Privacy Policy

Aims

The National Association for Leisure Industry Certification aims to ensure that all personal data collected about members and other individuals is collected, stored and processed in accordance with the Data Protection Act 2018 (DPA 2018), the UK General Data Protection  Regulation (UK GDPR), the Digital Economy Act 2017, the Human Rights Act 1998, PECR and all other relevant legislation.  We will act within the frameworks advised by the Information Commissioner’s Office.

This policy applies to all personal data, regardless of whether it is in paper or electronic format and irrespective of who the data subject is. The information and guidelines in this policy apply to the whole organisation.

Legislation and Guidance

This policy meets the requirements of the UK GDPR and the DPA 2018. It is based on guidance published by the Information Commissioner’s Office (ICO) and the Information and Records Management Society (IRMS).  It follows the ICO’s code of practice for subject access requests.

We are committed to providing and maintaining a data environment that is safe by ensuring our representatives are appropriately trained and by producing additional policies and arrangements as detailed in this document including:

•     Privacy Notice (Appendix A).
•     Acceptable use of IT Policies (Appendix B).
•     Data Breach Procedure (Appendix C).
•     Subject Access Procedure (Appendix D).
•     Records Management and Retention Policy.
•     A Record of Processing Activities.

This Policy sets out our obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must be followed at all times including by employees, agents, contractors, or other parties working on our behalf. All those involved in processing data are responsible for assisting us in the achievement of our aims and objectives and will play a positive role in promoting a secure data processing environment where the rights and freedoms of the individual are protected.

Roles and Responsibilities

This policy applies to all NAFLIC representatives and any external organisations or individuals working on our behalf.

Data Protection Officer

The organisation does not require a data protection officer.

NAFLIC representatives

It is the responsibility of all those representing NAFLIC to maintain the quality of the data that we process and to comply with GDPR and the DPA 2018. Anyone who collects data, enters, extracts or analyses data on our IT system should be aware of how their job contributes to this function and the need to ensure the safety and accuracy of the data that they process. Personal data processed by our representatives shall:

•     Be kept for no longer than it is required for the purpose for which it was originally collected and thereafter securely disposed of.
•     Be kept up to date and accurate as far as is reasonable.
•     Be processed only where there is a lawful purpose.
•     Not be used for purposes other than that for which it was collected (unless consent is obtained).

Any questions or concerns about the interpretation or operation of this policy should be taken up with the secretary.

The Data Controller and Data Processor

We are both a "data controller" and "data processor" under the data protection regulations. This is because we determine the purpose and the means of processing of personal data as well as carrying out the processing itself of the personal data relating to members and others.

We hold and process information about members and other individuals (data subjects) for a variety of purposes such as to enable correspondence and communications. We have a Legal Basis for processing each category of information and these are clearly articulated in our Privacy Policy and Notice (See Appendix  A).

In this policy the term “personal data” describes any information that relates to an identified or identifiable living individual. This can be as simple as a name or a phone number or could include other factors such as pictures, biometric information or voice recordings. If it is possible to identify an individual directly or indirectly from the information being processed then that information will be classed as personal data.

Legal Obligations

We meet our legal obligations as laid down by the Data Protection Act 2018 by taking steps to establish appropriate retention periods for personal data and ensuring that data subjects' rights can be appropriately exercised. In addition to:

•     Ensuring that everyone is made aware of good practice in data protection.
•     Ensuring that everyone handling personal data knows where to find further guidance.
•     Ensuring that queries about data protection, internal and external to the organisation, are dealt with effectively and promptly.
•     Implementing appropriate technical and organisational measures against unauthorised and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
•     Regularly reviewing data protection procedures and guidelines within the organisation.

Commitment to GDPR Principles and Accountability Rule

The GDPR is based on data protection principles that we must comply with. Data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. The principles say that personal data must be:

•     Processed lawfully, fairly and in a transparent manner.
•     Collected for specified, explicit and legitimate purposes.
•     Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
•     Accurate and, where necessary, kept up to date.
•     Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
•     Processed in a manner that ensures appropriate security of the personal data,

In addition to the six principals of processing (above) we have a robust plan to demonstrate our compliance with the Accountability Rule of GDPR. We achieve this by regular oversight of data protection matters and implementing appropriate policies and procedures and will conduct Data Audits and Data Protection Impact Assessments as necessary.

