Scientific Exploration Society (SES) - Data and Privacy Protection Policy
- Scientific Exploration Society (SES) is committed to safeguarding the privacy of all stakeholders.
- This statement explains how SES collects, uses and discloses information. It applies to all information gathering. SES collects and uses information about people with whom it communicates.
- This personal information is dealt with properly and securely however it is collected, recorded and used. There are safeguards in place to ensure this in the UK Data Protection Act 1998 up to and until it is superseded by the law which transposes the EU General Data Protection Regulation into UK Law (together “Data Protection Law”) which is enforced by the Information Commissioner’s Office.
- SES regards the lawful and correct treatment of personal information as a priority. It is essential to the successful and efficient performance of its functions, and to maintain confidence between SES and those with whom it deals. To this end, SES aims to adhere fully to the Principles of Data Protection, as set out in Data Protection Law.
- SES as a body is a Data Controller under Data Protection Law, and its Council of Trustees is ultimately responsible for the policy’s implementation.
Data Owner – the person or entity which can authorise or deny access to certain data and is responsible for its accuracy and integrity.
Data Subject – the individual who is the subject of the personal information.
NB: Data Protection Law does not count as a data subject an individual who has died or who cannot be distinguished from others.
Data Controller – ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data processing – the carrying out of operations on data – to retrieve, transform, or classify information.
SES Archive – the SES record management system.
Data Protection Law regulates the data processing relating to living and identifiable individuals. This includes the obtaining, holding, using or disclosing of such information, and covers computerised records as well as manual filing systems. The principles apply to ‘personal and sensitive personal data’ from which the subjects of that data are identifiable. SES part-time staff, volunteers and trustees who process, use or have access to any personal information in the course of their duties will ensure that these principles are followed at all times. Data users must comply with the data protection principles of good practice which underpin Data Protection Law. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. SES follows the Data Protection Principles set out in Data Protection Law which are summarised below.
- Personal data is processed fairly and lawfully.
- Data is only collected and used for specified purposes.
- Data collected is adequate, relevant and not excessive.
- Data collected is accurate and up to date.
- Data is not held any longer than necessary.
- Data subject’s rights are respected.
- Data is kept safe from unauthorised access, accidental loss or damage.
- Data is not routinely transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data*.
* It may sometimes be necessary to transfer personal information overseas. Any transfers made are in compliance with Data Protection Law. In some cases, SES will need to provide personal data to local agents outside the European Economic Area in order to apply for named permits or in order to provide emergency support. SES makes all possible endeavours to contract with local agents appropriately to protect the personal data of all its stakeholders.
What is meant by 'personal information'
Personal information means information that identifies someone as an individual, such as:
- Personal details.
- Family details (next of kin).
- Education and employment (financial details).
- Visual images.
SES commitment to data owners/subjects
- SES seeks consent to hold personal data.
- SES only holds personal data for as long as is necessary for clearly specified purposes.
- Where SES asks for personal data, it will be clear why it is needed and who will have access to it.
- SES only shares personal information with relevant persons to enable specific duties at the Society to be undertaken.
- SES will additionally seek consent to hold personal data for the purposes of SES membership.
- SES additionally seeks consent to hold any personal data for the benefit of SES Archives.
- SES will not share personal data with third parties for their marketing purposes.
- SES will take appropriate measures to ensure that personal information is protected from unauthorised access or modification, unlawful destruction and improper use.
- SES makes every effort to secure consent from staff, explorers, volunteers and trustees before displaying images in which they appear. SES contractual arrangements with explorers include global, in-perpetuity permission to publish all images, on any platform, in connection with their training and expeditions with SES. SES will, however, remove any image from the public domain, if it is within its power to do so, if a complaint is received where, for whatever reason, it has not been possible to secure consent in advance.
How SES collects personal information
Personal information may be collected in a variety of ways:
- SES membership applications and renewals.
- Volunteer applications and feedback forms.
- Social events.
- Explorer Award applications.
- Award and Competition entries.
- Expedition content for example journals/diaries/projects.
- Charity events registrations.
- Donation pledges.
- Fundraising forms.
- Newsletter registrations.
- Requests for information.
- Job applications.
- New staff forms.
- Applications for individuals to join SES Council.
SES may also collect personal information when resources are downloaded from its website, surveys completed or if contacted by email. In addition, SES uses software to identify which areas of its site are visited most frequently. This helps in understanding how the website is being used so that it can be made more useful for visitors and members.
What is the personal information collected used for?
Information SES collects may be used to:
- Process applications and establish identity.
- Process payments.
