Data Protection

Data Protection and Data Security Policy

Statement of policy and purpose of Policy

  1. is committed to ensuring that all personal information handled by us will be processed according to legally compliant standards of data protection and data security.
  2. The purpose of this policy is to help us achieve our data protection and data security aims by:
    1. notifying users of our website of the types of personal information that we may hold about them and what we do with that information;
    2. ensuring users understand our rules and the legal standards for handling personal information relating to others; and
    3. clarifying the responsibilities and duties of managers in respect of data protection and data security.
  3. This is a statement of policy. We may amend this policy at any time, in our absolute discretion.

Who is responsible for data protection and data security?

  1. Maintaining appropriate standards of data protection and data security is a collective task shared between us and you. This policy and the rules contained in it apply to all managers of, irrespective of tenure, including all volunteers.
  2. The website owner has overall responsibility for ensuring that all personal information is handled in compliance with the law and, as the Website owner, has day-to-day responsibility for data processing and data security.
  3. We have a personal responsibility to ensure compliance with this policy, to handle all personal information consistently with the principles set out here and to ensure that measures are taken to protect data security. We endeavour to lead by example and to monitor & enforce compliance.
  4. Any breach of this policy will be taken seriously and may result in further action.

What personal information and activities are covered by this policy?

  1. This policy covers personal information:
    1. which relates to a living individual who can be identified either from that information in isolation or by reading it together with other information we possess;
    2. which is stored electronically or on paper in a filing system;
    3. in the form of statements of opinion as well as facts;
    4. which relates to the allotment volunteers or to any other individual whose personal information we handle or control;
    5. which we obtain, hold or store, organise, disclose or transfer, amend, retrieve, use, handle, process, transport or destroy.
    6. We collect personal information about you which you provide during your engagement with us;
    7. The types of personal information that we may collect, store and use about you include records relating to your home address and contact details as well as contact details for your next of kin;

What personal information do we process about users and what do we do with it?

  1. We will use information to carry out our business, to administer your use of the website or engagement with Greenlink Allotment Group and to deal with any problems or concerns you may have including:
    1. Tenant and Co-worker contact details and name & address information: to compile and circulate lists of home address and contact details, to contact you regarding changes to the running of the allotment or the website.
  2. We confirm that for the purposes of the Data Protection Act 1998, the Website owner is a Data Controller of the personal information in connection with your tenancy at Greenlink Allotment. This means that we determine the purposes for which, and the manner in which, your personal information is processed.
  3. If you consider that any information held about you is inaccurate then you should tell the secretary (contactable via the contact us section of the website) and, if we agree that the information is inaccurate, then we will correct it. If we do not agree with the correction then we will note your comments and discuss this with you.
  4. We will take reasonable steps to ensure that your personal information is kept secure, as described later in this policy, and, in general, we will not disclose your personal information to others outside the Greenlink Allotment Group. However, we may need to disclose personal information about tenants to:
    1. our land owner North Lanarkshire Council;
    2. to comply with our legal obligations or assist in a criminal investigation or to seek legal or professional advice in relation to tenancy issues or breach(es) of the Conditions of Tenancy Agreement, which may involve disclosure to our lawyers, accountants or auditors and to legal and regulatory authorities, such as HM Revenue and Customs;
    3. to other parties which provide products or services to us.
  5. By providing your personal information to us, you consent to the use of your personal information (including any sensitive personal data) in accordance with this policy.

Data Protection Principles

  1. The website owner and committee members will ensure any personal data we hold or are offered by or about you is:
    1. Processed fairly and lawfully. We must always have a lawful basis to process personal information. In most (but not all) cases, the person to whom the information relates (the Subject) must have given consent. The Subject must be told who controls the information (us), the purpose(s) for which we are processing the information and to whom it may be disclosed.
    2. Processed for limited purposes and in an appropriate way. Personal information must not be collected for one purpose and then used for another. If we want to change the way we use personal information we must first tell the Subject.
    3. Adequate, relevant and not excessive for the purpose.
    4. Regular checks must be made to correct or destroy inaccurate information.
    5. Not kept longer than necessary for the purpose. Information must be destroyed or deleted when we no longer need it. For guidance on how long particular information should be kept, contact the Website owner.
    6. Processed in line with Subjects’ rights. Subjects have a right to request access to their personal information, prevent their personal information being used for direct-marketing, request the correction of inaccurate data and to prevent their personal information being used in a way likely to cause them or another person damage or distress.
    7. See further information about data security below.
    8. Not transferred to people or organisations situated in countries without adequate protection.
  2. Some personal information needs even more careful handling. This includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life or about criminal offences. Strict conditions apply to processing this sensitive personal information and the Subject must normally have given specific and express consent to each way in which the information is used. We will not hold information about any aspect of this.

Data security

  1. We must all protect personal information in our possession from being accessed, lost, deleted or damaged unlawfully or without proper authorisation through the use of data security measures.
  2. Maintaining data security means making sure that:
    1. only people who are authorised to use the information can access it;
    2. information is accurate and suitable for the purpose for which it is processed; and
    3. authorised persons can access information if they need it for authorised purposes. Personal information therefore should not be stored on individual computers but instead on our central system.
  3. By law, we must use procedures and technology to secure personal information throughout the period that we hold or control it, from obtaining to destroying the information.
  4. Personal information must not be transferred to any person to process (e.g. while performing services for us or on our behalf), unless that person has either agreed to comply with our data security procedures or we are satisfied that other adequate measures exist.
  5. Security procedures include:
    1. Physically securing information. Any desk or cupboard containing confidential information must be kept locked. Computers should be locked with a password or shut down when they are left unattended and discretion should be used when viewing personal information on a monitor to ensure that it is not visible to others.
    2. Controlling access to premises. Staff should report to security if they see any person they do not recognise in an entry-controlled area.
    3. Telephone Precautions. Particular care must be taken by Staff who deal with telephone enquiries to avoid inappropriate disclosures. In particular:
      1. the identity of any telephone caller must be verified before any personal information is disclosed;
      2. if the caller’s identity cannot be verified satisfactorily then they should be asked to put their query in writing;
      3. do not allow callers to bully you into disclosing information. In case of any problems or uncertainty, contact the Website owner.
    4. Methods of disposal. Copies of personal information, whether on paper or on any physical storage device, must be physically destroyed when they are no longer needed. Paper documents should be shredded and CDs or memory sticks or similar must be rendered permanently unreadable.

Subject access requests

  1. By law, any Subject may make a formal request for information that we hold about them, provided that certain conditions are met. The request must be made in writing. A fee is payable by the data subject for provision of this information. In some circumstances it may not be possible to release the information about the Subject to them e.g. if it contains personal data about another person.
  2. Any member of the committee who receives a written request should forward it to the Website owner immediately.