Everyone has rights with regard to the way in which their personal data is handled. During the course of our activities we collect, store and process personal data about our membership, friends and other contacts, suppliers and other third parties, as well as our employees and other workers, and we recognise that the correct and lawful treatment of this data will maintain confidence in our organisation and will assist us to achieve success in our business operations.
 
Employees and other individuals who handle personal data within our organisation are obliged to comply with this policy when processing personal data on our behalf.

Your data and our website
Your data may also be available to our website provider to enable us and them to deliver their service to us, carry out analysis and research on demographics, interests and behaviour of our users and supporters to help us gain a better understanding of them to enable us to improve our services. This may include connecting data we receive from you on the website to data available from other sources. Your personally identifiable data will only be used where it is necessary for the analysis required, and where your interests for privacy are not deemed to outweigh their legitimate interests in developing new services for us. In the case of this activity the following will apply:

  1. Your data will be made available to our website provider.
  2. The data that may be available to them include any of the data we collect as described in this privacy policy.
  3. Our website provider will not transfer your data to any other third party, or transfer your data outside of the EEA.
  4. They will store your data for a maximum of 7 years.
  5. This processing does not affect your rights as detailed in this privacy policy.

We use cookies to control our website functions, to keep statistics and for session management. We do not store any personal information in cookies. Examples of how we use cookies include:

  • recognising your computer, so you don't have to give the same information several times
  • measuring how many people are using our websites, so we can make improvements.

If you do not want to accept cookies, your browser can be set to automatically reject them or to inform you every time a website asks to store a cookie. You can also delete previously stored cookies.

About this policy
Personal data which is held on a computer or other electronic device, and in some cases in paper files, is subject to certain legal safeguards specified in the Data Protection Act 1998 (the “DPA”) and other regulations. As from 25th May 2018 the DPA will be replaced by the EU General Data Protection Regulation (“GDPR”), supplemented by UK legislation currently going through Parliament (“New DPA”). These laws are together referred to in this policy document as the “Data Protection Legislation”.

The Data Protection Legislation is not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.

This policy sets out the basis on which we process any personal data that we collect from data subjects or other sources outside of our organisation. (For the ways in which we process personal data about our own employees and other workers, there is a separate policy for internal use: “Processing Employee Data”.)
 
This policy does not form part of any employee's contract of employment and may be amended at any time. Nevertheless, any breach of this policy may result in disciplinary action, as well as possible personal liability.

This policy has been approved by The WLS Executive Director, Stewart Sether. It sets out rules on data protection and the legal conditions that must be satisfied when we collect, handle, process, store and transfer personal data.
 
Should you have any queries, issues, concerns or problems in relation to this Privacy Policy, or any concerns that the Data Protection Legislation or this Privacy Policy is not being complied with, please contact Stewart Sether (Executive Director), the WLS Data Protection Lead.

Definition of data protection terms
Data is information which is stored electronically, on a computer or other device, or in certain paper-based filing systems.

Data subjects include all living individuals about whom we hold personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal information.
 
Personal data means data relating to a living individual who can be identified, directly or indirectly, from that data (or from that data and other information in our possession), in particular by reference to an identifier such as a name, an identification number, location data or an online identifier. Personal data can be factual (for example, a name, address, email address or date of birth or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person) or it can be an opinion about that person, their actions and behaviour.

Data Controllers are the people who or organisations which determine the purposes and means of processing personal data. They are responsible for establishing practices and policies in line with the Data Protection Legislation. We are the data controller of all personal data used in our business for our own commercial purposes other than (for example) where we process data in the context of providing services to a third party who is the data controller, in which case we will be a data processor.
 
Data Users are those of our employees or other workers whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times.
 
Data Processors include any person or organisation (other than a data user) that processes personal data on our behalf and on our instructions. Data processors will include suppliers that handle personal data on our behalf.
 
Data Processing is any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means. It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or destruction of the data.
 
