This data protection policy is designed to ensure that the rights to privacy of individuals are protected.
BRITISH METALS RECYCLING ASSOCIATION [BMRA] is committed to the principles set out in the General Data Protection Regulation and has reviewed its personal data processing activities so as to carry on its business as a TRADE ASSOCIATION in compliance with the provisions of the Regulation.
Data protection lead: The name of the data protection lead is ROBERT FELL. The Data Protection Lead is responsible for: ensuring compliance with policies and procedures on data protection; providing staff training; conducting audits, risk assessments and data protection impact assessments; responding to requests from data subjects; and dealing with data breaches. He also handles queries and complaints from data subjects about the processing of their data, including from members of staff.
Data subject: An individual whose personal data is processed. BMRA processes personal data belonging to suppliers, customers, contractors, and employees.
Personal data: Any information from which a living individual can be identified, either directly or indirectly. It is not limited to names and identification numbers, or to photographs or addresses. The categories of personal data BMRA processes include:
- Banking details of members, suppliers and employees.
- Invoices and copy receipts, copy cheques and BACS payments receipts.
- Accounts, tax, VAT returns and related information.
- Names, addresses, personal email addresses and telephone numbers of members of staff.
- CVs, contracts of employment, references, appraisals and salaries of members of staff.
Special category data: This is information revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic and biometric data, health information and data in relation to a person’s sex or sexual orientation. The special category personal data BMRA holds includes:
- Trade Union membership.
Processing: Covers any activity involving personal data, including holding, storage and destruction. The Information Commissioner says it is difficult to imagine an activity involving personal data that does not fall within the definition. BMRA processes personal data during business transactions concerning the membership of a trade association, and when carrying out other functions necessary to its business.
Data processing: Data processing activities carried out by BMRA include: sending and receiving emails internally and externally; submitting invoices and filing them with receipts; uploading documents onto the cloud; using a customer relationship management system; holding staff details on hard copy/electronic personnel files; and archiving and destroying material.
Sharing of personal data: BMRA shares personal data internally, and externally only when necessary to achieve its business purposes. Unless expressly communicated, there is no transfer of data abroad. BMRA shares data with the following types of organisation:
- Membership benefit and support providers
- Website providers
- Cloud storage and/or IT support providers
- Accountants
- HMRC
- VAT Commissioner
Data controller: As controller, BMRA decides the why and the how of personal data processing. It decides why it needs to collect personal data and how to process it.
Data processor: Processes personal data in accordance with the written instructions of the data controller. The organisations with which BMRA may share personal data are processors.
Legitimising conditions: The processing of personal data is unlawful unless a legitimising condition, or lawful basis, applies. BMRA generally relies on the following legitimising conditions:
- Contract (with employees)
- Legislation
- Legitimate interest as a business.
When processing special category data, BMRA generally relies on one of the following additional legitimising conditions:
- Legal claims
- Explicit consent.
BMRA tries to avoid relying on the consent basis where possible; where it does rely on consent, it endeavours to ensure that consent has been freely given and confirms that a mechanism exists for it to be easily withdrawn.
Data protection principles: Where there is a lawful basis for processing personal data, BMRA makes sure it carries out its personal data processing activities in accordance with various conditions or principles contained in the GDPR.
Accountability: This principle is designed to ensure that data protection is embedded in an organisation at all levels of decision making and becomes fundamental to its culture. All staff have received training in BMRA’s policies and the Data Protection Lead ensures that they are followed.
Data protection by design: Data protection risks are evaluated and eradicated or reduced at the very earliest stage, whenever there is a significant change in processes or procedures that entails a risk to data subjects. Examples: a substantial upgrade to an IT system, or outsourcing such as engaging a new cloud provider. Data Protection Impact Assessments will be carried out by the Data Protection Lead in these circumstances.
Data protection by default - minimisation: In short, no more data will be collected, shared and stored than is strictly necessary. The retention periods for the personal data the company stores are appended to this policy.
Security: BMRA takes physical, organisational and technical measures to ensure that its personal data is secure. Hard copy as well as electronic data is processed in accordance with the company’s security policy. All members of staff must comply with BMRA’s security policy; failure to do so is a disciplinary offence that may result in dismissal.
Personal data breach: The Data Protection Lead is responsible for responding to personal data breaches. He will notify the Information Commissioner as necessary, and data subjects when the risk to them is high. Breaches that carry any risk to data subjects will be reported to the Information Commissioner’s Office (ICO) within 72 hours, together with a summary of the nature of the breach, the steps taken, and to be taken, to reduce the risk to data subjects, as well as the measures to prevent the breach from happening again.
All personal data breaches will be recorded, whether they are reportable to the ICO or not. A data breach policy is attached.
Rights of data subjects: Data subjects have eight rights, which include:
- Right of access to personal data by means of a subject access request.
- Right to rectification of inaccurate data.
- Right to erasure in some circumstances, otherwise known as the right to be forgotten.
- Right to object to processing.
BMRA will respond to requests from data subjects within one month. The procedure for responding to requests is appended to this policy.
Human Resources: Hard copy files will be stored securely while electronic files will be stored securely whether they are on a computer, server or in the cloud. Access to these files is restricted. Special category data will be further restricted using encryption.
Data Protection Risk Register: All personal data processing activities are recorded in the data protection risk register held by the Data Protection Lead. The risk register contains a copy of all audits, risk assessments and Data Protection Impact Assessments.
Enforcement and disciplinary action: Failure to comply with the General Data Protection Regulation is a criminal offence in many cases and can result in large fines. All staff are aware of this policy, receive training in data protection, and ensure that this policy is properly implemented. Any staff failure to comply with this and its associated policies is a disciplinary offence, which may lead to disciplinary action and dismissal.