Scientific Exploration Society Data and Privacy Protection Policy

STATEMENT
a. The Scientific Exploration Society (the SES) is committed to safeguarding the privacy of all stakeholders.
This statement explains how we collect, use and disclose information. It applies to all information gathering, including online and our website. The SES collects and uses information about people with whom it communicates.
b. This personal information must be dealt with properly and securely however it is collected, recorded and used. There are safeguards to ensure this in the UK Data Protection Act 1998, up to and until it is superseded by the law which transposes the EU General Data Protection Regulation into UK law (together “Data Protection Law”), which is enforced by the Information Commissioner’s Office.
c. The SES regards the lawful and correct treatment of personal information as a priority. It is essential to the successful and efficient performance of its functions, and to maintain confidence between the SES and those with whom it deals. To this end, the SES aims to adhere fully to the Principles of Data Protection, as set out in Data Protection Law.

The SES as a body is a Data Controller under Data Protection Law, and its Council of Trustees is ultimately responsible for the policy’s implementation.

Definitions:
Data Owner – the person or entity which can authorise or deny access to certain data and is responsible for its accuracy and integrity.
Data Subject – the individual who is the subject of the personal information.
NB: Data Protection Law does not count as a data subject an individual who has died or who cannot be distinguished from others.
Data Controller – ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data processing – the carrying out of operations on data – to retrieve, transform, or classify information.
SES Archive – means the SES record management system.

PRINCIPLES
Data Protection Law regulates the data processing relating to living and identifiable individuals. This includes the obtaining, holding, using or disclosing of such information, and covers computerised records as well as manual filing systems. The principles apply to ‘personal and sensitive personal data’ from which the subjects of that data are identifiable. The Scientific Exploration Society’s employees, volunteers and trustees who process, use or have access to any personal information in the course of their duties will ensure that these principles are followed at all times.

Data users must comply with the data protection principles of good practice which underpin Data Protection Law. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.

The SES follows the Data Protection Principles set out in Data Protection Law which are summarised below.

  •   Personal data will be processed fairly and lawfully.
  •   Data will only be collected and used for specified purposes.
  •   Data will be adequate, relevant and not excessive.
  •   Data will be accurate and up to date.
  •   Data will not be held any longer than necessary.
  •   Data subjects’ rights will be respected.
  •   Data will be kept safe from unauthorised access, accidental loss or damage.
  •   Data will not routinely be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data*.

* It may sometimes be necessary to transfer personal information overseas. Any transfers made will be in compliance with Data Protection Law. In some cases, the SES will need to provide personal data to local agents outside the European Economic Area in order to apply for named permits or in order to provide emergency support. The SES will make all possible endeavours to contract with local agents appropriately to protect the personal data of all its stakeholders.

What is meant by ‘personal information’
Personal information means information that identifies someone as an individual, such as:

  •   personal details
  •   family details (next of kin)
  •   education and employment (financial details)
  •   visual images

The SES’s commitment to data owners/subjects
a. We will seek your consent to hold your personal data.
b. We will only hold your personal data for as long as is necessary for clearly specified purposes.
c. Where we ask for personal data, we will be clear with you why we need it, and who will have access to it.
d. We will only share personal information with relevant persons to enable them to undertake specific duties at the Society.
e. We will additionally seek your consent to hold your personal data for the purposes of membership of the SES.
f. We will additionally seek your consent to hold any personal data for the benefit of the SES Archive.
g. We will not share your personal data with third parties for their marketing purposes.
h. We will take appropriate measures to ensure that your personal information is protected from unauthorised access or modification, unlawful destruction and improper use.
i. If you wish to see records of any communication you have sent to us, or if you have a query or complaint about our data and privacy policy, we have an online facility on our website (www.ses-explore.org) for you to get in touch with us.
j. The SES will make every effort to secure consent from staff, explorers, volunteers and trustees before displaying images in which they appear. Our contractual arrangements with explorers include global, in-perpetuity permission to publish all images, on any platform, in connection with their training and expeditions with the SES. We will, however, remove any image from the public domain, if it is within our power to do so, if a complaint is received and, for whatever reason, it has not been possible to secure consent in advance.

How do we collect personal information?
Personal information may be collected in a variety of ways:

  •   membership applications and renewals
  •   volunteer applications and feedback forms
  •   social events
  •   explorer applications
  •   award and competition entries
  •   expedition content, for example journals/diaries/projects
  •   additional recruitment information such as interviews and assessment notes
  •   fundraising event registrations
  •   donation pledges
  •   fundraising forms
  •   newsletter registrations
  •   requests for information
  •   job applications
  •   new staff forms
  •   applications for individuals to join the SES Council

The SES may also collect personal information when you download resources from our website, complete a survey or if you contact us by email. In addition, we use software to identify which areas of our site are visited most frequently. This helps us to understand how our website is being used so that we can make it more useful for visitors and members.

