Data Protection and Access Policy
Dudden Hill Foundation
CAC/IT/NO 149043
Adopted by the Board on: September 2021
Introduction
Dudden Hill Foundation (DHF/The Foundation), in compliance with the General Data Protection Regulations, has drawn up this Data Protection Access Policy, which regulates the processing of personal information received by the Foundation.
The Foundation may collect personal data from users, partners, personnel, contractors, and other individuals (Data Subjects), for reasonable purposes only if there is consent or deemed consent and the Data Subjects have been notified of such purposes.
As part of their privileges/responsibilities, DHF volunteers and staff (the “Data Users”) may have the opportunity to collect, access, use and/or process personal data of individuals who interact with DHF, and/or other databases managed by DHF (“DHF Data”).
Examples of personal data can include name, contact details, date of birth and pictures, etc. This data includes, but is not limited to, existing or new data sources and data obtained via websites, application forms, behavioural monitoring, and databases related to DHF users, members, non-members, service providers, and various other parties.
The Foundation may also collect, use or disclose personal data if it is required or authorized under relevant and applicable laws.
Data Protection Officer
A Data Protection Officer will be appointed for DHF. The officer will handle the following responsibilities:
- Monitor and ensure that DHF processes the personal data of its Data Subjects in compliance with this Policy and other local data protection laws;
- Identify and evaluate the Foundation’s data processing activities;
- Give advice and recommendations to the Foundation about the interpretation or application of the data protection rules;
- Draw the attention of the Foundation to any failure to comply with the applicable data protection rules.
Collection of Personal Data
Personal data may be provided in forms filled out by the Data Subjects through face-to-face meetings, email and other correspondences, DHF website, or provided by third parties.
All such collected data will only be collected, held, processed, used, communicated, and/or disclosed in accordance with this policy. The personal data obtained by the Foundation may be used for the following:
- To provide services;
- To respond to the Data Subject’s request for the purposes for which such data is provided;
- To maintain contact with partners and other contacts;
- To keep data subjects and other contacts informed of the products/services offered by DHF, industry developments, webinars, trainings/seminars and other events hosted by the Foundation that may be of interest to them;
- For general management, reporting and accounting purposes;
- For such other purposes related to the aims and objectives of DHF.
The Foundation recognizes the right of any Data Subject to unsubscribe from mailing lists, registrations, or decide not to receive further marketing information from DHF by contacting the Data Protection Officer.
Ownership and Responsibility
DHF Data collected, used and/or managed by DHF Data Users belong to the Foundation. DHF shall be responsible for the actions of Data Users with respect to the processing and handling of the Data. Any third-party processing of DHF Data shall be subject to an agreement outlining the third party’s responsibility to comply with the Dudden Hill Foundation Data Protection and Access Policy, including entering into a non-disclosure agreement.
Accuracy, Accessibility and Correction of Personal Data
- DHF will make a reasonable effort to ensure that personal data collected by us or on our behalf is accurate and complete.
- The Foundation will correct any error or omission in any personal data that is in the Organization’s possession or control upon request.
- DHF Data is for access and use only by DHF Data Users and shall not be furnished to outside entities or be used for any purpose other than for approved purposes.
- Access to DHF Data shall be limited to those DHF Data Users who need access to perform their responsibilities on behalf of DHF.
- Data Users hereby acknowledge that compliance with the procedures outlined herein helps DHF maintain proper data security and privacy consistent with industry best practices.
Data Access
Data access shall be managed in line with the categories of data (as identified below) and the access levels authorized by the Data Protection Officer.
Data Categories:
- Public Information: Public information is available to all members of the DHF community and may be released to the general public. DHF reserves the right to control the content and format of Public information. Examples include information on websites, publications, and marketing materials.
- Internal Information: Information that is intended for use by and made available to members of the DHF community who have a need to know. Internal information is not intended for public dissemination but may be released to external parties to the extent there is a legitimate need. DHF reserves the right to control the content and format of internal information when it is published to external parties. Examples include employment data etc.
