The Green Party, a political party registered in England and Wales with the Electoral Commission (registration No. PP63)
Data Protection Policy in accordance with UK Data Protection Law
____________________________________________________________
1. Scope
The Green Party, hereafter referred to as ‘the organisation’, its Party Executive and its management team, with a registered address at PO Box 78066, London, SE16 9GQ, United Kingdom, are committed to being fully compliant with all applicable UK and EU data protection legislation in respect of personal data, and to safeguarding the “rights and freedoms” of persons whose information the organisation may process, pursuant to the EU General Data Protection Regulation (“EU GDPR”), the UK GDPR (the EU GDPR as retained in UK law and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019), the Data Protection Act 2018 and any other applicable legislation. All policies, procedures and staff guidance developed by the organisation are strictly followed to ensure that such processing is lawfully implemented, maintained and periodically reviewed and, where required, amended by an appropriately appointed and accountable person who reports to the executive team.
The organisation’s data protection policy framework shall take into consideration the following:
The organisation’s management responsibility, organisational structure, jurisdiction and geographical location, and how these affect the processing of personal data, whether such activities are controlled by a defined part of the organisation or by the organisation as a whole.
2. Objectives
The organisation’s objectives for this policy statement are as follows:
2.1 To enable the organisation to broadly meet its data protection obligations in relation to how personal information is managed.
2.2 To support and promote democratic engagement in accordance with Electoral Law.
2.3 To assist and support regional parties.
2.4 To demonstrate that the organisation is accountable for such processing in accordance with Article 5(2) of the GDPR.
2.5 To support the organisation’s aims and objectives and its legitimate interests.
2.6 To safeguard individuals whoever they may be, their families, and any other individuals should it be judged they may be at risk.
2.7 To set appropriate systems and controls according to the organisation’s technical and organisational security standards.
2.8 To ensure data protection is built into the design of new projects which include the processing of data, so that data privacy is evidenced by default.
2.9 To undertake regular risk analysis concerning the processing of data and to implement change in accordance with any findings.
2.10 To ensure that the organisation is compliant with all applicable obligations, whether statutory, regulatory, contractual, or professional.
2.11 To safeguard personnel and stakeholder interests.
3. Good practice
The organisation shall ensure compliance with data protection legislation and good practice by:
3.1 Processing personal information only when to do so is necessary for the purpose that has been identified.
3.2 Ensuring the principle of minimisation is followed and that the least possible amount of personal data is processed, and that personal data is never processed unduly.
3.3 Ensuring the principle of transparency is followed and that individuals are informed of how their personal data is or will be used, by whom and who it may be shared with.
3.4 Processing is adequate and compatible with the purpose for which it is collected.
3.5 Processing personal data is fair and proportionate.
3.6 Keeping a record of all categories of personal data processed.
3.7 Ensuring all personal data is kept accurate, up to date and rectifiable.
3.8 Retaining personal data no longer than required by statute or regulatory body, or for organisational purposes.
3.9 Giving effect to individuals’ right of access to data that may directly or indirectly identify them, and to all other individual rights pertaining to their personal data, subject only to applicable statutory exemptions.
3.10 Ensuring that all personal data is maintained securely in accordance with this policy, both technical and physical.
3.11 Transferring personal data outside of the EEA only where it is appropriate to do so and where safeguards are in place. Suitable safeguards may include EU Standard Contractual Clauses (SCCs). The organisation monitors the guidance of the regulator to ensure such transfers remain lawful.
3.12 Applying various statutory exemptions and exceptions, where appropriate, but only where suitable supporting policy allows.
3.13 Implementing a data protection activity/breach incident record, pursuant to this policy.
3.14 Identifying stakeholders, both internal and external, documenting their responsibilities and any purpose for processing and ensuring suitable agreements are in place.
3.15 Identifying personnel that are responsible and appointing an identifiable accountable person.
4. Notification
The organisation has registered with the Information Commissioner as a ‘data controller’ that engages in processing personal information of data subjects. The organisation has identified all of the personal data that it processes and a record of such is maintained.
The organisation’s data protection accountable person shall retain a copy of all notifications made by the organisation to the Information Commissioner’s Office (“ICO”) and the activity log shall be used as a record.
The activity log will be reviewed annually from October 2020. The accountable person shall be responsible for each annual review of the details of the notification, taking into account any changes to the organisation’s activities; such changes shall be recorded in the activity log and in the management review. Data protection impact assessments (DPIAs) shall be used to ascertain any additional relevant requirements.
This policy applies to all employees, including contractors and subcontractors, and to any other persons who are authorised to access data for which the organisation is the controller. For employees, breaches of this policy shall be dealt with according to the organisation’s disciplinary procedure. Contractors, subcontractors and other parties may be subject to appropriate legal action in accordance with the organisation’s processor or data sharing agreement. If there is a possibility that the breach could amount to a criminal offence, the matter shall be referred immediately to the relevant authorities.
