Bankside Open Spaces Trust
DATA PROTECTION & PRIVACY POLICY
DATE OF REVIEW: June 2024
Contents
1. Purpose of the policy
2. About this policy
3. Definitions of data protection terms
4. Data protection principles
5. Processing data fairly and lawfully
6. Processing data for the original purpose
7. Personal data should be adequate and accurate
8. Not retaining data longer than necessary
9. Rights of individuals under the GDPR
10. Data security
11. Transferring data outside the UK
12. Processing sensitive personal data
13. Notification
14. Monitoring and review of the policy
1. Purpose of the policy
1.1 Bankside Open Spaces Trust is committed to complying with privacy and data protection laws, including:
the UK General Data Protection Regulation (“the UK GDPR”) and any related legislation which applies in the UK, including, without limitation, any legislation derived from the Data Protection Act 2018;
the Privacy and Electronic Communications Regulations (2003) and any successor or related legislation, including without limitation, the E-Privacy Regulation; and
all other applicable laws and regulations relating to the processing of personal data and privacy, including statutory instruments and, where applicable, the guidance and codes of practice issued by the Information Commissioner's Office (“ICO”) or any other supervisory authority (together, “the Legislation”).
1.2 This policy sets out what we do to protect individuals’ personal data.
1.3 Anyone who handles personal data in any way on behalf of Bankside Open Spaces Trust must ensure that we comply with this policy. Section 3 of this policy describes what comes within the definition of “personal data”. Any breach of this policy will be taken seriously and may result in disciplinary action or more serious sanctions.
1.4 This policy may be amended from time to time to reflect any changes in legislation, regulatory guidance, or internal policy decisions.
2. About this policy
2.1 The types of personal data that we may handle include details of: staff, volunteers, trustees, complainants, supporters, donors, enquirers, advisers, and representatives of other organisations.
2.2 The CEO at Bankside Open Spaces Trust is responsible for ensuring compliance with the UK GDPR and with this policy. Any questions or concerns about this policy should be referred in the first instance to the CEO who can be contacted at info@bost.org.uk or on 020 7403 3393.
3. Definitions of data protection terms
3.1 The following terms will be used in this policy and are defined below:
3.2 Data Subjects include all living individuals about whom we hold personal data, for instance, an employee or a supporter. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.
3.3 Personal Data means any information relating to a living person who can be identified directly or indirectly from that information (or from that information and other information in our possession). Personal data can be factual (such as a name, address, or date of birth) or it can be an opinion (such as a performance appraisal). It can also include an identifier such as an identification number, location data, or an online identifier specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
3.4 Data Controllers are the people who, or organisations which, decide the purposes and the means for which any personal data is processed. They have a responsibility to process personal data in compliance with the Legislation. Bankside Open Spaces Trust is the data controller of all personal data that we manage in connection with our work and activities.
3.5 Data Processors include any person who processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition, but it could include other organisations such as website hosts, fulfilment houses, or other service providers which handle personal data on our behalf.
3.6 ICO means the Information Commissioner’s Office (the authority which oversees data protection regulation in the UK).
3.7 Processing is any activity that involves use of personal data, whether or not by automated means. It includes but is not limited to:
collecting;
recording;
organising;
structuring;
storing;
adapting or altering;
retrieving;
disclosing by transmission;
disseminating or otherwise making available;
aligning or combining;
restricting;
erasing; or
destroying personal data.
3.8 Sensitive Personal Data (which is defined as “special categories of personal data” under the UK GDPR) includes information about a person's:
racial or ethnic origin;
political opinions;
religious, philosophical, or similar beliefs;
trade union membership;
physical or mental health or condition;
sexual life or orientation;
genetic data;
biometric data; and
such other categories of personal data as may be designated as “special categories of personal data” under the Legislation.
4. Data protection principles
4.1 Anyone processing personal data must comply with the six data protection principles set out in the UK GDPR. We are required to comply with these principles (summarised below) and show that we comply, in respect of any personal data that we deal with as a data controller.
4.2 Personal data should be:
processed fairly, lawfully, and transparently;
collected for specified, explicit, and legitimate purposes and not further processed in a way which is incompatible with those purposes;
adequate, relevant, and limited to what is necessary for the purpose for which it is held;
accurate and, where necessary, kept up to date;
not kept longer than necessary; and
processed in a manner that ensures appropriate security of the personal data.
5. Processing data fairly and lawfully
5.1 The first data protection principle requires that personal data is obtained fairly and lawfully and processed for purposes that the data subject has been told about. Processing will only be lawful if certain conditions can be satisfied, including where the data subject has given consent, or where the processing is necessary for one or more specified reasons, such as where it is necessary for the performance of a contract.
5.2 To comply with this principle, when we receive personal data about a person directly from that individual, which we intend to keep, we need to provide that person with “the fair processing information”. In other words, we need to tell them:
the type of information we will be collecting (categories of personal data concerned);
who will be holding their information, i.e. Bankside Open Spaces Trust, including our contact details and the contact details of our Data Protection Officer (if we have one);
why we are collecting their information and what we intend to do with it, for instance, to process donations or send them mailing updates about our activities;
the legal basis for collecting their information (for example, are we relying on their consent, or on our legitimate interests, or on another legal basis);
if we are relying on legitimate interests as a basis for processing, what those legitimate interests are;
whether the provision of their personal data is part of a statutory or contractual obligation and details of the consequences of the data subject not providing that data;
the period for which their personal data will be stored or, where that is not possible, the criteria that will be used to decide that period;
details of people or organisations with whom we will be sharing their personal data;
if relevant, the fact that we will be transferring their personal data outside the UK and details of relevant safeguards; and
the existence of any automated decision-making, including profiling in relation to that personal data.
5.3 Where we obtain personal data about a person from a source other than the person themselves, we must provide that individual with the following information in addition to that listed under 5.2 above:
the categories of personal data that we hold; and
the source of the personal data and whether this is a public source.
5.4 In addition, in both scenarios (where personal data is obtained both directly and indirectly) we must also inform individuals of their rights outlined in section 9 below, including the right to lodge a complaint with the ICO and the right to withdraw consent to the processing of their personal data.
5.5 This fair processing information can be provided in a number of places including on web pages, in mailings, or on application forms. We must ensure that the fair processing information is concise, transparent, intelligible, and easily accessible.
6. Processing data for the original purpose
6.1 The second data protection principle requires that personal data is only processed for the specific, explicit, and legitimate purposes that the individual was told about when we first obtained their information.
6.2 This means that we should not collect personal data for one purpose and then use it for another. If it becomes necessary to process a person’s information for a new purpose, the individual should be informed of the new purpose beforehand. For example, if we collect a contact number or email address in order to update a person about our activities, it should not then be used for a new purpose, such as sharing it with other organisations for marketing, without first obtaining the individual’s consent.
7. Personal data should be adequate and accurate
7.1 The third and fourth data protection principles require that personal data that we keep should be accurate, adequate, and relevant. Data should be limited to what is necessary in relation to the purposes for which it is processed. Inaccurate or out-of-date data should be corrected or erased without delay.
7.2 We will:
ensure that the personal data we collect is adequate, relevant, and limited to what is necessary for the purposes for which it is to be processed;
not collect or hold personal data on a ‘just in case’ basis or process personal data if we do not need it;
take every reasonable step to ensure that personal data which we hold is accurate and kept up to date; and
take every reasonable step to ensure that any inaccurate personal data that we hold is erased or rectified without delay.
7.3 Individuals may ask us to correct inaccurate personal data relating to them. If you are aware that personal data that we hold is inaccurate or if an individual asks you to correct inaccurate data, you should inform the CEO at info@bost.org.uk or on 020 7403 3393, so that the data can be corrected.
8. Not retaining data longer than necessary
8.1 The fifth data protection principle requires that personal data should not be kept longer than is necessary for the purpose for which it is held. This means that data should be destroyed or erased from our systems when it is no longer required.
8.2 We will:
review the length of time we keep personal data;
consider the purpose or purposes for which we hold the information in deciding whether (and for how long) to retain it;
securely delete information that is no longer needed for this purpose or these purposes; and
update, archive, or securely delete information if it goes out of date.
8.3 We will ensure that when personal data is no longer needed for specified purposes, it is deleted or rendered permanently anonymous.
9. Rights of individuals under the GDPR
9.1 The UK GDPR provides individuals with the following rights regarding their personal data:
The right to be informed about how their personal data is being used;
The right of access to the personal data we hold about them;
The right to rectification if their personal data is inaccurate or incomplete;
The right to erasure (also known as the right to be forgotten) if certain grounds are met;
The right to restrict processing if certain grounds are met;
The right to data portability allowing individuals to obtain and reuse their personal data for their own purposes across different services;
The right to object to processing of their personal data if certain grounds are met; and
Rights in relation to automated decision making and profiling.
9.2 We will uphold individuals’ rights in accordance with the Legislation. Any requests received from individuals to exercise these rights should be handled as follows:
Inform the CEO immediately;
Acknowledge the request promptly;
Verify the identity of the individual making the request; and
Comply with the request within one month, unless the request is complex or numerous, in which case we can extend the deadline by a further two months.
9.3 We will ensure that we provide information on the action we have taken on a request to exercise any of the above rights to the individual within one month of receiving the request.
10. Data security
10.1 The sixth data protection principle requires that personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.
10.2 We will ensure that we have in place appropriate technical and organisational measures to protect personal data, including against unauthorised or unlawful processing, accidental loss, destruction, or damage. This includes:
keeping data secure by using strong passwords and encrypting data where appropriate;
storing data securely;
limiting access to personal data to those who need to process it for legitimate business purposes;
using secure methods to transfer data; and
regularly reviewing our security measures.
10.3 If you become aware of a data breach or a potential data breach, you must report it immediately to the CEO at info@bost.org.uk or on 020 7403 3393. All data breaches will be handled in accordance with our Data Breach Policy and may be reported to the ICO as necessary.
11. Transferring data outside the UK
11.1 The UK GDPR restricts the transfer of personal data to countries outside the UK unless the rights of individuals in relation to their personal data are protected.
11.2 We will only transfer data outside the UK if:
The country or territory to which the personal data is transferred ensures an adequate level of protection for the data subjects’ rights and freedoms;
The data subject has given explicit consent to the transfer after being informed of any potential risks; or
The transfer is necessary for one of the other reasons set out in the UK GDPR, including the performance of a contract between us and the data subject, reasons of public interest, or to establish, exercise, or defend legal claims.
11.3 If we are required to transfer personal data outside the UK, we will take all steps necessary to ensure that appropriate safeguards are in place to protect the data, including using standard contractual clauses approved by the ICO or other appropriate transfer mechanisms.
12. Processing sensitive personal data
12.1 Sensitive personal data (special categories of personal data) requires higher levels of protection. We will ensure that we only process sensitive personal data if:
The data subject has given explicit consent to the processing;
The processing is necessary for the purposes of carrying out obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law;
The processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent;
The processing is carried out in the course of our legitimate activities with appropriate safeguards; or
The processing relates to personal data which are manifestly made public by the data subject.
12.2 We will ensure that any sensitive personal data we collect is adequate, relevant, and not excessive, and is processed in accordance with one of the legal bases set out above.
13. Notification
13.1 We will ensure that we notify the ICO as required under the Legislation and keep our registration up to date.
13.2 Any changes to our processing activities will be notified to the ICO to ensure our registration remains accurate.
14. Monitoring and review of the policy
14.1 This policy is reviewed annually by the CEO to ensure it is achieving its objectives.
14.2 We will continue to review the effectiveness of this policy to ensure it is achieving its stated objectives.
This revised policy is designed to align closely with UK law and current ICO guidelines, ensuring that Bankside Open Spaces Trust maintains compliance and adequately protects personal data.