Data Collection

Lawfulness, Fairness and Transparency

All processing of personal data which is undertaken by data users must be in compliance with the principles above. We will process personal data under the following legal reasons:

•     Consent: the individual has given clear consent for us to process their personal data for a specific purpose.
•     Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
•     Legal obligation: the processing is necessary in order to comply with the law (not including contractual obligations).
•     Vital interests: the processing is necessary to protect someone's life.
•     Legitimate interests: we use this as our lawful basis where the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests.

Special Category Personal Data

We do not at this time process special category personal data.

Limitation, Minimisation and Accuracy

We only collect personal data for specified, explicit and legitimate reasons. We will explain these reasons to the individuals when we first collect their data. If we want to use personal data for reasons other than those given when we first obtained it, we will inform the individuals concerned before we do so and seek consent where necessary.

When we no longer require the personal data that we hold we will ensure it is deleted or anonymised. This will be done in accordance with our Data Retention Schedule and Record of Processing Activities.

 Consent

Consent will be requested on every occasion where we wish to use personal data for a reason other than that for which it was originally collected.

Responsibilities of Members

Members are responsible for ensuring that any personal data that they supply to us is accurate and kept up­ to-date. In particular changes of address, telephone number, email address or other personal details should be provided as soon as possible.

Biometric Recognition Systems

We do not use Biometric Recognition Systems.

CCTV

We do not use CCTV.

Data Sharing

We will not normally share personal data with anyone else, but may do so where:

•     There is an issue that puts the safety of our representatives at risk
•     We need to liaise with other agencies

Our suppliers or contractors need data to enable us to provide services to our members.

When doing this, we will:

•         Only appoint suppliers or contractors which can provide sufficient guarantees that they comply with data protection law
•         Establish a data sharing agreement with the supplier or contractor, either in the contract or as a standalone agreement, to ensure the fair and lawful processing of any personal data we share
•         Only share data that the supplier or contractor needs to carry out their service, and information necessary to keep them safe while working with us

    We will also share personal data with law enforcement and government bodies where we are legally required to do so, including for:

•         The prevention or detection of crime and/or fraud
•         The apprehension or prosecution of offenders
•         The assessment or collection of tax owed to HMRC
•         In connection with legal proceedings
•         Where the disclosure is required to satisfy our safeguarding obligations
•         Research and statistical purposes, as long as personal data is sufficiently anonymised or consent has been provided.

We may also share personal data with emergency services and local authorities to help them to respond to an emergency situation.

Where we transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law.

Disclosure outside the EEA     

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing personal data. A decision will be made on a case by case basis should this situation arise.

Data Security and Storage of Records

We will protect personal data and keep it safe from unauthorised or unlawful access, alteration, processing or disclosure and against accidental or unlawful loss, destruction or damage. In particular:

•     Paper-based records and portable electronic devices, laptops and hard drives that contain personal data are kept in a secure location when not in use.
•     Documents containing personal data must not be left out where there is general access.
•     Passwords (at least 8 characters long containing letters and numbers) are used to access computers, laptops and other electronic devices.
•     Where personal information is stored on an individual’s personal device the same security procedures are followed as for organisation-owned equipment (see our IT acceptable use policy).
•     Where we need to share personal data with a third party, we carry out due diligence and take reasonable steps to ensure it is stored securely and adequately protected.

 Retention of Personal Data for Research and Archive Purposes

Despite the general requirement that data should be retained for no longer than is required, GDPR permits the retention of records for research and archival purposes. We have decided that there is no need for records to be kept for archive and research purposes past their retention period as laid out in our ROPA.

Disposal of Records

Personal data that is no longer needed, has become inaccurate or is out of date will be disposed of securely, where we cannot or do not need to rectify or update it.

We will shred paper-based records and overwrite or delete electronic files. We may also use a third party to safely dispose of records on our behalf. If we do so, we will require the third party to provide sufficient guarantees that it complies with data protection law.

Data Breaches

We will make all reasonable endeavours to ensure that there are no personal data breaches. In the unlikely event of a suspected data breach, we will follow the procedure set out in Appendix C.

Data Subject Rights

GDPR gives rights to individuals in respect of personal data that an organisation holds about them.   Data subjects have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances.  Data Subject rights are:

•     The right to be informed.
•     The right of access.
•     The right to rectification.
•     The right to erasure.
•     The right to restrict processing.
•     The right to data portability.
•     The right to object.
•     Rights in relation to automated decision making and profiling.

