Last updated May 2018. Revisions agreed October 2019.

Definitions

Charity means United Kingdom Literacy Association (UKLA), a registered charity.

GDPR means the General Data Protection Regulation.

Responsible Person means Patricia Latorre.

Register of Systems means a register of all systems or contexts in which personal data is processed by the Charity.

1. Data protection principles

UKLA is committed to processing data in accordance with its responsibilities under the GDPR. Article 5 of the GDPR requires that personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals;

2. General provisions

  1. This policy applies to all personal data processed by UKLA.

3. Lawful, fair and transparent processing

  1. To ensure its processing of data is lawful, fair and transparent, UKLA shall maintain a Register of Systems.

4. Lawful purposes

  1. All data processed by UKLA must be processed on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests.

5. Data minimisation

UKLA shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

6. Accuracy

  1. UKLA shall take reasonable steps to ensure personal data is accurate.
  2. Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.

7. Archiving / removal

  1. To ensure that personal data is kept for no longer than necessary, UKLA shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
  2. The archiving policy shall consider what data should/must be retained, for how long, and why.

8. Security

  1. UKLA shall ensure that personal data is stored securely using modern software that is kept up to date.
  2. Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
  3. When personal data is deleted this should be done safely such that the data is irrecoverable.
  4. Appropriate back-up and disaster recovery solutions shall be in place.

9. Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, UKLA shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO.