SNT is passionate about safeguarding the personal data of our customers, volunteers, moorers and supporters. In accordance with the new General Data Protection Regulation we have developed and committed to the following policies:
Data Protection Policy
INTRODUCTION / BACKGROUND
The protection of private and sensitive data held by businesses is one of the most regulated issues in the business sector. Organisations who fail to protect the data they use can find themselves in trouble with the law, facing significant fines and even imprisonment. The risk to the company and its operations from corrupted data and loss of reputation can also be devastating.
In order to operate efficiently, we must collect information about the people we work with; these may be members of the public, current, past and prospective employees, funded bodies and suppliers.
Personal data is defined as: “any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
This policy exists to ensure Stourbridge Navigation Trust (incorporating Fellows, Morton & Clayton Trip Boats):
- Complies with current data protection law and follows good practice.
- Protects the rights of staff, customers and partners.
- Is open about how it collects, stores and processes individuals’ data.
- Protects itself from risks of data breach.
This policy has been drawn up in recognition of the requirements of the Data Protection Act 1998 and in accordance with the 2018 General Data Protection Regulation (GDPR) requirements regarding the way data must be collected and handled and how personal information is stored. The law provides standards for protecting personal data in accordance with the GDPR, giving people more control over the use of their data and providing rights to move or delete personal data.
These rules apply regardless of whether information is stored electronically, on paper or through other means.
The Data Protection Act is underpinned by eight important principles. These say that personal data must:
- Be processed fairly and lawfully
- Be obtained only for specific lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for longer than necessary
- Be processed in accordance with the rights of data subjects
- Be protected in appropriate ways
- Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection
This policy applies to all Trustees, Staff, Volunteers, Supporters, Contractors, Suppliers and others working for or representing SNT. The purpose of this policy is to ensure that SNT complies with the provisions of GDPR and UK Data Protection Law to protect the rights and privacies of individuals.
It applies to all data that the Trust holds relating to identifiable individuals, even if it falls outside the Data Protection Act 1998. This can include:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- plus any other indirect information relating to individuals, such as physical, economic or social identity, which can be traced back to an individual
This policy will help protect the Trust from data security risks including:
- Breaches of confidentiality – i.e. information given out inappropriately
- Failing to offer choice – i.e. all individuals should be free to choose how the company uses data relating to them
- Reputational damage – i.e. hackers gaining access to sensitive data
Everyone who works for or supports SNT has a responsibility to ensure data is collected, stored and handled appropriately. Anyone who handles personal data must ensure it is handled, processed and stored in line with this policy and the Data Protection Principles.
KEY AREAS OF RESPONSIBILITY
- The Board of Directors/Trustees is ultimately responsible for ensuring SNT meets all its legal obligations
- As required, the nominated Data Protection Officer (DPO) will be responsible for ensuring all SNT personnel are aware of the regulations and expected behaviours concerning the use of data.
- The DPO will keep the Board informed of any issues or concerns with the way SNT Staff, Volunteers and Trustees manage and use data and report any breaches.
- If required, the DPO will attend and represent SNT at any meetings and criminal proceedings involving the misuse of data.
The Chairman is responsible for:
- Ensuring all data is collected and used in the manner prescribed in this data protection policy.
- Reviewing all data protection procedures and related policies, in line with an agreed schedule
- Arranging Data Protection training and advice for all covered by this policy
- Handling requests from individuals for information about, and reviews of, the data held on them
- Checking any contracts or agreements with third parties that may handle the company’s sensitive data
- Checking that there is a clear audit trail showing that all data was collected in a way that proves the individual’s opt-in and consent to the use of their data.
The SNT Manager is responsible for:
- Ensuring all systems, processes, services and equipment used for storing and managing data meet acceptable security standards
- Performing regular checks and scans to ensure security hardware and software is functioning properly
- Evaluating any third-party services for storing or processing data, e.g. cloud computing and credit card processing
- Undertaking Data Protection Impact Assessments
The SNT Manager acting as the “Marketing Manager” is responsible for:
- Approving any data protection statements attached to communications such as emails and letters.
- Addressing any data protection queries from journalists and media outlets
- Working with staff to ensure marketing initiatives are in line with the data protection principles
GENERAL STAFF GUIDELINES
The only people able to access the data covered by this policy should be those who need it to complete their work roles and duties.
