In compliance with the principles of the Data Protection Act 1998
Mentor Match needs to keep certain information about its volunteers and users, for example to monitor performance and feedback. It also needs to process information in order to improve its service and comply with any legal obligations which may apply.
To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, Mentor Match must comply with the Data Protection Principles, which are set out in the Data Protection Act 1998. In summary these state that personal data shall:
- Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met.
- Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
- Be adequate, relevant and not excessive for those purposes.
- Be accurate and kept up-to-date.
- Not be kept for longer than is necessary for that purpose.
- Be processed in accordance with the Data Subject's rights.
- Be kept safe from unauthorised access, accidental loss or destruction.
- Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
Status of the Policy
Mentor Match, its volunteers or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, Mentor Match has developed this Data Protection Policy. Any user or volunteer, who considers that the policy has not been followed in respect of personal data about themselves, should raise the matter with the Designated Data Controller initially. If the matter is not resolved it should be raised as a formal grievance.
The Data Controller and the Designated Data Controller
Mentor Match is the Data Controller under the Act. Any query relating to the implementation of the Data Protection Act 1998 should be referred to email@example.com.
Responsibilities of Volunteers
As necessary, all volunteers are responsible for:
- Checking that any information they provide to Mentor Match in connection with their work is accurate and up-to-date.
- Informing Mentor Match of any error or change to the information they have provided, for instance a change of address. Mentor Match cannot be held responsible for any such errors unless the volunteer has informed Mentor Match of them.
All volunteers are responsible for ensuring that:
- Any personal data held by them is kept securely; for instance, computerised data should be password protected; and
- Personal information is not disclosed either orally or in writing, accidentally or otherwise, to any unauthorised third party.
Responsibilities of Users
Users should ensure that any contact details provided to Mentor Match are accurate and up-to-date.
Right to Access Information
As per the Data Protection Act 1998, volunteers, users and other Data Subjects of Mentor Match have the right to request access to any personal data that is being kept about them.
Any person who wishes to exercise this right should complete a Subject Access Request in writing and submit it to Mentor Match. Mentor Match aims to comply with requests for access to personal information as quickly as possible, but will ensure it is provided within 40 days.
Subject Consent and Processing Sensitive and Personal Information
Mentor Match has to process personal information to efficiently manage its day-to-day operations. Agreement to Mentor Match processing some specified types of personal data is a condition of becoming a user or volunteer.
Mentor Match may also have to process some sensitive personal information to best serve its purpose. Agreement to Mentor Match processing some specified types of sensitive data is a condition of becoming a user or volunteer.
In compliance with the Data Protection Act 1998, a list of types of information that are considered to be sensitive data can be found in the Glossary section.
Retention of Data
Different categories of data will be retained for different periods of time. Mentor Match will need to keep some data on volunteers and users indefinitely. This will include information necessary in the case of any future research or service improvements.
Compliance with the Data Protection Act 1998 is the responsibility of all volunteers of Mentor Match.
Any deliberate breach of the Data Protection Policy may lead to disciplinary action being taken, or even a criminal prosecution.
Any questions or concerns about the interpretation or operation of this policy should be forwarded to firstname.lastname@example.org.
Mentor Match is obliged to abide by all legal requests for information made by law enforcement or judicial bodies.
Glossary of Terms
Any information which will be processed or used on or by a computerised system. It also includes information contained within a “relevant filing system”. Data can therefore be written, tape, photographic or digital.
Personal data means data which relates to a living individual who can be identified:
1. from that data; or
2. from that data and other information which is in the possession of, or is likely to come into the possession of, Mentor Match;

and includes any expression of opinion about the individual and any indication of the intentions of Mentor Match or any other person in respect of the individual. Examples of data which would fall into this category include:
- Date of birth
- Employment details
- Emails, phone number and personal address
- IP address from where registration forms are sent
- Career interests
This means data which relates to sensitive aspects of a living and identifiable individual’s life. Examples of data which would fall into this category include:
- Photos of an individual
- Disability information
- Equal opportunity information - ethnicity, sexual orientation, religion, marital status etc.
Covers almost anything which is done with or to the data, including:
- Obtaining data
- Recording or entering data onto the files
- Holding data, or keeping it on file without doing anything to it or with it
- Organising, altering or adapting data in any way
- Retrieving, consulting or otherwise using the data
- Disclosing data either by giving it out, by sending it on email, or simply by making it available
- Combining data with other information
- Erasing or destroying data
- Using the data within research
The European Data Protection Directive defines this as “any freely given specific and informed indication of his wishes by which the Data Subject signifies his agreement to personal data relating to him being processed”. Consent can be withdrawn after it has been given. Where data is “sensitive”, express consent should be sought before the data is given to a third party.
Under the Data Protection Act a recipient is defined as “any person to whom the data are disclosed, including any person to whom they are disclosed in the course of processing the data for the Data Controller (e.g. an employee of the Data Controller, a Data Processor or employee of the Data Processor)”.