All third parties that are separate legal entities working with or for the organisation, and which have or may have access to personal data, are required to read, understand and fully comply with this policy at all times. All such third parties are required to enter into a legally binding data processor or data sharing agreement. The data protection obligations imposed by these agreements shall be no more onerous than those with which the organisation itself has agreed to comply. The organisation shall at all times have the right to audit any personal data accessed by third parties pursuant to that agreement.
5. GDPR background
The purpose of the GDPR is to protect the “rights and freedoms” of living individuals and their personal data by ensuring that such data is never processed without a lawful basis, without the individual’s knowledge and, where consent is the basis relied upon, without their consent.
6. Definitions taken from the GDPR;
6.1 Child; the GDPR treats anyone under the age of 16 as a child for the purpose of consent to information society services, and the Data Protection Act 2018 lowers that age to 13 in the UK. Below that age, consent to such services is valid only where it is given or authorised by the holder of parental responsibility for the child; the availability of other lawful bases for processing is unaffected;
6.2 The data controller; may be a natural or legal person, whether a public authority, agency or other body which, individually or jointly with others, is in charge of ascertaining the purposes and means by which personal data shall be processed. Where data protection law predetermines the purposes and means of processing personal data, the data controller or, if appropriate, the specific criteria for selecting the data controller, may be provided for by such laws;
6.3 The accountable person; is the staff member of the organisation who oversees data protection at the organisation;
6.4 Data subject; refers to any living person who is the subject of personal data (see below for the definition of ‘personal data’) held by an organisation. A data subject is any person who can be identified, directly or indirectly, by reference to a name, an identification number, location data, an online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity;
6.5 Data subject explicit consent and consent; consent is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of their personal data. It may be given by a written or oral statement or by a clear affirmative action, provided the data subject has been informed of the purpose of the processing. Explicit consent (required, for example, for special category data) must be expressly confirmed in words and cannot be inferred from conduct;
6.6 Establishment; refers to the administrative head office of the ‘data controller’ in the EU, where the main decisions regarding the purpose of its data processing activities are made. ‘Data controllers’ based outside of the EU are required to appoint a representative within the jurisdiction in which they operate to act on its behalf and liaise with the relevant regulatory and supervisory authorities;
6.7 Filing system; refers to any personal data set which is accessible on the basis of certain benchmarks, or normal procedures and can be centralised, decentralised or dispersed across various locations;
6.8 Personal data; means any information relating to an identified or identifiable living individual (a data subject), whether the identification is direct or indirect;
6.9 Personal data breach; refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that is stored, transmitted or otherwise processed. The ‘data controller’ must report a personal data breach to the relevant regulatory authority (in the UK, the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Where the breach is likely to result in a high risk to those individuals, the controller must also communicate it to the affected data subjects without undue delay. The decision taken in each case, and the reasons for it, shall be recorded in the breach incident record;
6.10 Processing; refers to any action taken in relation to personal data including, but not limited to, collection, adaptation, alteration, recording, storage, retrieval, consultation, use, disclosure, dissemination, combination or deletion, whether by automated means or otherwise;
6.11 Profiling; refers to any form of personal data processing that is automated, with the intention of assessing personal aspects of a data subject or analysing a data subject’s employment performance, economic status, whereabouts, health, personal preferences and behaviour. The data subject has a right to object to profiling and a right to be informed of the fact that profiling is taking place, as well as the intended outcome(s) of the profiling;
6.12 Special categories of personal data; referring to personal data covering such matters as racial or ethnic origin, beliefs – whether religious, political or philosophical – membership of a trade-union and data relating to genetics, biometric identification, health, sexual orientation and sex life;
6.13 Territorial scope; the GDPR applies to all EU based ‘data controllers’ who engage in the processing of data subjects’ personal data as well as to ‘data controllers’ located outside of the EU that process data subjects’ personal data so as to provide goods and services, or to monitor EU based data subject behaviour;
6.14 Third party; is a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and those persons who, under the direct authority of the controller or processor, are authorised to process personal data. A third party may itself be a data controller, processing data in accordance with its own policies.
7. Responsibilities under the GDPR
The organisation is a Data Controller pursuant to section 1, Article 24(1) of the GDPR. If the organisation is a joint controller of data and determines the purpose for processing jointly with another organisation, it does so in accordance with article 26(1-3) of the GDPR.
Appointed employees of the organisation with managerial or supervisory responsibilities are responsible for ensuring that good personal data handling practices are developed, reviewed and encouraged within the organisation in accordance with their individual job descriptions. Among other ways to develop awareness of such responsibilities, the organisation regularly delivers data protection awareness training to its management team.
