The Iranian Association is committed to protecting the privacy of clients and staff. This policy has been written in accordance with the Data Protection Act 1998 and amended in line with the General Data Protection Regulations (GDPR).
The Iranian Association needs to process and store certain information about its employees and service users to allow the organisation to deliver services, comply with our statutory responsibilities and undertake other tasks to complete the work with which we are entrusted. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, we must comply with the General Data Protection Regulations and the Data Protection Principles, which are set out below.
In summary, the Data Protection Principles state that personal data shall:
The GDPR principles require that personal data shall be
The data controller shall be responsible for, and be able to demonstrate compliance with, the above principles (accountability).
All staff who process or use any personal information must ensure that they follow these principles at all times. Employees must abide by the rules and policies made by the Iranian Association from time to time. Any failure to follow the policy can therefore result in disciplinary proceedings. Any member of staff who considers that the policy has not been followed should raise the matter with the Designated Data Controller in the first instance. If the matter is not resolved, it should be raised as a formal grievance.
This policy applies to all staff, clients, volunteers, interns, placements, contractors and the Trustees of the Iranian Association. Data covered under this policy may be paper or electronic.
The purpose of this policy is to:
The Management Committee (i.e. the Trustees) and the Management Team are responsible for ensuring that the Privacy and Data Protection Policy is implemented and is reviewed every year.
All staff will check that any information they provide to the Iranian Association in connection with their employment is accurate and up to date, inform the Iranian Association of any changes to information they have provided (e.g. changes of address), and inform the Iranian Association of any errors or changes in staff information. The Iranian Association cannot be held responsible for any such errors unless the staff member has informed the organisation of them.
If and when, as part of their responsibilities, staff collect information about other people (e.g. client profiles and circumstances), they must comply with the guidelines for staff. All staff are responsible for data security. Any personal data they hold must be kept securely, for example in a locked filing cabinet or, if it is computerised, password protected. Passwords are to be kept private and secure. Data should not be taken off site unless it is subject to strict protection; electronic data taken off site would normally be encrypted and password protected. Data should not be used for purposes other than those for which it was collected. Personal data must be disposed of by destruction, using confidential waste bins or cross-cut shredders.
The Iranian Association will undertake Privacy Impact Assessments when designing or significantly changing systems or processes.
We may need to share personal information we process with other organisations and individuals. We do so under strict control and in accordance with the Data Protection Act and the General Data Protection Regulations. Clients’ personal information must not be disclosed, orally or in writing, accidentally or otherwise, to any unauthorised third party. Staff should note that unauthorised disclosure will usually be a disciplinary matter and may be considered gross misconduct in some cases. It may also result in personal liability for the individual staff member.
The Iranian Association does not transfer any personal information outside the European Economic Area (EEA).
The client is responsible for ensuring that all personal data provided to the organisation is accurate and up to date.
Staff and clients of the Iranian Association have the right to access any personal data that is being kept about them, either on computer or in certain files. Any member of staff who wishes to exercise this right should contact the Designated Data Controller. Any client who wishes to exercise this right should contact a staff member in the first instance. The organisation aims to comply with requests for access to personal information as quickly as possible, and will ensure that the information is provided within 30 days as per the new GDPR guidelines. This period can be extended where requests are complex or numerous, but the individual must be notified within one month of receipt of the request and given an explanation of why the extension is needed.
The lawful bases for processing data include:
a. Consent of the data subject
b. Processing is necessary for compliance with a legal obligation
c. Processing is necessary to protect the vital interests of a data subject or another person
d. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
e. Processing is necessary for purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
The conditions for processing special categories of data (formerly known as sensitive data) are:
a. Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
b. Processing is necessary for carrying out obligations under employment, social security, social protection law or a collective agreement
c. Processing necessary to protect the vital interests of a data subject where the subject is incapable of giving consent
d. Processing is necessary for the establishment, exercise or defence of legal claims
e. Processing is necessary for reasons of substantial public interest
f. Processing is necessary for assessing the working capacity of the employee
We will only retain your personal information for as long as necessary to fulfil the purpose for which we collected it, including for the purpose of satisfying any legal, accounting or reporting requirements. The Iranian Association is legally obliged to keep client files, in accordance with the terms and conditions of the relevant contracts and grants, for a period of time after the last intervention or contact, and to keep financial records for a period of seven tax years after the end of the contract with the employee, partner or funding body. After the last day of each tax year, the Iranian Association deletes all data relating to contracts that ended more than seven years beforehand.
Any deliberate breach of this policy may lead to disciplinary action being taken, or even to criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Designated Data Controller. This policy will be reviewed at least every year.
The Iranian Association is the Data Controller under the Data Protection Act, and the Board of Trustees is therefore ultimately responsible for implementation. However, the Designated Data Controller will deal with day-to-day matters. The Iranian Association has designated a Data Controller, and any query relating to the implementation within the organisation of the GDPR and Data Protection Act 1998 requirements will be dealt with by the Designated Data Controller.
If you have any questions regarding our management of your personal data, please contact:
Designated Data Controller
The Iranian Association
222 King Street, London W6 0RA