aware of or suspect the loss of any personal data or any item containing personal data. For more details on this see our separate Data Breach paragraphs below which applies to all our Workers regardless of their position or role in our organisation.
14.4. Please read below for more guidance:
Section 2 Data Protection Principles in more detail
Section 3 Data Subject Rights
Section 4 Practical matters
15.1. All personal data breaches must be reported immediately to the Chief Executive.
15.2. If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Chief Executive must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.
15.3 In the event that a personal data breach is likely to result in a high risk (that is, a higher risk than that described under para 15.1.2 ) to the rights and freedoms of data subjects, the Chief Executive must ensure that all affected data subjects are informed of the breach directly and without undue delay.
15.4. Data breach notifications shall include the following information:
15.4.1. The categories and approximate number of data subjects concerned;
15.4.2. The categories and approximate number of personal data records concerned;
15.4.3. The name and contact details of the Company’s data protection officer (or other contact point where more information can be obtained in this case the Chief Executive);
15.4.4. The likely consequences of the breach; 15.4.5. Details of the measures taken, or proposed to be taken, by the Company to address the breach including, where appropriate, measures to mitigate its possible adverse effects.
16.1. Personal data must not be transferred outside the European Economic Area (EEA) unless the destination country ensures an adequate level of protection for the rights of the data subject in relation to the processing of personal data or we put in place adequate protections. This is mainly relevant to data held and accessed in Cloud-based services as well as some data processing the club may outsource like payroll processing or performance data analysis.
16.2. These protections may come from special contracts we need to put in place with the recipient of the personal data, from them agreeing to be bound by specific data protection rules or due to the fact that the recipients own country’s laws provide sufficient protection.
16.3. These restrictions also apply to transfers of personal data outside of the EEA even if the personal data is not being transferred outside of our group of companies.
16.4. You must not under any circumstances transfer any personal data outside of the EEA without the Chief Executive’s prior written consent.
16.5. We will also need to inform data subjects of any transfer of their personal data outside of the UK and may need to amend their privacy notice to take account of the transfer of data outside of the EEA.
16.6. If you are involved in any new processing of personal data which may involve transfer of personal data outside of the EEA, then please seek approval of the Chief Executive prior to implementing any processing of personal data which may have this effect.
17.1. If you have any queries about this Policy please contact either your line manager or the Chief Executive
Section 2 Data Protection Principles in more detail
18.1 You must not process personal data obtained illegally (e.g. stolen). You must not process personal data obtained by misleading, pressurising or inducing an individual.
18.2. You must inform an individual: who the data controller is (i.e. the Chief Executive ); the purpose for which personal data is to be processed; and any additional information that is necessary to ensure that the processing is fair and transparent.
18.2.1. In the majority of cases, it will be sufficient for the individual to have been provided with our privacy notice applicable to the category of individual to satisfy this requirement. This can be done by using our approved standard forms, contracts and terms, and approved scripts, that contain our relevant privacy notices. Therefore, you must use approved standard documents and scripts at all times.
18.2.2. If you are processing personal data in a new or extraordinary way, you must confirm that this is covered by our privacy notice. If in doubt, seek advice from your line manager or the Chief Executive.
19.1 You must only process personal data for purpose for which it was collected e.g. if you have taken a volunteer’s details to forward information to them on our services, you must not pass those details on to a third party seeking to promote their services.
19.2. If personal data is to be processed for another purpose, the individual must be informed of that purpose.
19.3. Again the purposes for which we collect and process personal data are set out in our standard privacy notices. This is another reason to make sure you always use our standard documents.
20.1. You must ensure that the personal data can be used for the purposes for which it was collected. This means collecting what we need to collect, but not more personal data than we need nor too little personal data.
20.2. If we do not collect sufficient personal data to utilise it for its intended purpose, it should be securely deleted or destroyed.
20.3. If more personal data than is required has been collected, the unnecessary personal data should be securely deleted or destroyed.
20.4. When collecting personal data or recording personal data, think whether it is in fact needed for the purpose for which it is collected.
