General Data Protection Regulations (GDPR) and Data Protection Policy

To be read in conjunction with Confidentiality policy Introduction to GDPR

ANVOB is committed to meeting its data protection obligations and being transparent about the processing of personal data as defined under the General Data Protection Regulations 2018. As an organisation, we have a need to obtain and use personal data about those with whom we come into contact, whether this be employees, professional contacts, members of the public etc., in order to carry out our work. Under GDPR legislation we are required to handle and process this data lawfully. This policy details the requirements and responsibilities in this respect, as well as our actions to ensure compliance. This policy applies to the personal data of job applicants, employees, workers, and former employees. This type of data is referred to as HR-related personal data.

Data Protection Lead

ANVOB Data Protection Lead is the Chief Officer Nick Robinson Their role will be to inform and advise ANVOB on our data protection obligations and to be a main point of contact for data protection matters. They can be contacted on nrobinson@vaef.org.uk

Definitions

GDPR is concerned with the following aspects:

• Personal Data - information which relates to an identifiable or identified living individual (the data subject). This may include items such as a name, a reference number, location data or other specific factors that identify the person
• Data Processing – includes organising, adapting or altering data; the use or retrieval of data; disclosure of data; destruction or erasure of data
• Sensitive Personal Data – relates to one or more of the following – race; political opinion; religious belief; trade union membership; health – physical or mental; sexual orientation or life; biometric data; criminal offences
• Criminal Records – information regarding an individual’s criminal convictions and offences or information relating to criminal allegations or proceedings

Data Protection Principles

ANVOB will process HR related personal data in line with the six data protection principles:

1. Process data in a transparent and fair manner and in accordance with the law
2. Collect personal data only for necessary purposes (legitimate and specified)
3. Processes data only where it is adequate, relevant and limited to what is necessary for the purpose of processing
4. Keep accurate personal data and take all reasonable steps to delete inaccurate data without delay
5. Keep personal data only for necessary timescales
6. Adopt measures to ensure data is secure

This Policy should be read in conjunction with ANVOB employee privacy notice which informs employees of the reasons for processing their personal data, how it uses such data and the legal basis for processing such data.

Data Storage

Any personal data held, either in electronic or paper formats, will be stored securely and only used for the purposes for which it has been obtained. This personal data will be stored for appropriate timescales as determined by legislation. Any electronic devices, i.e. computer systems, mobile phones, tablets etc., will be completely reset and wiped before they are sold on/disposed of or no longer used by ANVOB. Where ANVOB relies on third parties to process or handle personal data on its behalf, such parities are subject to written contracts with regards to compliance with necessary legislation and requirements.

Data Access and Accuracy

All individuals have the right to access personal data held about them. ANVOB will take steps to ensure this information is up to date, by making any changes it is notified of, and/or routinely ensuring that information is still correct and accurate. Individual Rights Data subjects have eight rights under the GDPR legislation in relation to the processing of their personal data, these are:

• That they will be informed that their personal data is being processed by the company. This is laid out in this policy and the employee privacy notice.
• The right to access their data.
• The right to have their personal data rectified if it is incorrect or incomplete.
• The right to have their personal data erased or deleted where there is no compelling reason or lawful ground for its continued processing.
• The right to restrict data processing where there is no compelling reason or lawful ground for its continued processing.
• The right to object to the processing of their personal data.
• The right to have their personal data moved e.g. movement of pension or payroll data to another provider
• Where the company uses automated profiling or automated decision, they have the right to ask that the assessment is performed by a human.

Subject Access Requests

Individuals can make a request from which ANVOB will confirm to him/her:

• whether their data is processed and to whom their data is disclosed
• how long the data will be held
• their rights with regards to the correction or erasure of data
• their rights to complain to the Information Commissioner
• their rights around automated decision-making processes

ANVOB will also provide to the individual a copy of the personal data undergoing processing. To make a Subject Access request please email jfoile@ANVOB.org.uk where ANVOB will aim to deal with the request as soon as is reasonably practical and within one month of the request being made. It should be noted where the request is manifestly unfounded or excessive ANVOB is not legally obliged to comply with the request. Data Breaches

If you are a member of staff or a volunteer and you identify a potential data breach it is your responsibility to report it to the Data Protection Lead or your Line Manager as soon as possible. Any data breaches that pose a risk to individuals will be reported by the Data Protection Lead to the Information Commissioner’s Office within 72 hours. All breaches will be recorded regardless of whether they are reportable and a report will be produced explaining what happened, the action to be taken, and changes to be implemented going forward to minimise future risk. If the breach is likely to result in high risk, the individuals concerned will be notified and provided with information regarding actions taken. The Data Protection Lead is: Nick Robinson, Chief Officer – 07967 726851 or nrobinson@vaef.org.uk Deputy Data Protection Leads are: Ray Harris, rharris06@yahoo.co.uk John Price, jprice@avisionofbritain.org

International Data Transfers ANVOB does not transfer HR related personal data outside of the UK.

Individual Responsibilities Employees are responsible for keeping their own data up to date and notifying ANVOB immediately of any changes to it. Employees should also ensure that any data they handle is managed in accordance with the law, and that any concerns are raised to their line manager in the first instance. Failure to deal with these requirements and act in accordance with the policy may be treated under the formal disciplinary procedure. Significant or deliberate breaches may constitute gross misconduct.

Induction All new members of staff are made aware of this policy. Ongoing questions are encouraged at any time, and support will be made available to any employees who require it.

Created 7/03/24 Reviewed and amended 3/3/25