The appointment of a Data Protection Officer
The organisation has assessed the need for a Data Protection Officer and has accordingly appointed such a representative. The duties of the DPO are in accordance with the GDPR section 4 Art. 37, 38 and 39.
Generally, it is expected that all individuals as well as staff that work at the organisation are personally responsible for ensuring that all personal data they have provided or has been provided about them to the organisation is accurate and up to date.
Risk Assessment
It is vital that the organisation is aware of all risks associated with personal data processing. This may be evidenced by conducting risk assessments. The organisation may also conduct assessments of the personal data processing undertaken by other organisations where those organisations act as data processors and process data on behalf of the organisation.
Where personal data processing is carried out using new technologies, or where a high risk to the “rights and freedoms” of natural persons is identified, the organisation is required to assess the potential impact by means of a Data Protection Impact Assessment (“DPIA”); more than one risk may be addressed in a single assessment. The organisation has developed and agreed a procedure for completing a DPIA, which is always followed where there is a need to measure risk. The procedure is completed by the accountable person and, if necessary, the opinion of a professional GDPR practitioner is taken into account.
In addition, if the outcome of a DPIA points to a higher risk than the organisation intended, such that the processing could cause distress or damage to data subjects, the matter shall be escalated to the accountable person, who decides whether the organisation ought to proceed. Where significant concerns remain that cannot be mitigated, the accountable person may consult the regulatory authority before the processing begins, in accordance with the GDPR’s prior consultation provisions.
It is the role of the accountable person to ensure that appropriate controls are in place to ensure that the risk level associated with personal data processing is kept to an acceptable level, as per the requirements of the GDPR and the organisation’s data protection policy.
The organisation takes a cautious approach to risk. The organisation aims to reduce the risks associated with processing personal data as far as possible by following a clear set of policies and procedures, providing training to all staff, and carefully assessing the privacy impact of any new activity.
8. Principles of data protection
The principles of personal data processing are as follows:
8.1 All personal data must be processed lawfully, fairly and with transparency in mind at all times and in accordance with the organisation’s policies.
8.2 Policies and notices made available to data subjects and published in the public domain must also be clear, drafted using clear and plain language and written in such a way that everyone may understand the content and therefore intended purpose for processing.
8.3 The data subject must be provided with the following information in accordance with article 13 and 14 of the GDPR:
8.3a Controller; the identity and contact details of the data controller and any of its representatives, if appropriate;
8.3b Purpose; the purpose or purposes and legal basis of processing;
8.3c Storage period; the length of time for which the data shall be retained;
8.3d Rights; confirmation of the existence of the following rights;
8.3.d.i Right to request access, please refer to section 28 of this policy for details of information that may or may not be revealed;
8.3.d.ii Right of rectification;
8.3.d.iii Right of erasure;
8.3.d.iv Right to raise an objection to the processing of the personal data;
8.3.d.v Right to restriction of processing;
8.3.d.vi Right to know if automated decisions are made concerning the processing outcome;
8.3.d.vii Right to be informed about the processing of data;
8.3.d.viii Right of portability, the right to have data transferred to another organisation.
8.3.e Categories; each of the categories of personal data to be processed;
8.3.f Recipient; the recipients and/or categories of recipients of personal data, if applicable;
8.3.g Location; if the controller intends to make a transfer of personal data to a third country* or where consideration may be required concerning the UK’s adequacy, the level of data protection necessary and safeguards required by the laws will be provided; and
8.3.h Further information; any further information required by the data subject will be provided in the most convenient way in order to ensure that the processing is fair and lawful. Where personal data is shared with the organisation by another party that gathered it as the main controller, the organisation, acting as a secondary controller, will initially process that data on the lawful basis under which it was shared or originally processed; where that basis was consent, the organisation will in particular comply with UK GDPR Art. 14 (information to be provided where personal data is not obtained directly from the data subject). Subsequent processing may rely on an alternative condition under UK GDPR Art. 6, provided the purpose remains compatible with the original one (see 8.4).
*A third country is any country that has not received an ‘adequacy’ decision from the EU Commission (or, for transfers from the UK, adequacy regulations made by the UK). Adequacy enables the free flow of personal data across borders without special safeguards. Adequate countries include the EU and EEA member states (including Norway, Iceland and Liechtenstein) as well as, among others, Switzerland, Japan and, for commercial organisations, Canada.
8.4 Personal data may only be collected for specified, explicit and legitimate reasons. When personal data is obtained for specific purposes, it must only be used in relation to that purpose and cannot be processed further unless those purposes are compatible.