Sensitive Personal Data (referred to under the GDPR as “special categories of personal data”) includes information revealing a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as data concerning a person’s health or sex life or sexual orientation. Sensitive personal data can only be processed with the explicit consent of the person concerned. Under the DPA, sensitive personal data also includes information about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Under the GDPR and the New DPA, similar conditions apply to processing of personal data about criminal convictions and offences or related security measures.

Third country means a country outside the European Union (or the EEA).

Data Protection Principles
Data controllers are responsible for ensuring and demonstrating that data processing is performed in accordance with the requirements of the Data Protection Legislation (“Data Protection Principles”).

These provide that personal data must be:

  • processed fairly and lawfully and in a transparent manner (see Fair and lawful processing below);
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date;
  • kept in a form which permits identification of data subjects for no longer than necessary for the purpose;
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

In addition, personal data must not be:

  • transferred to people or organisations situated in countries without adequate protection for personal data.

When processing personal data as the data controller in the course of our business, we will ensure that those requirements are met, and all Data Users must therefore take account of the contents of this policy document.

Fair and lawful processing
For personal data to be processed lawfully, they must be processed on the basis of one of the legal grounds set out in the Data Protection Legislation.

These include, among other things, where:

  • the data subject has given consent to the processing;
  • the processing is necessary for the performance of a contract with the data subject;
  • the processing is necessary for compliance with a legal obligation to which the data controller is subject; or
  • the processing is necessary for the legitimate interests of the data controller or a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data).

When Sensitive Personal Data (see Definition of data protection terms above) is being processed (including personal data about criminal convictions etc.), additional conditions must also be met.

Data Subject’s Consent
It is important to note that when this is relied on as a lawful basis for processing, the consent has to be:

  • freely given;
  • specific;
  • informed;
  • unambiguous;
  • given by some form of clear affirmative action (silence, pre-ticked boxes or inactivity do not constitute consent);
  • where it is given in a context which also concerns other matters, requested in a way that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language;
  • verifiable;
  • capable of being withdrawn by the individual at any time, as easily as it was given.

Personal Data we may collect and process
In the course of our business, we may collect and process Personal Data, a sample of which is set out in the attached Schedule.
 
This may include:

  • data we receive directly from a data subject (for example, by completing forms or by corresponding with us by mail, phone, email or otherwise)
  • data we receive from other sources (including, for example, business partners, sub-contractors in technical, payment and delivery services, credit reference agencies and others).

We will only:

  • process personal data of the types and for the specific purposes set out in the attached Schedule; or
  • process personal data for any other purposes specifically permitted by the Data Protection Legislation.

We will also ensure that:

  • our processing is based on a lawful basis set out by the Data Protection Legislation;
  • personal data is not retained for longer than the period set out in the Schedule;
  • personal data is not transferred to third parties other than those specified in the Schedule.

Notifying Data Subjects

1. If we collect personal data directly from data subjects, we must inform them of:

  • our identity and contact details
  • the purpose or purposes for which we intend to process that personal data, as well as our legal basis for doing so
  • where we are processing the personal data on the basis of legitimate interests, what those interests are
  • the third parties, or categories of third parties, if any, with which we will share or to which we will disclose that personal data
  • if we intend to transfer the personal data to a Third Country, the adequacy (or otherwise) of the data protection laws there, and safeguards to be used to protect the personal data (and how the data subject can access these safeguards).

2. In addition, the following information must also be provided at the time of collection, where this is necessary in order to ensure fair and transparent processing:

  • the period for which the personal data will be stored, or how that period will be calculated
  • the individual’s right of access to, and rectification or erasure of, the data
  • where processing is based on the individual’s consent, their right to withdraw consent for processing their data
  • the individual’s right to lodge a complaint with a supervisory authority
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract (and the possible consequences of failure to provide the data)
  • where applicable, the existence of automated decision-making
  • any further processing of the data that is intended for any other purpose.

