September 2019 v0.1

1. Introduction

Mermaids needs to keep certain information relating to its employees, volunteers, service users and trustees in order to carry out its day-to-day operations, to meet its objectives and to comply with legal obligations. It recognises that it is in a position of trust when handling data that is very sensitive.

The organisation is committed to ensuring any personal data will be dealt with in line with:

  • Data Protection Act 2018
  • General Data Protection Regulation 2016/679
  • Privacy and Electronic Communications Regulations 2003 (and updates)
  • Common law of confidence
  • Any other applicable law

All of these are collectively referred to hereafter as ‘privacy laws’ in this policy.

2. Data Protection Officer

Mermaids processes special category personal data but has concluded that this is not large scale enough to appoint a DPO. However, it will keep this decision under review at least annually.

3. Accountability

All Mermaids staff and volunteers are responsible for:

  • Attending training on privacy laws to which they are invited
  • Referring to the guidance and policies made available to help them manage personal data
  • Asking for help or support from their line manager or the CEO where they are unsure
  • Reporting any breaches or concerns and helping to continuously improve how Mermaids handles data

All managers are responsible for:

  • Ensuring they support staff and volunteers in understanding privacy laws and promoting reference to guidance and policies
  • Encouraging and enabling staff and volunteers to attend training
  • Referring to the information asset register and updating it with new uses of personal data
  • Undertaking data protection impact assessments

The CEO is accountable for:

  • Oversight of day-to-day privacy law issues
  • Providing urgent advice on data breaches
  • Reporting to the Trustees on information risk and breaches
  • Obtaining expert advice from external resources as needed on privacy laws

The Trustees are responsible for:

  • Receiving reports from the CEO and providing strategic support and advice
  • Promoting a culture of privacy

4. ICO Registration

Although it is not obliged to, Mermaids will register with the ICO as a data controller on a voluntary basis. The CEO is accountable for maintaining this registration.

5. Policies and Training

  • Mermaids will provide annual training for staff and volunteers
  • Mermaids will maintain a suite of policies and guidance for staff, which will include:

1. Handling information guidance, which includes:

  • Tell people what you are doing with their data
  • Do a data protection impact assessment
  • Screening questionnaire
  • Full DPIA
  • Understand the legal basis for your activity
  • Understand consent or legitimate interests
  • Minimise the data you collect
  • Amend your information asset register
  • Secure data collection
  • Records management
  • Storing in the cloud
  • Storing outside the European Economic Area
  • Encryption
  • Website
  • Email
  • Removable media
  • Hard copies in the office and in transit
  • Passwords
  • Hard copy archiving
  • Aligning use with the privacy notice
  • New uses
  • Sharing and disclosing data
  • Sharing for child or vulnerable adult protection
  • Social media
  • Secure deletion

2. DPIA process
3. Privacy notice guidance
4. Retention policy
5. Legitimate interests guidance
6. Breach incident policy and process
7. Data processing agreement
8. Data sharing agreement
9. Due diligence
10. IT policy

This policy will be reviewed at least annually and signed off by the Trustees.