- Keep a record of essential contact details.
- Engage staff.
- Pay staff.
- Maintain personnel records.
- Engage volunteers and make any appropriate arrangements for them.
- Process donation pledges.
- Promote SES.
- Respond to requests for information.
- Provide newsletters or details of events: contact stakeholders with current and future information about our work, events, campaigns and activities, or any other features of SES.
- Assist its business purposes, such as data analysis, audits, fraud monitoring and prevention, enhancing, improving or modifying our services, identifying usage trends, determining the effectiveness of campaigns and operating and expanding our charitable activities as we believe to be necessary or appropriate:
- (1) under applicable law, including laws outside any specific country of residence;
- (2) to comply with legal process;
- (3) to respond to requests from public and government authorities including public and government authorities outside any specific country of residence;
- (4) to enforce our terms and conditions;
- (5) to protect our operations;
- (6) to protect our rights, privacy, safety or property and/or that of our stakeholders; and
- (7) to allow us to pursue available remedies or limit the damages that we may sustain.
- To contribute to its Archive.
Who is information shared with?
SES sometimes needs to share the personal information it processes with the individual themselves, the data subject, and also with other organisations. Where this is necessary, SES is required to comply with all aspects of Data Protection Law. This means that any data to be shared will be:
- Processed fairly and lawfully.
- Processed for limited, defined purposes and in an appropriate way.
- Adequate, relevant and not excessive for the purpose.
- Accurate and up-to-date.
- Not kept longer than necessary for the purpose.
- Processed in line with a data subject’s rights.
- Not transferred to people or organisations without adequate protection.
The following is a list of the types of organisations with whom SES may need to share some of the personal or sensitive information we process for one or more reasons. Where necessary SES shares information with:
- Family, associates or representatives of the person whose personal data we are processing.
- Third party service providers including emergency services.
- Current, past and prospective employers.
- Healthcare, social and welfare organisations.
- Statutory bodies including HMRC.
- Providers of goods and services.
- Educator and examining bodies.
- Financial organisations.
- Employment and recruitment agencies.
- Survey and research organisations.
- Business associates and professional advisers.
- Police forces.
- Other voluntary and charitable organisations.
Procedures have been developed to ensure that SES meets its Data Protection responsibilities. Data collected, stored and used by SES falls into two broad categories. SES as a body is a DATA CONTROLLER under Data Protection Law, and its Council of Trustees is ultimately responsible for the policy’s implementation.
1. INTERNAL DATA RECORDS
Purposes - SES obtains personal data (names, addresses, phone numbers, email addresses, application forms, references and in some cases other documents) from staff, volunteers and trustees. This data is stored and processed for the following purposes:
- Equal opportunities monitoring.
- Volunteering opportunities.
- To distribute relevant organisational material e.g. meeting papers.
- To meet statutory obligations (Charity Commission, Companies House, etc).
- To meet Health and Safety requirements.
The contact details of staff, volunteers and trustees will only be made available as appropriate to other staff and trustees. All information supplied on application will be kept in soft copy and used only for the purpose for which it was supplied. Contact details of staff, volunteers and trustees will not be passed on to anyone outside the organisation without their explicit written consent. All staff and volunteer emergency contact details will be kept in SES CRM for Health and Safety purposes to be used in emergency situations e.g. fire/bomb evacuations.
2. EXTERNAL DATA RECORDS
Purposes - SES obtains personal data (such as names, addresses, and phone numbers) from members. This data is obtained, stored and processed to assist staff and volunteers in the efficient running of SES and to ensure high standards of care and positive experiences for its members. This personal data is stored and processed only for the purposes outlined in this policy or as otherwise authorised (for example by acknowledging terms and conditions online) by members.
Consent - Personal data may also be updated/collected over the phone and using other methods such as email. This will only occur after members have already consented to the collection of personal data and will remain within the same scope of collection, processing and use as already consented to.
Access - Only specific SES staff and volunteers will normally be given access to personal data of members. All staff, volunteers and trustees are made aware of this policy and of their obligation to handle personal data with absolute discretion. Information supplied is kept in secure filing, paper and electronic systems and is only accessed by those individuals involved in the delivery of the services of SES. Information will not be passed on to anyone outside the organisation without their explicit written consent. Members will be supplied with a copy of any of their personal data held by SES within a maximum of 40 days free of charge if a request is made.
Accuracy - SES will take regular steps to keep personal data up to date and accurate by contacting data subjects/owners. Personal data will be stored/destroyed/de-identified according to the schedule and the guidelines in Annex A. If an error in the personal data SES holds is identified by an individual and a request is received from them to amend their records during the retention period, SES will do so if it can verify the identity of the individual and can confirm the accuracy of the proposed amendment to the personal data held.
