SCL Data Protection Policy

Policy Statement

The Smart Communities Limited (SCL) is a Company Limited by Guarantee, No. 11480430 and VAT Registered No.311926619, created in 2018 as a subsidiary of Community Council of Somerset (CCS) is a Charitable Company Limited by Guarantee, No. 3541219 and a Registered Charity No.1069260, established in 1926.

SCL is a trading arm of CCS, as a subsidiary sharing, staff, resources, office, I.T services and office space All data captured is captured by SCL as the Data Controller and CCS as the Data Processor using all physical resources.

In the process of undertaking our day to day work, SCL regularly has the need to collect and use information about people with whom we work – members, employees (current, past and prospective), Trustees, clients, consultants and suppliers. This personal information must be handled and dealt with properly, regardless of how it is collected, recorded and used, and whether it is in paper form, in computer records, memory stick, mobile phone, laptop, iPad or recorded by any other means.

Smart Communities Ltd (SCL) regards the lawful and correct treatment of personal information as imperative to our successful operation and to maintain confidence between us and those with whom we carry out business. We will ensure that we treat personal information lawfully and correctly.

The consequences of breaching Data Protection can cause harm or distress to service users if their information is released to inappropriate people or they could be denied a service to which they are entitled. Trustees, staff and volunteers should be aware that they can be personally liable if they use applicants’ personal data inappropriately. This policy is designed to minimise the risks and to ensure that the reputation of the charity is not damaged through inappropriate or unauthorised access and sharing.

To this end, we fully ee and adhere to the Principles of Data Protection as set out in the Data Protection Act 1998 and General Data Protection Regulation 2018.

1. Introduction to Data Protection and GDPR

Under the Data Protection Act and General Data Protection Regulation SCL will be:
Data Controller for its own business needs and employee and client details. SCL uses the trading arm subsidiary relationship with CSS to process data. CCS is the Data Processor for and on behalf of the clients that we have agreements and contracts with.

Information Commissioner’s Office registration
CCS registered with the Information Commissioners Office on 17 September 2012, registration No: Z3356691. The Data Protection Act 1998 requires every data controller who is processing personal data, to notify and renew their notification, on an annual basis. Failure to do so is a criminal offence.

Data privacy principles
SCL fully endorse and adhere to the data privacy principles. Personal data shall be:
1. processed lawfully, fairly and in a transparent manner in relation to the data subject;
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. accurate and, where necessary, kept up to date – inaccurate data to be erased or rectified without delay;
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; and
6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss or destruction.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
The data controller shall also be responsible for, and be able to demonstrate, compliance with the principles.

What is personal data?
Under the EU’s General Data Protection Regulation: Personal Data is defined as “any information relating to an identified or identifiable natural person (‘data subject’; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identify of that natural person”).

Certain data is classified under the Regulation as “special categories”:

• Racial
• Ethnic
• Political opinions
• Religious beliefs
• Trade‐union membership
• Genetic data
• Biometric data
• Health data
• Data concerning a natural person’s sex life
• Sexual orientation

Individual’s rights
GDPR sets out the rights of data subjects; the right to be informed, right of access, right to rectification, right of erasure, right to restrict processing, right to data portability, right to object, and the right not to be subject to automated decision-making.

Any living individual has the right to make a Data Subject Access Request. The individual must confirm their identity and complete a Data Subject Access Request form and submit to SCL. A copy of this form is available by contacting SCL using the main address or by emailing

2. Handling of personal/sensitive information
We will, through appropriate management and the use of strict criteria and controls comply with the principles of data privacy by:
• fully observing obligations regarding the fair collection, transparency and use of personal information;
• meeting our legal obligations to specify the purpose(s) for which information is used;
• collecting and processing appropriate information only in accordance with those purposes
• ensuring the quality and accuracy of information used;
• applying strict checks to determine the length of time information is held;
• ensuring that personal data is accurate and where necessary, kept up to date;
• ensuring that personal data shall not be kept for longer than is necessary for that purpose or those purposes, and then securely destroyed;
• maintaining physical and cyber security safeguards so as to ensure adequate security of data,
• observing the rights of data subjects and respond to requests within reasonable timescales;
• ensuring that all employees and Directors are aware of and understand their legal responsibilities regarding data protection, including this policy;
• regularly reviewing our practices for obtaining and processing personal information.

In order to ensure that SCL handles data correctly, we have ensured our Data Processor CCS
have undertaken some overarching steps to secure data. These include certification for Cyber Essentials (level 1) achieved in April 2018 to provide technical cyber security controls and ongoing compliance with the NHS Information Governance Toolkit to ensure the protection of client data.

