Responsibility for GDPR within the organisation
The Werkcenter Scotland GDPR (General Data Protection Regulation) policies are updated each year. The contacts within the organisation, including at board level, are Morag Cassidy and Pieter van Schie. Morag Cassidy is contactable at operational level on +447771516474 or at firstname.lastname@example.org. Pieter van Schie can be contacted by email: email@example.com.
Hardware and software security
All our third-party software is encrypted and we have Data Processor Agreements or Data Processor Addenda for all of them, in line with GDPR regulations. These third-party software providers include:
- Microsoft Office 365
- Dropbox (EU-based, paid version)
- Mail Chimp
- Sabra Systems
We also use social media, such as Facebook, Twitter, WhatsApp and occasionally YouTube. These are all encrypted.
Our websites all have SSL certificates. They do not use cookies. Whilst they do not collect information for ecommerce or marketing, some do have blog facilities where participants in our services write their own stories about their experience and include their name at the level of visibility they choose.
Our phones are all Android phones and iPhones, which are encrypted when locked and have built-in antivirus and firewalls. Our laptops all have security passwords and have antivirus and firewall software. Further, we work on the cloud, which is secured by Sabra Systems. To enter the Sabra Systems cloud you also need to enter a unique username and password. When laptops are left in the office out of office hours, they are stored in a locked cupboard.
Paper file handling
Our paper files are a small part of what we do, but they are kept in a locked filing cabinet overnight and when not required during the day.
When we dispose of unneeded paper documents, we obscure any personal data using a camouflage stamp roller so that it cannot be read once the paper is recycled.
Role-based access to data
Access to personal data is role-based, so we review who needs access to the data to do their work and provide access to only those staff, or occasionally interns. Where interns have access to personal data through their role, we ensure they use our own computers so the information stays in-house.
We provide GDPR review training annually and, when considering new policies in other areas of the business, we consider the GDPR implications and update policies as necessary, ensuring that all staff know the policies and their practical implications.
When we host interns, we have them review and confirm acceptance of our GDPR policy as part of their induction.
Subject Access Requests
Subject access requests can be directed to either the nominated director for GDPR or to our admin specialist in GDPR. We will then draw together the information we hold from several sources:
- the person’s personal folder in Dropbox (where they are an intern or former intern or job shadowing staff, a host employer or host family, or partner)
- their record in the Sabra Systems Cloud
- messages in WhatsApp, SnapChat, Instagram, Twitter, Facebook Messenger or by email
This summary will be provided to the person making the request, along with a note of how long we need to keep each item and why, and the option, where available, to have any of their personal data deleted.
Personal data and consent
What we collect and how we use it
Most of the personal information we handle from incoming internships is collected by our partners and only processed by us. In our new contracts with partners, we explain how we process that data, and we ask them how long they need us to keep it, in line with their funders’ rules.
For data that we collect directly – from partners, interns, or suppliers – we outline in their contracts what we gather and why, how we use the data, and how long we keep it, as well as what to do if they find that the data we hold about them needs updating, or if they want to check what information we hold about them.
Employee personal information is held in Dropbox in folders available only to the directors. We share data for compliance only with funders of employment subsidies and with HMRC.
Photo-specific consent and use
At welcome meetings, we explain our social media and photo consent policy. The participants complete photo-specific consent forms that allow them to choose if and how we can use the photos (for example, on social media, in print media). We store the signed copy of this in their personal folder and note it in their record in Dropbox, so that we can easily check if and how we can use photos of them. We also link their record with its GDPR consent form to the record for any social media posts they feature in, so we can quickly verify consent.
Where one member of a group chooses not to be in social media posts but others are happy to, we ask only the people who want to be in the post to be in the photo, but offer to take a whole-group photo using the personal phone of someone in the group if they want.
In the text of social media posts or on our website, we use only first names and countries of interns, so they cannot easily be identified through an outside search. For host businesses or partners who choose to feature in social media posts, we may include a last name along with the organisation name, where it is useful for their publicity.
We request photos of host families, host employers and (for outgoing projects) partners to include in welcome packs and we explain how they are used and how to update us if they need to be changed or no longer used. As these are often done by email or messaging services instead of in person, we can take a screenshot of their consent instead.
To ensure the best fit and support for customers, we ask them about dietary requirements, allergies to pets (or other variable factors like dust) and whether they have any physical or mental health conditions and what is required to manage them smoothly. We explain why this information is needed and who will receive it, and ask for their consent. While someone could choose not to provide this information, in practice that could result in their staying somewhere that is not good for their health.
Third-party data sharing
We share data with third parties in two ways:
- Suppliers who are helping to deliver the service for the people whose data we share, or customers who receive our suppliers’ details to help them use the service
- Cloud-based services
As discussed above, under Hardware and Software Security, our cloud services are all encrypted.
The suppliers are provided with the relevant background and contact information about our customers to help them provide the service. At the end of the placement, we ask the customers whether they would like the host employers or host families to delete or keep their details. We then let the relevant hosts know if there is a request to delete their intern’s personal information. Many interns want to stay in touch with their hosts, so personal data is deleted on request.
We notify suppliers of the information that we share about them in welcome packs for interns and ask them to help us keep it up to date. We invite host families and host employers, along with partner contacts and anyone else we work with regularly, to let us know if their personal data has changed, or if their circumstances have changed and they will no longer be working with us. In that case, we will delete their personal data, unless they want to stay in touch.
Where we contact people for marketing purposes, we give them two chances to write back to us before removing their details from our potential contacts list. If they choose to also join a newsletter mailing list, they will have the Unsubscribe option available to use at any time if they no longer wish to receive our newsletters.
We gather and keep data for different reasons and lengths of time, depending on needs and requirements.
- For UK Government policies, we need to keep invoices for 5 years and HR paperwork for 6-7 years.
- For funded projects that we manage, we need to keep documents for 7 years after the end of the programme.
- For project documents for partners’ projects, they may need to be kept until the final report is submitted in case they are missing any of their own copies of the documents and need backups.
- Information on host families and host employers we keep for as long as they are hosting and check periodically that it is up to date.
- When they no longer host, we delete their personal details from Airtable and from the Suppliers folder in Dropbox, but their details will still need to be retained in the EU paperwork for the interns they have hosted, for as long as we need to keep that paperwork.
- For sensitive information used simply for organising placements, we can delete that specific information at the end of the placement.
Data breaches and ICO
Our software and hardware are all encrypted, so the chances of a data breach are minimal. However, we are registered with the Information Commissioner’s Office, and should we have a data breach, we would let them know within 72 hours, as well as notifying anyone affected by the breach.
International data sharing
The vast majority of our work is with partners in the EU, but we have customers from outside the EU (e.g. Turkey). We exchange data only when this is needed for the financial procedures around European Union funding.