Subject Access Requests

An individual who wishes to make a "Subject Access Request" (SAR) to obtain a copy of the personal data that we process about them may submit their request to the secretary in any format. Should we receive a SAR we will follow the procedure set out in Appendix D. We will respond to SARs within the required timescale of 30 days unless there are exceptional circumstances.

Other Data Protection Rights of the Individual

In addition to the right to make a subject access request and to receive information when we are collecting their data about how we use and process it, individuals also have the right to:

•     Ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format (in certain circumstances).
•     Ask us to rectify, erase or restrict processing of their personal data, or object to the processing of it (in certain circumstances).
•     Be notified of a data breach (where there is a risk to their rights and freedoms).
•     Challenge processing which has been justified on the basis of public interest.
•     Make a complaint to the ICO.
•     Object to decisions based solely on automated decision making or profiling (decisions taken with no human involvement, that might negatively affect them).
•     Prevent processing that is likely to cause damage or distress.
•     Prevent the use of their personal data for direct marketing.
•     Request a copy of agreements under which their personal data is transferred outside of the European Economic Area.
•     Withdraw their consent to processing at any time (where consent is the basis for processing).

New or Additional Processing

Our representatives may:

•     Develop a new computer system for processing personal data.
•     Use an existing computer system to process personal data for a new purpose.
•     Create a new manual filing system containing personal data.
•     Use an existing manual filing system containing personal data for a new purpose
•     Create new folders on the main file structure.

Data Protection by Design and Default

We will put measures in place to show that we have integrated data protection into all of our data processing activities, including:

•     Only processing personal data that is necessary for each specific purpose of processing, and always in line with the data protection principles set out in relevant data protection law.
•     Completing privacy impact assessments where the processing of personal data presents a high risk to rights and freedoms of individuals and when introducing new technologies.
•     Integrating data protection into internal documents including this policy, any related policies and privacy notices.
•     Maintaining records of our processing activities. Keeping an internal record of the type of data, data subject, how and why we are using the data, any third-party recipients, how and why we are storing the data, retention periods and how we are keeping the data secure

Monitoring arrangements

Review of the policy will be undertaken on a bi-annual basis or as required.

Appendix A – NAFLIC Privacy Policy

Privacy Statement

This privacy statement was updated on 21 April 2021 and is effective immediately. It tells you everything you need to know about how NAFLIC process, control and protect your personal data and the rights that you have in relation that data. This privacy statement is regularly updated to reflect any changes in the way we handle your personal data or any changes to applicable laws.  

PROTECTING YOUR PERSONAL DATA

NAFLIC is a membership organisation.

We attach great importance to your right to privacy and the protection of your personal data. We want our members to feel secure that when you deal us your personal data is in good hands. We protect your personal data in accordance with the applicable laws and our data privacy policies. We have appropriate technical and organisational measures in place to protect your personal data against unauthorised or unlawful processing and/or against accidental loss, alteration, disclosure or access, or accidental or unlawful destruction of or damage.

DATA CONTROLLER

The Data Controller for all personal data collected by us is NAFLIC. We are responsible for deciding what data we collect and how we hold and use your personal data.

DATA COLLECTION

We collect personal data on our members so that we can interact with them.

What information do we hold and how do we collect it?

 

What information we hold	What we use it for	Our lawful basis for holding this information	When we delete it
Your Name, address (if given), telephone numbers, email address	So that we can contact you regarding a contract we have with you	It is Necessary for a Contract we have with you	It is kept for our own records while we have a contract with you unless you request that we remove it from our database. Historical data is deleted after 6 years
Your contact details for marketing communications	To send you details of offers and events	Consent	We ask for explicit consent for marketing and you have the option to unsubscribe at any time
Information you have made public access such as social media, online directories and internet searches	To interact with you on line	Public information	Social media interactions on our company social media profiles will remain there until you request that we remove it.  Historical data is deleted after 6 years
Computer IP address and Cookie ID	When you contact us via our website Our website contains a banner explaining what cookies are placed on your device	It is Necessary for a Contract we have with you	Website data and history are kept for our own records for 6 years or until you advise us that we should remove it from our database
Bank account details	To receive payments	It is Necessary for a Contract we have with you	Transaction information is kept for 7 years

Who do we share your personal information with?