8.5 Personal data must be adequate, relevant and restricted to only what is required for processing; to this end the organisation shall:
8.5.a Ensure that personal data which is superfluous and not necessarily required for the purpose(s) for which it is obtained, is not collected;
8.5.b Approve all data collection forms, whether in hard-copy or electronic format;
8.5.c Carry out an annual review of all methods of data collection, checking that they are still appropriate, relevant and not excessive; and
8.5.d Securely delete, destroy or anonymise any personal data that it is no longer necessary to process in accordance with the organisation’s technical and organisational standards.
8.6 Personal data must be accurate and up to date:
8.6.a Data should not be kept unless it is reasonable to assume its accuracy, and data that is kept for long periods of time must be examined and amended, if necessary;
8.6.b All staff must receive training on privacy and data protection. It is the responsibility of the accountable person to ensure that all those who process data for which the organisation is the controller understand the importance of collecting and maintaining accurate personal data;
8.6.c Individuals are personally responsible for ensuring that the personal data held by the organisation is accurate and up to date. The organisation will assume that information submitted by individuals via data collection forms is accurate at the date of submission;
8.6.d All employees of the organisation are required to update the organisation as soon as reasonably possible of any changes to personal information, to ensure records are up to date at all times;
8.6.e The Data Controller may from time to time, assess the accuracy of the data it processes;
8.6.f The accountable person shall, on an annual basis, carry out a review of all personal data controlled by the organisation and decide whether any data is no longer required to be held and where required arrange for that data to be deleted or destroyed in accordance with the GDPR.
8.6.g The accountable person shall also ensure that where inaccurate or out-of-date personal data has been passed on to third parties, that the third parties are duly informed and instructed not to use the incorrect or out-of-date information as a means for making decisions about the data subject involved. The accountable person shall also provide an update to the third party, correcting any inaccuracies in the personal data.
9. Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing. The following principles apply:
9.a Where personal data is kept beyond the retention period detailed in the Records of Processing Activities (RoPAs) there must be either a justified purpose, which is detailed in the RoPAs, or the data must be anonymised;
9.b Personal data must be retained according to the RoPAs and must be destroyed or deleted in accordance with the data retention period, in a secure manner and within a reasonable timeframe; and
9.c Should any personal data be required to be retained beyond the retention period set out in the Data Retention Policy, this may only be done with the express written approval of the accountable person, which must be in line with data protection requirements.
9.1 The processing of personal data must always be carried out in a secure manner;
9.2 Personal data should not be processed in an unauthorised or unlawful manner, nor should it be accidentally lost or destroyed at any time and the organisation shall implement robust technical and organisational measures to ensure the safeguarding of personal data.
10. Security controls
Security controls are necessary to ensure that the risks to personal data identified by the organisation are mitigated as far as possible, reducing the potential for damage or distress to the data subjects whose personal data is being processed. These controls are subject to regular audit and review.
Personal data shall not be transferred to a country outside of the EEA unless the country provides appropriate protection of the data subject’s ‘rights and freedoms’ in relation to the processing of personal data.
11. Adequacy of transfer
Personal data shall not be transferred to a country outside of the EEA unless one or more of the safeguards or exemptions listed below applies. Where such a transfer does take place, suitable contractual safeguards are implemented.
Safeguards
11.1 Assessing the adequacy of the transfer, by reference of the following:
11.1.a The nature of the personal data intended to be transferred, such as special category data;
11.1.b The country of origin and country of intended destination, where there isn’t adequacy;
11.1.c The nature and duration of the personal data use;
11.1.d The legislative framework, codes of practice and international obligations of the data subject’s country of residence; and
11.1.e (UK only) the security measures to be implemented in the country of intended destination in relation to the personal data.
11.2 Binding corporate rules
The organisation may rely on binding corporate rules for transfers of personal data outside of the EU, but only once those rules have been approved by the relevant regulatory body.
11.3 Standard contractual clauses
The organisation may rely on standard contractual clauses approved by the relevant regulatory body for transfers of personal data outside of the EU; such clauses constitute an appropriate safeguard for the transfer without further specific authorisation from the regulator.
11.4 Exceptions and exemptions to data protection law
In the absence of an adequacy decision or appropriate safeguards (including binding corporate rules and standard contractual clauses), no transfer of personal data to a third country may take place unless one of the following preconditions is satisfied:
11.4.a Explicit consent has been provided by a fully informed data subject, who has been made aware of the possible risks of the transfer arising from the absence of an adequacy decision and of appropriate safeguards;
11.4.b The personal data transfer is necessary for the performance of a contract between the data controller and the data subject, or for the implementation of pre-contractual measures taken at the data subject’s request;
11.4.c The personal data transfer is necessary for the conclusion or performance of a contract between the data controller and another person, whether natural or legal, concluded in the interest of the data subject;
11.4.d The personal data transfer is necessary for important reasons of public interest or for a public task;
11.4.e The personal data transfer is necessary for the establishment, exercise or defence of legal claims;
11.4.f The data subject is physically or legally incapable of giving consent, and the personal data transfer is necessary to protect the vital interests of the data subject or of other persons;
11.4.g The personal data transfer is made from a register which, under data protection law, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the legal conditions for consultation are fulfilled.
