UWC International Data Protection Policy
This policy sets out UWC International’s organisational approach to data protection.
UWC International is committed to protecting the privacy of all individuals (including employees and volunteers) and service users who come into contact with it. In order to carry out its work, UWC International needs to collect and use certain types of information about these individuals or service users (“data subjects”). This personal information must be collected and dealt with appropriately, whether it is collected on paper, stored in an electronic database, or recorded on other material. As a charitable company in the UK, UWC International operates under UK data protection law, which is in line with EU data protection law and which provides one of the world’s highest benchmarks for data protection. This policy sets out UWC International’s top-level approach to the Data Protection Act 1998 (“the Act”) and associated regulations. This policy is complemented by specific privacy policies, statements and training for different activities undertaken by UWC International so there are appropriate safeguards that ensure that the processing of (sensitive) personal data is carried out appropriately under the Act.
2. Data Controller and Data Protection Officer
UWC International is a Data Controller under the Act, which means that it determines the purposes for which and the manner in which any (sensitive) personal data is, or is to be, processed. It is also responsible for notifying the Information Commissioner’s Office (“ICO”) of the types of data it holds or is likely to hold, and the general purposes that this data will be used for.
UWC International is registered with the ICO (registration no Z7317174) and has appointed a Data Protection Officer, Mr Roberto Pitea (Head of Finance), who is responsible for UWC International’s compliance with the Act, training staff and volunteers appropriately, and responding to requests from the ICO, constituents or data subjects.
3. Overall Approach
UWC International intends to ensure that personal or sensitive personal data is treated lawfully and correctly. We regard the lawful and correct treatment of (sensitive) personal data as critical to successful working and to maintaining the confidence of those we serve. To this end, UWC International will adhere to the principles of data protection (“Principles”) as detailed in the Act.
Specifically, these Principles require that (sensitive) personal data:
- Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met
- Shall be obtained only for one or more of the purposes specified in the Act, and shall not be processed in any manner incompatible with that purpose or those purposes
- Shall be adequate, relevant and not excessive in relation to those purposes
- Shall be accurate and, where necessary, kept up to date
- Shall not be kept for longer than is necessary
- Shall be processed in accordance with the rights of data subjects under the Act
- Shall be kept secure by the Data Controller who takes appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of or damage to personal information
- Shall not be transferred to an entity outside the European Economic Area unless that entity ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of personal information.
4. Data collection and usage
UWC International will process (sensitive) personal data where needed to carry out its activities. UWC understands the wide definition of “processing” and notes that it includes collecting, amending, handling, storing and disclosing personal information.
The data UWC International will process can be:
- Personal data, which is information about a living individual from which they are identifiable (either from that piece of information or in conjunction with other personal data held) and that can include contact information, financial information, marital status, age and sex
- Sensitive personal data, which can include: religious or similar beliefs, political opinions, racial/ethnic origin, union membership, physical/mental condition, sexual orientation / gender and alleged or actual criminal offenses. Sensitive data can only be recorded if there is a specific reason to process this data. UWC International will ensure that the specific conditions for processing (sensitive) personal data are met.
Where personal data is processed, at least one of the following specific conditions will be
- The data subject has given their consent to the processing
- The processing is necessary for the performance of a contract to which the data subject is a party or for the taking of steps at the request of the data subject with a view to entering into a contract
- The processing is necessary for compliance with any legal obligation to which UWC International is subject, other than an obligation imposed by contract
- The processing is necessary in order to protect the vital interests of the data subject
- The processing is necessary for the administration of justice, for the exercise of an
UWC International acknowledges that it will largely (but not solely) be relying upon the first two conditions.
Sensitive personal data
Where sensitive personal data is processed, at least one of the following conditions will also be
- The data subject has given their explicit consent to the processing of the sensitive personal data.
- The processing is necessary for the purposes of exercising or performing any right or obligation that is conferred or imposed by law on UWC International in connection with employment
- The processing is necessary in order to protect the vital interests of the data subject or another person in a case where consent cannot be given by or on behalf of the data subject, or the data controller cannot reasonably be expected to obtain the consent of the data subject; or in order to protect the vital interests of another person in a case where consent by or on behalf of the data subject has been unreasonably withheld
- The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject
- The processing is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), obtaining legal advice, or for the purposes of establishing, exercising or defending legal rights.
