Butterfly Conservation GDPR and Data Protection Policy
Purpose
Butterfly Conservation is committed to being transparent about how it collects and processes personal data to ensure it meets or exceeds its obligations under the General Data Protection Regulation (GDPR). This policy sets out Butterfly Conservation’s commitment to data protection, and individuals’ rights to, and obligations in relation to, personal data.
This policy applies to all personal data processed by Butterfly Conservation, including but not limited to, personal data held about employees, members and volunteers.
This policy is non-contractual and can be amended by Butterfly Conservation at any time.
Butterfly Conservation has appointed the Database Support Officer as its Data Protection Officer. Their role is to advise Butterfly Conservation on its data protection obligations. Any questions about this policy or requests for further information should be directed to the Data Protection Officer [[email protected]].
The Chief Executive Officer is Butterfly Conservation's Data Controller. This means that they hold ultimate responsibility and accountability for implementing this policy.
Definitions
Personal data refers to information relating to any natural living person who can be identified from that information; this person is known as the Data Subject. Processing is any use of that data and can include storing, collecting, amending, disclosing or destroying it. Butterfly Conservation stores personal data in electronic and paper formats. Storage locations include Butterfly Conservation’s email system, SharePoint, IT monitoring systems, HR systems, paper membership forms and Butterfly Conservation’s CRM system.
Personal data may be provided to Butterfly Conservation by the Data Subject through online forms, over the phone, via post or in person at events held by Butterfly Conservation.
Special categories of personal data refers to information about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data. Some of this data may be collected to help ensure delivery of safe and impactful projects and activities including the diversity of people engaged with Butterfly Conservation.
Where special category data is collected and processed in an anonymised format it will not be considered personal data.
Details of any special category data Butterfly Conservation collects will be explained in detail when collected.
Criminal record data is information about an individual’s criminal convictions and offences and information relating to criminal allegations and proceedings, which is collected to meet regulatory requirements.
Data Protection Principles
Butterfly Conservation processes personal data in accordance with the following data protection principles, which set out that all personal data shall be:
• Processed lawfully, fairly and in a transparent manner.
• Collected and processed for specified, explicit and legitimate purposes.
• Adequate, relevant and limited to what is necessary for processing.
• Accurate and up to date, with any inaccurate data rectified or erased without delay.
• Only kept for the period of processing and no longer than is necessary.
• Processed in a way that ensures appropriate security.
In line with the principles of the GDPR Butterfly Conservation will only process personal data for the reasons outlined to the data subject in Butterfly Conservation’s privacy policy. Butterfly Conservation must have a specified lawful basis for processing personal data.
A full list of types of data held by Butterfly Conservation and the lawful bases for processing them can be found in Appendix 1 of the Data Retention Policy.
Where consent is the lawful basis for data processing Butterfly Conservation must receive a freely given positive indication of consent to data processing to be able to process the data subject’s personal data.
Where another lawful basis is used Butterfly Conservation may process the data subject’s personal data without consent. Data subjects may choose not to provide certain information; however, this may prevent Butterfly Conservation from complying with its legal obligations which could affect their employment or prevent them from receiving all supporter benefits. For example, if a member doesn’t provide their address they will not be automatically assigned to a branch or receive a welcome pack.
Data Subject Rights
As data subjects, individuals have a number of rights in relation to their personal data.
Subject access requests
This is also known as the right of access.
Any data subject has the right to review the information Butterfly Conservation holds about them, with some exceptions. Requests can be made verbally or in writing in a hard copy letter or transmitted electronically by email or text and may also be valid if submitted by social media. Where a request has been made verbally, the data subject can be requested to confirm this request in writing. However, it is not compulsory for an individual to confirm, and this cannot be used to extend the response deadline.
Butterfly Conservation has one month to respond to such a request; however, where the request is complex this can be extended by up to two months. Where this is the case, Butterfly Conservation will advise the individual within one month of receiving the request and explain why more time is needed.
No charge will usually be made for a response to a subject access request. However, a ‘reasonable fee’ may be charged for administrative costs if the request is manifestly unfounded/excessive or an individual requests further copies of their data following a request.
If anyone receives a subject access request from another member of staff, the request must be immediately passed on to the Data Protection Officer [[email protected]].
Right to be Informed
Data subjects have the right to be told what personal data Butterfly Conservation processes, how this processing takes place and on what basis.
This information can be found in Butterfly Conservation’s privacy policy.
Right to Rectification
Data subjects have the right to rectify any inaccurate data held about them.
Butterfly Conservation has one month to respond to such a request.
Right to Erasure
This is also known as the Right to be Forgotten.
Data subjects have the right to ask Butterfly Conservation to erase personal data where it is no longer necessary to process it for the purpose it was collected or where it should not have been collected in the first place.
Not all data can be erased and in some circumstances Butterfly Conservation can refuse to delete data. For example, where a legal or statutory requirement means the data must be retained.
Butterfly Conservation has one month to respond to such a request.
Right to Restrict Processing
Data Subjects can request a restriction in the processing of their data when they believe:
• the data held about them is inaccurate.