12. Accountability
According to the GDPR accountability principle under Article 5 (2), the data controller is responsible both for ensuring overall compliance with the GDPR and for demonstrating that each of its processes is compliant with the GDPR requirements. To this extent data controllers are required to:
12.1 Maintain all relevant documentation regarding its processes and operations;
12.2 Appoint an accountable person;
12.3 Ensure the organisation is registered with the ICO as a controller, where applicable;
12.4 Implement proportionate security measures;
12.5 Train its staff in data protection awareness;
12.6 Ensure it has, and continues to have, up to date data processor and data sharing agreements in place;
12.7 Carry out Data Protection Impact Assessments (“DPIAs”) and implement the outcome;
12.8 Comply with prior consultation requirements where a DPIA indicates a high residual risk;
12.9 Seek the approval of relevant regulatory bodies; and
12.10 Appoint a DPO;
12.11 Seek the opinion of a professional data protection practitioner if deemed necessary;
12.12 Publish the mandatory Privacy Promise in the public domain.
13. The rights of data subjects
Data subjects enjoy the following rights in relation to personal data that is processed and recorded:
13.1 The right to make access requests in respect of personal data that is held and disclosed;
13.2 The right to refuse personal data processing, when to do so is likely to result in damage or distress;
13.3 The right to refuse personal data processing, when it is for direct marketing purposes;
13.4 The right to be informed about the functioning of any decision-making processes that are automated which are likely to have a significant effect on the data subject;
13.5 The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on the data subject;
13.6 The right to compensation for material or non-material damage suffered as a result of a breach of the provisions of the GDPR;
13.7 The right to take appropriate action in respect of the following: the rectification, blocking and erasure of personal data, as well as the destruction of any inaccurate personal data;
13.8 The right to request that the ICO carry out an assessment as to whether any of the provisions of the GDPR have been breached;
13.9 The right to be provided with personal data in a format that is structured, commonly used and machine-readable;
13.10 The right to request that his or her personal data is sent to another data controller; and
13.11 The right to object to profiling, including an absolute right to object to profiling for direct marketing purposes.
14. Data access requests
Subject Access Request staff guidelines set out the procedure for making data access requests and outline how the organisation will comply with the requirements of the GDPR regarding this.
15. Complaints
All complaints about the organisation’s processing of personal data may be lodged by a data subject directly with the Data Controller by providing details of the complaint. The data subject must be provided with a copy of this data protection policy statement.
Complaints may also be made by a data subject directly to the relevant regulatory body and the organisation will provide the relevant contact details.
Complaints about how a complaint has been handled, and any appeals following the submission of a complaint, shall also be dealt with by the Data Controller; the data subject should raise these by submitting a further complaint.
16. Explicit Consent and other conditions for processing data.
Explicit Consent to the processing of personal data by the data subject must be:
16.1 Freely given and should never be given under duress, when the data subject is in an unfit state of mind or provided on the basis of misleading or false information;
16.2 Explicit;
16.3 Specific;
16.4 A clear and unambiguous indication of the wishes of the data subject;
16.5 Informed;
16.6 Provided either in a statement or by unambiguous affirmative action;
16.7 Demonstrated by active communication between the data controller and the data subject and must not be inferred or implied by omission or a lack of response;
16.8 In relation to sensitive data, consent should be obtained in writing; if given verbally it must be recorded and acknowledged in writing, unless there is an alternative legitimate basis for the processing of the personal data.
The organisation may collect Consent when attendees of conferences, supporters and members and other individuals use its website to engage with the organisation. The privacy notice on our website clearly explains the reason and purpose for collecting the data, the Legitimate Interest of the organisation, the name of the data protection lead, details of its data retention policy, information about International transfers, ways to withdraw consent and details of how to complain about the organisation to the ICO. Consent is always collected specifically for the purpose the data will be processed.
17. Consent – When a supporter or other individual grants informed consent
In accordance with the GDPR and, for electronic marketing, the PECR, consent is valid only where the individual indicates it by an affirmative action. Consent may be used in certain circumstances to promote the aims and objectives of the organisation, to deal with contractual arrangements, or to answer a request for information about the party.
Consent is not indefinite, and the organisation always ensures that the individual is informed of their right to withdraw consent whenever they wish.
18. Legitimate Interest as a condition for processing data
The organisation’s aim is to create a just, equitable and sustainable society. We focus our efforts primarily through the electoral system.