- The processing is necessary for medical purposes and is undertaken by a health professional or a person who in the circumstances owes a duty of confidentiality that is equivalent to that which would arise if that person were a health professional
- In the case of processing information on racial or ethnic origin, the processing is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and is carried out with appropriate safeguards for the rights and freedoms of data subjects.
UWC International acknowledges that it will largely (but not solely) be relying upon the first condition.
When collecting data requires (explicit) consent, UWC International will ensure that it provides sufficient information to the data subject, so as to make sure the consent is valid. UWC International will consider the following points to design the necessary procedures and privacy statements for each type of processing where consent is required:
- The data subject has received sufficient information on and clearly understands why their data is needed, how it will be used, and what for
- The data subject understands what the consequences are, should they decide not to give consent to processing
- As far as reasonably possible, the data subject grants explicit written or verbal consent for data to be processed
- The data subject is, as far as reasonably practicable, competent enough to give the consent described above, and has given this freely without any duress.
UWC International will also consider what other information should be included in any specific privacy notices/statements in order for data subjects to feel empowered and aware of how their (sensitive) personal data is used by UWC International.
UWC International understands that the collection of (sensitive) personal data relates to specific purposes for which it was collected. UWC International will not process (sensitive
5. Data storage, security and accuracy
UWC International will actively encourage data subjects to keep their data up to date and accurate, and will ensure that there are easy methods by which they can do this. UWC International will also ensure it undertakes appropriate checks to ensure data is kept up to date and accurate.
Information and records relating to data subjects will be stored securely and will only be accessible to authorised staff and volunteers as is necessary for them to perform their job functions.
Information will be stored for only as long as it is needed or required, and will be disposed of appropriately. As such, different time periods for retention will apply depending on the type of (sensitive) personal data and the reason for its processing.
UWC International will implement appropriate security measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, including through the transmission or storage on or within a network.
These security measures include:
- Industry standard firewall and other network security features such as well-encrypted cloud or physical server systems
- Clear guidelines for staff and volunteers on device and network security expectations placed on them
- Robust data backup and recovery processes provided by leading industry suppliers
- Periodic security audits of online systems.
In case of accidental or unauthorised access, UWC International will notify both the ICO and the data subjects if there is likely to be a high risk to the rights and freedoms of the data subject as a result of the data breach.
It is UWC International’s responsibility to ensure that all personal and company data is non-recoverable from any electronic or paper systems previously used within the organisation that have been passed on, sold to a third party or discarded.
UWC International will provide regular training on the Act to ensure this policy and other specific procedures relating to the processing of (sensitive) personal data are understood and enacted by staff and volunteers. Everyone processing (sensitive) personal data must understand that they are contractually responsible for following good data protection practice. All staff and volunteers will be made aware that a breach of the rules and procedures relating to the Act may lead to disciplinary action being taken against them.
6. Data access
Under the Act, all data subjects have the right to access the information UWC International holds about them and to demand UWC International removes their (sensitive) personal data from their records or stops processing their data, by contacting the Data Protection Officer. UWC International will ensure that access to its Data Protection Officer is publicly available.
In addition, UWC International will ensure that:
- It has a Data Protection Officer with specific responsibility for ensuring compliance with Data Protection
- Anybody wanting to make enquiries about handling personal information is offered a clear pathway to make their enquiries
- It deals promptly and courteously with any enquiries about handling personal information and in line with time frames and principles set out under the Act
- It describes clearly how it handles personal information
- It treats people justly and fairly, whatever their age, religion, disability, gender, sexual orientation or ethnicity, when dealing with requests for information
Data Sharing (including outside of the European Economic Area)
UWC International considers other entities of UWC that it shares data with, including current and future UWC schools, colleges and national committees, to be joint data owners. In some very specific cases partner organisations can be included in this, if the sharing of certain data is necessary for carrying out a project that has been agreed upon through a signed agreement, MoU or contract.
UWC International may share information with these entities on the condition that they have data protection policies in place that are up to the standard of the Act and comply with UWC International’s Data Protection Policy and in accordance with local laws.
UWC International therefore undertakes to establish Data Sharing Memoranda of Understanding with these entities.
(Sensitive) personal data will only be shared in support of the UWC mission and UWC International shall not buy from or sell data to external organisations.
This policy is subject to UK legislation. If UK data protection legislation or the Act change and these changes affect this policy, they will override the policy.
This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Act.
All other procedures or privacy statements that complement this policy will also be updated as necessary at any time.
UWC International Data Protection Policy - as approved by the UWC International Board in July 2016, updated paragraph 2 as of 2 October 2017