1. Introduction

1. Awel Aman Tawe (AAT) is fully committed to compliance with the requirements of the General Data Protection Regulation 2018 (GDPR), which replaces the Data Protection Act 1998.  The charity follows procedures that aim to ensure that all employees,  board members, volunteers, contractors, and others who work with the organisation, and have access to any personal, confidential or sensitive data held by or on behalf of the AAT are fully aware of and abide by their duties and responsibilities under the Regulation.

1.2       In order to operate efficiently, Awel Aman Tawe has to collect and use personal and sensitive information about people with whom it works.  Apart from its clients, these may include members of the public, current, past and prospective employees, contracting organisations and suppliers.  In addition, it may be required to collect and use information in order to comply with the law and to meet governmental requirements.  This information must be handled and dealt with effectively and securely to ensure compliance with the legislation, regardless of how the data is collected, recorded and used.

1. Awel Aman Tawe regards the lawful and correct treatment of personal and sensitive information to be of paramount importance in relation to the success of its operations.  Maintaining the confidence of clients, members and other stakeholders is fundamental so all personal and sensitive information is treated in accordance with the legislative framework, in particular the principles of General Data Protection Regulation, which came into force in May 2018. 

1. Non-compliance with this Data Protection policy is a serious matter likely to damage the reputation of AAT. Loss of personal data can result in adverse publicity and financial implications of fines and loss of contracts.  Care needs to be taken to ensure that all information is stored and destroyed appropriately and that portable IT equipment is kept safe and in the possession of the user/owner at all times.

1.5       This policy needs to be read in conjunction with the Confidentiality Policy and Privacy Statement.

2. The General Data Protection Regulation 2018

• The GDPR is concerned with the processing of personal data, which can include HR records, customer/members lists or details, and contact information, including IP addresses.  The Regulation applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria.  It should be noted that personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

3. GDPR Principles

• The principles that apply to all data collected by the charity are that it is:

• Processed lawfully, fairly and in a transparent manner in relation to individuals;
• Collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
• Kept in a form which permits identification of data subjects for no longer than is necessary for purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures requires by the GDPR in order to safeguard  the rights and freedoms of individuals;
• Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

3.2       Under the Regulation there are clear accountability responsibilities and these rest with a designated data processor and data controller.  The data controller is the Project Manager who decides how and why personal data is processed and ensures that the designated administrator, who acts as the data processor, complies with the Regulation in relation to the processing activity and, maintaining and safeguarding records of personal data. Certain sensitive information such as ethnic background; political opinions; religious beliefs; health; sexual life; trade union membership; and criminal records receives particularly strong protection.

3.3       The data processor, as part of the maintenance of processing activities, has the duty of documenting the personal data held by AAT together with detailing where it has come form and who it is shared with.  The legal basis for collecting personal data needs to be identified and noted.  Consent to hold personal data needs to be sought and the individual or representative must be informed of the intention in an unambiguous way.  Consent must be given freely and the opt in commitment needs to be evident.  Withdrawal of consent should be a simple, open process. (A checklist is available on the ICO’s website).  Personal data is to be provided in a structured, commonly used and machine-readable form.  If any inaccurate information is shared, the organisation which has received the data will need to be told. 

3.4       Under the Regulation, individuals have to be informed of any personal data held about them and be able to access it.  They also have right to rectification and erasure of data together with the right to restrict processing and portability of personal information. The latter only applies in circumstances when processing is carried out by automated means and where an individual or representative has consented to the processing and provided the data to a controller.  In addition, an individual can object to the holding of personal data and request not to be subject to automated decision making, including profiling.

• There is a legal requirement on Awel Aman Tawe to provide individuals with any information held in respect of them and this can be obtained following a written request.  In most cases this is provided free of charge and must be suppled within one month. If a request is unfounded or excessive, it may be refused or a charge may be levied.  An explanation has to accompany any refusal together with details of right to complain and be done within one month.

• As regards children, consideration needs to be given as to whether systems need to be put in place to verify their ages and to obtain parental or guardian consent for any data processing activity.  Under the Regulation there is special protection of children’s personal data.  A child can give consent to processing from the age of 16 years old. 

• In some situations personal information can be revealed to other parties.  These are situations that relate to the prevention, detection and investigation of crime; national security or the armed forces; assessment or collection of tax; and judicial or Ministerial appointments, and this giving of this information can be withheld from the individual.  There is no obligation to give the reasons for withholding such information.

3.8       Processes need to be in place to detect, report and investigate any breaches of data protection.  Certain types of data breaches, such as those likely to result in a risk to the rights and freedom of the individual, are to be reported to the ICO and, in some high risk cases directly to the individual concerned.  Failure to report a breach could result in a fine, as well as a fine for the breach itself. 