We may occasionally need to share data with other agencies such as the local authority, funding bodies – no personal data is shared and demonstration of our work is anonymised with no identifiable content. The circumstances where the law allows the charity to disclose data (including sensitive data) without the data subject’s consent are:
a) Carrying out a legal duty or as authorised by the Secretary of State Protecting vital interests of a Data Subject or other person e.g. child protection
b) The Data Subject has already made the information public
c) Conducting any legal proceedings, obtaining legal advice or defending any legal rights
d) Monitoring for equal opportunities purposes – i.e. race, disability or religion
We regard the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.
We intend to ensure that personal information is treated lawfully and correctly.
Third party providers
SCL has identified third parties who either process personal data on our behalf or with whom we share data. Assurance is sought from third parties that they are compliant with DPA and GDPR requirements.

All contractors, consultants, partners, volunteers Trustees or Directors must:
• ensure that they and all of their staff who have access to personal/sensitive data held or processed for or on behalf of us, are aware of this policy and are fully aware of their duties and responsibilities under the DPA and GDPR. Any breach of any provision will be deemed as being a breach of any contract between the Company and that individual, company, partner or firm;
• allow data protection audits by us of data held on our behalf (if requested);
• indemnify us against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation.

SCL do not capture personal data on children anyone under the age of 13. If above the age 13 consent should be taken.

Code of Conduct
Compliance with the Act is the responsibility of all SCL staff and we will regard any unlawful breach of the Act by a staff member as a serious matter which will result in disciplinary action. Any employee who breaches this policy statement will be dealt with under the disciplinary procedure which may result in dismissal for gross misconduct. Any such breach could also lead to criminal prosecution. Staff must familiarise themselves with the data breach policy and cooperate with management to ensure that SCL can respond effectively within the 72-hour timescales.

Data security: Retention of records
The regulation requires that personal data is “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” SCL has a retention of records policy which states how long records, including personal data, need to be kept.

Clear desk policy
It is important to keep desks clear of personal data when the office is closed or desks are left unattended to prevent unauthorised disclosure. This includes manual data but also mobile phones, memory sticks etc.

All personal data must be kept in a locked drawer or cabinet, and access to the keys should be restricted.

Personal data should not be left visible on screens. PCs and laptops should be logged out and shut down when staff have finished working. Screens must be locked when left, and will automatically be locked after 5 minutes of inactivity.

When manual records are no longer needed they should be shredded or moved to confidential waste, and in no circumstances left in regular waste.

Personal data should not be left on the printer/photocopier, but should be retrieved immediately or the locked print facility should be used.

All photos of individuals are classed as personal data and we aim to treat this securely in line with the GDPR 2018 regulation. All photos published via all marketing platforms must be the property of SCL or CCS (Community Council Somerset), not third-party images. Photos must have the permission of those photographed via the CCS Photo Consent form. Any photos supplied to SCL or CCS must be checked are consented before sharing. If a photo includes anyone under the age of (13) a person holding ‘parental responsibility’ must give their consent.

Data transfer and storage
Server – All personal information is stored on CCS’s cloud-based data server (where data is both secure and backed up). This service is provided by a third party – currently Cetsat. The server is backed up every weekday. Back up tapes in the office are kept in a locked, fireproof box.

Telephone – No SCL calls are recorded.

Email – SCL and CCS use Office 365 to exchange email and Mimecast encryption.
Emails that contain personal information must be encrypted and any attachment must be password protected. Each user will accept responsibility to ensure the correct recipient has been selected to receive the email.

PCs / laptops / other devices
SCL staff are issued with CCS PCs or laptops. These require log-ins and passwords to be able to access any systems or data. Data is not to be stored on desktop PC hard drives where it is not protected by the firewall. If this is necessary temporarily then it must be promptly moved to the secure network and any locally stored data deleted after use. Where personal devices are used and these are shared with other users, staff must remove any personal data to prevent unauthorised access.

Do not use passwords that are easy to guess. All your passwords should contain both upper and lower-case letters and preferably contain some numbers. Passwords should be a strong password at least 8 characters or more in length.

Protect Your Password:
• Common sense rules for passwords are: do not give out your password
• Do not write your password somewhere on your laptop
• Do not keep it written on something stored in the laptop case.

Mobile telephones – SCL staff have mobile phones to contact other professionals, and clients, access emails, and to take photographs of forms. These require a PIN to access the information or fingerprint security on a smartphone. Photographs are deleted once forwarded. In the event of loss of the device e-mail data on Office 365 can be wiped remotely, contact names and numbers will be blocked via the phone provider once reported.

USB memory sticks will not be used unless it is an operational requirement. If it is necessary then only encrypted memory sticks may be use and the files must be deleted after use.

Manual records – where it is necessary to remove manual records containing personal data from the SCL/ CCS office then the equipment will be provided to ensure secure storage.

Overall responsibility for this policy lies with the SCL Board of Directors / Trustees and its implementation with the Senior Management Team.

This policy is reviewed annually and updated as required. SCL reserves the right to change this Data Protection Policy as we may deem necessary from time to time or as may be required by law. Any changes will be immediately posted on the website and you are deemed to have accepted the terms of the Data Protection Policy on your first use of the website following the alterations.