We do not routinely share your information except in the following circumstances:

•     Details of financial transactions are shared with our accountant and our payment services provider.
•     Your computer details e.g. IP address are shared with our website provider.
•     We may share information with law enforcement or security agencies if it is requested.
•     We may need to share information with legal entities should we need to enforce our legal rights or defend legal proceedings or in order to protect your vital interests or the vital interests of another natural person.

What happens if you do not wish to share your personal data with us?

•     We are unable to enter into a contract with you unless we have this information about you.   
•     If you provide us with personal data of another person (for instance, a potential member/referral), you are responsible for informing that person that you have provided us their information. We will let them know where we obtained the information on the first occasion that we contact them.

Transferring your data outside of the United Kingdom

We do not share your personal information outside the United Kingdom.

Sensitive data

We do not process sensitive data (medical and disability information).

DATA SECURITY

We are committed to data security and have appropriate organisational, physical and technical security measures in place.

We only process your personal data in accordance with the applicable data privacy laws (including the General Data Protection Regulation).

DATA RETENTION

We will retain your personal data only for as long as is necessary (as listed in the table on page 1 of this policy). Thereafter personal data is deleted or destroyed in accordance with industry best practice.

•     Members’ data will be retained for a minimum period of 12 months following the date of joining and for a maximum period of 12 months following their resignation.

YOUR RIGHTS AND YOUR PERSONAL DATA

You have the following rights with respect to your personal data:

•     The right to request access to and a copy of your personal data.
•     The right to ask us to correct any personal data if it is found to be inaccurate.
•     The right to withdraw consent at any time.
•     The right to data portability.
•     The right to erasure where:

1.         the personal data is no longer required for the purpose it was collected for.
2.         you withdraw consent (where processing is based on consent).
3.         you object to the processing (certain rules apply).
4.         the processing is for direct marketing purposes (we provide the option to unsubscribe in all our direct marketing communications).  If you make an objection, we will cease to process your personal data for this purpose.
5.         the personal data has been unlawfully processed.

•     The right, where there is a dispute about the accuracy or processing of your personal data, to request a restriction is placed on further processing.
•     The right to complain to a supervisory authority.

​In all cases you must provide us with evidence of your identity before we will respond to a subject access request and we would prefer if your request could be sent to us in writing with a signed for delivery service. We may contact you to confirm the details of your request it in order ensure that we provide the detail that you require.

HOW WE USE COOKIES

Our website does not drop cookies.

CONTACT US

Please contact us if you have any questions about how we protect your personal data or if you wish to exercise your rights in relation to your personal data or if you wish to make a complaint. In such circumstances please direct your enquiry to the secretary, Andrew Mellor, via email – andrewfmellor@aol.com

If you wish to make a complaint about our use of your data you have the right to contact the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF (Tel: 0303 123 1113 or https://ico.org.uk).

Appendix B - IT Acceptable Use Policy

All representatives must read and comply with our Data Protection Policy and Privacy Notice. All those working with our IT equipment must ensure that they have read, and agree to abide by, the points below. Our systems and equipment are provided for professional use and the guidelines below apply to all use on premises, elsewhere via e-mail or ‘Remote Access’ and when using material stored on external devices such as USB memory sticks/hard drives. In complying, representatives agree to the following:

Data Protection and Privacy

•     To understand that NAFLIC officials may access all files in extreme circumstances (for example as part of a Subject Access Request Response). No files can be considered private.
•     Not to give anyone access to your login name or password.
•     To use a password that conforms to the recommended advice and format (typically “threerandomwords”).
•     To password protect USBs, or the files within them, which contain personal information.
•     To keep all personal data safe when away from site.
•     Not to have personal data on display in a public area.
•     To treat any client IT systems in accordance with both our organisation and the client company policies and procedures.
•     That no PC or laptop will be left unattended whilst logged on without being locked.
•     To close browsers and log out when your session has finished.
•     Not to reproduce copyright materials without first getting permission from the owner.
•     Not to release personal details of others including phone numbers, fax numbers or personal e-mail addresses unless you have the express permission of that person.
•     Not to use another person’s login details or open their files without express permission.
•     Not to corrupt, interfere with or destroy any other user’s information.
•     To check before publishing another’s work; make sure that you have permission.
•     To remove all out of date personal data from systems.  

Appendix C - Data Breach Procedure

This procedure is based on guidance on personal data breaches produced by the ICO.

