DATA PROTECTION POLICY
This is a statement of the Data Protection Policy adopted by GRAMPIAN CYCLE PARTNERSHIP.
This policy is applicable to all personal data held by GRAMPIAN CYCLE PARTNERSHIP. It applies to all Members of GRAMPIAN CYCLE PARTNERSHIP and to any contractors or agents performing work for or on behalf of GRAMPIAN CYCLE PARTNERSHIP.
GRAMPIAN CYCLE PARTNERSHIP needs to process certain types of data about people with whom it deals in order to operate (“personal data”). This includes anyone with whom it communicates.
In order to comply with the Data Protection Act 2018, GRAMPIAN CYCLE PARTNERSHIP must ensure that all personal data are securely stored and processed lawfully, however it is collected, recorded and used. Safeguards are in place to support compliance with the legislation and these are detailed below.
GRAMPIAN CYCLE PARTNERSHIP regards the safekeeping of all personal data as paramount to maintaining confidence between it and those with whom it deals. GRAMPIAN CYCLE PARTNERSHIP endeavours to fulfil all the requirements of the Act while remaining open and accessible by the public.
SCOPE
This policy is applicable to all personal data held by GRAMPIAN CYCLE PARTNERSHIP whether the information is held or accessed on GRAMPIAN CYCLE PARTNERSHIP premises or accessed remotely via mobile or home working or by using network access from partner organisations. Personal information held on removable devices and other portable media is also covered by this policy.
THE DATA PROTECTION PRINCIPLES
To that end, GRAMPIAN CYCLE PARTNERSHIP fully endorses and adheres to the Principles set out below.
Lawfulness, Fairness and Transparency
- Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose Limitation
- Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (with exceptions for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes).
Data Minimisation
- Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy
- Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Storage limitation
- Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of appropriate technical and organisational measures in order to safeguard the rights and freedoms of the data subject.
Integrity and confidentiality
- Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability
In addition, GRAMPIAN CYCLE PARTNERSHIP is responsible for, and must be able to demonstrate compliance with, the data protection principles listed above, in accordance with the principle of accountability. It must keep a full and accurate record of its personal data processing activities, e.g., the lawful basis for the processing in question, who is undertaking these activities and with what data, the results of any data protection impact assessment or data protection audit and details of any data breaches and actions taken.
RESPONSIBILITIES
- The Chairperson of Grampian Cycle Partnership has specific senior responsibility for data protection within GRAMPIAN CYCLE PARTNERSHIP. The Partnership Director has responsibility for ensuring that the information under their control is collected, processed and held in accordance with this policy and the GDPR.
- The Secretary of GRAMPIAN CYCLE PARTNERSHIP is the designated Data Protection Officer for GRAMPIAN CYCLE PARTNERSHIP, advising on and monitoring GRAMPIAN CYCLE PARTNERSHIP’s compliance with GDPR and providing a point of contact for data subjects and the Information Commissioner’s Office.
- All committee members of the Partnership and any contractors or agents performing work for or on behalf of the Partnership and any other individuals with access to GRAMPIAN CYCLE PARTNERSHIP’s information have a responsibility to ensure that personal information is properly protected at all times. This requires continued compliance with the GRAMPIAN CYCLE PARTNERSHIP’s information policies, procedures and other guidance.
- All users have a responsibility to report any observed or suspected breach of this Data Protection Policy or related information procedures and guidance. All incidents must be reported to the Data Protection Officer.
WHAT GRAMPIAN CYCLE PARTNERSHIP WILL DO
To ensure compliance, GRAMPIAN CYCLE PARTNERSHIP will, through appropriate management and strict application of criteria and controls:
- maintain appropriate and accurate transparency information (a privacy notice) on its website clearly signposted from any portals or forms which may collect personal data
- meet its legal obligations to specify the purposes for which data is used
- collect and process appropriate data, and only to the extent that it is required to fulfil operational needs or to comply with any legal requirements
- ensure the quality of the data used
- apply the retention policy set out in GRAMPIAN CYCLE PARTNERSHIP Records Management Plan to determine the length of time the data is held
- ensure that rights of people about whom data is held can be fully exercised.
- ensure that materials are only distributed to corporate email addresses or to the personal email addresses of current members, organisations or individuals, who have agreed/requested to receive them
- ensure that the Data Protection Officer has sight of all new projects and business activities to consider whether data protection issues arise and to include Privacy by Design as appropriate;
- take appropriate technical and organisational security measures to safeguard personal data;
- ensure that personal data is not transferred outside the European Economic Area without suitable safeguards.
In addition, GRAMPIAN CYCLE PARTNERSHIP will ensure that:
- there is a designated Data Protection Officer for the organisation;
- everyone managing and handling personal data understands that they are contractually responsible for following good data protection practice
- everyone managing and handling personal data is appropriately trained to do so
- anyone wishing to make enquiries about handling personal data knows what to do
- queries about handling personal data are competently and courteously dealt with
- methods of handling personal data are clearly described
- an annual review and audit is made of the way personal data is managed
- methods of handling personal data are annually assessed and evaluated; and
- performance with handling personal data is regularly assessed and evaluated as part of the Records Management Plan
DATA RIGHTS
GRAMPIAN CYCLE PARTNERSHIP will ensure individuals’ rights are respected with regard to their personal data.
- a regular review and audit is made of the way personal data is managed
- methods of handling personal data are regularly assessed and evaluated; and
- performance with handling personal data is regularly assessed and evaluated.
