1. At Sustrans we collect personal data in support of our mission of making it easier for people to walk and cycle, but we never forget that this personal data ultimately belongs to the people we work for, and work with, not to the charity.
2. We are committed to people’s privacy and to being transparent about how we collect and use personal data; we aim to go above and beyond our obligations under data protection and privacy legislation. This policy sets out Sustrans’ obligations in relation to personal data, and our commitment to data protection and the rights of the people whose personal data we use.
3. This policy applies to the personal data of supporters, volunteers, project participants, job applicants, employees, workers, contractors, apprentices and anyone who had any of these roles in the past. It also applies to the personal data of clients, funders, customers of our online shop, members of the public or other personal data processed for business purposes.
4. In support of this policy. we have produced a number of data protection statements which provide further clarification of the specific procedures we use for processing particular types of personal data, such as that of employees, volunteers and supporters.
5. Sustrans has appointed a Data Protection Officer (DPO) as the person with responsibility for data protection compliance within the charity. Our DPO can be contacted at [email protected]. Questions about this policy, or requests for further information, should be directed to the DPO.
Definitions, and why they matter
6. “Personal data” is any information that relates to a living individual who can be identified, or be identifiable, from that information.
7. “Processing” is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.
8. “Special category personal data” means information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, genetics, sex life or sexual orientation and biometric data.
9. “Criminal offence data” means information about an individual's criminal convictions and offences, and information relating to criminal allegations and proceedings.
10. “Sensitive data” means information about an individual that may result in a high risk to an individual’s interest if it would be mishandled. Special category and criminal record data are considered sensitive by default, but also data not formally classified as special category or criminal office data may be sensitive. Some data not classified as ‘personal data’ may still be classified as ‘sensitive data’ and will then be subject to similar safeguards. For example, data related to a yet to be submitted government bid.
11. “Data protection impact assessment” Sustrans incorporates data protection into our project management system, to include data protection impact assessments when planning projects. This means we carefully assess if the collection of personal data is necessary, lawful and fair to the individuals involved, and whether the personal data processed in the scope of a project merits increased technical and organisational safeguards.
12. “Personal data breaches” are the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. If Sustrans discovers that there has been a possible breach of personal data that poses a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner within 72 hours of discovery and, when relevant, Sustrans will instantly notify partners who may have provided Sustrans with personal data as part of a Data Controller – Data Processor agreement or Joint Controller agreement.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, Sustrans will promptly notify affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures we have taken. Sustrans will record all data breaches regardless of their effect.
13. “Data sharing” Sustrans has never sold personal data, and we never will. However, Sustrans may, under strictly defined circumstances, disclose personal data to:
- Government, law enforcement agencies, the courts and regulatory bodies when Sustrans is legally required to do so, or where required to protect individuals.
- Specific partner organisations where individuals have expressly consented to this data sharing, and only if there is a formal written data protection arrangement between Sustrans and this third party.
- Companies or contractors who work on our behalf, also known as “data processors”. Examples are data centres and mailing houses. Where Sustrans engages third parties to process personal data on its behalf, or provide the charity with services that give a third party (potential) access to personal data held by Sustrans, such parties do so on the basis of written instructions. They will be under a duty of confidentiality and will be obliged to implement appropriate technical and organisational measures to ensure the security of data.
Sustrans has taken all reasonable steps to ensure that any third parties we work with have sufficient safeguards in place.
14. “International data transfers” Under data protection legislation personal data may be stored anywhere in the European Economic Area, storing data outside of the EEA is considered an ‘international data transfer’ and may only be done under specific conditions. Sustrans will not normally transfer personal data to countries outside the EEA, but in a limited number of circumstances names, email addresses or similarly non-sensitive data may, on the charity’s behalf, be processed by trusted data processors with servers based in the United States, or similar. In these situations Sustrans has ensured that these data processors are correctly accredited under the Privacy Shield Framework or equivalent, or that Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) are in place.
15. “Access controls” Sustrans has a policy of, where appropriate, restricting access to personal data to only a limited number of authorised staff, volunteers or contractors, or by technically restricting the ability of staff to manipulate personal data. Certain data processing activities also leave an auditable trail, showing who accessed what individual’s records, why and when.
16. “Record of Processing Activities” Sustrans keeps a full and up to date record of the charity’s processing activities, such as processing purposes, data sharing and retention together with a description of Sustrans’ technical and organisational security measures.
How we process personal data
17. Sustrans processes personal data in accordance with the following data protection principles:
- Sustrans processes personal data lawfully, fairly and in a transparent manner.
- Sustrans collects personal data only for specified, explicit and legitimate purposes, data will not be further processed in a manner that is incompatible with those purposes.
- Sustrans processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
- Sustrans keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified and that individuals can efficiently and without delay check, and if needed erase or rectify, the data we have on them.
- Sustrans keeps personal data only for the period necessary for processing.
18. Sustrans adopts appropriate technical and organisational measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage. These will be regularly reviewed to ensure best practice.
Sustrans works according to “Cyber Essentials” principles, the UK government scheme that encourages good practice in information security. All Sustrans staff, and all Sustrans volunteers handling personal data receive training on the use of personal data. Key data handlers within Sustrans may be subject to background checks or additional requirements. Breaches of this policy may constitute gross misconduct and could lead to dismissal and legal action.
19. Individuals have a number of rights in relation to their personal data.
Access to information
20. Individuals have the right to make a Subject Access Request. If an individual makes a subject access request, Sustrans will tell them:
- Whether or not their data is processed and if so why, the categories of personal data concerned, when possible what data we have in detail, and the source of the data if it is not collected from the individual.