On finding or causing a breach, or potential breach, the representative or data processor must immediately:

•     Investigate the report and determine whether a breach has occurred, considering whether personal data has been accidentally or unlawfully: lost, stolen, destroyed, altered, disclosed or made available where it should not have been made available to unauthorised people.
•     Enter the details of the breach into the “Breach Log” and review what happened and how it can be stopped from happening again. This will take place as soon as reasonably possible after any breach.
•     Make all reasonable efforts to contain and minimise the impact of the breach.
•     Assess the potential consequences, based on seriousness and likelihood.
•     Determine whether the breach must be reported to the ICO, judged on a case-by-case basis. The decision will consider whether the breach is likely to negatively affect people’s rights and freedoms and cause them any physical, material or non-material damage. If it’s likely that there will be a risk to people’s rights and freedoms, the DPO must notify the ICO.
•     Ensure all decisions are noted in the Breach Log in case the ICO or an individual affected by the breach has questions.
•     Decide if the ICO must be notified, and do this via the ‘report a breach’ page of the ICO website within 72 hours setting out:

1.         A description of the nature of the personal data breach.
2.         The name and contact details of the DPO.
3.         A description of the likely consequences of the personal data breach.
4.         A description of the measures that have been, or will be taken, to deal with the breach and mitigate any possible adverse effects on the individual(s) concerned.
5.         Where all details are not yet known, the ORGANISATION will report as much as they can within 72 hours, explaining the reason for the delay and confirming when the organisation expects to have further information. The organisation will submit the remaining information as soon as possible.

•     Assess the risk to individuals, based on the severity and likelihood of potential or actual impact.

1.         If the risk is high, the organisation will promptly inform all individuals whose personal data has been breached giving a description of the likely consequences of the personal data breach.
2.         Description of the measures that have been, or will be, taken to deal with the data breach and mitigate any possible adverse effects on the individual(s) concerned.
3.         If the there is no risk to the rights and freedoms of individuals the organisation will annotate the breach log accordingly and consult with the Directors whether it is appropriate to advise the data subjects.

•     The organisation will notify any relevant third parties who can help mitigate the loss to individuals – for example, the police, insurers, banks or credit card companies.
•     The organisation will document each breach, irrespective of whether it is reported to the ICO:

1.         Facts and cause.
2.         Effects.
3.         Action taken to contain it and ensure it does not happen again (such as establishing more robust processes or providing further training for individuals).

Details of all breaches will be appropriately recorded and maintained.

Actions to minimise the impact of data breaches

We will take the actions set out below to mitigate the impact of different types of data breach, focusing especially on breaches involving particularly risky or sensitive information. We will review the effectiveness of these actions and amend them as necessary after any data breach.

Sensitive information being disclosed via email

• If personal data is accidentally made available via email to unauthorised individuals, the sender must attempt to recall the email as soon as they become aware of the error.

•     NAFLIC representatives who receive personal data sent in error must alert the sender and the organisation as soon as they become aware of the error.

•     In any cases where the recall is unsuccessful, the organisation will contact the relevant unauthorised individuals who received the email, explain that the information was sent in error, and request that they delete the information and do not share, publish, save or replicate it in any way.

•     The organisation will ensure that we receive a written response from all the individuals who received the data, confirming that they have complied with this request.

•     Where appropriate the organisation will carry out an internet search to check that the information has not been made public.  If it has, we will contact the publisher/website owner or administrator to request that the information is removed from their website and deleted.

Other types of breach that could occur:

•     Documentation sent in error to another individual.
•     A self-access form reveals another user’s data.
•     A laptop containing non-encrypted sensitive personal data being stolen or hacked.

Appendix D – Subject Access Request

Individuals have a right to make a ‘subject access request’ to gain access to personal information that we hold about them.

The rights of individuals include:

•     Confirmation that their personal data is being processed.
•     Access to a copy of the data.
•     The purposes of the data processing.
•     The categories of personal data concerned.
•     Who the data has been, or will be, shared with.
•     How long the data will be stored for, or if this isn’t possible, the criteria used to determine this period.
•     The source of the data, if not the individual.
•     Whether any automated decision-making is being applied to their data, and what the significance and consequences of this might be for the individual.