To do this we carry out a range of marketing and fundraising activities, including direct appeals, promotion of events, and recruitment of members and regular givers. This is our legitimate interest as an organisation and means we will from time to time use this as a condition to process the data of our supporters, members and any other individual.
When we use our Legitimate Interest as a condition for processing data, we always consider the potential impact on any data subjects we may communicate with. The three-stage process we use to test this is;
18.1 We assess whether the data subject might reasonably expect us to process their data. For example, if we have had a previous engagement with, or sent a previous communication to, the data subject, we believe this might in many cases mean they would expect us to process their data unless they told us not to in the past. This assumes that they did not opt out of future communications or object to our marketing or fundraising efforts. However, we also believe that there are occasions other than this where data subjects might understand we would legitimately process their data using this condition.
18.2 We look carefully to understand whether our Legitimate Interest might impact adversely on the data subject. For example, if a data subject was a person at risk or in a vulnerable circumstance, we would not process their data for marketing purposes. However, we would process their data to provide important information they may require about our services. We have a procedure for ensuring data subjects such as these are suppressed on our database or forgotten where necessary.
18.3 Thirdly, we carefully consider whether any safeguards should be in place to protect data subjects against harm when we process their data. We do this by completing a Legitimate Interest balancing test. The test measures whether the interests of the organisation outweigh the rights of the data subjects concerned. The outcome of such a test is documented in the activity log.
18.4 Legitimate Interest as a condition for processing will not be adequate for processing special categories of data. Therefore, in addition to Legitimate Interest as a condition for processing regular data, the organisation may rely on Art.9(j) in order to process such data where processing is necessary for the purposes of statistical research in the public interest.
19. Public Task or processing data in the public interest
Where Electoral law (Representation of the People (England and Wales) Regulations 2001 (SI 2001/341) regulations 103-106 and Schedule 3 of the Representation of the People (England and Wales) (Description of Electoral Registers and Amendment) Regulations 2013 (2013/3198) and equivalent devolved legislation) may be relied upon, data may be processed for a clear common task or function, such as processing data contained in the Electoral Register.
20. Special Category data
Special Category Data is defined under the GDPR as data revealing:
- Racial or Ethnic Origin;
- Political Opinions;
- Religious or Philosophical beliefs;
- Trade-union membership;
- Genetic data;
- Biometric data;
- Data concerning health; or
- A natural person’s sex life or sexual orientation
Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the data subject’s rights and freedoms.
The organisation will apply additional protection when processing such highly sensitive data and apply appropriate safeguards. The organisation will provide a layered approach to its security measures and should only keep Special Category Data for as long as necessary for the purpose of processing.
Where Special Category Data is processed because the individual is at risk and explicit consent cannot be gathered, the controller is not expected to gather consent, for instance where gathering consent might prejudice the purpose of the processing. This processing may require an Appropriate Policy Document (APD) to be in place under the Data Protection Act 2018 Schedule 1 Parts 1 & 2. An ‘APD’ will be produced separately for each Exemption and used where the existing policy framework is considered inappropriate. Any such policy will be kept for a minimum of 6 months after the processing has ceased and will be made available to the Supervisory Authority free of charge upon demand.
It is acknowledged that the organisation may be exempt from its obligations to special category data when specifically processing data that may identify a political opinion.
22. Data security
All employees of the organisation are personally responsible for keeping secure any personal data held by the organisation for which they are responsible. Under no circumstances may any personal data be disclosed to any third party unless the organisation has provided express authorisation and has entered into a confidentiality agreement, a data processor agreement or a data sharing agreement with the third party. The Data Controller is responsible for this activity. Some analytical information is collected when an individual visits our website, in accordance with our cookie policy and with the visitor’s consent.
23. Accessing and storing personal data
Access to personal data shall only be granted to those who have a good business reason to access it and only in accordance with the organisation’s policy. Because of the nature of the work undertaken by the organisation and the size of the team, all staff members have access to data for which the organisation is a data controller. This is reviewed regularly.
All personal data processed must be stored:
23.1 In a locked room, the access to which is controlled; and/or
23.2 In a locked cabinet, drawer or locker; and/or
23.3 (In both of the above-mentioned areas paper-based files must be protected from destruction by both water damage and fire)
23.4 If in electronic format and stored on a computer, security measures should be in accordance with the organisation’s IT requirements; and/or
23.5 If in electronic format and stored on removable media, it will be password protected.
Before being granted access to any organisational data, all staff of the organisation must be provided with a copy of this policy, have read it and have acknowledged that they understand the data protection policy statement.
Computer screens and terminals must not be visible to anyone other than staff of the organisation with the requisite authorisation.
No manual records may be accessed by unauthorised employees of the organisation and may not be removed from the business premises in the absence of explicit written authorisation of the accountable person. Manual records must be removed to secured archiving when access is no longer needed on a day-to-day basis.
