500 miles needs to keep certain information about you to carry out its day to day operations, to meet its objectives and to comply with legal obligations. The organisation is committed to ensuring any personal data will be dealt with in line with the Data Protection Act (DPA).
We take security and use of your data very seriously. We never sell or share our data with any third parties. 500 miles will ensure that personal data will:
- Be obtained fairly and lawfully and shall not be processed unless certain conditions are met
- Be obtained for a specific and lawful purpose
- Be adequate, relevant but not excessive
- Be accurate and kept up to date
- Not be held longer than necessary
- Be processed in accordance with the rights of data subjects
- Be subject to appropriate security measures
- Not to be transferred outside the European Economic Area (EEA)
The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper based personal data as well as that kept on computer.
500 miles seeks to abide by the Personal Data Guardianship Code in relation to all the personal data it processes. The five key principles of the Code are:
- Accountability: those handling personal data followpubliciseddata principles to help gain public trust and safeguard personal data.
- Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.
- Consent: The collection and use of personal data must be fair and lawful and in accordance with the DPA’s eight data protection principles. Personal data should only be used for the purposes agreed by the data subject. If personal data is to be shared with a third party or used for another purpose, the data subject’s consent should be explicitly obtained.
- Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data.
- Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span.
To meet its responsibilities, 500 miles will ensure:
- Any personal data is collected in a fair and lawful way;
- An explanation is given as to why it is needed at the start;
- That only the minimum amount of information needed is collected and used;
- The information used is up to date and accurate;
- There is a positive opt in or we have good reason to believe people whose data we keep have a legitimate interest in 500 miles and provide easy ability for people to unsubscribe
- It is kept safely;
- The rights people have in relation to their personal data can be exercised;
- Everyone managing and handling personal information is trained to do so;
- Anyone wanting to make enquiries about handling personal information, whether a Trustee or volunteer knows what to do if asked;
- Any disclosure of personal data will be in line with our procedures;
- Queries about handling personal information will be dealt with swiftly and politely
Before personal information is collected, 500 miles will:
- Consider the details that are necessary for keeping people informed of our work, thanking them for our support and inviting them to get involved in activities (name, address, email and phone);
- Consider the legal period of time for holding such data until we ask again for permission;
- Inform people why the information is being gathered, what the information will be used for and confirm that their personal data is never given to a third party
500 miles will take the following measures to ensure that personal information kept is accurate:
- Ask people to check their details
- Ask people to let us know if their details change
- On any non-specific communication, check that people want to continue to receive information from us
Anyone whose personal information we process has the right to know:
- What information we hold and process on them
- How to gain access to this information
- How to keep it up to date
- What we are doing to comply with the DPA.
They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.
Individuals have a right under the DPA to access personal data being kept about them on computer and certain files. Any person wishing to exercise this right should apply in writing to the Data Controller – Olivia Giles, Executive Officer, 3a Abbotsford Crescent, Edinburgh. The following information will be required before access is granted:
- Full name and contact details of the person making the request
- Their relationship with the organisation
- Any other relevant information e.g. timescales involved