Sharing of data/Chain of Custody - The work of SES requires it, from time to time, to share specific pieces of personal information with key staff members and volunteers. Wherever possible, this information remains digital, is password protected, and is retained within SES CRM system. SES may need to provide paper documentation to a limited number of individuals for whom digital access cannot be assured.
Storage - Personal data may be kept in paper-based systems and/or on a password-protected computer system. Paper-based data are stored in organised systems.
RESPONSIBILITIES OF STAFF, VOLUNTEERS AND TRUSTEES
SES staff, volunteers and sometimes trustees will deal with personal information from members and volunteers. Staff and volunteers are expected to operate a clear-desk policy and to be conscious at all times of the sensitivity of any information on-screen, on a printer, or in any other format. They may also be told or overhear sensitive information while working for/on behalf of SES. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. Staff, paid or unpaid, must abide by this policy. SES will ensure that all staff, volunteers and trustees receive adequate guidance in:
- Data Protection Law as it affects SES.
- SES Data Protection Policy.
- SES systems (website, CRM and finance system).
- The individual obligations of staff, volunteers and trustees.
- What a member of staff, volunteer or trustee should do if they have any concerns about data protection.
- Failures in SES data protection management could lead to visits, investigation and enforcement notices from the Information Commissioner’s Office.
- Any employee who breaches the terms of this policy will be dealt with in accordance with the terms of their contract of employment.
- SES expects the same professional standards in data protection from its volunteers as it does from its paid part-time staff. Any volunteer who breaches this policy will participate in a formal review process with SES and may be barred from future volunteering with SES. Any such breach could also lead to criminal prosecution.
- Any questions or concerns about the interpretation or operation of this policy should, in the first instance, be referred to your line manager.
RETENTION OF DATA/DATA DESTRUCTION SCHEDULE
No documents will be stored for longer than is necessary. For guidelines see Annex A. All documents containing personal and sensitive data will be disposed of securely in accordance with Data Protection principles.
- Paper-based data will be shredded. Any external shredding services handling personal and sensitive data will provide a chain of custody, be verified as secure and will be required to provide a certificate of destruction.
- Wherever possible information will be stored in an electronic format, as long as an original copy is capable of being produced from the electronic copy. (The term ‘original’ meaning a copy which is equivalent in every relevant legal respect in its characteristics to the original document no matter how many times removed it is from an original paper document.) This implies a high standard of legibility for electronic images such that no ambiguity of interpretation is introduced that does not derive from the original.
- Digital data will be deleted from its system according to the schedule in Annex A. SES's first obligation is to put data ‘beyond use’. It then commits to permanent deletion of the material as soon as possible. Deleted file items are retained for a month post-deletion, accessible only by the SES administrator, and are then permanently deleted. No deleted records are retained on individual SES PCs.
- SES will de-identify or ‘redact’ any information sources kept for use beyond our retention schedule for the purposes of analysis/planning/to provide trend data. Such information use is likely to include incidents, demographic data, medical information, campaign information.
- The only other sources of personal data to be retained beyond the schedule below are those where SES is in receipt of individual consent for addition to SES Archives, which is a permanent record.
- Destruction schedule: SES will destroy data on an annual cycle, within the calendar year of a due destruction date for any particular item.
DATA PROTECTION CONFIDENTIALITY STATEMENT
Personal information - 'Personal information' includes details such as addresses, phone numbers and health details supplied by staff/members/volunteers. Such information may be shared between staff and volunteers for work reasons but should not be given to anyone outside SES without explicit consent from the staff/member/volunteer. If such a situation arises, please ask a fellow member of staff for advice.
New members - All requests from new members/volunteers for any service offered by SES should be referred to the appropriate member of staff. If the appropriate member of staff is not available, please take a name and contact number only and pass the message on. This is particularly important when dealing with a third party (for example, if a relative or friend phones on behalf of someone else) as SES should not collect information about a person who has not given permission to use his/her details. In most cases, however, it is assumed that if a representative of a group contacts the SES, then that group has given permission to use their details.
Unlawful disclosure of personal information - Under Data Protection Law SES is committing a criminal offence if it discloses personal information ‘knowingly or recklessly’ to anyone it is not supposed to. As SES has an open-door policy for members to drop in anytime during opening hours, staff should seek to ensure that conversations are as private as possible and should be aware that conversations containing personal or sensitive information may be overheard by people who should not have access to such information.