Isle Access regards the lawful and correct treatment of personal information as very important and is fully committed to the principles of data protection, as set out in the General Data Protection Regulation.

Why do we have this policy?

Our privacy policy will help you understand what information we collect, how we use it, and what choices you have.

On 25 May 2018, the European General Data Protection Regulation (GDPR) will apply. And, as it is an EU regulation, the GDPR will automatically take effect without the need for it to be locally implemented by member states.

Designed to help safeguard data protection rights for individuals, the GDPR introduces a single set of rules across the EU when it comes to how organisations handle data relating to identifiable individuals.

Under the General Data Protection Regulation, Isle Access is termed a ‘data controller’ which means that we are responsible for how and why personal data is used. Isle Access Trustees can help you with any queries about the information in this privacy policy.

Currently Isle Access will not have a designated Data Protection Officer as personal data is only processed on a small scale. If this changes an independent designated Data Protection Officer will be utilized.

Please also note that this privacy policy covers Isle Access website only. Other websites linked to or from this site are not covered by this policy.

What information do we collect and receive?

We process personal data in connection with our charitable activities, local surveys and to help our volunteers and staff to collaborate and share learning.

Under GDPR, because the consent needs to be clear, specific and explicit we avoid relying on consent unless absolutely necessary. For this reason, we use ‘legitimate interests’ to process your data. This means the interests of our organisation in conducting and managing our activities to enable us to give you the best service. For example, we have an interest in making sure you receive only the emails that matter to you, so we may process your information to send you only the information you are interested in or need. You can inform us if you wish to be contacted differently, or not contacted at all – see number 9 in this document for information on how you can do this.

What personal data could we hold about you?

You may be asked for personal data if you want to take advantage of specific services we offer, such as receiving volunteer briefings and blog updates, joining email lists and networks or taking part in workshops, customer advisory groups, projects, conferences and seminars etc.

We will use the personal information you provide to administer our relationship with you and deliver the services you have told us you wish to use or to send you information that you have requested. We may also offer you the opportunity to receive additional information about our activities or those of our volunteers, supporters, service providers and partners. You may opt out of this at any time by info@IsleAccess.co.uk

Information that you supply will be treated in confidence and in accordance with the principles of the GDPR.

The types of personal data we hold on you might include:

• Your full name
• Your address
• Your volunteer role or job title
• The name and address of an organisation you work for or are associated with
• Your organisation or personal email address (dependent on your preference)
• Your organization or personal telephone number (dependent on your preference)
• We may also store brief notes about where you may have worked before, any specific preferences you have told us about and your main areas of expertise (e.g. research, policy).

This information is kept as accurate as possible – all of our staff take responsibility for keeping this database up to date and have an awareness of data protection.

We store your personal data just for the intended purpose (e.g. we won’t sign you up to every mailing list we run unless you ask us to), and we take steps to collect only the minimum personal data necessary, that it’s accurate, and kept for only as long as necessary, after which it is deleted from our database.

We will amend your record when you tell us that your details have changed. If you leave an organisation and would like us to delete your record, we’ll do it straight away if you tell us. Otherwise we’ll keep it on file for 3 years, after which, if we still haven’t heard from you in another capacity, we’ll delete it on your behalf.

How do we use your information?

We use your information to provide and improve the services we operate. Isle Access uses this information as reasonably necessary and in accordance with your instructions:

• To communicate with you:
  • Through our newsletters, mailing groups, to invite you to events or speak to meetings and conferences. You can opt out of these at any time.
  • Responding to your requests. If you contact us with a problem or question, we will use your information to respond.
  • To tell you about changes in how we operate, or provide you with formal documentation as part of your involvement with Isle Access

What other information could we hold?

Isle Access may also collect and receive:

• Billing and other information: we may collect and store the billing address and financial information
• Service usage information: from time to time, we conduct surveys and interviews with individuals and organisations. We will explain any specific privacy notices as part of the activity, should it differ from this privacy policy.
• Website traffic and newsletter readings: we also store some information to enable us to see how popular pages on our website are and news items in our newsletters. This typically involves assessing aggregate level information, such as IP addresses. Analysing this information allows us to tailor our services to meet your needs.
• Device information. We may collect information about the device you are using to access our services on, including what type of device it is, what operating system you are using, device settings, application IDs, unique device identifiers, and crash data. Whether we collect some or all of this information often depends on what type of device you are using and its settings.
• How do Isle Access protect the security of your information?

Isle Access takes security seriously. We take various organisational and technical steps to protect information you provide to us from loss, misuse, and unauthorised access, alteration or disclosure.

Occasionally, we introduce changes or improvements to our systems. Any test data that may have been used in this connection are managed in a secure and confidential manner.

We will conduct due-diligence on our supply chain ensuring that all suppliers and contractors are GDPR-compliant. Isle Access will also include a contractual clause so suppliers will need to inform us of any data breach.

Use of Cookies

Isle Access uses cookies on our websites.

Cookies are small text files sent by us to your computer and from your computer or mobile device to us each time you visit our website. Cookies do not identify the individual user, just the computer used.

