Privacy and Data Protection Policy

The Iranian Association (IA) is committed to protecting the privacy of clients and staff. This policy has been written in accordance with the Data Protection Act 2018 (DPA 2018) and amended in line with the General Data Protection Regulations (GDPR).

Policy Statement

The IA needs to process and store certain information about its employees and service users to allow the organisation to deliver services, comply with our statutory responsibilities and undertake other tasks to complete the work with which we are entrusted. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, we must comply with the Data Protection Principles (DPP) and the GDPR, which are set out below.

In summary, the DPP state that personal data shall:

The GDPR require that personal data shall be:

The Data Controller (DC) shall be responsible for and be able to demonstrate compliance with the above principles/regulations (Accountability).

All staff who process or use any personal information must ensure that they follow these principles/regulations at all times. The employees must abide by the rules and policies made by the Iranian Association. Any failure to follow this policy can, therefore, result in disciplinary proceedings. Any member of staff, who considers that the policy has not been followed, should raise the matter with the Designated Data Controller (DDC) in the first instance. If the matter is not resolved, it should be raised as a formal grievance.

Scope

This policy applies to all staff, clients, volunteers, interns, contractors and the Trustees of the Iranian Association. Data covered under this policy may be in paper or electronic format.

Purpose

The purpose of this policy is to:

Responsibilities

The Management Committee (i.e. Trustees) and the Management Team are responsible for ensuring that the Privacy and Data Protection Policy is implemented and reviewed every year.

All staff will check that any information that they provide to the Iranian Association in connection with their employment is accurate and up-to-date and inform the IA of any changes or errors to the information they have already provided. The Iranian Association cannot be held responsible for any such errors unless the staff member has informed the organisation of them.

If and when, as part of their responsibilities, staff collect information about other people (i.e. about clients’ profiles and circumstances), they must comply with the staff guidelines. All staff are responsible for Data Security. Any personal data, which they hold, is kept securely, for example, kept in a locked filing cabinet or, if it is computerised, it must be password-protected. Passwords are to be kept private and secure. Data should not be taken off-site unless it is subject to strict protection. Electronically, this would normally be encrypted and password-protected. Data should not be used for purposes other than for which it was collected. Any unnecessary personal paper-based data must be disposed by destruction, using cross-cut shredders, and/or any unnecessary digitally-stored data must be deleted.

The Iranian Association will undertake Privacy Impact Assessments when designing or significantly changing systems or processes. We may need to share personal information we process with other organisations and individuals. We will do so under strict control and in accordance with the DPA and the GDPR. Clients’ personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party. Staff should note that unauthorised disclosure will be a disciplinary matter and may be considered gross misconduct. It may also result in a personal liability for the individual staff.

The IA does not transfer any personal information outside the EEA. The client is responsible for ensuring that all personal data provided to the organisation is accurate and up-to-date.

Rights to Access Information

Staff and clients of the Iranian Association have the right to access any personal data that is being kept about them either on computer or in certain files. Any member of staff who wishes to exercise this right should contact the DDC. Any client who wishes to exercise this right should contact a staff member in the first instance. The organisation aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 30 days as per the GDPR. This can be extended where requests are complex or numerous, but the individual must be notified within one month of the receipt of the request and given an explanation why the extension is needed.

Lawful Basis

The lawful basis for processing data include

The conditions for special categories of data, formerly known as sensitive data, are:

Retention of Data

We will only retain your personal information for as long as necessary to fulfil the purpose we collected it for, including for the purpose of satisfying any legal, accounting, or reporting requirements. The Iranian Association is legally obliged to keep clients’ files in accordance with terms and conditions of the contracts and grants for a period of time after the last intervention/contact and financial records for a period of seven tax years after the end of contract with employees, partners and funding body. After the last day of each tax year, the IA deletes all data which relates to contracts that ended more than seven years beforehand.

Breach

Any deliberate breach of this policy may lead to a disciplinary action being taken or even a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the DDC. This policy will be reviewed at least once a year.

The Data Controller and the Designated Data Controller

The Iranian Association is the DC under the DPA, and the Board of Trustees is, therefore, ultimately responsible for implementation. However, the Designated Data Controller will deal with day-to-day matters. The IA has a DDC. Any query relating to the implementation of the GDPR and DPA 2018 requirements within the organisation will be dealt with by the DDC.
If you have any questions regarding our management of your personal data, please contact:

Designated Data Controller

The Iranian Association

222 King Street

London

W6 0RA