Data Protection Policy

Rainbow Pooch Pride is committed to meeting its obligations under current legislation. Rainbow Pooch Pride will strive to observe the law in all collection and processing of subject data and will meet any subject access request in compliance with the law. Rainbow Pooch Pride will only use data in ways relevant to carrying out its legitimate purposes and functions as an organisation in a way that is not prejudicial to the interests of individuals. Rainbow Pooch Pride will take due care in the collection and storage of all personal data. Individuals involved with Rainbow Pooch Pride will do their utmost to keep all data accurate, timely and secure. 

Individuals engaged with Rainbow Pooch Pride, whether freelance or voluntary, must be aware of the requirements of the current legislation when they collect or handle data about an individual. They must not disclose data except where there is subject consent, or legal requirement.  All collection and processing must be done in good faith. 

The Data Protection Act 2018 and the UK General Data Protection Regulation impose statutory conditions for the maintenance of personal data on Rainbow Pooch Pride computer systems, including data held by individuals on PCs. It is an offence to use or disclose such data if not registered to do so under the UK General Data Protection Regulation. Rainbow Pooch Pride will keep records of all complaints by data subjects and the follow up. It will also keep a record of all data access requests and information about any contacts made with the Information Commissioner. This information will be available to freelancers, volunteers and data subjects on request. 

Rainbow Pooch Pride will inform subjects of any processing, disclosure or overseas transfer that does not fall within Rainbow Pooch Pride purpose in a way that any individual supplying could be expected to understand. Rainbow Pooch Pride will keep registration (now called notification) up to date. 

Principles of data protection outlined in the UK General Data Protection Regulation: 

Anyone processing personal data must comply with the following principles of good practice, which Rainbow Pooch Pride seeks to uphold. The principles say that data must be: 

  1. Processed lawfully, fairly and in a transparent manner.
  2. Collected for specified, explicit and legitimate purposes and not be processed in a way that is incompatible with those purposes. 
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. 
  4. Accurate and, where necessary, kept up to date. 
  5. Not kept longer than necessary for the purposes for which the data are processed.
  6. Processed in a manner that ensures appropriate security of the data (including to prevent unauthorised or unlawful processing, accidental loss, destruction or damage) using appropriate technical or organisational measures. 
  7. Must not be transferred outside of the UK (European Economic Area) unless the country has an adequate level of protection for data subjects. 

 

Policy on collecting subject data

Rainbow Pooch Pride will only collect data that is relevant to the carrying out of the legitimate purposes and functions of the charity in a way that is not prejudicial to the interests of individuals.  All data on individual subjects will be treated in a consistent way. Subjects will be informed about how Rainbow Pooch Pride will store and use the data at the time of collection.  This will require a standard statement to be sent in all written requests for data and a similar verbal script to be used for phone data collection. 

Where the contact details (address, telephone number, email, etc) of an organisation are those of a private individual rather than office premises, those details will be considered to be personal data.

Where Rainbow Pooch Pride intends to use personal data for its main purposes, sending information, newsletters or mailings, subjects will be made aware of their rights and be required to give consent. The obtaining of consent will abide by the following principles:

  • Consent requires an active opt-in – e.g. unticked opt-in boxes or similar active opt-in methods (e.g. yes/no)
  • Consent needs to be specific and granular – vague or blanket consent is not appropriate or acceptable
  • Rainbow Pooch Pride will name any third parties who will rely on the consent
  • Rainbow Pooch Pride will keep consent requests separate from other terms and conditions
  • Rainbow Pooch Pride will avoid making consent a precondition of a service. 

Rainbow Pooch Pride will strive to ensure that data collection is as accurate as possible, given the methods used in collection. Voicemail data may be less reliable than written documents. Data may be stored in many ways. The data will be collected consistently no matter where the data is to be stored. 

Sensitive Data: 

Rainbow Pooch Pride will strive to ensure that sensitive data is accurately identified on collection so that the proper safeguards can be put in place.  Sensitive data means data consisting of information relating to the individual’s:  

  1. Racial or ethnic origin 
  2. Political opinions 
  3. Religious or philosophical beliefs 
  4. Trade Union 
  5. Health 
  6. Sex life or sexual orientation 
  7. Civil or Criminal offences. 

Procedures for collecting subject data 

Freelancers and volunteers are responsible for ensuring that data are collected accurately and fully. 

Freelancers and volunteers are responsible for ensuring that sensitive data are identified when collected and will inform the subject that this data will be stored at the time of collection. 

All personal information should be dated at the time of collection so that records can be archived at an appropriate time. 

Statement for written forms and web/email communications

When data are collected the following statement must be included in all written forms and also electronic communications: 

“If you complete this form Rainbow Pooch Pride will store and process your data in accordance with the requirements of its Data Protection Policy and in keeping with the UK General Data Protection Regulation. As part of our commitment to keeping you informed, Rainbow Pooch Pride would like to send information to you from time to time including but not limited to our newsletter, e-bulletins, invitations to events. Please tick the box if you consent to receiving information from Rainbow Pooch Pride in this way. You may withdraw your consent at any time”. 

Policy for Data Storage and Processing 

Rainbow Pooch Pride will only hold data that is relevant to the carrying out of the legitimate purposes and functions of the organisation in a way not prejudicial to the interests of individuals. Information will be accurate and timely and will be held in an environment as secure as possible. Rainbow Pooch Pride staff will be responsible for ensuring that all regular data care procedures are fully and conscientiously followed. All ordered manual files and databases will be kept up to date and will have an agreed archiving policy. Data no longer required for the legitimate purposes of Rainbow Pooch Pride will be regularly purged. 

All individual data will be kept secure, by regular office security procedures or through the controls over the computer network. Sensitive data will be treated with appropriate security. 

