Updated 21 May 2018
1. Purpose of policy
· To ensure that Evaluation Support Scotland (ESS) complies with the General Data Protection Regulation (GDPR)
· To ensure that we uphold the rights of our clients, stakeholders and staff
· To ensure that our clients, stakeholders and staff know how and why we process their personal data.
In this policy ‘we/our’ is ESS the charity and ‘you/your’ is anyone reading this policy whose personal data is held by ESS.
2. What is personal information?
The GDPR defines personal data as “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”.
3. Individuals’ rights under GDPR
GDPR provides the following rights for everyone involved in ESS, including staff, Trustees and everyone we work with:
1. The right to be informed
This right encompasses our obligation to provide ‘fair processing information’, which is covered in the ‘why we process your personal data’ section of this document. GDPR emphasises the need for transparency over how personal data is used. To this end we endeavour to be as transparent as possible with everyone we work with.
2. The right to access
Everyone has the right to:
· access their personal data
· confirm that their data is being processed
· be aware of and verify the lawfulness of the data processing.
Please see the ‘why we process your personal data’ section of this document.
3. The right of rectification
If we hold personal data that is incorrect or incomplete you have the right to have the data corrected. If we hold incorrect data on you, please email us at firstname.lastname@example.org and we will rectify it within one month of receipt of your email.
4. The right to erasure (the ‘right to be forgotten’)
You have the right to request deletion or removal of your personal data from our records when there is no compelling reason for its continued processing. There are caveats on this right and these are set out in the access policy.
5. The right to restrict processing
You have the right to block or suppress processing of your personal data. When processing is restricted ESS can still hold the information but cannot process it. We will, however, need to keep a minimum amount of personal data to ensure that the block on processing continues to be honoured.
6. The right to data portability
This right allows you to obtain and reuse your personal data for your own purposes across different services. It aims to make transferring personal data between similar organisations easier. Generally these files will be provided in a universally accessible format such as .csv.
7. The right to object
You have the right to object to processing of your personal data on several grounds, for example where it is used for direct marketing or where it is processed under certain lawful bases. It is the right of any individual to object to their personal data being processed on “grounds relating to his or her particular situation”.
8. Rights in relation to automated decision making and profiling
ESS does not make use of automated decision making programmes or use profiling to get in touch with organisations.
For more information on your rights please visit the Information Commissioner’s website: https://ico.org.uk/for-the-public/
4. Why we process your personal data
Personal data that we process is mostly limited to: work contact details, dietary and access requirements, attendance at events and support sessions, referrals from funders for support, and opinions on our work through feedback forms.
Our lawful basis for processing this information is threefold:
For a contract - Article 6 (1)(b)
“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.”
Essentially, this covers personal data that we collect in order to provide the service we have been asked to do, including for prospective work (e.g. enquiries and applications).
For example, if a member of an organisation gets in touch to ask if attending our workshops is right for them, we will take their contact details so that someone can get back to them. We will also note down what was discussed so that if that person calls back again we don’t have to start from scratch. If that person then decides to attend a workshop we will need more detailed personal information, including dietary and access requirements. This information is collected through the online workshop sign-up form on our website.
Information collected through the following media is processed under the contract lawful basis:
· Workshop signup sheets on website
· Tailored Support through telephone and email correspondence
· Enquiries via telephone and email
· Learning sets and fora we run or are involved in through telephone, email and meetings
· Mailing list, through online sign up or emailed requests
· Job and trustee applications via email
· Emails through ‘Contact us’ page of our website
· Reports to funders who refer, and pay for funded organisations to receive support
Legitimate interests - Article 6 (1)(f)
“processing is necessary for the purpose of legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the act.”
Personal data can be processed for legitimate interests as long as the processing doesn’t infringe on fundamental rights and freedoms set out in the Act. In this case our legitimate interest is the continued improvement and development of our work and website.
Is this interest legitimate?
The continued improvement of the services ESS offers to the third sector and funders is in the interest of the third sector more broadly, relationships between funders and funded and, of course, ESS itself.
Is processing this information necessary?
The personal data that we process is as targeted and proportionate as possible and is the least intrusive way of accomplishing this goal. Any published information gleaned from processing this data is aggregated and anonymised. We will always seek your permission to use quotes before they are included in any documents or publications.
Do individuals’ interests override the legitimate interest?
We believe individuals’ interests do not override this legitimate interest. The impact on individuals is small, as names and associated feedback are stored securely and information is aggregated and anonymised. We will also, without question, refrain from processing this data for anyone who asks us not to. However, in some cases this will result in ESS no longer being able to provide the services requested. Personal data processed by ESS under this section of the GDPR is chiefly names and email addresses on feedback forms and follow-up surveys. Our website collects IP addresses of visitors to help us gauge the effectiveness of our materials, the website itself and our social media engagement.
Consent to process sensitive personal information - Articles 6 and 9(2)(a)
“the data subject has given explicit consent to the processing of personal data for one or more specified purposes…”
We will only process sensitive personal information if you have told us that it is okay to do so. You can withdraw your consent at any time.
Sensitive personal data is a subset of personal data including the following:
· Ethnic origin
· Trade union membership
· Sex life
· Sexual orientation
These types of data are given higher levels of protection, as unlawful access could create more significant risks to a person’s fundamental rights and freedoms.
ESS processes very little sensitive personal information. We process data about protected characteristics when job applicants fill out a diversity monitoring form. This is used to monitor the diversity of people who apply for and take up posts at ESS. All data is completely anonymised. Giving us this data is entirely optional and the data has no impact on decisions. Forms are securely destroyed a month after the recruitment process is complete.
Requesting the information we hold on you
If you would like a copy of the information we hold on you please email Lydia Morrow, Finance and Business Manager at email@example.com requesting to access your data.
We will comply with your request within one month. In the unlikely event that we cannot meet this deadline (for example if requests are complex or numerous), we will be in touch with you as soon as we can to let you know when you can expect the information. This will be no more than three months from the date of your initial request.
Data retention period
ESS will not hold your data longer than necessary. However we do like to know what work we have done with your organisation in the past. To that end we hold on to records of workshop attendance, tailored support sessions and inclusion in learning sets, meetings and other evaluation support activities. This helps us provide a better service to organisations we have worked with before.
For special categories of data we keep anonymised statistical information for historical comparisons and analysis. We shred physical copies and erase digital copies of the form within a month of the end of the interview process.
The source of personal data
In the vast majority of cases personal data processed by ESS is provided by the data subject (you) through workshop sign-ups, emails or telephone calls. If your organisation is a member of certain Evaluation Support Accounts we may have received information about your organisation from funders who would like us to provide support. All data is securely stored on our in-house server and our database and can only be accessed by authorised people.
Contracts: External processing
ESS uses several external organisations to process and store our information, including Salesforce, Live Drive and MailChimp. Whenever this is the case a contract/policy is in place which confirms that those organisations comply with GDPR requirements and that all data moving between the two organisations is secure.
What if you don’t want us to process any of your personal data?
Unfortunately, if you don’t want us to process any of your personal data we will be unable to supply our services, as even a one-off attendance at a workshop requires your name, organisation, email, dietary and access requirements etc.
What to do if ESS cannot satisfy your complaint?
If, after working with us to solve the problem, you are still not satisfied, you can contact the Information Commissioner’s Office to make a complaint.
Questions about how we process personal data? Get in touch