Although we recognise that subject access requests may be made in any way, we request that subject access requests are submitted in writing, either by letter, email or fax to the secretary. In order to respond to a request in a timely manner requests should include:

•     Name of individual.
•     Correspondence address.
•     Contact number and email address.
•     Details of the information requested.

Any NAFLIC representative who receives a subject access request must immediately forward it to the organisation so that the information can be entered in the “Subject Access Request Log.” If the request is made verbally then the representative to whom the request is made should take sufficient notes to answer the request.

Children and subject access requests

We do not process personal data about children.

Requests for large amounts of personal data

If we need more information before responding to a request then we will let the individual know as soon as possible. The timescale for responding to the request begins when you receive the additional information.  If an individual refuses to provide any additional information, we will still endeavour to comply with their original request.

Requests made on behalf of others

When a SAR is made via a third party such as a solicitor we will need to be satisfied that the third party making the request is entitled to act on behalf of the individual. The third party should provide us with evidence of this entitlement (either written authority or a more general power of attorney).

Processors and Subject Access Requests

As Data Controller we are responsible for complying with a SAR. We will therefore ensure that we have contractual arrangements in place to guarantee that SARs are dealt with properly, irrespective of who they are sent to.

Responding to Subject Access Requests

Prior to responding to requests, we:

•     May ask the individual to provide 2 forms of identification (or identify themselves from information we hold about them).
•     May contact the individual via phone to confirm the details of the request.

We will:

•     Provide the information free of charge.
•     Respond without delay and within 1 month of receipt of the request.
•     We may tell the individual we will comply within 3 months of receipt of the request, where a request is complex or numerous. We will inform the individual of this within 1 month, and explain why the extension is necessary.

We will not disclose information if it:

•     Is given to a court in proceedings.
•     Might cause serious harm to the physical or mental health of another individual.

Subject Access Responses

The information provided in any response will be concise, transparent, intelligible and in an easily accessible form, using clear and plain language. Any internal codes used in the source document will be explained. We are not required to decipher poorly written notes or to ensure that that the information is provided in a form that can be understood by the individual making the request.

If data is regularly updated or altered it will be supplied as at the time of sending out a response, even if this is different to information which was held when the request was received. We recognise that it is an offence to make an amendment simply to prevent disclosure.

If possible or appropriate we will consider providing Data Subjects with remote access to a secure self-service system so that they can see all the personal information that is held on them (as long as this does not adversely affect the rights and freedoms of others).

Our SAR response will include:

•     Confirmation that we are processing the subject’s personal data.
•     A copy of all personal data as requested.
•     Any other supplementary information about data processing activities (as set out in our privacy notice) which includes:

1.         Our purpose for processing.
2.         The categories of data we process.
3.         Who we share/disclose the data with.
4.         How long we store the data or, how we determine how long to store it.
5.         Confirmation of their right of rectification, erasure or to restrict processing relevant to the situation (depending on your legal basis for processing).
6.         Confirmation that they have a right to complain to the supervisory authority.
7.         Information about the data source (if it is not themselves).
8.         Information if automated decision-making takes place (including profiling).
9.         Details of the safeguards we provide if we transfer personal data to a third country or international organisation.

What is NOT included in our SAR Response

An individual is not entitled to receive any information that relates to another person in a SAR response (unless they are acting on behalf of someone e.g. a Lawyer or Parent). Therefore we will remove or redact any data which relates to other individuals. It is up to us to decide if the information requested falls within the definition of personal data or not.

Recording SAR Requests

The organisation will record the details of any SAR we receive in the SAR Log. Each request will be date stamped if necessary and saved in a specific folder for future reference.

Exemptions

In addition to the manifestly unfounded or excessive exemption there are several statutory exemptions contained in the DPA18. The majority of these exemptions relate to the detection and prevention of crime, national security and public functions such as immigration control.

Exemptions which relate to a commercial context include if the information:

•     is subject to legal or litigation privilege.
•     is purely personal or for household use.
•     is a reference for employment, training or educational purposes.
•     is processed for management forecasting or planning in a business activity which could be prejudiced if it were to be disclosed.
•     consists of records of intentions and relate to negotiations between the employer and employee and compliance with the request would prejudice the negotiations.
•     contains a third party’s personal data.
•     is of the type which would be likely to prejudice crime prevention/detection or the prosecution of offenders if disclosed.