Data should not be shared informally; access to confidential information must be arranged through appropriate personnel.
Everyone who works for or supports SNT should take sensible precautions to keep data secure. For example: use strong passwords which are kept private, change passwords regularly, password-protect documents when emailing them, and keep sensitive documents in a secure cabinet or filing system.
Never disclose personal information to unauthorised persons, whether internally or externally.
Regularly review and update data – purge any information no longer needed.
If anyone is unsure about any aspect of data protection they must seek guidance and advice.
STORAGE
Paper data must be stored in a secure place where unauthorised staff cannot access it. This includes printed electronic information.
Paper data should be shredded or disposed of securely when no longer required.
Take care that sensitive paper data is not left around on printers, in trays or desks.
Electronic data must be protected from unauthorised access, accidental deletion and hacking.
Data should only be kept on designated PC drives and only uploaded to approved computing services.
CDs, USB sticks and DVDs should be locked away when not in use.
PCs must be kept in a secure location, be protected by approved, current security software and run the latest version of the desktop operating system.
Data should be backed up regularly and back-ups tested.
Sensitive data should never be stored on a laptop or other mobile device.
The storage systems and use of data must be regularly tested and assessed for effectiveness.
DATA USE
Unauthorised access to and use of personal data, along with corruption of data, can be one of the biggest risks to a business.
When working with personal data it is important that screens are locked when unattended.
Personal data should not be shared informally – emails are not secure. Data must be encrypted before being sent electronically.
Never share information outside of the European Economic Area.
All personal data should be stored centrally on an agreed drive, not on employees’ own computers.
DATA ACCURACY
The law requires that SNT takes reasonable measures to ensure data is kept accurate and up to date.
Data should only be held where necessary, and the number of places it is held must be kept to a minimum.
Staff should make every effort to ensure data is kept up to date, e.g. immediately rectifying inaccurate data such as obsolete email addresses or a change of a customer’s name.
Marketing databases must be checked against Industry Suppression Files every 6 months.
SUBJECT ACCESS REQUESTS/RIGHT TO BE FORGOTTEN
All individuals who are the subject of personal data held by SNT are entitled to:
- Ask what information the company holds about them and why
- Ask how to gain access to it
- Ask how the information is gained and kept up to date
- Ask how the company meets its data protection obligations
If an individual contacts the Trust requesting this information, this is called a subject access request.
A subject access request should be formally made by email to: stourbridge-trust@btconnect.com, clearly marked for the attention of the Chairman of SNT.
The Chairman will verify the identity of anyone making a subject access request before processing any information.
Information will be supplied within 28 days of the request; the individual will be charged £10 per subject access request.
In some circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. The Chairman will ensure the request is legitimate and seek assistance from the Trustee Committee and legal advisers before handing any information over.
SNT will ensure that individuals are aware of how their data is being used and how they can exercise their rights to request information. A privacy statement is available and a link to it is provided on the homepage of the SNT website:
www.thebondedwarehousestourbridge.co.uk
REPORTING OF BREACHES
Where a breach of “security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” has occurred SNT will inform the relevant authorities within 72 hours of becoming aware of it, if the breach is likely to “result in a risk for the rights and freedoms of individuals”.
POLICY GOVERNANCE
The following table identifies who within SNT is Accountable, Responsible, Informed or Consulted with regard to this policy.
The following definitions apply:
- Responsible – the person(s) responsible for developing and implementing the policy.
- Accountable – the person who has ultimate accountability and authority for the policy.
- Consulted – the person(s) or groups to be consulted prior to final policy implementation or amendment.
- Informed – the person(s) or groups to be informed after policy implementation or amendment.
| Role | Who |
| --- | --- |
| Responsible | Data Protection Officer |
| Accountable | SNT Chairman |
| Consulted | SNT Committee |
| Informed | All SNT Employees and staff, partners and those who process personal data on behalf of SNT. |
MONITORING and GOVERNANCE
SNT will regularly monitor and audit its practices for compliance with this policy.
The SNT Data Protection Policy (Issue 1.0) was approved by Trustees at the Committee Meeting of 24th May 2018.