All deletion of personal data must be carried out in accordance with the organisation’s retention requirements. Manual records which have passed their retention date must be shredded and disposed of securely. Any removable or portable computer media, such as hard drives or USB sticks, must be destroyed in accordance with this policy.
24. Data access rights
Data subjects have the right to access all personal data in relation to them held by the organisation, whether as manual records or in electronic format. Data subjects therefore may at any time request to have sight of confidential personal references held by the organisation as well as any personal data received by the organisation from third parties. To do so, a data subject must submit a Subject Access Request (guidelines for processing this request are circulated to all staff at the organisation).
25. Unauthorised disclosure of data
The organisation must take appropriate steps to ensure that no personal data is disclosed to unauthorised third parties. This includes friends and family members of the data subject and governmental bodies. All employees of the organisation are required to attend specific training in order to learn how to exercise due caution when requested to disclose personal data to a third party.
Disclosure is permitted by the GDPR without the consent of the data subject under certain circumstances, namely:
25.1 In the interests of safeguarding national security;
25.2 In the interests of crime prevention and detection which includes the apprehension and prosecution of offenders;
25.3 In the interests of assessing or collecting a tax duty;
25.4 In the interests of discharging various regulatory functions, including health and safety;
25.5 In the interests of preventing serious harm or where a data subject may be at risk; and
25.6 In the interests of protecting the vital interests of the data subject, i.e. only in life and death circumstances.
The accountable person is responsible for handling all requests for the provision of data for these reasons and authorisation by the accountable person shall only be granted with the support of appropriate policy documentation.
26. Data retention and disposal
The organisation will not retain personal data for longer than is necessary. All types of data processed have been documented in the Records of Processing Activities (RoPAs) in accordance with article 30(1)(a-g) of the GDPR. The organisation recognises the difference between certain types of data subject for which it may be processing identifiable personal information, for example data necessary to employ staff. It equally recognises that some categories of data are more sensitive and potentially more intrusive than others. Therefore, the organisation may retain some categories of data longer than others.
Personal data must be deleted and purged from storage arrangements in accordance with the organisation’s stated data retention requirements. Storage devices used to process such information may be dealt with in accordance with section 27 of this policy.
27. Use of personal devices to process the data for which the organisation is the controller
27.1 If you use your own device for work, it is important to ensure that it and the information it contains are appropriately protected;
27.2 Set and use a strong passcode to access your device. Do not share the passcode with anyone;
27.3 Set your device to lock automatically when the device is inactive for more than a few minutes;
27.4 Take appropriate physical security measures. Ensure your device is asleep or closed when unattended;
27.5 Keep your software up to date; download any patches as quickly as is feasible;
27.6 Make arrangements to back up your documents on a separate drive or in a cloud;
27.7 Wherever possible keep copies of work documents on the organisation’s server. Never save the data on your personal device;
27.8 If other members of your household use your device, ensure they cannot access any business-related information, for example, with an additional account passcode. (Our preference is for you not to share the device with others.);
27.9 Organise and regularly review the information on your device. Delete copies from your device when no longer needed;
27.10 When you stop using your device (for example because you have replaced it) and when you leave your employment, securely delete all business-related information from your device;
27.11 Encrypt the device (to prevent access even if someone extracts the storage chips or disks and houses them in another device);
27.12 Report any data breaches to your line manager or the accountable person;
27.13 Configure your device to maximise its security. For example, each new technology brings new enhanced security features. Take time to study and discover how to use these and decide which of them are relevant to you. Seek help from your IT support team if necessary;
27.14 Control your device’s connections by disabling automatic connection to open, unsecured Wi-Fi networks and make risk-conscious decisions before connecting;
27.15 Disable services such as Bluetooth and wireless if you are not using them;
27.16 Do not use removable storage devices to save or transport personal data unless the devices are encrypted.
28. Managing the disposal of electronic devices
28.1 Hard disks must be formatted and cleaned of all data and software before being reused or disposed of;
28.2 The secure disposal of electronic devices and storage media is the responsibility of the accountable person;
28.3 The accountable person shall keep a log demonstrating what media has been sanitized, destroyed or disposed of, where, when and by whom;
28.4 Hard disks must be cleaned and verified as such;
28.5 If hard disks are cleaned and guaranteed by an external third party, then the details of the external service provider must be recorded;
28.6 Removable storage media devices that contain confidential information may be destroyed using the in-house procedure;
28.7 If repair is required, removable storage media devices that contain confidential information must be sent to an approved provider;
28.8 There is an internal protocol for destroying removable storage media devices prior to disposal which is overseen by the accountable person;
28.9 Paper based documents that contain confidential and restricted information should be shredded by the owners prior to being destroyed. The shredder is located at the main office of the organisation. Staff working remotely should bring documents into the organisation’s office for shredding.