Information about a third party may only be disclosed where that person has consented to the disclosure or where it is reasonable to disclose the information without their consent. Therefore, we will balance the rights of all the individuals involved taking into account:

•     the type of information.
•     any duty of confidentiality owed to the other individual.
•     any steps we have taken to seek consent from the other individual.
•     whether the other individual is capable of giving consent.
•     any express refusal of consent by the other individual.

In a 'tie-breaker' situation, the presumption will fall in favour of non-disclosure.

Refusing a SAR

In accordance with the regulations we reserve the right to reject repeated or vexatious requests where a reasonable period has not elapsed between requests and may charge for large volumes of documents.  A request will be deemed to be unfounded or excessive if it is repetitive, or asks for further copies of the same information.  When we refuse a request, we will tell the individual why, and tell them they have the right to complain to the ICO.

 Appendix E - Key Terms

Term	Definition
Personal data	Any information relating to an identified, or identifiable, individual. At our this includes the following: Name, Student Number, Tax Information, Address, Photograph, On Line Identifier, Sexual Orientation, Location Data, Character Traits, Biographical Information, Current Living Situation, Email address, phone number, Location, Financial information, Educational Information, Private and Subjective Data, Sickness, Date of Birth, Appearance and Behaviour
Special categories of personal data	Personal data which is more sensitive needs more protection. At our we process the following special categories of data: Racial/Ethnic Origin, Religious/Philosophical Views, Health, Genetic/Biometric Data, Criminal Record
Processing	Anything done to personal data, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, disseminating, erasing or destroying. Processing can be automated or manual.
Data subject	The identified or identifiable living individual whose personal data is held or processed.
Data controller	A person or organisation that determines the purposes and the means of processing of personal data (our).
Data processor	A person or other body, other than a representative of the data controller, who processes personal data on behalf of the data controller.
Data breach	A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