21.1. When recording personal data make sure that you record it accurately. This is always important, but especially so where personal data is being entered into a database that may be reused on numerous occasions. Any mistakes or errors in the personal data will repeat themselves each time it is used.
21.2. Wherever possible, you must regularly confirm that personal data is correct and update databases accordingly (noting if personal data is incorrect and correcting it accordingly).
21.3. Where you become aware that personal data is incorrect, then the personal data should be corrected to remove the errors.
22.1. You must delete data no longer required to fulfil the purposes for which it was originally collected.
22.2. Retention periods for data will be set out in our Data Retention Policy and also in our standard privacy notice provided to the individual.
22.3. What is ‘necessary’ will depend on the circumstances. Use your common sense and if in doubt, seek advice. Once deleted it may not be possible to retrieve personal data deleted in error so it is always best to check before permanently deleting any personal data.
23.1. What are appropriate measures will depend on the circumstances, particularly the nature of the personal data you are processing, the harm that might result to the individual, the technologies available to you to keep personal data secure (e.g. encryption software) and the cost of measures.
23.2. Most of these technical and organisational measures are set for you by the organisation, and you just need to follow them. You must therefore follow all security policies, guidelines and instructions issued to you at all times. This includes both security for electronic systems and devices and also physical security.
23.3. Specific parts of the organisation will have responsibility for implementing various technical and organisational measures to protect personal data, for example IT in relation to our computer systems, and HR in relation to our Workers.
Section 3 Data Subject Rights
24.1. These are:
24.1.1. the right of access (also known as a data subject access request)
24.1.2. the right to rectification
24.1.3. the right to erasure (also known as the right to be forgotten)
24.1.4. the right to restrict processing
24.1.5. the right to data portability
24.1.6. the right to object
24.1.7. rights in relation to automated decision making and profiling.
24.2. The exercise of these Rights may be made in writing, including email, and also verbally and should be responded to in writing by us (if we are the relevant data controller) without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. We must inform the individual of any such extension within one month of receipt of the request, together with the reasons for the delay.
24.3. Where the data subject makes the request by electronic form means, any information is to be provided by electronic means where possible, unless otherwise requested by the individual.
24.4. If we receive the request from a third party (e.g. a legal advisor), we must take steps to verify that the request was, in fact, instigated by the individual and that the third party is properly authorised to make the request. This will usually mean contacting the relevant individual directly to verify that the third party is properly authorised to make the request.
24.5. There are very specific exemptions or partial exemptions for some of these Rights and they will be discussed in relation to the specific Right.
24.6. Where an individual considers that we have not complied with their request e.g. exceeded the time period, they can seek a court order and compensation. If the court agrees with the individual, it will issue a Court Order, to make us comply. The Court can also award compensation.
24.7. The individual can also complain to the regulator for privacy legislation, which in our case will usually be the ICO, and they too can make us comply and can also impose a civil fine upon us.
24.8. In addition to the rights discussed in this document, any person may ask the ICO to assess whether it is likely that any processing of personal data has or is being carried out in compliance with the data protection laws. The ICO must investigate and may serve an information notice on us (if we are the relevant data controller) to obtain relevant information. The ICO may also conduct an informal investigation to start with, usually by writing a letter to us asking us to explain the position.
24.9. The result of any investigation may lead to an enforcement notice being issued by the ICO. Any letters, assessments, information notices or enforcement notices from the ICO should be immediately sent directly to our Chief Executive.
25.1. A request for a Right should preferably be made in writing. All requests should be passed to the Chief Executive.
25.2. Our Chief Executive will co-ordinate our response. The action taken will depend upon the nature of the request and the Right. Our Chief Executive will write to the individual and explain the legal situation and whether we will comply with the request, co-ordinate any additional activity required by us to meet the exercise of any of the Rights and be responsible for ensuring that the relevant response is made within the time period required.
26.1. If you are responsible for carrying out or co-ordinating any searches for personal data then this section will assist you in how you should approach carrying out the searches.
26.2. The personal data we need to provide in response to a subject access request, right to be forgotten or any other exercise of data subject rights may be located in several filing and/or network systems, so it is important to identify at the outset the type of information requested to enable a focused search.
