Data Protection
The Restore Trust
Data Protection Policy Statement 2018 (GDPR)
1 - Introduction
The Restore Trust creates or processes a variety of personal data and special category data (previously known as sensitive personal data) on our employees, Board Members and clients. The Trust also holds a range of commercially sensitive data.
Data Protection Law is evolving to meet the fast pace of technology development and creation of new ways of processing information. This policy has been updated in line with GDPR legislation effective from 25.5.2018 and the Data Protection Act 2018. This regulation improves the rights of data subjects, but the fundamental principles of data protection remain. Restore Trust is a proactive advocate of GDPR principles and requirements.
Due to the 2018 changes in Data Protection Law, the first section of the Policy includes amended definitions for clarity.
2 - Restore Policy Statement
The Restore Trust will securely create, process, store, archive and destroy a wide range of data linked to its employees, Board Members, operational and corporate business activities, partners and wider contracts. We will treat all such data with appropriate care, meeting or exceeding legal and contractual standards.
We will adhere to the enhanced requirements for processing Personal Data and Special Category Data, Privacy by Default and Design Principles and enact the enhanced rights of Data Subjects under GDPR and the Data Protection Act 2018.
All staff will be trained in the principles of protecting personal data and Information Security. The Restore Trust CEO and a nominated Board member will also be trained and will ensure that Privacy and GDPR requirements receive appropriate strategic attention and are further embedded into The Restore Trust Governance cycles.
The Restore Trust views the principles of good Data Governance as a key enabler and will ensure that the matter receives appropriate Board Level attention by placing Data Protection as a standing Board Agenda Item.
3 - Data Protection Strategy Scope
This strategy relates to all personal information processed by The Restore Trust. This strategy relates to the processing of personal data and special category data throughout its lifecycle – from planning and creation through to eventual disposal.
This strategy concerns the processing of all personal data processed by Restore including all personal data that is processed on behalf of our Commissioners, as well as that for which Restore is the sole data controller.
For an analysis of these data flows please see GDPR Data Analysis May 2018.
4 - Data Definitions
Personal Data and Personal Information are interchangeable for the purpose of this strategy and are considered to have the same meaning.
"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Personal information is defined as per GDPR / DPA 2018, meaning data which relates to a living individual who can be identified:
- wholly or partly by automated means;
- or the processing other than by automated means of personal data which forms part of, or is intended to form part of, a filing system.
Personal data only includes information relating to natural persons who:
- can be identified or who are identifiable, directly from the information in question; or
- can be indirectly identified from that information in combination with other information.
- Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.
- Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data.
- If personal data can be truly anonymised then the anonymised data is not subject to the GDPR. It is important to understand what personal data is in order to understand if the data has been anonymised.
- Information about a deceased person does not constitute personal data and therefore is not subject to the GDPR.
- Information about companies or public authorities is not personal data.
- However, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute personal data.
Lawful Basis for Processing
Processing, in relation to information or data, means obtaining, recording or holding the information or data; or carrying out any operation or set of operations on the information or data, including:
- organisation, adaptation or alteration of the information or data,
- retrieval, consultation or use of the information or data,
- disclosure of the information or data by transmission, dissemination or otherwise making available, or
- alignment, combination, blocking, erasure or destruction of the information or data.
The Lawful Bases for Processing are as follows:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
NB: Full Data Protection Policy available upon request