Policy statement
TDI recognises that all individuals have a right to privacy, which extends to the considerate use of their personal data. TDI is subject to legal requirements around the use of personal data under the Data Protection Act (2018) and the accompanying Privacy and Electronic Communications Regulations.
Principles underlying this policy
Personal data is anything which can be used to identify an individual. This might be extensive information about a person, but extends to include such things as personal email addresses or descriptions in conversations about an individual where they are not named.
TDI have a legal responsibility to manage data securely and to only use or retain data where there is a legal basis for doing so. We are both controllers of data because we gather and utilise personal data on our own behalf, and processors of data for others, for instance our clients. We can only use or retain data where we have a lawful basis to do. For most purposes these will be legitimate interest and consent.
Aims, objectives and scope of this policy
TDI will only gather, store and use personal data where it has a lawful basis to do so.
TDI will be fair and transparent in its use of personal data; limit its use of personal data to the purposes for which it was collected; minimise the amount of personal data collected and held; ensure that personal data collected and held is accurate; store personal data only for as long as is necessary; keep personal data securely; and be accountable for the storage and use of personal data.
Where it is necessary and appropriate to transfer personal data, TDI will only do this with individuals or organisations with robust data protection procedures in place.
This policy applies to all trustees, directors, employees, volunteers and contractors of TDI.
Procedures
TDI will maintain its registration with the Information Commissioner's Office.
No one working on TDI business should seek personal data where it is not necessary for the conduct of that business, for example the provision of services or for direct marketing an individual has chosen to receive.
No one working on TDI business should use personal data for reasons other than the conduct of business, the operation of the individual or purposes which an individual has consented to. Examples of these would be communication with individuals necessary for the performance of a contract, retention of information necessary to pay employees, or the sending by email of information about TDI which individuals have signed-up to receive.
In circumstances where communication is unsolicited, for instance direct marketing, it should be clear that recipients can opt out and easy for them to do so. All individuals working for TDI will ensure that opt-out text is included in such communications.
Where an individual requests that personal data is destroyed, it must be destroyed unless it would prevent the operation of the organisation or the delivery of a service we are contracted to deliver. For example, an individual should be able to remove themselves from direct marketing, but should not be able to remove personal details from employee payroll documentation.
Where the destruction of personal data would prevent the operation of the organisation or the delivery of a contracted service, the individual should be informed of this and means of acting without the personal data should be explored. An example would be replacing the use of a personal mail address with a generic business address not used by a single individual.
All individuals should safely destroy personal data when necessary. This would include the wiping of electronic storage material and the shredding of hard copy documents.
All individuals working for TDI should store personal data securely, for example in filing cabinets in premises which can be locked or on electronic systems which are password protected.
All individuals will consider whether the retention and storage of personal data is necessary for the conduct of business or the operations of the organisation. For example, it should be considered whether personal data needs to be written down, and the retention of documents relating to historic work carried out by TDI should be actively reviewed on a regular basis.
All individuals working for TDI should report data breaches where personal data is or might be revealed to those without a lawful reason for having it. Such situations would include emails which are mis-delivered or which publicly copy in unconnected individuals, or situations where documents with personal data are lost or stolen. These should be reported to the Chief Executive, the Trustees and, where appropriate, the Information Commissioner’s Office.
All those working for TDI have a responsibility to ensure that personal data is only shared with other individuals or organisations with robust data protection policies in place. Data should not be shared with organisations without ascertaining that they have such policies.
Date of revision of this policy
December 2021. This policy is in effect, and should be reviewed within 3 years.
Additional resources
The Information Commissioner’s Office has various resources to support compliance with data protection requirements: https://ico.org.uk/.