26.3. However you should note that the individual is not obliged to clarify the scope of what we will need to search for, so whilst we can ask, we may not receive a useful clarification or any response at all. In this case we still have to comply with the original request.
26.4. Depending on the type of information requested, you may need to search all or some of the following:
26.4.1. electronic systems (e.g. databases, networked and non-networked computers, servers, customer records, human resources records system, email data,);
26.4.2. manual/paper filing systems (but only if they are ‘structured filing systems’, on which see below);
26.5. If you are not authorised to access the relevant system or files that need to be searched, then you will not be able to carry out the search in those systems or files. In this case you will need to delegate those aspects of the search to a person who is authorised to access the relevant system or files.
26.6. You should conduct a reasonable search of the relevant systems using the individual’s name, employee, address, national insurance number, telephone number, email address or other information specific to that individual. In each case the scope of the search may be different.
26.7. If information is not part of a structured filing system, it does not amount to personal data and will fall outside the scope of personal data under the data protection laws, and therefore will not be caught by the rights of data subjects.
26.8. To be a structured filing system, the system must be:
26.8.1. contain information relating in some way to individuals. Usually, there would be more than one file in the system or a group of information referenced by a common theme (e.g. an absence spread sheet). The files need not be located in the same geographical location, but could be dispersed over different locations;
26.8.2. structured by reference to individuals (e.g. by name or employee or account number) or by reference to information relating to individuals (e.g. type of job or location, address), so it is clear at the outset whether the system might contain information capable of amounting to personal data and, if so, in which file(s) it is held; and
26.8.3. structured so that specific information relating to a particular individual is readily accessible. This means that the system must be indexed or referenced so as to easily indicate whether and where in the file data about the individual is located.
26.9. Therefore, a structured filing system which is subject to the data protection laws must have an external and internal structure which allows personal data about an individual to be located relatively easily without having to conduct a manual search of the entire file. If you have to thumb through the whole file to find specific information, the file is not a structured filing system.
26.10 It might help to apply the ‘temp test’ to determine if a system is a relevant filing system. Ask yourself if a temp with no specialist knowledge of our internal processes and procedures could, if asked to retrieve information about a specified individual, identify that the system might hold such information and where in that system the information would be. If so it will be a structured filling system.
27.1. This paragraph contains the specific procedure to be followed where an individual exercises their right of access (also known as a data Subject Access Request “SAR”). The request need not refer to the Right, for instance, it might simply request ‘a copy of all the information that you have about me’.
27.2. Responses to SARs shall normally be made within one month of receipt, however this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the data subject shall be informed.
27.3. The data protection laws gives individuals the right to obtain:
27.3.1. confirmation that their personal data is being processed;
27.3.2. access to their personal data; and
27.3.3 access to other supplementary information.
27.4. The individual is entitled to receive a description of the following:
27.4.1. the purposes for which we process the data;
27.4.2. the categories of personal data we process about them;
27.4.3. the recipients to whom we may disclose the data;
27.4.4. the duration for which the personal data may be stored;
27.4.5. the rights of the data subject under the data protection laws;
27.4.6. any information available regarding the source of the data where it is not collected from the data subject direct;
27.4.7 the right of the data subject to make a complaint to the supervisory authority for data protection;
27.5. Plus we must also provide the information constituting the individual’s personal data which is within the scope of their request. We must provide this information in an intelligible form and technical terms, abbreviations and codes must be explained, and where the request was made electronically we can, unless the data subject specifies otherwise, also provide the information in electronic form.
27.6. We may:
27.6.1. ask for additional information to confirm the identity of the individual making the request;
27.6.2. request that the scope of the request is narrowed in order to ease the searches to be undertaken (but the individual does not have to agree to such a request from us); and
27.6.3. where requests are manifestly unfounded or excessive, because they are repetitive: (a) charge a reasonable fee considering the administrative costs of providing the information (and the amount can be subject to limits); or (b) or refuse to respond. Where we refuse to respond to a request, we must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
27.7. Where we process a large quantity of information about an individual, the data protection laws permit us to ask the individual to specify the information the request relates to. The legislation does not introduce an exemption for requests that relate to large amounts of data, but we may be able to consider whether the request is manifestly unfounded or excessive.
