Privacy and Data Protection Policy
The Iranian Association (IA) is committed to protecting the privacy of clients and staff. This policy has been written in accordance with the Data Protection Act 2018 (DPA 2018) and amended in line with the General Data Protection Regulations (GDPR).
Policy Statement
The IA needs to process and store certain information about its employees and service users to allow the organisation to deliver services, comply with our statutory responsibilities and undertake other tasks to complete the work with which we are entrusted. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, we must comply with the Data Protection Principles (DPP) and the GDPR, which are set out below.
In summary, the DPP state that personal data shall:
- Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met
- Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose
- Be adequate, relevant and not excessive for those purposes
- Be accurate and kept up-to-date
- Not be kept for longer than is necessary for that purpose
- Be processed in accordance with the data-subjects’ rights
- Be kept safe from unauthorised access, accidental loss or destruction
- Not be transferred to a country outside the European Economic Area (EEA), unless that country has equivalent levels of protection for personal data
The GDPR require that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals (Lawfulness, fairness and transparency)
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (Purpose limitation)
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (Data minimisation)
- Accurate and, where necessary, kept up-to-date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (Accuracy)
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (Storage limitation)
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (Integrity and confidentiality)
The Data Controller (DC) shall be responsible for and be able to demonstrate compliance with the above principles/regulations (Accountability).
All staff who process or use any personal information must ensure that they follow these principles/regulations at all times. Employees must abide by the rules and policies made by the Iranian Association. Any failure to follow this policy can, therefore, result in disciplinary proceedings. Any member of staff who considers that the policy has not been followed should raise the matter with the Designated Data Controller (DDC) in the first instance. If the matter is not resolved, it should be raised as a formal grievance.
Scope
This policy applies to all staff, clients, volunteers, interns, contractors and the Trustees of the Iranian Association. Data covered under this policy may be in paper or electronic format.
Purpose
The purpose of this policy is to:
- Inform staff, Trustees and those outside of the Iranian Association of our commitment to meet our obligations under relevant legislation.
- Inform stakeholders, clients and staff about what they can expect from the IA when we store and handle data.
- Reassure stakeholders, clients and staff that they are able to voice any concerns they may have regarding privacy and data protection through an established procedure.
- Provide guidance to Manager(s) on how to identify and minimise poor practice.
- Raise staff awareness and provide guidance on the storage and processing of personal data.
Responsibilities
The Management Committee (i.e. Trustees) and the Management Team are responsible for ensuring that the Privacy and Data Protection Policy is implemented and reviewed every year.
All staff will check that any information that they provide to the Iranian Association in connection with their employment is accurate and up-to-date and inform the IA of any changes or errors to the information they have already provided. The Iranian Association cannot be held responsible for any such errors unless the staff member has informed the organisation of them.
If and when, as part of their responsibilities, staff collect information about other people (i.e. about clients’ profiles and circumstances), they must comply with the staff guidelines. All staff are responsible for Data Security. Any personal data they hold must be kept securely: for example, in a locked filing cabinet or, if it is computerised, password-protected. Passwords are to be kept private and secure. Data should not be taken off-site unless it is subject to strict protection; for electronic data, this would normally mean that it is encrypted and password-protected. Data should not be used for purposes other than those for which it was collected. Any unnecessary personal paper-based data must be disposed of by destruction, using cross-cut shredders, and any unnecessary digitally-stored data must be deleted.
The Iranian Association will undertake Privacy Impact Assessments when designing or significantly changing systems or processes.
We may need to share personal information we process with other organisations and individuals. We will do so under strict control and in accordance with the DPA and the GDPR. Clients’ personal information must not be disclosed, whether orally or in writing, accidentally or otherwise, to any unauthorised third party. Staff should note that unauthorised disclosure will be a disciplinary matter and may be considered gross misconduct. It may also result in personal liability for the individual staff member.
The IA does not transfer any personal information outside the EEA.
The client is responsible for ensuring that all personal data provided to the organisation is accurate and up-to-date.
Rights to Access Information
Staff and clients of the Iranian Association have the right to access any personal data that is being kept about them, either on computer or in certain files. Any member of staff who wishes to exercise this right should contact the DDC. Any client who wishes to exercise this right should contact a staff member in the first instance. The organisation aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 30 days as per the GDPR. This can be extended where requests are complex or numerous, but the individual must be notified within one month of the receipt of the request and given an explanation of why the extension is needed.
Lawful Basis
The lawful bases for processing data include:
- Consent of the data subject
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller
- Processing is necessary for purposes of legitimate interests pursued by the Controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
The conditions for special categories of data, formerly known as sensitive data, are:
- Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
- Processing is necessary for carrying out obligations under employment, social security, social protection law or a collective agreement
- Processing is necessary to protect the vital interests of a data subject where the subject is incapable of giving consent
- Processing is necessary for the establishment, exercise or defence of legal claims
- Processing is necessary for reasons of substantial public interest
- Processing is necessary for assessing the working capacity of the employee
Retention of Data
We will only retain your personal information for as long as necessary to fulfil the purpose we collected it for, including for the purpose of satisfying any legal, accounting, or reporting requirements. The Iranian Association is legally obliged to keep clients’ files in accordance with terms and conditions of the contracts and grants for a period of time after the last intervention/contact and financial records for a period of seven tax years after the end of contract with employees, partners and funding body. After the last day of each tax year, the IA deletes all data which relates to contracts that ended more than seven years beforehand.
Breach
Any deliberate breach of this policy may lead to a disciplinary action being taken or even a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the DDC. This policy will be reviewed at least once a year.
The Data Controller and the Designated Data Controller
The Iranian Association is the DC under the DPA, and the Board of Trustees is, therefore, ultimately responsible for implementation. However, the IA has a Designated Data Controller who will deal with day-to-day matters. Any query relating to the implementation of the GDPR and DPA 2018 requirements within the organisation will be dealt with by the DDC. If you have any questions regarding our management of your personal data, please contact:
Designated Data Controller
The Iranian Association
222 King Street
London
W6 0RA