UWC Great Britain General Data Protection Policy
This policy aims to ensure that the United World Colleges National Committee of Great Britain (UWCGB) complies with General Data Protection Regulations (GDPR), as transposed into the law of England and Wales by the Data Protection Act 2018 (DPA). UWCGB protects the rights and safety of its trustees, volunteers, staff members and people who come into contact with the charity through its work.
Personal Data Collection
Personal data is any physical or virtual information which is related to an identified or identifiable natural person.
UWCGB is responsible for ensuring that the following principles of GDPR and the DPA legislation are adhered to throughout data collection and management.
- be processed fairly and lawfully;
- be obtained only for specific, lawful purposes;
- be adequate, relevant and not excessive;
- be accurate and up to date;
- not be held for any longer than necessary;
- processed in accordance with the rights of data subjects;
- be protected in appropriate ways; and
- not be transferred outside the European Economic Area, unless that country or territory also ensures an adequate level of protection of personal data.
Data Protection Rights
Under GDPR, individuals have the following rights:
- the right to be informed - Individuals have the right to be informed about the collection and use of their personal data, and UWCGB must be transparent in the collection, use and storage of personal data.
- the right of access - Individuals have the right to access and obtain confirmation that you are processing their personal data and a copy of their personal data.
- the right to rectification - individuals have the right to have inaccurate personal data rectified, or completed if it is incomplete.
- the right to erasure - Individuals have the right to have their personal data erased if:
- the personal data is no longer necessary for the purpose which it was originally collected or processed for;
- UWCGB is relying on consent as its lawful basis for holding the personal data, and the individual withdraws their consent;
- UWCGB is processing the personal data for direct marketing purposes and the individual objects to that processing;
- UWCGB has processed the personal data unlawfully;
- UWCGB has to do it to comply with a legal obligation; or
- UWCGB has processed the personal data to offer information society services to a child.
- the right to restrict processing - Individuals have the right to request the restriction or suppression of their personal data in certain circumstances
- the right to data portability - Individuals have the right to obtain and reuse their personal data for their own purposes across different services.
- the right to object - Individuals have the right to object to the processing of their personal data in certain circumstances.
- rights in relation to automated decision making and profiling - Individuals have the right not to be subject to solely automated decisions, including profiling, which have a legal or similarly significant effect on them.
UWCGB will respond to queries and requests in connection with these rights within one calendar month of receipt of the query or request. UWCGB will, where applicable, confirm to the relevant individual that the necessary steps have been taken to comply with the individual’s request.
Roles and Responsibilities
The role of the Data Protection Officer (DPO) is to:
- to inform and advise about obligations to comply with the GDPR and other data protection laws;
- to monitor compliance with the GDPR and other data protection laws, and with your data protection policies, including managing internal data protection activities, raising awareness of data protection issues, training staff and conducting internal audits;
- to advise on, and to monitor data protection impact assessments;
- to cooperate with the supervisory authority; and
- to be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
Trustees, volunteers and staff members must:
- only access personal data where it is relevant to their role;
- not share personal data informally;
- attend all relevant training provided by UWCGB;
- follow all relevant data protection guidance provided by UWCGB;
- seek advice from the Data Protection Officer ([email protected]) or their Supervisor in the event they are unsure how to proceed regarding data in a given circumstance;
- ensure that personal data collected is stored securely; and
- securely dispose of any unnecessary personal data in their possession in both digital and alternate formats.
Breach of Policy
Trustees, staff members and volunteers should report any inadvertent breaches of this policy to the DPO ([email protected]).
A malicious or negligent breach of this policy will be treated as a disciplinary matter and action will be taken under UWCGB’s Disciplinary Policy and Procedures.
Point of Contact
If you have questions or concerns about this policy, or a request regarding personal data relating to you which you believe UWCGB may be using, please contact our Data Protection Officer at [email protected]
Review & Revision
This policy will be reviewed no later than:
- January 2022; or
- when relevant new legislation comes into place, if earlier.
This policy was:
- Adopted on: 25th May 2014;
- Last reviewed and updated: 30th September 2020
Sources of Further Guidance:
- General Data Protection Regulation (GDPR)
- Information Commissioner's Office - Guide to GDPR
- Data Protection Act 2018