- the right to rectify or restrict inaccurate data
- the right to erase data or to data portability in certain circumstances
- the right to challenge processing reliant on legitimate interests or public interest
- the right to make a complaint to the UK Information Commissioner.
All requests must be directed to the Data Protection Officer and/or Scottish Information Commissioner (ICO), who will ensure that appropriate actions are taken and a response issued without undue delay and, except in certain circumstances, at least within one month.
PERSONAL DATA BREACHES
Any incident which may impact on the confidentiality, integrity or availability of personal data held by GRAMPIAN CYCLE PARTNERSHIP must be reported immediately to the Data Protection Officer.
The Data Protection Officer will record the incident, ensure appropriate mitigation measures are in place and consider whether the incident is a personal data breach which presents a risk to individuals.
The Data Protection Officer will present a report to the Partnership Director including, if appropriate, a recommendation on whether to report a breach to the Scottish Information Commissioner’s Office within 72 hours of GRAMPIAN CYCLE PARTNERSHIP becoming aware of the incident.
If the Partnership Director decides that an incident constitutes a reportable breach, the Data Protection Officer will report the incident to the ICO and liaise as appropriate. Affected data subjects may also require to be informed if there is a high risk to their rights and freedoms as a consequence of the data breach.
GENERAL
This document states GRAMPIAN CYCLE PARTNERSHIP’s primary, general policy with regard to Data Protection. GRAMPIAN CYCLE PARTNERSHIP also has policies, procedures and guidance, as appropriate, for specific types of data maintenance and data type. Additional data specific policies, procedures and guidance will be adopted as and when necessary.
REVIEW
This policy will be reviewed annually, along with our Records Management Plan, to take account of developments within GRAMPIAN CYCLE PARTNERSHIP and legislative requirements.
Use of personal data at GRAMPIAN CYCLE PARTNERSHIP
This document describes how GRAMPIAN CYCLE PARTNERSHIP uses personal data (information relating to individuals).
GRAMPIAN CYCLE PARTNERSHIP is responsible for how we use any personal information.
Our Secretary, Jon Barron, can be contacted with any concerns or requests relating to our use of personal data:
Jon Barron
Cycling Development Officer
Nestrans
Archibald Simpson House
27-29 King Street
Aberdeen
AB24 5AA
Telephone: 01224 346680
Email: JBarron@Nestrans.org.uk
Why does GRAMPIAN CYCLE PARTNERSHIP process personal data?
GRAMPIAN CYCLE PARTNERSHIP processes a minimal amount of personal data in the exercise of our role including:
- Administration
- Development and publication of local cycling strategies
- Consultation, promotion and communication on issues relating to sustainable and efficient transport in the partnership area
- Administration of projects and grant schemes
What personal data does GRAMPIAN CYCLE PARTNERSHIP process?
The personal data GRAMPIAN CYCLE PARTNERSHIP processes includes:
- For the public: Names and contact details for individuals responding to consultations, raising concerns or complaints or attending events
- For suppliers and contractors: Names and contact details for the management of the supplier relationship; bank details of sole traders for the purposes of making payments
- For members, consultative and other groups/meetings that GRAMPIAN CYCLE PARTNERSHIP take part in: Names and contact details for the administration of meetings and distribution of information on GRAMPIAN CYCLE PARTNERSHIP activities
- For partnership members: Name and email contact details; postcode prefix only
With whom will GRAMPIAN CYCLE PARTNERSHIP share personal data?
The following organisations will receive personal data as necessary from GRAMPIAN CYCLE PARTNERSHIP: N/A
GRAMPIAN CYCLE PARTNERSHIP undertakes no automated decision-making affecting individuals or profiling of personal data.
- Microsoft UK are data processors, hosting GRAMPIAN CYCLE PARTNERSHIP’s IT systems on Microsoft Office 365 Version 2016 via Aberdeen City Council, who manage our ICT
- Partner local authorities or the Scottish Public Sector Ombudsman (SPSO) may receive data relating to complainants or correspondents where correspondence from the public should appropriately be redirected to the authority or SPSO
- Aberdeenshire Council will receive personal data relating to employees and contractors for the purposes of the management of our payroll and for financial management, which they provide on our behalf
- Aberdeenshire Council will receive personal data relating to staff and job applicants for the purposes of the human resources management support they provide on our behalf
GRAMPIAN CYCLE PARTNERSHIP will put appropriate written arrangements in place with these organisations to protect your personal data.
GRAMPIAN CYCLE PARTNERSHIP transfers no personal data outside the European Economic Area. Microsoft hosts data on our behalf on servers within the UK and the European Union.
How long does GRAMPIAN CYCLE PARTNERSHIP retain personal data?
Personal data is managed in line with the GRAMPIAN CYCLE PARTNERSHIP records retention policy. For example, consultation responses are retained for five years before being securely deleted.
Your Rights to personal data
You have the right to:
Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
To exercise these or any of your rights, please contact the Data Protection Officer using the details above.
For more information on data rights see the website of the Information Commissioner’s Office.
Complaints or concerns relating to GRAMPIAN CYCLE PARTNERSHIP’s use of personal data
If you have any concerns relating to GRAMPIAN CYCLE PARTNERSHIP’s management of personal data, you can raise them with our Secretary, Jon Barron, at the contact details above.
If you remain dissatisfied you can complain to the Information Commissioner’s Office by phoning their helpline on 01334 464610, by using their online portal for raising concerns or by post at:
Scottish Information Commissioner
Kinburn Castle
Doubledykes Road
St Andrews
Fife
KY16 9DS
Version 2, 11th March 2019