• the data was not obtained lawfully.
• the data is no longer required by the Data Controller, but it’s required for a Data Subject’s legal claim.
• the legitimate interest of Butterfly Conservation needs to be verified.
Restricted data can be held by Butterfly Conservation, but not processed.
Butterfly Conservation has one month to respond to such a request.
Right to Data Portability
Data Subjects have the right to request that their data can be reused in a different service by another Data Controller. Only data provided to Butterfly Conservation by the Data Subject is covered by this.
Right to Object
Data subjects have the right to object to data processing where Butterfly Conservation is relying on a legitimate interest or consent to do so and the individual thinks that their rights and interests outweigh those of Butterfly Conservation. For example, a Data Subject can withdraw consent to direct marketing from Butterfly Conservation.
A Data Subject has the right to object at any point, not just when they first sign up and provide their personal data.
Automated Decision Making and Profiling Rights
Where Butterfly Conservation makes use of automated decision making which has a legal or significant effect on the data subject, they can request to opt out of having their data processed in this manner.
Other Rights
Data subjects have other rights in relation to their personal data:
• to be notified if there is a data security breach involving their data that may affect them.
• to complain to the Information Commissioner. Contact details can be found on the website: https://ico.org.uk/
Data Security
Butterfly Conservation takes the security of personal data seriously. Butterfly Conservation has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties. Access to individuals’ data is restricted to those users with a specific and legitimate business need for the data.
Where Butterfly Conservation engages third parties to process personal data on its behalf or acts as a joint controller of the data with another organisation, Butterfly Conservation still retains responsibility for the secure and appropriate use of that data. Consequently, before an individual’s data is transferred to any third party, Butterfly Conservation will:
• ensure that the third party has sufficient security measures in place to protect the processing of personal data.
• ensure any transfer of data is done securely, either by password protecting documents, or by transferring data via a secure collaborative portal.
• have in place a data processing agreement establishing what personal data will be processed and for what purpose which has been signed by both parties.
Impact Assessments
When Butterfly Conservation implements new systems or processes relating to personal data where there may be a risk to privacy, a Data Protection Impact Assessment (DPIA) must be carried out to determine the necessity and proportionality of processing.
This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.
Data Breaches
If Butterfly Conservation discovers that there has been a breach of personal data that poses a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner within 72 hours of discovery. Butterfly Conservation will record all data breaches regardless of their effect.
If the Data Controller considers that the breach is likely to result in a high risk to the rights and freedoms of individuals, Butterfly Conservation will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken. This will ideally be done as soon as reasonably possible after discovery.
International data transfers
If Butterfly Conservation transfers data to countries outside of the UK, a Transfer Risk Assessment (TRA) should be completed. The ICO’s online TRA tool should be used and the outcomes documented.
If, after completing the TRA, it’s determined that the data transfer can proceed, an International Data Transfer Agreement (IDTA) should be completed. A template for this can be found on the ICO website.
Staff Responsibilities
Although the Chief Executive has the ultimate responsibility for implementing the policy, all employees have individual responsibility and an important part to play in implementing and maintaining legal compliance.
If an employee becomes aware of a data subject exercising one of their rights listed above under “Data Subject Rights” they must let the Data Protection Officer [[email protected]] know immediately to ensure it is dealt with in a timely manner.
Employees are responsible for helping Butterfly Conservation keep their personal data and personal data of any data subjects held by Butterfly Conservation up to date.
They must let Butterfly Conservation know if data provided to Butterfly Conservation changes, for example if an employee moves house or a volunteer updates their phone number.
Any employee who has access to personal data held by Butterfly Conservation must familiarise themselves with this policy, including the data protection principles, and comply with them.
Employees who have access to personal data are required:
• to access only data that they have authority to access and only for authorised purposes.
• not to disclose data except to individuals (whether inside or outside Butterfly Conservation) who have appropriate authorisation.
• to keep all data secure – whether on paper or electronically, in line with the Information Technology Systems Policy. For example, by complying with rules on computer access, including password protection, and secure file storage and destruction. Always lock electronic devices when not in use and keep paper-based personal data in locked cabinets.
• not to remove personal data, or devices containing or that can be used to access personal data, from Butterfly Conservation's premises without permission and without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device.
• not to store personal data on local drives or on personal devices that are used for work purposes.
• to securely destroy any copies of personal data they create in line with the data retention policy.
• to report data breaches of which they become aware to the data protection officer ([email protected]) immediately.
Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with under Butterfly Conservation's disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing or publishing personal data without authorisation or a legitimate reason to do so, may constitute gross misconduct which could lead to dismissal without notice. Such a breach could be considered a criminal offence; in these circumstances Butterfly Conservation or an affected data subject may report the individual responsible for the breach to the police.
Training
Butterfly Conservation will provide training to all employees about their data protection responsibilities as part of the induction process and at regular intervals thereafter. This needs to include awareness of any restrictions on personal use of Butterfly Conservation’s systems as detailed in Butterfly Conservation’s IT policy.
Employees whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.