27.8. We should verify the identity of the person making the request, using “reasonable means” if we are not sure about their identity.
27.9.Information about children
27.9.1. may be released to a person with parental responsibility. However, the best interests of the child will always be considered.
27.9.2. Even if a child is very young, data about them is still their personal data and does not belong to anyone else. It is the child who has a right of access to the information held about them.
27.9.3. Before responding to a request for information held about a child, organisations should consider whether the child is mature enough to understand their rights. If the organisation is confident that the child can understand their rights, then it will respond to the child rather than the parent. What matters is that the child is able to understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a result of doing so.
27.9.4. Read more details about requests for information about children.
28.1. Where we are providing information to an individual where they have made a subject access request, they are only entitled to their personal data. They are not entitled to see information which relates to other individuals or to other people, e.g. to a company.
28.2. In these cases we would redact, i.e. blank out in a permanent way, any information which is not the personal data of the individual making the subject access request.
29.1. Sometimes information that is determined to be personal data about one individual might include information identifying or personal data about another person (e.g. an email between two people might contain personal information relating to both the sender and the recipient) and in some cases it is not possible to redact the information about the other person. There are additional steps to consider in relation to whether we disclose this information.
29.2. We must consider whether the other person has consented to the disclosure of their information or whether it would be reasonable to comply with the request without the other person’s consent.
29.3. Where the other person has consented, their information can be disclosed.
29.4. Where the other person has not consented, whether it would be reasonable to disclose that person’s information will depend upon all the circumstances and you must assess these on a case by case basis.
29.5. We would consider whether:
29.5.1. The other person has refused their consent;
29.5.2. The other person’s consent cannot be obtained (e.g. because they are incapable of giving it due to illness or incapacity);
29.5.3. Asking for consent might reveal the identity of the individual making the request;
29.5.4. We owe the other person a duty of confidentiality;
29.5.5. We have taken any steps to obtain the consent of the other person;
29.5.6. The other person is a recipient or one of a class of recipients who might act on the data to the individual’s disadvantage;
29.5.7. The other person is the source of the information;
29.5.8. The information is generally known by the individual; and
29.5.9. The individual has a legitimate interest in the disclosure of the other person’s information which they have made known to us.
29.6. If you decide that the other person’s information should be withheld (usually it should be), we still have to provide as much of the information requested as we can. Therefore, we should protect the other person’s identity by redacting as much of this information and other identifiable particulars.
29.7. Always keep a record of what you have decided to do and your reasons for doing it.
30.1. In certain circumstances we might be exempt from providing personal data in response to a subject access request. These exemptions are described below and should only be applied on a case by case basis after a careful consideration of all the facts.
30.2. Crime detection and prevention
30.2.1. We do not have to disclose personal data that we process for the purposes of preventing or detecting crime, apprehending or prosecuting offenders, or assessing or collecting any tax or duty, if and to the extent that giving subject access would be likely to prejudice any of these purposes.
30.3. Confidential references
30.3.1. We do not have to disclose certain confidential references that we have given to third parties, but might have to disclose confidential references that we receive from third parties. Bear in mind that references received from third parties may contain personal data of another person, so you must consider the rules regarding disclosure of other party’s personal data set out above.
30.4. Legal professional privilege
30.4.1. We do not have to disclose any personal data that is legally privileged. The following would be legally privileged:
188.8.131.52. confidential communications between us and our lawyers where the dominant purpose of the communication is the giving or receiving of legal advice; and
184.108.40.206. confidential communications between us or our lawyers and a third party (e.g. a witness) where the dominant purpose of the communication is to give or seek legal advice in respect of current or potential legal proceedings. This claim to legal privilege would end as soon as the case has been decided and, at that moment, the documents in the file might be disclosable if a subject access request is received.
30.5. Management forecasting
30.5.1. We do not have to disclose any personal data which we process for the purposes of management forecasting or management planning to assist us in the conduct of any organisation or any other activity (e.g. staff relocations, redundancies, succession planning, promotions and demotions) if and to the extent that disclosing the personal data would be likely to prejudice the conduct of that organisation or activity.