Recognizing that inappropriate disclosure of certain internal information may result in unauthorized use of the data, DHF reserves the right to designate that certain subsets of internal information require training in the appropriate use and handling of the data.
- Personal/Confidential Data: Includes personal information such as names, addresses, etc.; or other information that is required to be protected by applicable law or statute, or which, if disclosed to the public, could expose DHF to legal or financial obligations.
Disclosure of Personal Data to Third Parties
DHF shall not disclose personal data to third parties except in the following circumstances:
- When required by law;
- When the Data Subject’s consent or deemed consent has been obtained to disclose such personal information;
- Where third parties, such as data intermediaries or subcontractors, have been engaged specifically to assist with the Foundation’s activities. In this case, such third parties will be bound contractually to keep all information confidential;
- Where such transfer is made to a successor-in-interest to the Foundation’s assets.
Security and Protection of Personal Data
- The Foundation has implemented generally accepted standards of technology and operational security to protect the personal data in its possession or under its control and to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.
- Only authorized DHF personnel are provided access to personally identifiable information, and these personnel have agreed to ensure the confidentiality of this information.
Withdrawal of Consent
Upon reasonable notice being given by a Data Subject of his/her withdrawal of any consent given or deemed to have been given in respect of the Foundation’s collection, use or disclosure of Data Subject’s personal data.
Right to Restriction of Processing
Every Data Subject reserves the right to restrict processing of his/her personal data in defined circumstances, and these include:
- Where the accuracy of the data is contested;
- Where the processing is unlawful; and
- Where the data is no longer required save for legal claims of the Data Subject.
Objections by the Data Subject
The right of a Data Subject to object to the processing of his data shall always be safeguarded. Accordingly, a Data Subject shall have the option to:
- Object to the processing of Personal Data relating to him which DHF intends to process for the purpose of marketing;
- Be expressly and manifestly offered the mechanism for objection to any form of data processing free of charge.
Guidelines for Data Collection, Management and Processing
Data Users must adhere to the following guidelines in the collection, processing, management or use of DHF Data.
- Data collectors must:
  - Provide the Data Subject with a statement of the purpose for which the data is being collected.
  - Provide the Data Subject with an option to agree to the specific terms and conditions associated with the stated purpose.
- Data processors/managers must:
  - Obtain the consent of the Data Subject to receive additional information outside of the purpose stated, including resource materials and events to be organized by DHF.
  - Ensure that any mass email communication includes the ability for the Data Subject recipient to unsubscribe and not receive further communications, and provides a link to the DHF Data Protection Policy.
  - Take precautions and ensure that DHF Data is stored and handled securely and is not accessible to unauthorized individuals.
- Data Users must ensure that the DHF Data is used only in a legal, ethical and responsible manner, and only in accordance with the authorizations received.
- Data Users will not:
  - Disclose DHF Data to others, except as required by their job responsibilities.
  - Use DHF Data for their own personal gain, nor for the gain or profit of others (save as authorized).
  - Access personal data to satisfy their personal curiosity/other frivolous purposes.
  - Use DHF Data (in detail or summary) in any publication, seminar or professional presentation, save as authorized.
- Whenever possible, Data Users shall remove personally identifiable data and use aggregated data prior to processing. If data is to be publicly presented, all personal data must be removed or hidden, unless otherwise expressly consented to.
- Data Users must return all DHF Data to the Foundation on the termination of membership, employment or volunteering activities and delete any copy saved on personal devices.
Website and Online Privacy
This Policy also applies to any personal data collected via the Foundation’s websites. Cookies may be used on some pages of the websites. A visitor to the Foundation’s website is, however, permitted to decline cookies and still fully navigate the Organization’s websites, although some functionality in the site may be impaired.
Amendment and Modifications
DHF reserves the right to modify or amend this Policy at any time. To keep its partners and other contacts informed, DHF will notify changes to this Policy by prominently identifying the alteration for a period of not less than two weeks on its home page at https://www.duddenhill.org/.
Policy Violation
Any Data User who acts in violation of this policy shall be subject to appropriate disciplinary action, including withdrawal of access, dismissal or prosecution under applicable law.