Social Media Policy
INTRODUCTION / BACKGROUND
The following guidelines and recommendations help to ensure that Stourbridge Navigation Trust (incorporating Fellows, Morton & Clayton Trip Boats) Trustees, Staff, Volunteers and Supporters have a clear understanding of our expectations and approaches to using Social Media forms of communication.
SNT encourages an active Social Media presence to help raise the profile and awareness of its business; however, this must be carefully managed and monitored to ensure that it remains a positive resource and does not flout any Data Protection laws or requirements.
Though we actively encourage all Trustees, Staff, Volunteers and Supporters to provide relevant content and ideas for promotion of the Trust, in all cases public posts using the Trust’s chosen outlets must be monitored and authorised by nominated Trustees, as this will facilitate consistent and accurate information sharing and communication with the public.
This Policy covers all aspects of Social and Multi-Media used by the Trust and its Trustees, Staff, Volunteers and Supporters, including Social Networking websites, Blogs, YouTube, Facebook, Twitter, LinkedIn etc.
Code of Conduct for Online Communications
- All posts must be pertinent, accurate and informative. The principal aim of posts is to raise awareness and promote the facilities and services of the Trust.
- Posts must always use the correct business titles, logos and terms for the Trust.
- Posts must not include information that is confidential or proprietary to the Trust or any third party it is associated with.
- Posts must not include sensitive, derogatory, racist, political, confidential or malicious information, statements or views.
- Any photographs included must be clear and of good resolution. Any individuals included in the image must give express permission for its use. Any third-party images must be cleared for use by written permission or licensed acknowledgement.
- Any third party information must include all requested acknowledgements or references.
- Responses to requests for information or comments expressed by the public via Social Media must be provided by the Data Protection Officer (DPO) to ensure they are accurate and consistent. All staff and supporters are encouraged to provide information and insight to help the DPO formulate accurate and timely responses.
- All Social Media services must be password protected where possible and access restricted to authorised users only.
Personal Online Communications
- SNT accepts that all staff and supporters have a right to form their own personal opinions and views about aspects of the Trust and its activities, but these are to remain personal, even when using private Social Media accounts.
- It is easy to assume when using personal Social Media services that your correspondence is private; this is not always the case. Friends of friends and family members can see your posts and may share them with others, who may in turn be able to see your posts if they have not been protected adequately. SNT will take appropriate action with regard to any posts it deems to be unacceptable.
- Do not express any opinions which could be detrimental, inflammatory or derogatory, or which risk the reputation of the Trust. Think about who has access to your posts, even on private outlets you use which may be associated back to the Trust.
- Trustees, Staff or Volunteers using Social Media services should not use the Trust’s logo without the express permission of the Chairman.
- Trustees, Staff or Volunteers using Social Media services should not imply that they are speaking on the Trust’s behalf.
- Any Trustees, Staff or Volunteers who operate personal or third-party blogs must declare this to the Trust.
- Any Trustees, Staff or Volunteers who operate a personal or third-party YouTube page must declare this to the Trust.
- The Trust reserves the right to request that certain subjects are avoided, to withdraw certain posts and to remove inappropriate or inaccurate comments. If the Trustee, Staff member or Volunteer does not comply, the Trust will take the necessary action to protect itself and safeguard its reputation.
POLICY GOVERNANCE
The following table identifies who within SNT is Accountable, Responsible, Informed or Consulted with regard to this policy.
The following definitions apply:
- Responsible – the person(s) responsible for developing and implementing the policy.
- Accountable – the person who has ultimate accountability and authority for the policy.
- Consulted – the person(s) or groups to be consulted prior to final policy implementation or amendment.
- Informed – the person(s) or groups to be informed after policy implementation or amendment.
| Role | Who |
| --- | --- |
| Responsible | Data Protection Officer |
| Accountable | SNT Chairman |
| Consulted | SNT Committee |
| Informed | All SNT Employees and staff, partners and those who process personal data on behalf of SNT. |
MONITORING and GOVERNANCE
SNT will regularly monitor and audit its practices for compliance with this policy.
The SNT Social Media Policy (Issue 1.0) was approved by Trustees at the Committee Meeting of 24th May 2018.