The Macari Foundation recognises the requirements placed upon it by the General Data Protection Regulation (GDPR) and data retention legislation to receive, record, organise, store, protect and destroy data concerning its clients, employees and volunteers.
The purpose of the GDPR is to protect an individual’s rights and freedoms and to ensure that personal data is not processed without their knowledge and, wherever possible, that it is processed with their consent.
The Macari Foundation will abide by the GDPR principles of:
- lawfulness, fairness and transparency
- purpose limitation
- data minimisation
- storage limitation
- integrity and confidentiality
Governance, Compliance and Accountability
- The Macari Foundation is a data controller and data processor under the GDPR. The trustees, senior leadership and managers are responsible for developing and encouraging good information handling practices within the organisation.
- Compliance with data protection legislation is the responsibility of all employees who process personal data and forms part of The Macari Foundation induction, training and performance management process. Employees are responsible for ensuring that any personal data about them and supplied by them to The Macari Foundation is accurate.
- Each organisational function is monitored for compliance with the GDPR and for opportunities for review and improvement.
- We monitor the Supervisory Authority and GDPR news to stay abreast of updates, notifications and additional requirements.
- We have robust and documented Complaint Handling and Data Breach controls for identifying, investigating, reviewing and reporting any breaches or complaints with regards to data protection.
- We have developed and documented appropriate technical and organisational measures and controls for personal data security.
All customers, employees and potential employees have the following rights concerning their data:
- To be informed about the collection and use of your personal data at the time we collect the data: the recipients to whom the personal data has been or will be disclosed, why we process your data, how long we store it for and who has access to it.
- To have access to any personal information that The Macari Foundation processes about you and confirmation that your data is being processed so you can verify the lawfulness of the processing.
- To rectification of your personal information. We will update inaccurate information that you tell us about either verbally or in writing.
- To erasure of your personal data in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use.
- To restrict processing of your personal data. We may retain the data in accordance with data protection laws, but not use it.
- To data portability allowing you to obtain and reuse your personal data for your own purposes across different services.
- To object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority, direct marketing and processing for purposes of scientific/historical research and statistics.
- Not to be subject to automated decision-making profiling where automated decisions are made without any human involvement.
If we receive a request to exercise any of the above rights, we may ask for verification of identity before acting on the request; this is to ensure that data is kept protected and secure. To exercise rights, contact should be made with The Macari Foundation via any communication channel.
All requests to exercise rights will be given to the DPO, who will oversee all related investigation and resulting changes. The request, decisions and related activities will be documented.
A privacy notice outlines how, why and when we gather and process personal information in compliance with the relevant data protection regulation, as well as providing an outline of the necessary information regarding rights and obligations.
The Macari Foundation has the following privacy notices for the collection and processing of personal data:
- Customer Privacy Notice – relating to customers and recipients of services
- Staff Privacy Notice – relating to current and former employees and volunteers
- Recruitment Privacy Notice – relating to job applicants.
Privacy notices are referred to in relevant correspondence with the above groups.
Documenting Lawful Basis
When we process personal data, we always identify and establish the legal basis for doing so.
This is determined by the purpose and relationship with the individual:
- Consent to the processing of their personal data for one or more specific purposes
- Deliver a contract, or take steps to deliver a contract, e.g. to provide a quote.
- Protect the vital interests of a data subject, e.g. providing medical information in an emergency.
- Legal obligation, e.g. informing relevant bodies.
- Legitimate interests e.g. where people would expect us to process data.
- Special category data – see below
The Macari Foundation understands consent to mean that it has been explicitly and freely given by statement or a clear affirmative action, signifying agreement to the processing of personal data.
- Consent is required when no other lawful basis applies.
- Consent will always be sought, but if consent is not in place and another lawful basis applies, The Macari Foundation will still take action.
- In most instances, consent to process personal and sensitive data is obtained routinely using standard consent documents.
- For sensitive data, explicit written consent must be obtained unless an alternative legitimate basis for processing exists.
- Consent can be withdrawn at any time.
- Consent is stored on the relevant processing software.
Special Category Data
Special category data is personal data which is more sensitive and therefore requires more protection.
Data will only be collected and processed where we have explicit consent under one of the following conditions:
A personal data breach is defined as a security incident that has affected the confidentiality, integrity or availability of personal data. A personal data breach occurs when:
- any personal data is lost, destroyed, corrupted or disclosed
- someone accesses the data or passes it on without proper authorisation
- the data is made unavailable, e.g. when it has been encrypted by ransomware, or accidentally lost or destroyed
If a security incident takes place, we will establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including informing the ICO if required.
Detecting & Investigating a Data Breach
We perform regular checks and assessments on how the personal data we process is obtained, used, stored and shared to prevent data breaches. If a data breach is detected, the following steps are followed:
- The DPO must be informed immediately using any communication method. The DPO will request this be followed up in writing.
- The DPO will assess the immediacy and severity of the situation, and will either make a decision or commission an investigation, which will be led by a senior member of staff. Where immediate action needs to be taken, the DPO will instruct this, including changes to procedures if necessary.
- Investigation findings will include recommendations which will be the responsibility of the director team to implement.
- The DPO will log the breach in the Data Breach Log and file copies of related correspondence.
- The DPO will identify whether the ICO should be informed (required within 72 hours).
When & how to inform the ICO of a data breach
If a personal data breach has occurred, the DPO will assess the potential negative consequences for individuals:
- If there is a risk to people’s rights and freedoms, the risks will be justified and documented and we will contact the ICO.
- Breaches must be reported within 72 hours of the breach. Contact the ICO on 0303 123 1113 or visit https://ico.org.uk/for-organisations/report-a-breach/
- If there is no risk, the breach will be documented but not reported.
Data Protection Impact Assessment (DPIA)
The Macari Foundation uses a Data Protection Impact Assessment (DPIA) to identify and minimise the data protection risks of a project. A DPIA is carried out for any project that is likely to result in a high risk to individuals, and for any major project that requires the processing of personal data.
A DPIA consists of:
- Screening questions to identify if a DPIA is required.
- Project brief – detailing the what, how and why of the project that will process personal data, and setting out the outcomes, intentions and risks.
- Information audit to assess where personal data comes from, goes to and how it is processed.
- Assessment criteria to provide the basis for identifying the risks and specific details such as how the data is used, if it is disclosed or transferred and what privacy by design methods are in place.
- Privacy issues and risks.
- Proposed solutions and mitigating actions.
- Integrating outcomes – specifying the actions to be taken, who is responsible and what the completion timeframe is.
Once the DPIA is completed, we will reassess the project to ensure that it meets the requirements of the regulation.