Privacy and Data Protection
Last reviewed: April 2021
To be reviewed: April 2022
Introduction
In order to operate efficiently, Primary (the data controller) must collect, store, and use (process) personal data in order to effectively deliver our organisational aims, commitments and legal obligations. This may include information about our audiences, residents, participants, staff or other organisations with whom we work. We may also be required to process data in order to comply with the requirements of our funders.
This personal information must be handled properly under the EU General Data Protection Regulation 2018 (‘GDPR’). The GDPR regulates the way that we process personal data and gives certain rights to people whose data we hold.
We consider that the correct treatment of personal data is integral to our successful operations and to maintaining trust of the people we deal with. We appreciate the underlying principles of the GDPR, and support and adhere to its provisions.
Information covered by the GDPR
Personal data
The GDPR applies to ‘personal data’, meaning any information which can be used to directly or indirectly identify a person.
Sensitive personal data
The GDPR refers to sensitive personal data as ‘special categories of personal data’ (see Article 9). These special categories include:
race;
ethnic origin;
politics;
religion;
trade union membership;
genetics;
biometrics (where used for ID purposes);
health;
sex life;
sexual orientation
Processing of sensitive personal data is prohibited unless certain conditions are met, e.g., the data subject has given explicit consent to the processing of their sensitive personal data for one or more specified purposes. A complete list of conditions is listed in Article 9(2) of the GDPR.
Data protection principles
We will comply with the principles as set out in the GDPR by making sure that personal data is:
processed lawfully, fairly, and in a transparent manner;
collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes;
adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
accurate and, where necessary, kept up to date, with every reasonable step taken to ensure that inaccurate data is erased or rectified without delay;
kept in a form which permits identification of data subjects for no longer than is necessary for purpose; and
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Conditions
We will ensure we have a valid lawful basis in order to process personal data. Any of the following may be considered a lawful basis, and at least one must apply in each case:
Consent: the individual has given clear consent for Primary to process their personal data for a specific purpose.
Contract: the processing is necessary for a contract that Primary has with the individual.
Legal obligation: the processing is necessary for Primary to comply with the law.
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary for Primary to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for Primary’s legitimate interests.
We will ensure that processing personal data is necessary and will not proceed if we can reasonably achieve the same purpose without doing so.
We commit to determining which lawful basis will apply before we collect or process data, and to documenting proof of this.
Individuals’ rights
We will ensure that we adhere to individuals’ rights under the GDPR, which are as follows:
The right to be informed about the collection and use of their personal data, including our purposes for processing, retention periods, and who data will be shared with
The right of access to their personal data
The right to rectification, i.e., to have inaccurate personal data corrected or completed
The right to erasure, i.e., to have personal data erased (‘the right to be forgotten’)
The right to restrict processing
The right to data portability, i.e., to obtain and reuse their personal data for their own purposes across different services
The right to object. Individuals have an absolute right to stop their data being used for direct marketing (e.g. newsletters, publicity materials, event invitations)
Rights in relation to automated decision making and profiling
Legal requirements
While it is unlikely, Primary may be required to disclose user data by a court order or to comply with other legal requirements. We will use all reasonable endeavors to notify individuals before we do so, unless we are legally restricted from doing so.
No commercial disposal to third parties
Primary shall not sell, rent, distribute or otherwise make user data commercially available to any third party, except with prior permission.
Our commitment to data protection
We will ensure that everyone at Primary who handles personal information understands that they are responsible for following good data protection practice. We will appoint one member of staff to lead on data protection and ensure that staff are appropriately supervised and trained.
Where requests are made to access, rectify, or erase personal data, we will ensure that these are responded to within one calendar month.
We will carry out an annual data audit to ensure that our procedures surrounding the processing of personal data are regularly assessed and evaluated.
We will take all necessary steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure.
We have appointed Terri Cutforth, Operations Manager as our lead. This person is responsible for ensuring that this policy is effectively implemented.
If you'd like to get in touch with us regarding your data, please email terri@weareprimary.org.
Further information
Information Commissioner’s Office – Guide to the GDPR