30.6.1. We do not have to disclose any personal data consisting of records of our intentions in relation to any negotiations with the individual where doing so would be likely to prejudice those negotiations.
31.1. The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of their personal data where there is no compelling reason for its continued processing.
31.2. The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have their personal data erased and to prevent processing in specific circumstances:
31.2.1. where their personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
31.2.2.. when the individual withdraws consent (but only to the extent that consent is the only basis for processing their personal data);
31.2.3. when the individual objects to the processing of their personal data and there is no overriding legitimate interest for continuing the processing;
31.2.4. where their personal data was unlawfully processed;
31.2.5. where their personal data has to be erased in order to comply with a legal obligation; and
31.2.6. where their personal data is processed in relation to the offer of information society services to a child.
31.3. There are some specific circumstances where the right to erasure does not apply and we can refuse to deal with a request:
31.3.1. to exercise the right of freedom of expression and information;
31.3.2. to comply with a legal obligation or for the performance of a public interest task or exercise of official authority;
31.3.3. for public health purposes in the public interest;
31.3.4. archiving purposes in the public interest, scientific research historical research or statistical purposes; or
31.3.5. the exercise or defence of legal claims.
31.4. If we have disclosed the personal data to be erased to third parties, we must inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.
32.1. An individual has the right to ask us to:
32.1.1. correct inaccurate personal data;
32.1.2. complete information if it is incomplete; and
32.1.3. delete personal data which is irrelevant or no long required for our purposes.
32.2. If we have disclosed the personal data in question to third parties, we must inform them of the rectification request where possible. We must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.
32.3. If data is factually correct and we are justified in keeping it, i.e. it is relevant to the lawful purpose we are holding it for then we do not have to change or delete it, but the individual may make a request for erasure, i.e. the right to be forgotten, and in that case we would have to analyse the personal data and whether we can retain it based on that Right.
32.4. Where we are not taking any action in response to a request for rectification, we must explain why to the individual, informing them of their right to complain to the supervisory authority (usually the ICO) and to seek a remedy from the Courts.
33.1. An individual is entitled to require us to stop or not begin processing their personal data. When processing is restricted, we are permitted to store their personal data, but not further process it except in the exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We can retain just enough information about the individual to ensure that the restriction is respected in future.
33.2. We will be required to restrict the processing of personal data in the following circumstances:
33.2.1. where an individual contests the accuracy of the personal data, we should restrict the processing until we have verified the accuracy of the personal data;
33.2.2. where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our legitimate grounds override those of the individual;
33.2.3. when processing is unlawful and the individual opposes erasure and requests restriction instead; and
33.2.4. if we no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim.
33.3. Previously given consent for processing can be revoked at any time by the individual, therefore we cannot justify continued processing of data as a result of a previous consent.
33.4. The individual does not have this right if the individual has entered into a contract with us and the processing is necessary for the fulfilment of that contract.
33.5. We must inform individuals when we decide to lift a restriction on processing (for example, if an individual contested our right to process their personal data on legitimate interest grounds and we subsequently found that our processing was justified on these grounds).
33.6. If we have disclosed the restricted personal data to third parties, we must inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.
34. The Right to Data Portability
34.1. The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. If the individual requests it, we may be required to transmit the data directly to another organisation if this is technically feasible. However, we are not required to adopt or maintain processing systems that are technically compatible with other organisations.
34.2. The right to data portability only applies:
34.2.1. to personal data an individual has provided to a data controller;
34.2.2. where the processing is based on the individual’s consent or for the performance of a contract; and
34.2.3. when processing is carried out by automated means.
34.3. We must provide the personal data in a structured, commonly used and machine-readable form. Open formats include CSV files. Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data. The information must be provided free of charge.
34.4. If the personal data concerns more than one individual, we must consider whether providing the information would prejudice the rights of any other individual.
34.5. It is not expected that this right will impact upon as we do not process personal data by automated means.
35.1. Individuals have the right to object to:
35.1.1. processing based on legitimate interests;
35.1.2. the performance of a task in the public interest/exercise of official authority (including profiling);#
35.1.3. direct marketing (including profiling); and
35.1.4. processing for purposes of scientific/historical research and statistics.
35.2. If we process personal data on the basis of our legitimate interests or the performance of a task in the public interest/exercise of official authority:
35.2.1. individuals must have an objection on “grounds relating to his or her particular situation”; and
35.2.2. we must stop processing the personal data unless we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or the processing is for the establishment, exercise or defence of legal claims.
35.3. If we process personal data for direct marketing purposes:
35.3.1. we must stop processing personal data for direct marketing purposes as soon as we receive an objection. There are no exemptions or grounds to refuse;
35.3.2. we must deal with an objection to processing for direct marketing at any time and free of charge; and
35.3.3. we must nevertheless comply with the terms of the Privacy and Electronic Communication Regulations and the e-Privacy Regulation which replaces it.
35.4. If we process personal data for research purposes:
35.4.1. individuals must have “grounds relating to his or her particular situation” in order to exercise their right to object to processing for research purposes; and
35.4.2. If we are conducting research where the processing of personal data is necessary for the performance of a public interest task, we are not required to comply with an objection to the processing.
35.5. If our processing activities fall into any of the above categories and are carried out online, we must offer a way for individuals to object online.
35.6. We must inform individuals of their right to object “at the point of first communication” and in our privacy notices. This right must be “explicitly brought to the attention of the data subject and is to be presented clearly and separately from any other information”.
36.1. The privacy legislation provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
36.2. We do not currently undertake any automated decision making.
37.1. If an individual disagrees that we have properly complied with a Right or we fail to respond they may apply to a Court for an order or complain to the ICO in each case requiring us to properly perform the Right.
37.2. If the Court or the ICO agrees with the individual it can:
37.2.1. order us to properly carry out the Right and what steps are needed to do this; and
37.2.2. order us to notify third parties who we have passed the data onto of the Right;
37.3. A court can also award compensation to the individual for any damage they have suffered as a result of our non-compliance. The ICO can also impose a civil fine upon us. These fines can be very substantial.
38.1. We are only required to supply information in response to an exercise of Rights that was processed at the date of that request. However, we are allowed to carry out regular housekeeping activities even if this means deleting or amending personal data after the receipt of request in relation to a Right.
38.2. What we cannot do is amend or delete data because we do not want to supply it or because of the exercise of a Right.
Section 4 Practical Matters
Whilst you should always apply a common sense approach to how you use and safeguard personal data, and treat personal data with care and respect, set out below are some examples of dos and don’ts:
If you see any areas of risk that you think are not addressed then please bring it to the attention the Chief Executive
39.1. Do not take personal data out of the organisation’s premises (unless absolutely necessary) Do not transfer personal data to any third party without the consent of your line manager or the Chief Executive.
39.2. Do challenge unexpected visitors or employees accessing personal data.
39.3. When speaking on the phone in a public place, take care not to use the full names of individuals or other identifying information, as you do not know who may overhear the conversation. Instead use initials or just first names to preserve confidentiality.
39.4. If taking down details or instructions from a customer in a public place when third parties may overhear, try to limit the information which may identify that person to others who may overhear in a similar way to if you were speaking on the telephone.
39.5. Never act on instructions from someone unless you are absolutely sure of their Identity and if you are unsure then take steps to determine their identity. This is particularly so where the instructions relate to information which may be sensitive or damaging if it got into the hands of a third party or where the instructions involve money, valuable goods or items or cannot easily be reversed.
39.6. When picking up printing from any shared printer always check to make sure you only have the printed matter that you expect, and no third party’s printing appears in the printing.
39.7. Consideration should be given to the type of personal data being transferred and whether identifying names, addresses, date of birth etc. can be redacted. For example, if the CEO’s guidance is required as to the suitability of a voyage for someone then the person’s name and address may not be necessarily need to be included in the message or documentation sent.
39.8. End of Voyage reports, comments book and outcome wheels should be uploaded to sharepoint.
39.9. Transmission of crew lists should follow the procedure as set out in the T and S Notice “Reporting Procedures”
40.1. Do not leave personal data lying around, store it securely.
40.2. All backups should be encrypted. Our current approved back up system is Attix.
40.3. No personal data should be transferred to any device personally belonging to an employee without authorisation from your line manager or the Chief Executive and may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the GDPR (which may include demonstrating to the Company that all suitable technical and organisational measures have been taken).
40.4. Do notify your line manager or our Chief Executive immediately of any suspected security breaches or loss of personal data.
40.5. If any personal data is lost, or any devices or materials containing any personal data are lost, report it immediately to the Chief Executive.
41.1. When any personal data is to be erased or otherwise disposed of for any reason it should be securely deleted and disposed of.
41.2. Use confidential waste disposal for any papers containing personal data, do not place these into the ordinary waste, place them in a bin or skip etc, and either use a confidential waste service or have them shredded before placing them in the ordinary waste disposal.
41.3. Voyage reports, outcome wheels are to be deleted from Sharepoint 1 month from the voyage end or as soon as processed.
41.4. The vessel laptop will be checked on a weekly basis that no personal data is being stored on it.
41.5. Voyage photographs will be deleted from OneDrive at the end of the year.
42.1. No personal data may be shared informally and if an employee, agent, sub-contractor, or other party working on behalf of the Company requires access to any personal data that they do not already have access to, such access should be formally requested from the Chief Executive.
42.2. Personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors, or other parties at any time;
42.3. Never leave any items containing personal data in unsecure locations, e.g. in car on your drive overnight and this would include paper files, mobile phone, laptops, tablets, memory sticks etc.
42.4. If you are staying at a hotel then utilise the room safe or the hotel staff to store items containing personal data when you do not need to have them with you.
42.5. Never leave any items containing personal data unattended in a public place, e.g. on a train, in a café, navigation room, saloon etc and this would include paper files, mobile phone, laptops, tablets, memory sticks etc.
42.6. When in public place, e.g. a train or café, be careful as to who might be able to see the information on the screen of any device you are using when you have personal information on display. If necessary move location or change to a different task.
42.7. Do ensure that your screen faces away from prying eyes if you are processing personal data, even if you are working in the office. Personal data should only be accessed and seen by those who need to see it.
42.8. If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it.
42.9. Where personal data held by the Company is used for marketing purposes, it shall be the responsibility of person sending it to ensure that the appropriate consent is obtained and that no data subjects have opted out, whether directly or via a third-party service such as the TPS.
43.1. All passwords used to protect personal data should be secure changed regularly and be secure. A secure password might contain a combination of uppercase and lowercase letters, numbers, and symbols. It should not use words or phrases that can be easily guessed or otherwise compromised
43.2. Only disclose your unique logins and passwords for any of our IT systems to authorised personnel (e.g. IT) and not to anyone else.
43.3. Do encrypt laptops, mobile devices and removable storage devices containing personal data. The vessel laptop need not be encrypted but will not store personal data.
43.4. Never use removable storage media to store personal data unless the personal data on the media is encrypted.
43.5. Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords.
43.6. All software (including, but not limited to, applications and operating systems) should be kept up-to-date.
43.7. No software may be installed on any Company-owned computer or device without the prior approval of the line manager or Chief Executive.
44.1. All employees, agents, contractors, or other parties working on behalf of the Company and likely to come into contact with personal data shall be made fully aware of both their individual responsibilities and the Company’s responsibilities under the GDPR and under this Policy, and shall be provided with a copy of this Policy.
44.2. Only employees, agents, sub-contractors, or other parties working on behalf of the Company that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by the Company.
44.3. All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately trained to do so.
44.4. All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately supervised.
44.5. Methods of collecting, handling, holding, and processing personal data shall be regularly evaluated and reviewed.
44.6. All personal data held by the Company shall be reviewed periodically, as set out in the Company’s Data Retention Policy.
44.7. All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be bound to do so in accordance with the principles of the GDPR and this Policy.
44.8. All agents, contractors, or other parties working on behalf of the Company handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of the Company arising out of this Policy and the GDPR.