What is the personal information we collect used for?
Information we collect may be used to:

  •   process applications and establish identity
  •   process payments
  •   keep a record of essential contact details
  •   engage staff
  •   pay staff
  •   maintain personnel records
  •   engage volunteers and make any appropriate arrangements for them
  •   process donation pledges
  •   promote the SES
  •   respond to requests for information
  •   provide newsletters or details of events: contact stakeholders with current and future information about our work, events, campaigns and activities, or any other features of the SES
  •   for our business purposes, such as data analysis, audits, fraud monitoring and prevention, enhancing, improving or modifying our services, identifying usage trends, determining the effectiveness of campaigns and operating and expanding our charitable activities
  •   as we believe to be necessary or appropriate: (1) under applicable law, including laws outside any specific country of residence; (2) to comply with legal process; (3) to respond to requests from public and government authorities including public and government authorities outside any specific country of residence; (4) to enforce our terms and conditions; (5) to protect our operations; (6) to protect our rights, privacy, safety or property and/or that of our stakeholders; and (7) to allow us to pursue available remedies or limit the damages that we may sustain.
  •   to contribute to our Archive

Who is information shared with?
We sometimes need to share the personal information we process with the individual themselves, the data subject, and also with other organisations. Where this is necessary we are required to comply with all aspects of Data Protection Law. This means that any data to be shared will be:

  •   processed fairly and lawfully
  •   processed for limited, defined purposes and in an appropriate way
  •   adequate, relevant and not excessive for the purpose
  •   accurate and up to date
  •   not kept longer than necessary for the purpose
  •   processed in line with a data subject’s rights
  •   secure
  •   not transferred to people or organisations without adequate protection

The following is a list of the types of organisations with whom we may need to share some of the personal or sensitive information we process for one or more reasons. Where necessary we share information with:

  •   family, associates or representatives of the person whose personal data we are processing
  •   employees
  •   volunteers
  •   partners
  •   trustees
  •   third party service providers including emergency services
  •   current, past and prospective employers
  •   healthcare, social and welfare organisations
  •   statutory bodies including HMRC
  •   providers of goods and services
  •   educators and examining bodies
  •   financial organisations
  •   employment and recruitment agencies
  •   survey and research organisations
  •   business associates and professional advisers
  •   police forces
  •   other voluntary and charitable organisations

PROCEDURES
Procedures have been developed to ensure that the SES meets its Data Protection responsibilities. Data collected, stored and used by the SES falls into two broad categories.

The SES as a body is a DATA CONTROLLER under Data Protection Law, and its Council of Trustees is ultimately responsible for the policy’s implementation.

1. INTERNAL DATA RECORDS
Purposes
The SES obtains personal data (names, addresses, phone numbers, email addresses, application forms, references and in some cases other documents) from staff, volunteers and trustees. This data is stored and processed for the following purposes:

  •   recruitment
  •   equal opportunities monitoring
  •   volunteering opportunities
  •   to distribute relevant organisational material e.g. meeting papers
  •   payroll
  •   to meet statutory obligations (Charity Commission, Companies House, etc)
  •   to meet Health and Safety requirements

The contact details of staff, volunteers and trustees will only be made available as appropriate to other staff and trustees. All information supplied on application will be kept in soft copy and used only for the purpose for which it was supplied. Contact details of staff, volunteers and trustees will not be passed on to anyone outside the organisation without their explicit written consent.

All staff and volunteer emergency contact details will be kept in our CRM for Health and Safety purposes to be used in emergency situations e.g. fire/bomb evacuations.

2. EXTERNAL DATA RECORDS
a. Purposes
The SES obtains personal data (such as names, addresses, and phone numbers) from members. This data is obtained, stored and processed to assist staff and volunteers in the efficient running of the SES and to ensure high standards of care and positive experiences for our members. This personal data is stored and processed only for the purposes outlined in this policy or as otherwise authorised (for example by acknowledging terms and conditions online) by members.

b. Consent
Personal data may also be updated/collected over the phone and using other methods such as email. This will only occur after members have already consented to the collection of personal data and will remain within the same scope of collection, processing and use as already consented to.

c. Access
Only specific SES staff and volunteers will normally be given access to personal data of members. All staff, volunteers and trustees are made aware of this policy and of their obligation to handle personal data with absolute discretion. Information supplied is kept in secure filing, paper and electronic systems and is only accessed by those individuals involved in the delivery of the services of the SES. Information will not be passed on to anyone outside the organisation without their explicit written consent. Members will be supplied with a copy of any of their personal data held by the SES within a maximum of 40 days free of charge if a request is made.

d. Accuracy
The SES will take regular steps to keep personal data up to date and accurate by contacting data subjects/owners. Personal data will be stored/destroyed/de-identified according to the schedule and the guidelines in Annex A. If an error in the personal data we hold is identified by an individual and we receive a request from them to amend their records during our retention period, we will do so if we can verify the identity of the individual and can confirm the accuracy of the proposed amendment to the personal data held.

e. Sharing of data/Chain of Custody
The work of the SES requires us, from time to time, to share specific pieces of personal information with key staff members and volunteers. Wherever possible, this information remains digital, is password protected, and is retained within the SES CRM system. We may need to provide paper documentation to a limited number of individuals for whom digital access cannot be assured.

f. Storage
Personal data may be kept in paper-based systems and/or on a password-protected computer system. Paper-based data are stored in organised systems.

RESPONSIBILITIES OF STAFF, VOLUNTEERS AND TRUSTEES
SES staff, volunteers and sometimes trustees will deal with personal information from members and volunteers. Staff and volunteers are expected to operate a clear-desk policy and to be conscious at all times of the sensitivity of any information on-screen, on a printer, or in any other format. They may also be told or overhear sensitive information while working for/on behalf of the SES. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. Staff, paid or unpaid, must abide by this policy. The SES will ensure that all staff, volunteers and trustees receive adequate guidance in:

  •   Data Protection Law as it affects the SES
  •   our Data Protection Policy
  •   our systems (website, CRM and finance system)
  •   the individual obligations of staff, volunteers and trustees
  •   what a member of staff, volunteer or trustee should do if they have any concerns about data protection

COMPLIANCE
a. Failures in our data protection management could lead to visits, investigation and enforcement notices from the Information Commissioner’s Office.
b. Any employee who breaches the terms of this policy will be dealt with in accordance with the terms of their contract of employment.
c. We expect the same professional standards in data protection from our volunteers as we do from our paid staff. Any volunteer who breaches this policy will participate in a formal review process with the SES and may be barred from future volunteering with us. Any such breach could also lead to criminal prosecution.
d. Any questions or concerns about the interpretation or operation of this policy should, in the first instance, be referred to your line manager.

RETENTION OF DATA/DATA DESTRUCTION SCHEDULE
No documents will be stored for longer than is necessary. For guidelines see Annex A. All documents containing personal and sensitive data will be disposed of securely in accordance with Data Protection principles.
a. Paper-based data will be shredded. Any external shredding services handling personal and sensitive data will provide a chain of custody, be verified as secure and will be required to provide a certificate of destruction.
b. Wherever possible information will be stored in an electronic format, as long as an original copy is capable of being produced from the electronic copy. (The term ‘original’ meaning a copy which is equivalent in every relevant legal respect in its characteristics to the original document no matter how many times removed it is from an original paper document.) This implies a high standard of legibility for electronic images such that no ambiguity of interpretation is introduced that does not derive from the original.
c. Digital data will be deleted from our system according to the schedule in Annex A. Our first obligation is to put data ‘beyond use’. We then commit to permanent deletion of the material as soon as possible. Deleted file items are retained for a month post-deletion, accessible only by our administrator, and are then permanently deleted. No deleted records are retained on individual SES PCs.
d. We will de-identify or ‘redact’ any information sources kept for use beyond our retention schedule for the purposes of analysis/planning/to provide trend data. Such information use is likely to include incidents, demographic data, medical information, campaign information.
e. The only other sources of personal data to be retained beyond the schedule below are those where the SES is in receipt of individual consent for addition to the SES Archive, which is a permanent record.
f. Destruction schedule: The SES will destroy data on an annual cycle, within the calendar year of a due destruction date for any particular item.

ANNEX A
DATA PROTECTION CONFIDENTIALITY STATEMENT

Personal information
“Personal information” includes details such as addresses, phone numbers and health details supplied by staff/members/volunteers. Such information may be shared between staff and volunteers for work reasons but should not be given to anyone outside the SES without explicit consent from the staff/member/volunteer. If such a situation arises, please ask a fellow member of staff for advice.

New members
All requests from new members/volunteers for any service offered by the SES should be referred to the appropriate member of staff. If the appropriate member of staff is not available, please take a name and contact number only and pass the message on. This is particularly important when dealing with a third party (for example, if a relative or friend phones on behalf of someone else) as the SES should not collect information about a person who has not given permission to use his/her details. In most cases, however, it is assumed that if a representative of a group contacts the SES, then that group has given permission to use their details.

Unlawful disclosure of personal information
Under Data Protection Law you are committing a criminal offence if you disclose personal information ‘knowingly or recklessly’ to anyone you are not supposed to, so please be careful. As the SES has an open-door policy for members to drop in anytime during opening hours, please seek to ensure that conversations are as private as possible and be aware that conversations containing personal or sensitive information may be overheard by people who should not have access to such information.

Use of files, books and other paper records
In order to prevent unauthorised access and accidental loss or damage to personal information held on paper, please take good care of the files, books and other paper records you use while on duty and ensure that they are stored safely before you leave the building.

Disposal of scrap paper
You should be aware that names/addresses/phone numbers and other information written on scrap paper are also considered to be confidential. Please tear up or shred such notes before disposing of them in the waste paper bin.

Emergency contact details
Brief personal contact details and next of kin of staff and volunteers must be securely stored in a register in case of emergency. The register will be kept securely by the CEO and used only in emergency situations.

Your own personal information
You may be interested to know that under Data Protection Law you are entitled to access any personal information held on you, including that held by the SES. If you want to see this information, please talk to the CEO.

References
Unless informed otherwise by you, the SES will supply references to future employers if such information is requested. After seven years this will only contain brief details of the dates you were employed and the job title of the work undertaken.

Passwords
A list of all passwords must be provided to you and may not be changed without your knowledge.

May 2018