A-Z of Data Protection Terms

Term	Definition
Antivirus	Software to detect, stop and remove viruses/ malicious software from a system
Archive	A collection of information/records with a specific focus or  theme (e.g. letters, documents, minutes, registers, maps, photographs, digital files, sound recordings)
Attacker	Someone who exploits computer systems in a malicious way
Biometric Data	Personal data relating to physical, physiological or behavioural characteristics from which a person can be identified (e.g. fingerprints, images)
Botnet	A network of infected devices which are connected to the internet to commit coordinated cyber-attacks without their owner's knowledge
Brute Force Attack	When computer power is used to automatically send a vast number of requests or input a series of numbers in order to discover passwords and gain access to a system
Click Farm	Where a large group of low paid workers are employed to click on advertising links in order to generate better results for the organisation being reviewed
Consent	Any freely given, specific, informed and unambiguous indication that the data subject agrees to an action (may be a statement or by clear affirmative action)
Cross Border Processing	Where personal data is processed by organisations in more than one Member State
Cyber Attack	A malicious attempt to damage/disrupt/gain unauthorised access to computer systems/networks/devices by cyber means
Cyber Incident	A breach of cyber security rules
Data Minimisation	Where an organisation collects and keeps only the personal data it requires in order to achieve an intended purpose
Data Protection Authority	A national authority responsible for data privacy (the UK ICO)
Data Protection By Design And Default	A principle whereby data subject's rights are taken into account at the design and development stage
Data Protection Impact Assessment	A tool used to identify and minimise data protection risks in new projects
Data Protection Officer	An individual who is appointed to ensure an organisation implements and complies with the policies and procedures set out in the GDPR
Data Transfer	The movement of personal data between organisations and people
Denial Of Service	When legitimate users are denied access to computer services or resources
Digital Footprint	The 'footprint' of digital information that a user's online activity leaves behind
Download Attack	The unintentional installation of malicious software or virus onto a device without the user’s knowledge or consent
Encrypted Data	Personal data which has been translated into another form or code so that only people with specific access can read it
Enterprise	A natural or legal person engaged in an economic activity, irrespective of its legal form (includes partnerships or associations)
EU-US Privacy Shield	A set of GDPR standards that allow for the legal transfer of personal data between the EU and US for commercial reasons
Fairness Principle	The principle that requires personal data to only be used in a way that is fair and not detrimental, unexpected or misleading to the individuals concerned
Filing System	Any structured set of personal data, accessible according to specific criteria (may be centralised, decentralised or dispersed )
Firewall	Hardware or software which uses a defined rule set to constrain network traffic and prevent unauthorised access to/from a network
Group Of Undertakings	A controller and the group of undertakings or institutions affiliated to it
Hacker	Someone who uses their computer skills to break into computers, systems and networks
Health Data	Personal data that relates to an individual’s physical or mental health (including the provision of health care services)
Honeypot	A decoy system to attract potential attackers that helps limit access to actual systems
Information Society Service	Any service normally provided for remuneration, at a distance, by electronic means and at the request of a recipient (e.g. social media)
Integrity & Confidentiality Principle	A key requirement of GDPR for personal data to be processed using appropriate technical, organisational and security measures
International Data Transfer	The movement of personal data to countries outside the EU/EEA or to international organizations (this includes viewing data hosted in another location)
International Organisation	An organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries
Internet Of  Things (Iot)	Everyday objects such as televisions (not computers and devices) that connect to the Internet
Keylogger	Software that tracks keyboard inputs – used to monitor the user
Legal Person	A human being, firm, or government agency that is recognized as having privileges and obligations
Legitimate Interests	Where an organisation believes there is justification to process personal data because it will either benefit society as a whole or a particular company
Main Establishment Of The Controller	The place, in the EU, where a data controller has their central administration or decision-making function
Main Establishment Of The Processor	The place where a processing organisation's central administration or main processing activities take place
Malvertising	Using online advertising to deliver malware
Malware	Malicious software (viruses, trojans, worms or any code) that could have an adverse impact on organisations or individuals
Man-In-The-Middle Attack	Computer eavesdropping whereby an attacker secretly relays computer communications through themselves thus compromising the integrity or confidentiality of messages
Natural Person	A living and breathing individual human being
Patching	Updates for firmware or software to improve security and/or enhance functionality
Pentest	An authorised test of a computer network or system designed to look for security weaknesses so that they can be fixed
Personal Data	Any information relating to an identified or identifiable natural person who can be identified, directly or indirectly by some element of that data (e.g. name, identification number, location)
Pharming	An attack on a network that results in a user being redirected to an illegitimate website even though they entered the correct address
Phishing	Untargeted, mass emails asking for sensitive information (such as bank details) or directing them to a fake website or malicious link
Pii - Personally Identifiable Information	Information that can be used to identify, contact, or locate a single person, or to identify an individual either on its own or when combined with other information
Privacy Impact Assessment	A tool used to identify the privacy risk
Privacy Notice	A document setting out (at the time of data collection) what data will be collected, the organisation’s purpose and legal basis for processing the data, the subject’s rights, how long the data is retained, who it will be shared with and how it will be disposed of
Profiling	Any form of automated processing which uses that data to evaluate certain personal aspects.  In particular where it is used to analyse or predict aspects of that person's performance or movements
Pseudonymisation	The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information (e.g. a key)
Purpose Limitation	The principle that information may only be used for the specified, explicit and legitimate purpose for which it was collected and not for any other purpose
Pwned	A notification that an account’s defences have been compromised
Ransomware	Malicious software that makes data or systems unusable until the victim makes a payment
Recipient	A natural or legal person, public authority, agency or another body, to whom personal data is disclosed
Relevant And Reasoned   Objection	An objection to a draft decision by a supervisory authority or opinion that an envisaged action by a controller or processor does not comply with this Regulation
Representative	A person within the EU who is chosen or appointed to act or speak for a controller or processor who is based outside the EU
Sanitisation	Electronic or physical destruction methods to securely erase or remove data from memory
Smishing	Phishing via SMS text
Software As A Service (Saas)	A business model where consumers access centrally-hosted software applications over the internet
Spear-Phishing	A targeted form of phishing, where the email is designed to look like it comes from a person the recipient knows and/or trusts
Spoofing	Faking (or imitating) a sending address to get access to a system
Subject Access	The right of the subject to obtain or request certain information relating to their personal data from a data controller
Third Party	An organisation or person (other than the data subject, controller, processor) who has been authorised to process personal data by the Data Controller/Processor
Trojan	A malware or virus disguised as legitimate software and used to hack into the victim's computer
Two-Factor Authentication	The use of two different components to verify a user's identity
Water-Holing	A fake website (or a compromised real one) which exploits visiting users
Whaling	Highly targeted phishing attack (masquerading as a legitimate emails) aimed at or purporting to come from senior executives
Whitelisting	A list of approved applications or addressees in an organisation which protects systems from potentially harmful applications