29. Data breach policy and procedure – unauthorised access or loss of control of personal data
A breach of data protection law will have occurred if data is accessed by an unauthorised party or where the controller has lost control of the data. However, not all such breaches will be reported to the supervisory authority. The decision to report such a breach will be made solely by the data controller. Factors that may determine whether a breach is reportable include:
29.1 Sensitivity of the categories of data. For example, data identifying a health condition;
29.2 Quantity of data concerned;
29.3 Whether there is a potential for a high risk of harm to the data subjects concerned;
Mitigating factors that may be taken into account when not reporting a breach:
29.4 The data is retrievable;
29.5 Evidence that data has been contained and that those who may have access will not process the data in such a way as to cause harm or distress to the data subjects concerned;
When a data breach must be reported, the following procedure will be adopted:
29.6 The accountable person will make the report;
29.7 The report will be made using the ICO’s website and in writing;
29.8 The case number supplied by the ICO will be recorded in the activity log;
29.9 Where appropriate, the data subjects will be informed; this will not occur should doing so cause more distress or harm than the incident itself. The data controller will make this decision;
29.10 Make available any documents or records that the ICO requires to pursue their enquiries;
29.11 Cooperate and assist the ICO;
29.12 Record any guidance the ICO gives in accordance with the breach;
29.13 Undertake risk assessments where required;
29.14 Keep records of the incident;
29.15 Train staff where required in order to ensure the breach doesn’t happen again.
30. Cookie Policy
30.1 What is a cookie?
A cookie is a small amount of data, which often includes a unique identifier, that is sent to and stored on an individual’s device when they browse a website. The organisation only uses certain types of cookie which it believes are less intrusive.
What do we use cookies for?
30.2 Session cookies
The term ‘session’ refers to when an individual may visit our website, including all the pages visited and actions taken. A cookie is set for each session identifying the IP address of the visitor including movement from page to page.
30.3 Usage statistics
The organisation uses Google Analytics to track how visitors are using its website, which includes measuring how many visitors use the site, the number of pages visited, actions taken and how people arrived on the website. Google Analytics sets cookies to associate multiple page visits with the same visitor. This information is important to the organisation in understanding its audience better and making improvements to its website content in the future. Information such as this is only used for this purpose and only kept for as long as is necessary.
30.4 Advertising effectiveness
Google and Facebook provide code to track and measure the effectiveness of our campaigns. This code sets cookies which assist the organisation to target advertising based on visiting particular pages or completing particular actions. For example, we may use Google Tag Manager to track behaviour based on who is clicking a link embedded in an email or a social media post, for example to register for an event. We may also track users’ navigation of our website and their reactions to some pages to optimise our effectiveness. The organisation bases the use of cookies on consent and provides clear opt-out facilities via Google’s Ads Settings and Facebook’s Your Information pages. Individuals can also visit Your Online Choices and switch off behavioural advertising from a large number of third parties.
30.5 Embedded media
On occasion the organisation may embed videos and other media from sites such as YouTube. These sites set cookies to track viewing and preferences.
30.6 Managing cookies
It is possible to delete individual cookies or block cookies altogether via the browser settings, over which we have no control and for which we take no responsibility.
31. Staff training
Staff awareness of the need to protect data is critical to compliance with the law. Therefore, all staff that process personal information are trained in relevant aspects of data processing and security. The training occurs no less than annually and is delivered by a trusted source. Should a data protection policy vulnerability be identified, further training may be required in accordance with section 29.15 of this policy.
32. Subject access policy
The data subject has the right to access information that may identify them, directly or indirectly. The controller requires the scope of the request to be defined, or the request may be deemed disproportionate in the effort required to fulfil it. There are a number of exemptions to the law which allow the controller to withhold some types of data. The organisation will use the exemptions where they may be applicable.
The organisation will abide by the law and accordingly:
32.1 Where it might be necessary, request scope and direction for the request from the data subject;
32.2 Follow the organisation’s Subject Access Request standard procedure;
32.3 Keep the data subject informed of progress;
32.4 Complete the request in one month;
32.5 Not charge for the request unless it is necessary and in accordance with the law;
32.6 Be reasonable and fair;
32.7 Use any exemptions or exceptions to the law only where appropriate, and if so, the processing may be supported by an appropriate policy document.
33. Document owner
The accountable person is the owner of this policy document and must ensure that it is periodically reviewed according to the review requirements contained herein.
The latest version of this policy document dated December 2020 is available to all employees and officers of the organisation.
This policy document was approved by the organisation’s management and is issued on a version-controlled basis.
Data Protection Officer: Stewart Christie, Head of Digital
Contact: dataprotection@greenparty.org.uk
Last updated March 4th, 2025.