3.9       In cases where a person considers that personal data has been used inappropriately, there is the right to complain to the organisation concerned.  If the response is unsatisfactory, representations can be made to the Information Commissioner’s Office (Telephone: 0303 123 1113 or  www.ico.org.uk ).

3.10     Under the Regulation, privacy by design is a legal requirement and Data Protection Impact Assessments are mandatory where data processing is likely to result in high risk for the individual.   

4.         Handling Personal and Sensitive Information

4.1       Awel Aman Tawe undertakes to:

• Observe fully conditions regarding the fair collection and use of personal information;
• Meet its legal obligations to specify the purpose for which information is used;
• Collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
• Ensure the quality of information used;
• Apply strict checks to determine the length of time information is held;
• Take appropriate technical and organisational security measures to safeguard personal information;
• Ensure that personal information is not transferred abroad without suitable safeguards; and
• Ensure that the rights of people about whom the information is held can be fully exercised under the Regulations.

4.2       The Project Manager is responsible for the protection of data held by the organisation.    All staff who process and manage personal and sensitive information are to familiarise themselves with and abide by this policy.  The importance of effective data protection and contractual responsibilities (including managerial responsibilities) is made clear in job descriptions and, through induction and performance appraisal processes.  Appropriate training in data protection is provided to all staff members and the Board of Trustees to ensure they are familiar and comply with their responsibilities under the Act.  This takes place at the induction stage following which staff and board members receive communications reminding them of their responsibilities and providing updates. 

4.3        The Project Manager also has the responsibility of ensuring that all personal data collected is relevant and adequate for the purpose, and not excessive.  Information should only be gathered for legitimate business reasons to achieve the purposes set out in the Privacy Statement.  The methods for recording and managing this information are detailed in the charity’s Confidentiality Policy, and this must include regularly reviewing the information to ensure its accuracy and that is it up to date.

4.4       The times for retention of personal data are set out in the Privacy Statement and the Confidentiality Policy.   Data must be securely disposed of in line with the statement and policy, and the Data Controller should maintain a disposal plan and log details of any destroying of information. 

4.5       It is the responsibility of the Project Manager to implement this policy and monitor staff and board members compliance with it. The policy is approved by the Trustees, who retain overall responsibility and ensures that the Project Manager regularly reviews and updates the policy in the light of experience.  

4.6       This Data Protection policy is supplemented with the attached Privacy Statement to provide transparency to staff, Trustees, volunteers and others about why and how data is collected and used and how the process complies with the principles of the Regulation.  

4.7       If anyone wants to enquire about the handling of personal information, they are asked to either write or email the Manager, who is the designated, lead person on data protection policy.  The contact details are:

Mr Dan McCallum

Manager

Awel Aman Tawe: Community Energy

76-78 Heol Gwilym

Cwmllynfell

Swansea

SA9 2GN

Tel: 01639 830870

There is no fee for handling the request, provided it is not vexatious.     

4.8       Enquiries will be responded to fully, normally within 10 working days and include the attached Privacy Statement.  All requests for personal and sensitive information will be processed in accordance with the organisation’s Confidential Policy. 

4.9       All staff, volunteers and Trustees within the organisation are required to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular ensure that:

• Paper files and other records or documents containing personal/sensitive data are kept in a secure environment;
• Personal data held on computers and computer systems is protected by the use of secure passwords, which where possible have forced changes periodically;
• Individual passwords should be such that they are not easily compromised.

4.10     All contractors, consultants, partners or other servants or agents of the Organisation must:

• Ensure that they and all their staff who have access to personal data held or processed for or on behalf of the organisation, are aware of this policy and are fully trained in their duties and responsibilities under the Act.  Any breach of the Regulation’s provisions will be deemed as being a breach of contract between the organisation and that individual, company, partner or firm;
• Allow data protection audits by the organisation of data held on its behalf (if requested);
• Indemnify the organisation against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation.

• All contractors, who are users of personal information supplied by the organisation, will be required to confirm that they will abide by the requirements of the Regulation with regard to information supplied by the organisation.

 5.  Business Compliance

5.1       To be fully compliant the following needs to be in place:

• An appropriate data protection policy
  • A nominated data protection lead
  • Staff and others provided with data protection awareness training.
  • The company is registered with the ICO
  • Privacy statements are readily available to individuals
  • Processes are in place to recognise and respond to individuals’ requests to access their personal data.
  • Processes have been established to ensure personal data is of sufficient quality to make decisions about the individual.
  • A process to routinely dispose of personal data that us no longer available within set timescales.
  • An Information Security Policy together with appropriate security measures.
  • An adequate level of protection for any personal data processed by others on the charity’s  behalf or transferred outside the European Economic Area.
  • A process to ensure new projects or initiatives are privacy proofed at the planning stage.

5.2       Further compliance information is available at https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/data-protection-assurance-report/