Privacy and Data Protection Policy

The Iranian Association is committed to protecting the privacy of clients and staff. This policy has been written in accordance with the Data Protection Act 1998 and amended in line with the General Data Protection Regulations (GDPR).

Policy Statement

The Iranian Association needs to process and store certain information about its employees and service users to allow the organisation to deliver services, comply with our statutory responsibilities and undertake other tasks to complete the work with which we are entrusted. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, we must comply with the General Data Protection Regulations and the Data Protection Principles, which are set out below.

In summary, the Data Protection Principles state that personal data shall:

  • Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met
  • Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose
  • Be adequate, relevant and not excessive for those purposes
  • Be accurate and kept up to date
  • Not be kept for longer than is necessary for that purpose
  • Be processed in accordance with the data subject’s rights
  • Be kept safe from unauthorised access, accidental loss or destruction
  • Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data

The GDPR principles require that personal data shall be:

  • processed lawfully, fairly and in a transparent manner in relation to individuals (Lawfulness, fairness and transparency)
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (Purpose limitation)
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (Data minimisation)
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (Accuracy)
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (Storage limitation)
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (Integrity and confidentiality)

The data controller shall be responsible for, and be able to demonstrate compliance with, the above principles (Accountability).

All staff who process or use any personal information must ensure that they follow these principles at all times. Employees must abide by the rules and policies made by the Iranian Association from time to time. Any failure to follow the policy can therefore result in disciplinary proceedings. Any member of staff who considers that the policy has not been followed should raise the matter with the Designated Data Controller in the first instance. If the matter is not resolved, it should be raised as a formal grievance.


Scope

This policy applies to all staff, clients, volunteers, interns, placements, contractors and the Trustees of the Iranian Association. Data covered under this policy may be paper or electronic.

Purpose

The purpose of this policy is to:

  • Inform staff, Trustees and those outside of the Iranian Association of our commitment to meet our obligations under relevant legislation.
  • Inform stakeholders, clients and staff about what they can expect from the Iranian Association when we store and handle data.
  • Reassure stakeholders, clients and staff that they are able to voice any concerns they may have regarding privacy and data protection through an established procedure.
  • Provide guidance to Managers on how to identify and minimise poor practice.
  • Raise staff awareness and provide guidance on the storage and processing of personal data.

Responsibilities

The Management Committee (i.e. the Trustees) and the Management Team are responsible for ensuring that the Privacy and Data Protection Policy is implemented and is reviewed every year.

All staff will check that any information they provide to the Iranian Association in connection with their employment is accurate and up to date, and will inform the Iranian Association of any changes to that information (e.g. a change of address) and of any errors in their staff information. The Iranian Association cannot be held responsible for any such errors unless the staff member has informed the organisation of them.

If and when, as part of their responsibilities, staff collect information about other people (e.g. client profiles and circumstances), they must comply with the guidelines for staff. All staff are responsible for data security. Any personal data which they hold must be kept securely, for example in a locked filing cabinet or, if it is computerised, password protected. Passwords are to be kept private and secure. Data should not be taken off site unless it is subject to strict protection; electronic data would normally be encrypted and password protected. Data should not be used for purposes other than those for which it was collected. Personal data must be disposed of by destruction, using confidential waste bins or cross-cut shredders.

The Iranian Association will undertake Privacy Impact Assessments when designing or significantly changing systems or processes.

We may need to share personal information we process with other organisations and individuals. We do so under strict control and in accordance with the Data Protection Act and the General Data Protection Regulations. Clients’ personal information is not disclosed, whether orally or in writing, accidentally or otherwise, to any unauthorised third party. Staff should note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases. It may also result in personal liability for the individual staff member.

The Iranian Association does not transfer any personal information outside the European Economic Area (EEA).

The client is responsible for ensuring that all personal data provided to the organisation is accurate and up to date.

Rights to Access Information

Staff and clients of the Iranian Association have the right to access any personal data that is being kept about them either on computer or in certain files. Any member of staff who wishes to exercise this right should contact the Designated Data Controller. Any client who wishes to exercise this right should contact a staff member in the first instance. The organisation aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 30 days as per the new GDPR guidelines. This can be extended where requests are complex or numerous, but the individual must be notified within one month of the receipt of the request and given an explanation why the extension is needed.

Lawful Basis

The lawful bases for processing data include:

a. Consent of the data subject

b. Processing is necessary for compliance with a legal obligation

c. Processing is necessary to protect the vital interests of a data subject or another person

d. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

e. Processing is necessary for purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

The conditions for processing special categories of data, formerly known as sensitive data, are:

a. Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law

b. Processing is necessary for carrying out obligations under employment, social security, social protection law or a collective agreement

c. Processing is necessary to protect the vital interests of a data subject where the subject is incapable of giving consent

d. Processing is necessary for the establishment, exercise or defence of legal claims

e. Processing is necessary for reasons of substantial public interest

f. Processing is necessary for assessing the working capacity of the employee

Retention of Data

We will only retain your personal information for as long as necessary to fulfil the purpose we collected it for, including for the purpose of satisfying any legal, accounting or reporting requirements. The Iranian Association is legally obliged to keep client files, in accordance with the terms and conditions of the relevant contracts and grants, for a period of time after the last intervention/contact, and to keep financial records for a period of seven tax years after the end of the contract with the employee, partner or funding body. After the last day of each tax year, the Iranian Association deletes all data which relates to contracts which ended more than seven years beforehand.

Breach

Any deliberate breach of this policy may lead to disciplinary action being taken, or even to criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Designated Data Controller. This policy will be reviewed at least every year.

The Data Controller and the Designated Data Controller

The Iranian Association is the Data Controller under the Data Protection Act, and the Board of Trustees is therefore ultimately responsible for implementation. However, the Designated Data Controller will deal with day-to-day matters. The Iranian Association has designated a Data Controller for this purpose. Any query relating to the implementation within the organisation of the GDPR and Data Protection Act 1998 requirements will be dealt with by the Designated Data Controller.

If you have any questions regarding our management of your personal data please contact:

Designated Data Controller

The Iranian Association

222 King Street, London W6 0RA

Copyright © Iranian Association. All Rights Reserved | Charity Reg: 1120205