If we receive personal data about a data subject from other sources, we must provide the data subject with the information at 1. and 2. above (as soon as possible and at the latest within one month) together with:

  • the categories of personal data concerned
  • the source from which the personal data originated, and if applicable, whether it came from publicly accessible sources.

The information provision requirements at 1. and 2. above will not apply where the data subject already has the information, or the provision of such information proves impossible or would involve a disproportionate effort, in which case we must take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available.

Rights of Data Subjects
Data subjects have certain enforceable rights under the Data Protection Legislation, including:

  • the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed and, if so, access to the personal data, plus a copy of the personal data undergoing processing
  • information on their personal data as to:
      - the purposes of the processing
      - the categories of personal data concerned
      - the recipients or categories of recipient of the data
      - the envisaged period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period
      - where the personal data are not collected from the data subject, any available information as to their source
      - where personal data are transferred to a third country, the safeguards relating to the transfer

In addition, the data subject has the following rights:

  • the right of rectification: to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her and (taking into account the purposes of the processing) the right to have incomplete personal data completed
  • the right of erasure: to obtain from the controller the erasure of personal data concerning him or her without undue delay, where:
      - the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
      - the processing is based on the data subject’s consent, and the data subject withdraws consent (and there is no other legal basis for processing)
      - the processing is based on it being necessary for the legitimate interests of the data controller or a third party, and the data subject objects to the processing, unless the controller demonstrates that the processing is based on compelling legitimate grounds which override the interests, rights and freedoms of the data subject, or is for the establishment, exercise or defence of legal claims
      - the processing is for the purpose of direct marketing, and the data subject objects to the processing (including profiling)
  • the right of restriction: to obtain from the controller restriction of processing where the data is inaccurate, unlawfully processed, no longer required except for the establishment, exercise or defence of legal claims, or pending the verification whether the legitimate grounds of the controller override those of the data subject
  • the right of portability: to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and to transmit the data to another controller, where the processing is based on consent or carried out by automated means
  • the right to object: to object to processing based on the controller’s legitimate interests, where these are outweighed by the interests, rights and freedoms of the data subject, unless the processing is required for the establishment, exercise or defence of legal claims
  • the right not to be subject to a decision based solely on automated processing, including profiling

Manner of processing
In order to ensure that we comply with the Data Protection Legislation, we need to implement appropriate technical and organisational measures to ensure and to be able to demonstrate compliance, and to maintain a record of our processing activities.

The practical implications of this include ensuring that:

  • we only collect personal data to the extent that it is required for the specific purpose notified to the data subject
  • we check the accuracy of any personal data at the point of collection and at regular intervals afterwards, and take all reasonable steps to destroy or amend inaccurate or out-of-date data
  • we do not keep personal data longer than is necessary for the purpose or purposes for which they were collected, and take all reasonable steps to destroy, or erase from our systems, all data which is no longer required
  • we process all personal data in line with data subjects' rights.

In addition we will:

  • adopt appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement the data protection principles, including data minimisation
  • implement appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed (“protection by design and by default”)
  • where processing (in particular, when using new technologies) is likely to result in a high risk to the rights and freedoms of individuals, carry out an impact assessment of the data processing implications prior to the processing and, where necessary, consult the supervisory authority (the Information Commissioner’s Office)
  • where processing is to be carried out on our behalf by a data processor, ensure that:
      - the processor provides sufficient guarantees to implement appropriate technical and organisational measures so that processing meets the requirements of the Data Protection Legislation and ensures the protection of the rights of the data subjects
      - the processing is governed by a written contract that sets out (amongst other things):
          -- the subject-matter and duration of the processing
          -- the nature and purpose of the processing
          -- the type of personal data and categories of data subjects
          -- the obligations and rights of our organisation as data controller.

Data security

We will take appropriate security measures against unauthorised or unlawful processing of personal data, and against the accidental loss of, destruction or damage to, personal data, using appropriate technical or organisational measures.