Freelancers and volunteers will also take care to meet high standards of security by disposing appropriately of any written reports which are generated from individual records. Any data processing will only be allowed where there is a clear rationale for the activity, which meets the UK General Data Protection Regulation criteria. 

Procedure for Data Storage and Processing 

  1. All freelancers and volunteers must take responsibility for following through any data care work required of them to maintain accurate corporate data systems. They are also responsible for any records they keep in any ordered filing systems. 
  2. Archiving policies for data no longer needed in our storage systems will be set up for all data stores. A clear rationale must be supplied for personal data to be kept longer than is necessary.
  3. All data will be stored in a secure location and precautions will be taken to avoid letting data become accidentally disclosed. 
  4. Any agent employed to process data on Rainbow Pooch Pride’s behalf will be bound to comply with Rainbow Pooch Pride’s data protection policy by a written contract. No data will be passed to a Third Party without obtaining consent of the data subject.
  5. Any mailings generated from stored data will observe opt out choices in good faith. 
  6. Sensitive data should not be kept unless agreed by the Data Controller at Rainbow Pooch Pride. 
  7. Information that is stored on computers, mobile devices and laptops will be password protected. 

Policy on Disclosures 

Rainbow Pooch Pride will not allow data collected from subjects to be disclosed to third parties except in circumstances that meet the requirements of the General Data Protection Regulation. 

This will be either: 

  1. The subject has consented to the disclosure. 
  2. Rainbow Pooch Pride is legally obliged to disclose the data. 
  3. There is a business requirement to disclose data that is within the remit of the UK General Data Protection Regulation and is not prejudicial to the interests of the individual. 

Any request for data based on a legal requirement, e.g. from Police or other body, must be put in writing and be checked against the advice of the Information Commissioner Registrar before data are disclosed. 

All staff have a duty to protect individuals’ data from accidental disclosure: 

  • Do not give out passwords to other people, who will then have access to the data you are entitled to view. 
  • Do not recycle reports that contain personal data. 
  • In particular, take due care to ensure that data is not left about on laptops or mobile devices or in files out of the office where they can be accessed by other people who are not engaged on a freelance or voluntary basis for Rainbow Pooch Pride. 

Policy on Overseas Transfer 

Rainbow Pooch Pride will not allow data collected from subjects to be transferred to third parties outside of the UK Area except in circumstances which meet the requirements of the UK General Data Protection Regulation. This will be either: 

  1. The subject has consented to the transfer. 
  2. Rainbow Pooch Pride is legally obliged to transfer the data. 
  3. There is a business requirement to transfer the data that is within the remit of the Data Protection Law as it is not prejudicial to the interests of the individual. 

Any data put on the Internet, via emails or Web Page will be considered a data transfer. 

Any request for data based on a legal requirement, e.g. from Police or other body, must be put in writing and be checked against the advice of the Information Commissioner before data is transferred Overseas. 

Subject Access Policy 

All data subjects have the right to request a copy of all personal data held by Rainbow Pooch Pride relating to the data subject.  This information must be provided within 1 month (at the latest) but may be extended where requests are complex or numerous. This information must also be provided free of charge. However, Rainbow Pooch Pride may charge a “reasonable fee” if the request is manifestly unfounded or complex.  If a request is made electronically, the information may be provided in a commonly used electronic format.  

Exceptions

In certain circumstances, the disclosure of data will involve disclosing information relating to another individual.  In such cases, Rainbow Pooch Pride will not be obliged to disclose the information unless the other individual has consented to the disclosure or it would be reasonable in all the circumstances to comply with such a request without such consent. These will be:

  • Where the data controller is involved in negotiations with the data subject, the subject access provisions will not apply if their application would prejudice the negotiations
  • Any personal data which is processed by the data controller for the purpose of management forecasting or management planning done in the conduct of Rainbow Pooch Pride business, will be exempt from the subject access provisions if such access would be likely to prejudice the conduct of such business or activity
  • Where legal professional privilege can be claimed, the subject access provisions will not apply.

Notification of Breach

Rainbow Pooch Pride is required to notify a personal data breach to the Information Commissioner as the supervisory authority if the breach is likely to result in risk to rights and freedoms of individuals. Where feasible, all breaches must be reported no later than 72 hours after becoming aware of the breach. Examples of breaches include (this list is not exhaustive):

  • loss or theft of memory stick/pen drive containing personal data
  • loss or theft of a mobile device containing personal data
  • loss or theft of manual files containing personal data
  • inadvertently sending personal data electronically.

All individuals engaged with Rainbow Pooch Pride, freelancers or volunteers, MUST report a suspected breach to the data protection lead immediately and as a matter of urgency. Failure to report a suspected breach will result in disciplinary action being taken. The data protection lead will record the breach and decide whether the Information Commissioner should be notified. 

Definitions

Data controller – Is the entity who determines the purposes for which and the manner in which personal data is processed. Rainbow Pooch Pride’s data controller is the Project Manager.

Data Protection Principles – All data must be processed in accordance with the data protection principles, as detailed previously.

Manual data – Is data that is held on “a relevant filing system” with the intention that it should form part of such a system. A “relevant filing system” is any set of information relating to individuals which is “structured either by reference to individuals or by reference to criteria relating to such individuals” so that such information is “readily accessible”.

Personal data – Means any information relating to a living person who is identified (or can be identified) from that information. Expressions of opinion about an individual also constitute “personal data” but any indications of the intentions of the data controller in respect of that person do not. The facts on which such “intentions” are formulated, e.g. performance ratings, count as personal data and must be disclosed on request to the data subject.

Processing – Anything done with personal data. This includes collection, recording, storing, organising, structuring, altering, using, disclosing and erasing whether or not by automated means.

Special Categories of Personal Data – Is personal data revealing race or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation.