Principle 1 of GDPR – Processing personal data lawfully, fairly and transparently
1. Lawfulness and fairness
You may only process personal data fairly and lawfully and for specified purposes. These restrictions are not intended to prevent processing, but ensure that we process personal data for legitimate purposes without prejudicing the rights and freedoms of data subjects. In order to be justified, the University may only process personal data if the processing in question is based on one (or more) of the legal bases set out below. Section 4.3 below deals with justifying the processing of sensitive personal data. Including special category data.
The legal bases for processing non-sensitive personal data are as follows:
the data subject has given his or her Consent
the processing is necessary for the performance of a contract with the data subject (e.g. monitoring academic performance in order to provide the relevant qualification for which the student has enrolled)
to meet our legal compliance obligations
to protect the data subject’s vital interests (i.e. matters of life or death)
to pursue our legitimate interests (or another’s legitimate interests) which are not overridden because the processing prejudices the interests or fundamental rights and freedoms of data subjects. The specific legitimate interest or interests that the University is pursuing when processing personal data will need to be set out in relevant Privacy Notices. This ground can only be relied upon for private functions e.g. marketing, fundraising and not for public functions.
You must identify the legal basis that is being relied on for each processing activity, which will be included in the Privacy Notice provided to data subjects.
You should only obtain a data subject’s Consent if there is no other legal basis for the processing. Consent requires genuine choice and genuine control.
A data subject consents to processing of his/her personal data if he/she indicates agreement clearly either by a statement or positive action to the processing. Silence, pre-ticked boxes or inactivity are therefore unlikely to be sufficient. If Consent is given in a document that deals with other matters, you must ensure that the Consent is separate and distinct from those other matters.
Data subjects must be able to withdraw Consent to processing easily at any time. Withdrawal of Consent must be promptly honoured. Consent may need to be renewed if you intend to process personal data for a different and incompatible purpose which was not disclosed when the data subject first consented, or if the Consent is historic.
You will need to ensure that you have evidence of Consent and you should keep a record of all Consents obtained so that we can demonstrate compliance.
Consent is required for some electronic marketing and some research purposes.
Legal bases for Processing Sensitive Personal Data, including Special Category Data
Special Category Personal Data is data revealing:
racial or ethnic origin
religious or philosophical beliefs,
trade union membership,
It also includes the processing of:
biometric data for the purpose of uniquely identifying a natural person,
data concerning health
data concerning a natural person’s sex life or sexual orientation
Personal data relating to criminal convictions and offences including the alleged commission of offences or proceedings for offences or alleged offences should be treated in the same way to special category data.
The processing of sensitive personal data by The Sunnybank Trust must be based on one of the following (together with one of the legal bases for processing non-sensitive personal data as listed above):
a. The data subject has given explicit Consent (requiring a clear statement, not merely an action)
b. The processing is necessary for complying with employment law;
c. The processing is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving Consent;
d. The processing relates to personal data which are manifestly made public by the data subject;
e. The processing is necessary for the establishment, exercise or defence of legal claims;
f. The processing is necessary for reasons of substantial public interest (provided it is proportionate to the particular aim pursued and takes into account the privacy rights of the data subject)
g. The processing is necessary for the purposes of preventive or occupational medicine, etc. provided that it is subject to professional confidentiality
h. The processing is necessary for reasons of public interest in the area of public health, provided it is subject to professional confidentiality;
i. The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes if it is subject to certain safeguards (i.e. pseudonymisation or anonymisation where possible, the research is not carried out for the purposes of making decisions about particular individuals (unless it is approved medical research) and it must not be likely to cause substantial damage/distress to an individual and is in the public interest).
Examples of sensitive personal data processed by The Sunnybank Trust will include:
Checks conducted by the Disclosure and Barring Service for the purposes of assessing eligibility of staff or volunteers to engage in work with vulnerable adults, as permitted by legislation relating to the rehabilitation of offenders or for determining fitness to practise relevant professions
Health data for the purposes for assessing eligibility to undertake relevant work within the charity (eg: lifting and carrying furniture and/or equipment).
Details of disability for the purposes of assessing and implementing reasonable adjustments within The Sunnybank Trust policies, criteria or practices
Details of racial/ethnic origin, sexual orientation, religion/belief for the purposes of equality monitoring
We will take special care when processing sensitive personal data and ensure that we comply with the data protection principles (as set out in the main body of this policy) and with this policy, in particular in ensuring the security of the sensitive personal data.
3. Transparency (notifying data subjects)
Under the GDPR The Sunnybank Trust is required to provide detailed, specific information to data subjects depending on whether the information was collected directly from data subjects or from elsewhere. That information must be provided through appropriate Privacy Notices which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a data subject can easily understand what happens to their personal data.
Whenever we collect personal data directly from data subjects, for example for the recruitment and employment of staff and for the recruitment of volunteers, at the time of collection we must provide the data subject with all the prescribed information which includes:
The Sunnybank Trust contact details
Purposes of processing
Legal basis of processing
Where the legal basis is legitimate interest, identify the particular interests (e.g. marketing, fundraising)
Where the legal basis is Consent, the right to withdraw
Where statutory/contractual necessity, the consequences for the Data Subject of not providing the data of non-provision.
Principle 2 of GDPR - Purpose Limitation
Personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.
You cannot therefore use personal data for entirely new, different or incompatible purposes from those disclosed when it was first obtained unless you have informed the data subject of the new purposes. Where the further processing is not based on the data subject’s Consent or on a lawful exemption from data-protection law requirements, you should assess whether a purpose is incompatible by taking into account factors such as:
a. The link between the original purpose/s for which the personal data was collected and the intended further processing
b. The context in which the personal data has been collected.
c. The nature of the personal data in particular whether it involves special categories of personal data (i.e. sensitive) or personal data relating to criminal offences/convictions
d. The consequences of the intended further processing for the data subjects
e. The existence of any appropriate safeguards e.g. encryption or pseudonymisation.
Provided that prescribed safeguards are implemented, further processing for scientific or historical research purposes or for statistical purposes will not be regarded as incompatible. Safeguards include ensuring data minimisation (e.g. pseudonymisation or anonymisation where possible), the research will not be carried out for the purposes of making decisions about particular individuals and it must not be likely to cause substantial damage/distress to an individual, unless it is approved medical research.
Principle 3 of the GDPR – Data minimisation
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. You should not therefore amass large volumes of personal data that are not relevant for the purposes for which they are intended to be processed. Conversely, personal data must be adequate to ensure that we can fulfil the purposes for which it was intended to be processed.
You may only process personal data when performing your job duties requires it and you should not process personal data for any reason unrelated to your job duties.
You must ensure that when personal data is no longer needed for specified purposes, it is deleted or anonymised in accordance with The Sunnybank Trust’s data retention policy and schedule.
Principle 4 of the GDPR - Accuracy
Personal data must be accurate and, where necessary, kept up to date. You should ensure that personal data is recorded in the correct files.
Incomplete records can lead to inaccurate conclusions being drawn and in particular, where there is such a risk, you should ensure that relevant records are completed.
You must check the accuracy of any personal data at the point of collection and at regular intervals thereafter. You must take all reasonable steps to destroy or amend inaccurate records without delay and you should up-date out-of-date personal data where necessary (e.g. where it is not simply a pure historical record).
Where a data subject has required his/her personal data to be rectified or erased, you should inform recipients of that personal data that it has been erased/rectified, unless it is impossible or significantly onerous to do so.
Principle 5 of the GDPR – Storage limitation
You must not keep personal data in a form that allows data subjects to be identified for longer than legitimately needed. Those purposes include satisfying any legal, accounting or reporting requirements. Records of personal data can be kept for longer than necessary if anonymised.
You will take all reasonable steps to destroy or erase from Sunnybank’s systems all personal data that we no longer require in accordance with the relevant records retention schedules and policies. Please see The Sunnybank Trust Data Retention Policy.
You will ensure that data subjects are informed of the period for which their personal data is stored or how that period is determined in any relevant Privacy Notice.
Principle 6 of the GDPR – Security, Integrity and Confidentiality
The Sunnybank Trust is required to implement and maintain appropriate safeguards to protect personal data, taking into account in particular the risks to data subjects presented by unauthorised or unlawful processing or accidental loss, destruction of, or damage to their personal data. Safeguarding will include the use of encryption and pseudonymisation where appropriate. It also includes protecting the confidentiality (i.e. that only those who need to know and are authorised to use personal data have access to it), integrity and availability of the personal data. We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our processing of personal data.
You are also responsible for protecting the personal data that you process in the course of your duties. You must therefore handle personal data in a way that guards against accidental loss or disclosure or other unintended or unlawful processing and in a way that maintains its confidentiality. You must exercise particular care in protecting sensitive personal data from loss and unauthorised access, use or disclosure.
You must comply with all procedures and technologies we put in place to maintain the security of all personal data from the point of collection to the point of destruction.
Glossary of Terms
Automated Decision-Making (ADM): when a decision is made which is based solely on automated processing (including profiling) which produces legal effects or significantly affects an individual. The GDPR prohibits Automated Decision-Making (unless certain conditions are met) but not automated processing.
Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of automated processing.
Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear positive action, signifies agreement to the processing of personal data relating to them.
Data Controller: the person or organisation that determines when, why and how to process personal data. It is responsible for establishing practices and policies in accordance with the GDPR. The Sunnybank Trust is the Data Controller of all personal data relating to it and used delivering education and training, conducting research and all other purposes connected with it including business purposes.
Data Subject: a living, identified or identifiable individual about whom we hold personal data.
Data Protection impact assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity.
Personal Data: any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data includes sensitive personal data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.
Personal Data Breach: any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data, where that breach results in a risk to the data subject. It can be an act or omission.
Processing or Process: any activity that involves the use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties. In brief, it is anything that can be done to personal data from its creation to its destruction, including both creation and destruction.
Pseudonymisation or Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.
Data Management Sub Committee:
Luke Jennings: Trustee
Dorothy Watson: Chief Executive Officer
Faith Race: Operations Coordinator