We will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:

Confidentiality:

  • Means that only people who are authorised to use the data can access it.
  • When receiving telephone enquiries, we will only disclose personal data we hold on our systems if the following conditions are met:
      - We will check the caller's identity to make sure that information is only given to a person who is entitled to it.
      - We will suggest that the caller put their request in writing if we are not sure about the caller’s identity and where their identity cannot be checked.
      - Employees must not allow themselves to be bullied into disclosing personal information. For assistance in difficult situations employees will refer the request to their own Departmental Manager (or in their absence, Stewart Sether, the Executive Director).

Integrity: means that personal data should be accurate and suitable for the purpose for which it is processed
Availability: means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on the company’s central computer system instead of individual PCs.
Security: The following measures will be adhered to:

  • Entry controls: Any stranger seen in entry-controlled areas should be reported.
  • Secure lockable desks and cupboards: Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
  • Methods of disposal: Paper documents should be shredded. Digital storage devices should be physically destroyed when they are no longer required.
  • Equipment: Data users must ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.
  • Passwords: These must not be shared or disclosed to anyone else.
  • Encryption: This should be used wherever it is available and appropriate.
  • Back-ups: Regular back-ups must be taken of the information on the computer system and kept in a separate place, so that if you lose your computers, you don’t lose the information.

Dealing with Subject Access requests
Data subjects may make a formal request for information we hold about them; this request must be made in writing. Any employees or workers who receive a written request will immediately forward it to Stewart Sether, the Executive Director. (Under the GDPR, we must usually provide information pursuant to a subject access request free of charge and within one month of the request.)
 
ANY ACTUAL OR SUSPECTED BREACH OF DATA SECURITY, OR THIS POLICY,
MUST BE REPORTED IMMEDIATELY to:
Stewart Sether, the Executive Director
Data breaches will be handled in line with our Data Breach Policy. 

(Data subjects also have the right to lodge a complaint with the supervisory authority, which is the Information Commissioner’s Office: www.ico.org.uk, tel: 0303 123 1113.)

Transferring personal data to a country outside the EEA
We may transfer any personal data we hold to a country outside the European Economic Area ("EEA"), provided that one of the following conditions applies:

  • The data subject has explicitly consented to the transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards
  • The country to which the personal data are transferred ensures an adequate level of protection for the data subjects' rights and freedoms (this includes countries in respect of which a finding of adequacy has been made, and also transfers to entities in the USA that participate in the US-EU Privacy Shield)
  • The transfer is necessary for one of the reasons set out in the Data Protection Legislation, including the performance of a contract between us and the data subject, or to protect the vital interests of the data subject
  • The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims
  • The transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the data subjects' privacy, their fundamental rights and freedoms, and the exercise of their rights. This may include what are known as “binding corporate rules”, or where standard data protection clauses in an approved form have been adopted

Subject to the requirements in clause  above, personal data we hold may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. That staff may be engaged in, among other things, the fulfilment of contracts with the data subject, the processing of payment details and the provision of support services.

Disclosure and sharing of personal information

We may:

  • share personal data we hold with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006, where this is necessary for certain reasons, or we have legitimate interests in doing so which are not outweighed by the interests, rights and freedoms of the data subject.
  • disclose personal data we hold to third parties, on the basis of our legitimate interests, in the event that:
      - we sell or buy any business or assets, in which case we may disclose personal data we hold to the prospective seller or buyer of such business or assets
      - we or substantially all of our assets are acquired by a third party, in which case personal data we hold will be one of the transferred assets
      - we are under a duty to disclose or share a data subject's personal data in order to comply with any legal obligation, or in order to enforce or apply any contract with the data subject or other agreements, or to protect our rights, property, or the safety of our employees, customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

Changes to this policy
We reserve the right to change this policy at any time. Where appropriate, we will notify data subjects of those changes by mail or email.

Please read the following Schedule of our Data Processing Activities, listed by department.