- To whom their data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers.
- For how long their personal data is stored (or how that period is decided).
- Their rights to rectification or erasure of data, or to restrict or object to processing.
- Their right to complain to the Information Commissioner’s Office if they feel we have failed to comply with their data protection rights.
- Whether or not Sustrans carries out automated decision-making and the logic involved in any such decision-making.
21. Sustrans will also provide the individual with a copy of the personal data undergoing processing, except when disclosure would disproportionately harm another individual’s rights and freedoms or data is legally privileged. If the individual has made a request electronically data will normally be provided in electronic form, unless agreed otherwise.
22. To ensure that a Subject Access Request is processed without delay the individual should send the request to Sustrans’ Data Protection Officer: [email protected]. In most cases, Sustrans would need to ask for proof of identification before the request can be processed. Sustrans will inform the individual promptly if it needs to verify an individual’s identity and the documents we require, or if we require additional information in order to correctly process the request.
23. Sustrans will normally comply with a request within a period of one month from the date it is received. In exceptional cases, such as where Sustrans processes large amounts of an individual's data, we may respond within three months of the date the request is received. Sustrans will write to the individual within one month of receiving the original request to tell them if this is the case, and why.
24. If a Subject Access Request is manifestly unfounded or excessive, Sustrans is not obliged to comply. Alternatively, Sustrans can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A Subject Access Request is likely to be manifestly unfounded or excessive where it repeats a request to which Sustrans has already responded. If an individual submits a request that is unfounded or excessive, Sustrans will notify them that this is the case, whether or not the charity will respond to it, and will inform the individual about their right to refer the matter to the Information Commissioner’s Office.
25. Individuals have a number of other rights in relation to their personal data. They can require Sustrans to:
- Rectify inaccurate data.
- Stop processing or erase data that is no longer necessary for the purposes of processing.
- Stop processing or erase data if the individual's interests override the charity's legitimate grounds for processing data (where Sustrans relies on its legitimate interests as a reason for processing data).
- Stop processing or erase data if processing is unlawful.
- Stop processing data for a period if data is inaccurate or if there is a dispute about whether or not the individual's interests override the charity's legitimate grounds for processing data.
26. To ask Sustrans to take any of these steps, the individual is requested to contact the charity’s Data Protection Officer: [email protected]
Supporting policies and procedures
- Record of processing activities: A full and up to date record of the charity’s processing activities, such as processing purposes, data sharing and retention together with a description of Sustrans’ technical and organisational security measures.
- Employee and recruitment data protection statement: A detailed description of what personal data Sustrans collects at different stages of recruitment, during employment and post-employment.
- Volunteer data protection statement: A detailed description of what personal data Sustrans collects from our volunteers, before, during and after their volunteering experience at Sustrans.
- Supporter data protection statement: A description of how supporters’ data is processed and how the data of the charity’s supporters is protected.
- Event participants and service user’s data protection statement: Explains what data we may collect of the people who participate in Sustrans events, either as individuals or within the context of our schools’ and workplaces’ challenges, and of those may benefit from our services such as personalised travel advice.
- Policy on data protection in the scope of research and monitoring: A short document that explains to (potential) Sustrans partners and to members of the public the steps that Sustrans’ Research and Monitoring Unit has taken to safeguard personal data that falls within the scope of our analysis, for instance anonymisation, data hashing, access controls and< retention policies.
- IT security policy: Sustrans’ rules on the use of IT tools, including hardware, email and network access, provided by Sustrans, the very limited ways own devices may be used for Sustrans purposes.
- Safeguarding policy and procedures on children and young people
- Whistleblowing policy
- Clear desk policy
- Policy on use of CCTV and traffic monitoring cameras
Responsibilities of staff and volunteers
29. Staff and volunteers are responsible for helping Sustrans keep their personal data up to date. Individuals should let the charity know if data provided to the charity changes, for example if an individual moves house or changes their bank details.
30. Staff and volunteers may have access to the personal data of other individuals in the course of their role at Sustrans Where this is the case, Sustrans will provide all appropriate guidance and tools but relies on individuals to help meet its data protection obligations.
31. Individuals who, due to their role at Sustrans, have (potential) access to personal data are required:
- To access only data that they have authority to access and only for authorised purposes.
- Not to disclose data except to individuals (whether inside or outside Sustrans) who have appropriate authorisation.
- To keep data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction).
- Not to remove personal data including on paper, or devices containing or that can be used to access personal data, from Sustrans’ premises without adopting appropriate security measures to secure the data and the device. By default all of Sustrans’ laptops and mobile data carriers are fully encrypted;
- Not to store personal data on local drives, unauthorised cloud services, private email accounts or personal devices and to immediately report possible data breaches of which they become aware to the Data Protection Officer.
32. Failure to observe these requirements may amount to a disciplinary offence, which in the case of staff will be dealt with under Sustrans’ disciplinary procedure. In the case of volunteers, this would be dealt with in line with the terms outlined in our volunteers’ handbook.
Significant or deliberate breaches of this policy, such as accessing employee or customer data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice and legal action.
33. All staff and all volunteers handling personal data receive training about data protection as part of the induction process and as required thereafter. Data protection training is documented as part of Sustrans’ record of processing activities.
34. Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive role-specific training to help them understand their responsibilities and enable them to provide adequate support within their team.
Review of this policy
35. This policy is effective as of 25 May 2018, it will be reviewed on an annual basis and whenever legislative or other developments warrant an earlier review. It is next scheduled for review on 30 April 2019.