Introduction

In carrying out its work, the OA collects and uses information about a variety of people. These may include current, past and prospective employees, trustees, volunteers, consultants, contractors, temporary workers, clients, beneficiaries and suppliers. This personal information must be handled and dealt with properly, however it is collected, recorded and used, and whether it be on paper, in computer records or recorded by any other means. The OA regards the lawful and correct treatment of personal information as very important to its successful operation and to maintaining confidence between it and whom it aims to help and those with whom it carries out business.

To this end the OA fully endorses and adheres to the Principles of Data Protection as set out in the OA’s Privacy Policy.

Handling of Personal Data

The OA will, through appropriate management and the use of strict criteria and controls:

• Observe fully conditions regarding the fair collection and use of personal information, including obtaining and recording consent where needed;
• Meet the legal obligations to specify the purpose for which information is used;
• Collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
• Ensure information is accurate and kept up to date;
• Ensure information is not kept for longer than is necessary for the intended purpose;
• Ensure information is processed in accordance with the rights of data subjects under current legislation;
• Ensure information is kept secure i.e. protected by an appropriate degree of security;
• Ensure methods of handling personal information are regularly assessed and evaluated.

Implementation

All line managers and staff must take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular will ensure that:

• Paper files and other records or documents containing personal data are kept in a secure environment;
• Personal data held on computers and other information communications technology (ICT) systems is protected in accordance with the OA’s Information Security Policy and its associated security procedures.

All trustees, presidents, vice-presidents, volunteers, contractors, consultants, associates and partners, must:

• Ensure that they and all of their staff, where relevant, who have access to personal data held or processed for or on behalf of the OA, are aware of this policy and are fully aware of their duties and responsibilities, ensuring that they apply the same standards for the handling of such data;
• Follow other supplementary data protection policies or procedures specific to their role;
• Allow data protection audits by the OA of data held on its behalf (if requested);
• If they fail to follow OA policies and procedures, indemnify the OA against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation.

All contractors, suppliers and partners who are users of personal information supplied by the OA will be required to confirm that they will abide by the requirements of data protection legislation with regard to information supplied by us, either through the contract between the two parties and in a data sharing agreement.

All trustees, presidents, vice-presidents, employees, volunteers, consultants, associates, temporary workers, contractors and suppliers shall:

• Take all reasonable steps to prevent any personal data they process, access or transfer in the course of their employment or association with the OA from being disclosed to or accessed by any unauthorised person;
• Comply with the General Data Protection Regulation 2016 and any relevant data protection legislation when processing any personal data in the course of their employment or association with the OA;
• Take all reasonable steps to ensure that any third party to whom they transfer or give access any personal data not only complies with relevant data protection legislation but also prevents it from being disclosed to or accessed by any unauthorised person;
• Report immediately on becoming aware of any actual or suspected breach of data protection legislation in accordance with the OA’s Data Security Breach Procedure.