Isle Access regards the lawful and correct treatment of personal information as very important and is fully committed to the principles of data protection, as set out in the General Data Protection Regulation.
The European General Data Protection Regulation (GDPR) applies from 25 May 2018. As an EU regulation, it takes effect directly in every member state without needing to be implemented in national law.
Designed to help safeguard data protection rights for individuals, the GDPR introduces a single set of rules across the EU when it comes to how organisations handle data relating to identifiable individuals.
Isle Access does not currently have a designated Data Protection Officer, as it processes personal data only on a small scale. If this changes, an independent Data Protection Officer will be appointed.
We process personal data in connection with our charitable activities, local surveys and to help our volunteers and staff to collaborate and share learning.
Under the GDPR, consent must be clear, specific and explicit, so we avoid relying on consent unless absolutely necessary. Instead, we rely on ‘legitimate interests’ as our lawful basis for processing your data. This means the interests of our organisation in conducting and managing its activities so that we can give you the best service. For example, we have an interest in making sure you receive only the emails that matter to you, so we may process your information to send you only the information you are interested in or need. You can tell us if you wish to be contacted differently, or not contacted at all – see number 9 in this document for information on how to do this.
You may be asked for personal data if you want to take advantage of specific services we offer, such as receiving volunteer briefings and blog updates, joining email lists and networks or taking part in workshops, customer advisory groups, projects, conferences and seminars etc.
We will use the personal information you provide to administer our relationship with you, to deliver the services you have told us you wish to use, and to send you information you have requested. We may also offer you the opportunity to receive additional information about our activities or those of our volunteers, supporters, service providers and partners. You may opt out of this at any time by emailing info@IsleAccess.co.uk
Information that you supply will be treated in confidence and in accordance with the principles of the GDPR.
The types of personal data we hold on you might include:
This information is kept as accurate as possible – all of our staff take responsibility for keeping this database up to date and are aware of their data protection responsibilities.
We use your personal data only for the intended purpose (e.g. we won’t sign you up to every mailing list we run unless you ask us to). We collect only the minimum personal data necessary, keep it accurate, and retain it only for as long as necessary, after which it is deleted from our database.
We will amend your record when you tell us that your details have changed. If you leave an organisation and would like us to delete your record, we’ll do so straight away if you tell us. Otherwise we’ll keep it on file for 3 years, after which, if we still haven’t heard from you in another capacity, we’ll delete it.
We use your information to provide and improve the services we operate. Isle Access uses this information as reasonably necessary and in accordance with your instructions:
Isle Access may also collect and receive:
Isle Access takes security seriously. We take various organisational and technical steps to protect information you provide to us from loss, misuse, and unauthorised access, alteration or disclosure.
Occasionally, we introduce changes or improvements to our systems. Any test data used in this connection is managed securely and in confidence.
We conduct due diligence on our supply chain to ensure that all suppliers and contractors are GDPR-compliant. Isle Access also includes a contractual clause requiring suppliers to inform us of any data breach.
Cookies are small text files that our website sets on your computer or mobile device and that your browser sends back to us on each subsequent visit. Cookies identify the browser or device used, not the individual user.
Some cookies are essential for parts of the website to operate; others provide us with information about how the site is used. Session cookies last only while your browser is open and are deleted automatically when you close it. Persistent cookies remain until they expire or until you (or your browser) delete them.
Isle Access also uses third-party services such as Google Analytics for website analytics, and social media platforms such as Facebook and Twitter, which may set their own cookies.
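The distinction above between session and persistent cookies is determined by the attributes of the `Set-Cookie` header the website sends. The following added example (illustration only, not Isle Access code) parses a few constructed `Set-Cookie` headers, classifies each as session or persistent, works out when a persistent cookie expires, and records whether the `Secure` and `HttpOnly` protections are set. The header values and the fixed reference time are assumptions made for the example.

```python
"""Classify Set-Cookie headers as session or persistent cookies.

Added illustration, not Isle Access's own code. The sample headers and
the fixed reference time below are constructed for this example.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers, in the form a web server would send them.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly; Secure",
    "_ga=GA1.2.1234.5678; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/",
    "prefs=dark; Max-Age=2592000; Path=/; SameSite=Lax",
]

# Fixed "now" so that Max-Age arithmetic is reproducible (an assumption).
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def classify_cookie(header, now=None):
    """Describe a cookie's lifetime and protective flags.

    A cookie with neither Max-Age nor Expires is a session cookie and is
    discarded when the browser closes. When both are present, Max-Age
    takes precedence (RFC 6265, section 5.3).
    """
    now = now or datetime.now(timezone.utc)
    name, _value, attrs = parse_set_cookie(header)
    if "max-age" in attrs:
        kind, expires = "persistent", now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        kind, expires = "persistent", parsedate_to_datetime(attrs["expires"])
    else:
        kind, expires = "session", None
    return {
        "name": name,
        "kind": kind,
        "expires": expires,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }


def audit(headers, now=None):
    """Classify every header in the list; used to review a site's cookies."""
    return [classify_cookie(h, now) for h in headers]


if __name__ == "__main__":
    for cookie in audit(SAMPLE_HEADERS, FIXED_NOW):
        print(cookie)
```

Running the block prints one line per cookie: the first is a session cookie with both `Secure` and `HttpOnly` set, the second is persistent until the `Expires` date, and the third is persistent for 30 days from the reference time.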
You can determine your own preferences for such sharing and disclosure by contacting us at any time.
If you would prefer us to:
Please tell us by emailing info@IsleAccess.co.uk
We will make any changes requested within 1 month.
You also have the right to ask us for a copy of the information we hold about you and to have any inaccuracies in your information corrected.
If you feel we haven’t handled your data properly, please do contact us and we will do everything we can to rectify the problem.
If you feel this doesn’t go far enough, or if you want to report your concern elsewhere, you can contact the Information Commissioner’s Office (ICO): https://ico.org.uk/concerns/
Isle Access encourages a culture in which employees and volunteers feel comfortable self-reporting innocent mistakes – the root cause of the vast majority of data breaches. Any breach or suspected breach should be reported immediately to an Isle Access Trustee.
The GDPR describes a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” This applies to data held in any form.
Isle Access will instigate its incident response plan (see appendix 1), led by the CEO, to investigate any data breach. Where a breach must be reported to the ICO, this will be done without undue delay and within 72 hours of Isle Access becoming aware of it.
Breaches will be reported to the ICO unless they are “unlikely to result in a risk to the rights and freedoms of individuals.” Examples of breaches that must be reported are those that may “result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.”
Isle Access will inform the individuals concerned where the breach is likely to result in a high risk of the above to their rights and freedoms.
We may change this policy from time to time. If we do, we will post any changes on our website. If you continue to use the services after those changes are in effect, you agree to the revised policy.
Date of Change:
Policy approved by the Trustees
There are four key steps to consider when responding to a breach or suspected breach.
STEP 1: Contain the breach and do a preliminary assessment
Move quickly to secure your systems and fix vulnerabilities that may have caused the breach.
Isolate all affected equipment from the network immediately. Where possible, leave it powered on until evidence has been preserved, so that the investigation is not hampered.
Change the credentials and passwords of authorised users. If an attacker stole credentials, the system remains vulnerable until those credentials are changed, even after the attacker’s tools have been removed.
If the breach involved personal information improperly posted on the Isle Access website, remove it immediately. Be aware that internet search engines store, or “cache,” pages for a period of time; contact the search engines to ask them to remove cached copies of personal information posted in error.
Other websites: search for the exposed Isle Access data to check that no other websites have saved a copy. If you find any, contact those sites and ask them to remove it.
Interview people who discovered the breach. Also, talk with anyone else who may know about it. Consider:
» how it happened
» what information was taken
» how the information has been used (if known)
Document the investigation.
STEP 2: Evaluate the risks associated with the breach
STEP 3: Notification
When reporting a breach, the GDPR says you must provide:
The attached form (page 12) can be used to inform individuals of a data breach.
STEP 4: Prevent future breaches
The CEO of Isle Access will ensure that any data breach action plans are acted upon.
If service providers were involved, Isle Access will examine what personal information they can access and decide whether their access privileges need to change. Isle Access will also ensure that service providers are taking the necessary steps to avoid another breach. If service providers say they have remedied vulnerabilities, Isle Access will verify this.
Isle Access Date:
NOTICE OF DATA BREACH
Dear [Insert Name]:
We are contacting you about a data breach that has occurred at Isle Access.
[Describe how the data breach happened, the date of the breach, and how the exposed information has been misused (if known).]
What Information Was Involved?
This incident involved your [describe the type of personal information that may have been exposed due to the breach].
What We Are Doing
[Describe how you are responding to the data breach, including: what actions you have taken to remedy the situation; what steps you are taking to protect individuals whose information has been breached; and what services you are offering (such as credit monitoring or identity theft restoration services).]
What You Can Do
We recommend that you place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts.