The purpose of this paper is to state clearly Butterfly Conservation’s commitment to compliance with Data Protection requirements under the General Data Protection Regulations 2016 and to provide an overview of responsibilities and how they will be fulfilled.
This Statement should be read in conjunction with The Procedures for Handling Personal Information under the General Data Protection Regulations 2016.
1. Butterfly Conservation’s Commitment
Butterfly Conservation is committed to ensuring the privacy of personal data by complying with all statutory data protection and privacy requirements as a minimum, and to the adoption of best practice by working positively to prevent any misuse of personal data under the General Data Protection Regulation 2016 and any subsequent legislation.
Butterfly Conservation recognises its responsibility to collect and process personal data fairly and lawfully. This includes all personal data (employees, members, supporters and members of the public) in all areas where personal data is needed to carry out the work of Butterfly Conservation.
2. Our Legal Responsibilities
- Although the Chief Executive has the ultimate responsibility for implementing the policy, all employees and Branch volunteers have individual responsibility and an important part to play in implementing and maintaining legal compliance.
- Therefore the responsibility for implementing the policy lies directly with line management from the Chief Executive, Directors and Line Managers through to every employee and Branch volunteer.
- Every Line Manager and Branch Chair is responsible for implementing and monitoring the policy in their area of activity.
- Every employee and Branch volunteer must adhere to the policy and co-operate with their colleagues to achieve high standards of legal compliance and best practice as data processors.
- The organisation and arrangements to support the implementation of the policy are described in Section 4 below.
3. Our Objective
Butterfly Conservation (including both collectively and individually its Trustees and Directors) is responsible for:
- Promoting data protection compliance within the Organisation.
- Ensuring all Council decisions reflect Butterfly Conservation’s data protection intentions as described in the Data Protection Policy Statement.
- Encouraging the active promotion to employees of best practice.
- Ensuring the Trustees are kept informed of any data protection risk management issues.
To ensure all activities involving the collection, processing and storage of personal data are carried out in compliance with current legislation, regulations and best practice.
To achieve this Butterfly Conservation will:
- Provide the necessary information, instruction, training and supervision to all staff responsible for handling personal data.
- Make sure that all new staff and Branch volunteers are aware of Butterfly Conservation’s Data Protection Policy and the procedures necessary to carry out their work.
- Promote awareness of data protection matters to staff and advise of changes to the legislation and procedures.
- Provide specialist support to Line Managers and Branches on data protection matters.
- Maintain Butterfly Conservation’s notification with the Information Commissioner’s Register for Data Controllers.
- Keep the policy under review and amend practice guidelines when necessary.
- Monitor the implementation of the data protection policy.
- Carry out compliance audits.
4. Organisation and arrangements for implementing the policy
To support Trustees, Directors, staff and Branch volunteers in fulfilling this objective, Butterfly Conservation has nominated the Chief Executive as Data Controller for Butterfly Conservation. The Data Controller is responsible, in particular, for monitoring, assisting and ensuring:
- Butterfly Conservation is lawfully registered as a data controller under the requirements of the Data Protection Act 1998 and subsequent legislation.
- Butterfly Conservation’s Data Protection Policy is reviewed periodically and its effectiveness monitored, with any necessary changes to be recommended to the Trustees.
- That data protection matters raised by employees, Branch volunteers, members of Butterfly Conservation and the general public are dealt with promptly and efficiently.
- That new non-data protection legislation is assessed for its impact on Butterfly Conservation’s work and procedures (e.g. law and regulations relating to electronic communications and freedom of information).
- The development of new procedures, guidelines and codes of practice where appropriate in consultation with Line Managers.
- There is consultation, agreement and dissemination of information on best practice.
- That data audits are carried out as appropriate.
However, it must be remembered that the Data Controller is a support role. It is, therefore, the responsibility of all Line Managers and Branch Chairs to assess the skills and knowledge required by themselves and their staff and volunteers and to identify training needs to enable them to comply with data protection requirements.
Where instruction and training, over and above a basic level, is required by staff and Branches, this may be provided either in-house or by specialist third-parties. Such training needs are to be agreed with the Data Controller so that the benefits may be shared throughout the organisation.
5. European Union Data Protection Laws
The European Union (EU) General Data Protection Regulation has come into effect, despite the UK leaving the EU; we will abide by EU regulation until United Kingdom law supersedes it.
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”
European Union General Data Protection Regulation 2016 (5419/16) p.18
“Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case.”
European Union General Data Protection Regulation 2016 (5419/16) p.24