Data Protection Policy - hris-tr.irworldwide.eu
Version management
Title: Data Protection Policy
Category: Information
URN: IRW/INF/002
Policy Type: Operational Policy
Version Control: V1.02
Date of Creation: 07 July 2020
Last Modified: 07 July 2020
Review Date: February 2021
Approving Body: Board of Directors
Date of Approval: August 2020
Document author(s): Data Protection Leads
Key contributors including: Global Data Protection Steering Group; Policy Review Committee; Information Governance (IG) Officers; Deputy Director Global Programmes Operations; Heads of Region
Department: Governance
Policy Owner: Head of Governance
For public access or staff access: Public
Contents
Version management
Definitions
Introduction
Goals and Objectives
Processes
Implementation and Assurance Plan
Appendices
Definitions
Anonymisation: The process of removing enough information from an information asset (e.g. document, spreadsheet, list, etc.) to make it impossible or more difficult to identify an individual. For example, removing all personal data so an individual can no longer be identified (full anonymisation), or replacing directly identifiable personal data such as a name or address with another identifier such as a number (partial anonymisation).
Data Owner: The head of the department that is in control of the processing of personal data.
Data Processor: An external party (individual or organisation) that processes personal data on behalf of IRW. For example, a cloud storage provider, enumerator, implementation partner, etc.
Data Subject: The individual whose personal data is being processed. A data subject may be a programme participant, donor, supporter, customer, employee, volunteer, intern, partner, etc.
Data Subject Request: A written or verbal request from a data subject (or their parent, guardian or legal representative acting on their behalf) that relates to their personal data that IRW holds. For example, a request to access a copy of their personal data, an objection to the processing of their personal data, a request for their personal data to be erased, etc.
A data subject request may be received by any IRW employee, at any time, and in any format that clearly brings the request to the attention of IRW, including by email, letter, post, IRW social media, verbally over the phone or in person, or through another IRW process such as a complaint.
Direct Marketing: An electronic communication sent directly to an individual that promotes the services, aims or ideals of IRW. For example, a text message sent to a donor encouraging them to make a donation, an email sent to a supporter encouraging them to attend a public rally, a phone call to a customer promoting conference facilities for hire, etc.
Informed Consent: The process by which an individual freely and voluntarily agrees to share their personal data with IRW based on them receiving a clear understanding of who we are, what we plan to do with their personal data, and their rights over their personal data.
Personal Data: Information that relates to a living individual who can be identified. Examples of personal data include an individual's name, contact details, image (photograph or video), religious belief, health status, identification number, or a unique physical characteristic used for identification purposes such as a thumbprint.
Personal Data Breach: An incident, whether intentional or not, that might lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data outside the control of IRW. For example, a physical file or electronic device containing personal data being lost or stolen, a document containing personal data being shared with an incorrect external party, or a cyber-security incident (such as clicking on a suspicious link) that might result in unauthorised access to a system containing personal data.
Privacy Statement ('Data Transparency'): Information made available to a data subject to inform them why IRW is processing their personal data, how it is being processed, and who they can contact to make a data subject request. Privacy statements give data subjects the knowledge to make decisions and raise concerns about the use of their personal data.
Processing: Any action performed on personal data, including when personal data is collected, stored, recorded, accessed, used, shared, disposed of, etc.
Sensitive Personal Data: Special categories of personal data that require additional safeguarding because of their potential to put individuals at risk. Personal data may be sensitive because of its content or the context in which it is being processed.
Content. Any personal data that can reveal information about an individual's racial or ethnic origin, political opinions, religious beliefs, health status (including disability), sexual activity/orientation; or any genetic or biometric data being processed by electronic means for identification purposes, such as facial recognition technology.
Context. Any situation where the protection of an individual's identity is essential for their safety. For example, processing personal data in sensitive contexts such as conflict zones and fragile states, or when working with survivors of violence or abuse, children, or adults with multiple or complex disabilities.
Introduction
Policy Statement
IRW relies on the processing of personal data to deliver and develop its services in an impartial, inclusive and efficient manner. This policy provides principles and processes to ensure that IRW is processing personal data according to 3 key principles and organisational values.
Do No Harm. IRW will process personal data in a manner that does not put data subjects at unnecessary risk. For example, the disclosure of personal data to the wrong people might result in data subjects being persecuted, stigmatised, socially excluded, harassed, physically harmed, or subject to identity theft or fraud. IRW believes that the protection and well-being of every life is of paramount importance. (Compassion – Rahma).
Human Rights. IRW will safeguard the rights that individuals have over their personal data, including the right to privacy as set out under Article 8 of the Universal Declaration of Human Rights, and the right to be informed about what is being done with their personal data so they can make informed decisions and raise concerns about its use. IRW accepts its duty to safeguard the trust that people place in us, and to be transparent and accountable. (Custodianship – Amana).
Compliance. IRW is committed to compliance with any applicable law or regulation that governs data protection and privacy, including the EU General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR), and recognises that failure to do so could cause damage and distress to data subjects, and will ultimately damage the reputational and financial standing of IRW. IRW is committed to excellence in our operations. (Excellence – Ihsan).
Scope
This policy applies to all personal data processed by IRW and by data processors on behalf of IRW, regardless of the format of the personal data and the location of its processing. For the purpose of this policy the term 'IRW' is used to cover the organisational scope of this policy, which includes personal data processed by all IR country/field offices and IR affiliates in the UK including IRW, IRUK, HAD, TIC and WAQF.
This policy does not remove the responsibility of IRW offices that process personal data in or across different jurisdictions to identify and comply with all applicable national laws, regulations, or sector-specific regulations (such as banking) that govern data protection or privacy. This policy should therefore be seen as a minimum IRW standard.
This policy is made available to all IR partner offices as a statement of good business practice to follow and is recommended for adoption as a template. IR partner offices are asked to note the expectations of IRW when sharing personal data with external parties (section 11) and to support a family-wide approach to protecting personal data consistent with our shared values.
Responsibilities
Head of Governance (Policy Sponsor): Responsible for advising and updating the Board of Directors/Trustees on data protection and privacy requirements, progress, risks and issues as appropriate, and for approving the scope of any deviation from this policy.
Head of Department (Data Owners): Responsible for ensuring that personal data under their departmental control is processed in accordance with the data protection principles and processes set out in this policy, including implementing data protection by design (section 8) and processing data subject requests (section 9).
IRW Staff (including volunteers, interns, trustees, non-executive directors): Responsible for processing personal data for, or on behalf of, IRW in accordance with the data protection principles and processes set out in this policy, including completing mandatory training (section 14), reporting personal data breaches identified (section 12) and forwarding data subject requests appropriately (section 9).
Data Protection Leads: Responsible for advising IRW on its data protection obligations set out in this policy, including co-ordinating training and assurance. The Data Protection Team can be contacted at [email protected]
Information Governance (IG) Officer (formerly known as archive officer): Responsible for supporting the implementation and maintenance of this policy in their country/field office by performing the key tasks set out in the IG-01 IG Officer Terms of Reference.
Failure to follow this policy, for example the unauthorised access, disclosure or use of personal data, will be treated seriously and potentially as a gross misconduct issue.
Goals and Objectives
IRW will process personal data in accordance with six data protection principles. A data protection
guideline/checklist for humanitarian programmes is provided at appendix 1 of this policy.
1. Lawful, fair and transparent processing
Personal data will only be processed if the purpose meets at least one of the following lawful conditions:
Legal obligation. The processing is necessary for IRW to comply with a legal or regulatory obligation.
Contract requirement. The processing is necessary for IRW to fulfil a contract that it has with a data subject or
because the data subject has asked IRW to do something which is required before entering into a contract.
Informed consent. The data subject has provided IRW with their informed consent for the processing.
Legitimate interest. The processing is a legitimate interest of any party that is not outweighed by any risk that
the processing might present to the data subject.
Informed consent will be obtained from a data subject before processing their personal data for the purpose of creating case studies and images (print, digital, photography or video) for fundraising, marketing or donor reporting purposes; conducting voluntary surveys or questionnaires for research or MEAL purposes; or direct marketing.
Informed consent for case studies, images, and surveys will be collected and managed in accordance with the DPS-01
Informed Consent Standard.
Personal data will only be processed if the processing is necessary for a valid work purpose. For example, a survey
carried out to assess a general humanitarian situation may not require personal data to be collected.
A privacy statement will be made available to data subjects prior to collecting their personal data for the first time
for a particular purpose. Exceptions to this rule include when a data subject has already previously received the
information, or providing a privacy statement would be impossible or seriously undermine the objectives of the
processing.
2. Data minimisation
Only the minimum volume of personal data required for the purpose will be collected and processed. Anonymisation will be used whenever it is appropriate and reasonable to do so, i.e. when anonymisation won't undermine an objective of the processing.
3. Purpose limitation
Personal data will only be processed for the purpose it was collected. Processing personal data for another purpose
is only permitted if the further processing is lawful, fair and transparent (section 1).
4. Data accuracy
Personal data will be collected and recorded accurately, and reasonable steps will be taken to keep personal data up to date where necessary for a purpose. Data accuracy is particularly important when IRW is relying on personal data to make decisions or deliver services that can impact data subjects, for example programme selection, direct marketing and the design of protection and inclusion controls.
5. Data retention
Personal data will only be kept for as long as necessary. In practice this means applying the IRW/INF/005 Data
Retention Policy. For example:
Working papers containing personal data will be destroyed when no longer required as part of good
housekeeping. Examples of working papers include drafts, edits, and routine communications.
Unnecessary duplication of personal data will be kept to a minimum. For example, ensuring that copies of emails containing personal data are deleted from mailboxes, including the 'sent items', 'deleted items' and 'archive' folders.
Information assets (e.g. spreadsheets, documents, lists etc) containing personal data created for research or
MEAL purposes will be fully anonymised when the personal data is no longer required. This way only fully
anonymised data will continue to be retained for organisational learning and research purposes. Anonymisation
will be in accordance with the standards set out in the DPS-02 Anonymisation Standard.
6. Data security
Personal data will be protected from unauthorised access or use throughout the lifecycle of the data, from collection, through storage and use, to final disposal. In practice this means applying the IRW/INF/004 Information Security Policy. For example:
Personal data (all formats)
Personal data will be accessed on a strict 'need to know' basis, i.e. when necessary for a valid work purpose.
Personal data will only be taken out of an IRW office when necessary for a valid work purpose, and then it will be kept in IRW possession whenever possible and securely locked out of sight when not in use, for example in a hotel safe when travelling.
Personal data (electronic format)
Personal data will be stored on and processed using ICT-approved, provided or managed systems, technologies, platforms and devices ('IR systems').
Personal data will not be stored on local disk drives (C drive), portable storage devices that are not synchronised to an IR system, or personal storage services, devices or applications not managed by ICT without the authorisation of the Head of ICT. For example, using USB flash drives to transfer files, forwarding copies of emails, or saving files to cloud storage providers including but not limited to Dropbox and Google Drive is prohibited.
Personal data will be stored on IR systems that are password protected. Usernames and passwords will comply with the IRW/INF/003 ICT Password Policy.
Personal data will only be shared with external parties if permitted under this policy (section 11), and then it will only be sent to the official addresses of the intended recipients. The use of protective marking, password protection (with the password sent in a separate message) and expiry dates on data sharing links is further encouraged to protect personal data.
Computer screens will be locked whenever a work area is left unattended.
Personal data (physical format)
Personal data will be stored in lockable equipment or a very secure, lockable office location, with access to all keys controlled in order to reduce the risk of unauthorised access. Personal data will be locked away whenever a work area is left unattended.
Personal data will only be shared with external parties if permitted under this policy (section 11), and then it will only be sent to the official addresses of the intended recipients using IRW staff or a reliable and contracted postal or courier service, packaged in secure equipment that is marked as confidential with return-to-sender details, and a record of the safe receipt of items will be kept.
Personal data will be collected from printers immediately, and a 'print lock' facility will be used if available.
Personal data will be confidentially destroyed using a cross-cut shredder or a third-party confidential waste service provider.
Processes
7. Contracts
New data processors will sign a contract and new IRW staff will sign an HR agreement form that includes standard
data protection terms. Data protection contract terms will be in accordance with the standards set out in the DPS-03
Standard Data Protection Contract Terms.
8. Data Protection by Design
UK data owners will be responsible for completing a DPF-04 Data Protection Checklist Form at the first design
stage of any new system, process or project involving the processing of personal data.
UK data owners will be responsible for completing a DPF-04a Direct Marketing Checklist Form at the first design
stage of any new direct marketing campaign.
Data protection will be a planned activity of every humanitarian programme. A data protection
guideline/checklist for humanitarian programmes is provided at appendix 1 of this policy.
Data owners will be responsible for completing a DPF-04b Privacy Impact Assessment Form when formally
requested by the policy sponsor or data protection lead i.e. when a new system or programme is identified to
present high privacy risks to data subjects.
9. Data Subject Requests
A complaint, concern or feedback regarding an individual's personal data will be managed in accordance with the appropriate complaints policy.
A data subject request received from a UK based data subject (including ex-pat employees) will be immediately
forwarded to [email protected] and then processed within 30 calendar days from date of receipt.
Routine requests relating to marketing preferences and HR reference requests can continue to be dealt with
normally without being forwarded to the data protection team.
A data subject request received from a non-UK based data subject will be immediately forwarded to the relevant
data owner and processed within 30 calendar days from date of receipt.
10. Direct Marketing
Direct marketing will only be sent to individuals who have provided their clear, informed, freely given and unambiguous consent (i.e. 'opt-in').
A record of consent will be kept that details when consent was given, what the consent is for, and how long the
consent will be valid for.
Clear and easy instructions on how individuals can withdraw their consent at anytime (i.e. ‘opt-out’) will be
included in all direct marketing communications.
11. External Data Sharing
Personal data will only be shared with an external party (e.g. government agency, IR partner office, institutional donor, other INGO, bank, private company, etc.) if at least one of the following conditions applies:
Legal obligation. The transfer is necessary for IRW to comply with a legal or regulatory obligation.
Contract requirement. The transfer is governed by a contract between IRW and the external party that includes
standard data protection terms.
Informed consent. The data subject has provided IRW with their informed consent for the transfer.
Legitimate interest. The transfer has been explicitly approved by the data owner, an upward line report, the
head of governance, or a legal counsel.
External data sharing will be in full compliance with the data protection principles including in particular data
minimisation (i.e. only sharing the minimum volume of personal data required) and data security (i.e. ensuring that
the method of sharing data is secure and protects personal data).
Personal data of programme participants will only be published in the public domain (such as on banners, websites,
newsletters, public reports, etc.) if the data subject has provided their informed consent: DPS-01 Informed Consent
Standard. Links to images or videos that contain personal data of programme participants will not be included
directly in the body of any project report.
12. Personal Data Breaches
Personal data breaches will be reported to [email protected] as soon as possible after identification, and then handled confidentially in accordance with legal requirements.
13. Privacy Statements (‘Data Transparency’)
Privacy statements will be designed to be understood by data subjects, taking into account factors such as their age, language, literacy, IT literacy, etc. It is important that privacy statements are made available to data subjects in a local language, are not too long or complicated, and include either the contact details of a country/field office or a link to the IRW online privacy statement. For example:
Islamic Relief [INSERT COUNTRY] is collecting your personal data for the purpose of [INSERT PURPOSE[S]].
We are committed to keeping your personal data secure and confidential and we will not share your personal data with other Islamic Relief employees or any external organisation unless absolutely necessary for an official purpose. External organisations we [will / may] share your personal data with includes [INSERT NAME[S]].
If you have any questions or concerns about your personal data please contact [INSERT].
Making privacy statements available to participants in humanitarian programmes can be challenging. However, data owners must be prepared to make extensive efforts to be transparent and not to deny individuals their data rights. Examples of how privacy statements can be made available in humanitarian programmes include:
Verbal. For example, reading out the privacy statement to the data subject in a local language at a programme inception workshop, beneficiary registration activity, etc.
Forms. For example, including a written privacy statement in a local language on a project information sheet handed out to participants, or on any agreement form that a participant, parent or guardian individually signs to enter a programme, such as an orphan sponsorship, microfinance loan, or health intervention agreement form.
Visibility materials. For example, including a written privacy statement on visibility materials such as a poster or banner.
14. Training & Awareness
All staff issued with a work email account will complete mandatory data protection training at an interval
directed by the policy sponsor.
All new staff will sign to confirm that they have read and understood this policy on an HR induction checklist form.
Data processors will be made aware of the expectation on them to comply with this policy and any related
standards that are relevant to the scope of their work such as informed consent.
Implementation and Assurance Plan
15. UK Level
UK data owners will maintain up-to-date details of their department’s processing activities involving personal
data using the DPF-01 IRW Processing Log. This will require data owners to confirm that their processing
activities are lawful, fair and transparent (section 1).
The Data Protection Team will check and monitor processing activities to ensure compliance with this policy. Data owners will be responsible for managing any data protection or privacy risks identified.
16. Field Level
Country offices will complete all data protection checks identified on the IGF-01 Information Governance (IG)
Checklist Form at an interval directed by the policy sponsor, and submit completed forms to IRW HQ.
Country offices will complete all data protection checks identified on the IGF-02 Project File Close Checklist Form
and submit the completed form to IRW HQ within 45 days of receiving the request.
The IG Officer (or delegated supporting officer) will co-ordinate the completion of above forms on behalf of their
country office.
Data owners will be responsible for managing any data protection or privacy risks identified.
17. Global Level
Internal audit will compile a quarterly report for the Data Protection Team identifying all data protection risks, issues or actions identified and recorded on their risk management systems.
Appendices
Appendix 1: Data protection checklist for Humanitarian Programmes
1. Data Protection by Design (Design Stage)
Data protection risks have been identified and assessed as part of the project proposal template/guideline and
actions to avoid any negative consequences to data subjects included in the detailed implementation plan or
risk mitigation plan.
2. Data Protection Planning (Planning Stage)
2.1. Privacy Statement
A privacy statement for the programme has been written, translated into local language(s) and the method(s) of
making the privacy statement available to programme participants included in the beneficiary communication
plan. The process of writing the privacy statement will include identifying whether personal data will be shared
with any external party for the purpose of the programme.
2.2. Data Collection Forms
Data collection forms such as beneficiary lists, surveys and questionnaires have been designed so only the
minimum volume of personal data required will be collected.
Data collection forms requiring the collection of sensitive personal data have been designed for partial anonymisation wherever it is appropriate and reasonable to do so. For example, allocating each participant an identification number ('the key') and keeping directly identifiable data such as names and contact details in a separate document. This way, only individuals with access to the key will be able to identify participants.
Data collection activities have been designed to collect only the minimum volume of personal data required. For example, taking the numbers of beneficiary IDs rather than copies of IDs, recording beneficiary IDs on tokens and vouchers rather than beneficiary names, etc.
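The key-based partial anonymisation the checklist describes, and the full anonymisation the retention principle (section 5) asks for at programme close, as an added example that is not part of the IRW policy or any IRW tool. Field names, the sample beneficiary records and the random-ID scheme are all assumptions constructed for the example.

```python
"""Partial and full anonymisation of a beneficiary list (added example).

Each participant gets an unpredictable identification number; directly
identifying fields move to a separate key table; the working dataset keeps
only the non-identifying fields plus the ID. Full anonymisation then drops
the ID as well, so the key table can no longer link anyone.
"""
import secrets
from typing import Callable, Dict, Iterable, List, Tuple

Record = Dict[str, object]

# Fields treated as directly identifiable (names and contact details).
DIRECT_IDENTIFIERS: Tuple[str, ...] = ("name", "phone", "address")

# Constructed sample records for the example; not real people.
SAMPLE_RECORDS: List[Record] = [
    {"name": "Amina Example", "phone": "+000 111 222",
     "address": "Camp A, shelter 4", "household_size": 5, "assistance": "cash"},
    {"name": "Bashir Example", "phone": "+000 333 444",
     "address": "Camp A, shelter 9", "household_size": 2, "assistance": "food"},
    {"name": "Chidi Example", "phone": "+000 555 666",
     "address": "Camp B, shelter 1", "household_size": 7, "assistance": "cash"},
]


def random_id() -> str:
    """Unpredictable participant ID: a sequential number would leak
    registration order and let anyone guess valid IDs."""
    return secrets.token_hex(4)


def partially_anonymise(
    records: Iterable[Record],
    identifiers: Tuple[str, ...] = DIRECT_IDENTIFIERS,
    new_id: Callable[[], str] = random_id,
) -> Tuple[List[Record], Dict[str, Record]]:
    """Split records into a working dataset (ID + non-identifying fields)
    and a key table (ID -> identifying fields) that is stored separately."""
    key_table: Dict[str, Record] = {}
    working: List[Record] = []
    for rec in records:
        pid = new_id()
        while pid in key_table:  # guard against an ID collision
            pid = new_id()
        key_table[pid] = {f: rec[f] for f in identifiers if f in rec}
        working.append({"participant_id": pid,
                        **{k: v for k, v in rec.items() if k not in identifiers}})
    return working, key_table


def re_identify(working_rec: Record, key_table: Dict[str, Record]) -> Record:
    """Rejoin one working record with its identifying fields; only someone
    holding the key table can do this."""
    merged = {k: v for k, v in working_rec.items() if k != "participant_id"}
    merged.update(key_table[working_rec["participant_id"]])
    return merged


def fully_anonymise(working: Iterable[Record]) -> List[Record]:
    """Drop the ID link too, for data retained after the programme closes:
    without participant_id the key table cannot re-identify anyone."""
    return [{k: v for k, v in rec.items() if k != "participant_id"}
            for rec in working]


def leaked_identifiers(records: Iterable[Record],
                       identifiers: Tuple[str, ...] = DIRECT_IDENTIFIERS) -> List[str]:
    """Pre-sharing check: list any direct-identifier fields still present."""
    return sorted({k for rec in records for k in rec if k in identifiers})


if __name__ == "__main__":
    work, key = partially_anonymise(SAMPLE_RECORDS)
    print("working dataset:", work)
    print("key table (store separately):", key)
    print("identifiers leaked into working dataset:", leaked_identifiers(work))
```

The key table and the working dataset must live in different, separately access-controlled locations; keeping them in one spreadsheet defeats the purpose.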
2.3. Informed Consent Forms
Informed consent forms for the programme (if applicable) have been written and translated into local
language(s).
2.4. Data Security
Equipment required for the secure collection, transfer and/or storage of personal data has been identified and procured where required. For example, devices that are encrypted and password protected for electronic data collection, lockable equipment/containers for physical data storage, etc.
IRW staff that will process personal data for the purpose of the programme have been identified and have been
given data protection instruction in relation to the scope of their role. As a minimum requirement all IRW staff
identified have been checked to have completed mandatory data protection training.
Any external parties that will process personal data on behalf of IRW (such as enumerators, implementation
partners or courier services) have signed an agreement that includes standard data protection terms and have
been made aware of their data protection obligations in relation to the scope of their role.
Secure methods for transferring and sharing personal data (if required) have been identified and communicated
to staff that will be involved in these procedures.
3. Data Management (Implementation Stage)
Records containing personal data are filed (either at field level or country HQ) in accordance with the
IRW/INF/001 Records Management Policy, for example, kept in a location where access is able to be controlled
and restricted to authorised staff only.
4. Data Retention / Archiving (Close Stage)
An email has been sent to IRW staff involved in the programme requesting them to identify and delete any working papers or copies of documents containing personal data stored in their individual mailbox or OneDrive.
An email has been sent to the MEAL team requesting them to fully anonymise any spreadsheets, documents or
lists containing personal data that is no longer required to be retained after the programme closes.
Programme records containing personal data have been transferred to the country HQ and filed/archived in
accordance with the IRW/INF/001 Records Management Policy, for example, closed files have been archived and
have a retention date clearly identified on the label and/or recorded on the closed file register.
A project file close checklist form has been completed and submitted to IRW HQ.