Metro Kids Africa is committed to a policy of protecting the rights of individuals, employees and others, in accordance with General Data Protection Regulation (GDPR) May 2018.
The new regulatory environment demands higher transparency and accountability in how organisations manage and use personal data. It also accords new and stronger rights for individuals to understand and control that use. The senior management team is responsible for day-to-day data protection matters, and will be responsible for ensuring that every employee and relevant individual abides by this policy, and for developing and encouraging good information handling within Metro Kids Africa.
The senior management team is also responsible for ensuring that the charity notification is kept accurate. Compliance with the legislation is the personal responsibility of every individual who processes personal information. Individuals who provide personal data to Metro Kids Africa are responsible for ensuring that information is accurate and up to date.
Data Protection Principles:
Metro Kids Africa is committed to processing data in accordance with its responsibilities under the Principles of GDPR. In order to comply with our obligations, Metro Kids Africa undertakes to adhere to the eight principles:
- Process personal data fairly and lawfully.
- Process the data for the specific and lawful purpose for which it collected that data and not further process the data in a manner incompatible with this purpose.
- Ensure that the data is adequate, relevant and not excessive in relation to the purpose for which it is processed.
- Keep personal data accurate and, where necessary, up to date.
- Only keep personal data for as long as is necessary.
- Process personal data in accordance with the rights of the data subject under the legislation.
- Put appropriate technical and organisational measures in place against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of data.
- Ensure that no personal data is transferred to a country or a territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
- This policy applies to all personal data processed by Metro Kids Africa.
- The Responsible Person shall take responsibility for the Charity’s ongoing compliance with this policy.
- This policy shall be reviewed at least annually.
- The Charity shall register with the Information Commissioner’s Office.
Lawful, Fair and Transparent Processing
- To ensure its processing of data is lawful, fair and transparent, the Charity shall maintain a Register of Systems.
- The Register of Systems shall be reviewed at least annually.
- Individuals have the right to access their personal data and any such requests made to High Impact Development shall be dealt with in a timely manner.
- All data processed by the charity must be processed on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information).
- Metro Kids Africa shall note the appropriate lawful basis in the Register of Systems.
- Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
- Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in Metro Kids Africa systems.
- The Charity shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Metro Kids Africa shall take reasonable steps to ensure personal data is accurate.
- Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
Archiving / Removal
- To ensure that personal data is kept for no longer than necessary, Metro Kids Africa shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
- The archiving policy shall consider what data should/must be retained, for how long, and why.
- The Charity shall ensure that personal data is stored securely using modern software that is kept up to date.
- Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
- When personal data is deleted this should be done safely such that the data is irrecoverable.
- Appropriate back-up and disaster recovery solutions shall be in place.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Metro Kids Africa shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the Information Commissioner’s Office (ICO) within 72 hours.
- If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, Metro Kids Africa will inform those individuals without undue delay.
- If a breach is detected then we will undertake a robust investigation and report that matter to the appropriate authorities and individuals.
- As part of our internal processes we will keep a record of any personal data breaches, regardless of whether we notified the ICO or individual(s).
Consent as a Basis For Processing:
Although it is not always necessary to gain consent from individuals before processing their data, it is often the best way to ensure that data is collected and processed in an open and transparent manner. Consent is especially important when Metro Kids Africa is processing any sensitive data, as defined by the legislation.
Metro Kids Africa understands consent to mean that the individual has been fully informed of the intended processing and has signified their agreement, whilst being of a sound mind and without having any undue influence exerted upon them. Consent obtained on the basis of misleading information will not be a valid basis for processing.
Metro Kids Africa will ensure that if the individual does not give his/her consent for the processing, and there is no other lawful basis on which to process the data, then steps will be taken to ensure that processing of that data does not take place.
Confidentiality & Privacy
All employees are required to abide by the privacy rights of all other employees regarding the disclosure of personal information, as required by current legislation. It should also be noted that disclosure of confidential information to unauthorised persons or entities, or the use of such information for self-interest or advantage, is prohibited, as is access to non-public areas of any network drive. Breaches will be treated severely under the charity’s disciplinary rules.
Procedure for Review
This policy will be updated as necessary to reflect best practice or future amendments made to the General Data Protection Regulation (GDPR) May 2018 and Data Protection Act 1998.