Cookies provide us with information and some are essential to allow parts of the website to operate. Session-based cookies last only while your browser is open and are automatically deleted when you close your browser. Persistent cookies last until you or your browser delete them or until they expire.

Isle Access uses third parties like Google Analytics for website analytics, Facebook, Twitter etc.

When can we share and disclose your information?

For the majority of the time, we do not share the information described in this privacy policy with other organisations. However, on occasions where we run a joint event with another organisation, we do share information such as your name, email address, and any special dietary or accessibility requirements for use only for that event. This is necessary in order to run the event.

You can determine your own preferences for such sharing and disclosure by contacting us at any time.

Isle Access may also share information with others as follows:

• With third party service providers and agents: We may engage third party companies or individuals, such as third party payment processors, mailing houses etc, to process information on our behalf.
• To comply with laws: To comply with legal or regulatory requirements and to respond to lawful requests, court orders and legal process.
• To enforce our rights, prevent fraud and for safety: To protect and defend the rights, property, or safety of us or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud.

How do you contact us about the data we hold on you?

If you would prefer us to:

• Stop contacting you
• Amend your information
• Delete your information
• Change your preferences (for instance if you would prefer us to only contact you about certain things or restrict what information we have about you)
• Any other change

Please tell us. You can do so by emailing info@IsleAccess.co.uk

We will make any changes requested within 1 month.

You also have the right to ask us for a copy of the information we hold about you and to have any inaccuracies in your information corrected.

10. Reporting a Concern.

If you feel we haven’t handled your data properly, please do contact us and we will do everything we can to rectify the problem.

If you feel this doesn’t go far enough, or if you want to report your concern elsewhere, you can contact the Information Commissioner’s Office (ICO): https://ico.org.uk/concerns/

Reporting a Data Breach

Isle Access encourages a culture where employees and volunteers feel comfortable in self-reporting when they have made innocent mistakes – the root cause of the vast majority of data breaches. Any breach should be reported immediately to an Isle Access Trustee.

The GDPR describes a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” This applies to data held in any form.

Isle Access will instigate an incident response plan (see appendix 1.), lead by the CEO to investigate any data breaches within 72 hours.

Breaches will be reported to the ICO unless they are “unlikely to result in a risk to the rights and freedoms of individuals.” Examples of ICO notable breaches are where it may “result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.”

Isle Access will only inform individuals concerned where there is a high risk of the above.

Changes to this Privacy Policy

We may change this policy from time to time. If we do, we will post any changes on our website. If you continue to use the services after those changes are in effect, you agree to the revised policy.

Change Record

Appendix 1

There are four key steps to consider when responding to a breach or suspected breach.

STEP 1: Contain the breach and do a preliminary assessment

Move quickly to secure your systems and fix vulnerabilities that may have caused the breach.

Take all affected equipment off line immediately

Update credentials and passwords of authorized users. (If a hacker stole credentials, your system will remain vulnerable until you change those credentials, even if you’ve removed the hacker’s tools).

If the data breach involved personal information improperly posted on Isle Access website, immediately remove it. Be aware that internet search engines store, or “cache,” information for a period of time. You can contact the search engines to ensure that they don’t archive personal information posted in error.

Other websites: Search for Isle Access exposed data to make sure that no other websites have saved a copy. If you find any, contact those sites and ask them to remove it.

Interview people who discovered the breach. Also, talk with anyone else who may know about it. Consider:

» how it happened

» what information was taken

» how the thieves have used the information (if you know)

Document the investigation.

STEP 2: Evaluate the risks associated with the breach

Document:

• When the breach was detected, by whom and what method
• Scope of the incident/affected systems
• Data that was put at-risk
• How the breach was contained and eradicated?
• Work performed or changes made to systems during recovery
• Areas where the response plan was effective and what needs improvement

STEP 3: Notification

When reporting a breach, the GDPR says you must provide:

• a description of the nature of the personal data breach.

• the categories and approximate number of individuals concerned; and the categories and approximate number of personal data records concerned.

• the name and contact details where more information can be obtained.
• a description of the likely consequences of the personal data breach (Could there be media or stakeholder attention as a result of the breach or suspected breach?)
• a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

The attached form (page 12) can be utilized to inform individuals of a data breach

STEP 4: Prevent future breaches

The CEO of Isle Access will ensure that any data breach action plans are acted upon.

If service providers were involved, Isle Access will examine what personal information they can access and decide if you need to change their access privileges. Isle Access will also, ensure service providers are taking the necessary steps to avoid another breach. If service providers say they have remedied vulnerabilities, Isle Access will verify this.

Isle Access                                                          Date:

NOTICE OF DATA BREACH

Dear [Insert Name]:
We are contacting you about a data breach that has occurred at Isle Access.

What Happened?

[Describe how the data breach happened, the date of the breach, and how the stolen information has been misused (if you know)].

What Information Was Involved?

This incident involved your [describe the type of personal information that may have been exposed due to the breach].

What We Are Doing

[Describe how you are responding to the data breach, including: what actions you’ve taken to remedy the situation; what steps you are taking to protect individuals whose information has been breached; and what services you are offering

(like credit monitoring or identity theft restoration services).]

What You Can Do

We recommend that you place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts.