Data protection policy

Data protection policy

1. Introduction

1.1 Purpose of Policy

HIV i-Base needs to collect and use certain information about individuals in order to provide our services. These include individual users, subscribers, suppliers, employees and other people the organisation has a relationship with or may need to contact.

This policy describes how this personal data will be collected, handled and stored to comply with the General Data Protection Regulation (GDPR).

1.2 Policy Statement

HIV i-Base is committed to protecting the rights and privacy of service users, staff and others in accordance with GDPR.

HIV i-Base commits to:

  • Comply with both the law and good practice.
  • Respect individuals’ rights.
  • Be open and honest with individuals whose data we hold.
  • Provide training and support to staff who handle personal data, so that they can act confidently and consistently.
  • Register i-Base with the Information Commissioner’s Office (ICO), as an organisation that processes personal data .

1.3 Personal Data

HIV i-Base holds data for the following purposes:

  • To provide HIV treatment information to individuals.
  • To distribute publication orders and subscriptions.
  • For staff administration.

1.4 Data Protection Principles

There are six data protection principles that are core to the GDPR. HIV i-Base will make every possible effort to comply with these principles at all times in our information-handling practices. The principles are:

  • Lawful, fair and transparent – data collection must be fair, for a legal purpose and we must be open and transparent as to how the data will be used.
  • Limited for its purpose – collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes shall not be considered to be incompatible with the initial purposes.
  • Data minimisation – any data collected must be necessary and not excessive for its purpose.
  • Accurate – the data we hold must be accurate and kept up to date.
  • Retention – we cannot store data longer than necessary.
  • Integrity and confidentiality – the data we hold must be kept safe and secure.

2. Responsibilities

The responsible person/s shall take responsibility for:

  • The charity’s ongoing compliance with this policy.
  • The annual review of this policy.

3. Data recording, security and storage

3.1 Data accuracy and relevance

HIV i-Base will ensure that any personal data we process is accuate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any other reason unless the individual concerned has agreed to this or would reasonably expect this.

3.2 Data security

HIV i-Base will keep personal data secure against loss or misuse. Where other organisations process personal data as a service on our behalf, we will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third-party organisations.

3.3 Storing data securely

  • In cases when data is stored on printed paper, it will be kept in a secure place where only authorised people can acess it.
  • Printed data will be shredded when it is no longer needed.
  • Data stored on a computer will be password protected.
  • Cloud services used to store personal data will be assessed for compliance with GDPR principles.
  • Appropriate back-up and disaster recovery solutions shall be in place.
  • Appropriate technical measures will be put into place to keep data secure

3.4 Data retention

HIV i-Base will retain personal data for no longer than is appropriate. Routine audits will review the time that personal data is held.

Any individual or organisation can ask about their information and this can be deleted on request.

4. Accountability and Transparency

HIV i-Base will ensure accountbility and transparency in all our use of personal data. We will keep written up to date records of all data processing activities that we do and ensure that they comply with each of the GDPR principles.

We will regularly review our data processing activities and implement measures to ensure privacy by design including data minimisation, pseudonymisation, transparency and continuously improving security and enhanced privacy procedures.

5. Consent

HIV i-Base will ensure that consents are specific, informed and plain English. This is to make sure that individuals understand why their information will be collected, who it will be shared with, and the possible consequences of them agreeing or refusing the proposed use of data.

Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.

Where communications are sent to individuals based on their consent, the option for the individual to withdraw their consent will be clearly available. We will have systems to ensure such requests are reflected accurately in our systems.

6. Subject access requests

Individuals have the right to access their personal data.

HIV i-Base will provide an individual with a copy of the information requested free of charge.

This will occur within one month of receipt.

7. Breach of security

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, HIV i-Base shall promptly report this breach to the ICO within 72 hours.

Last updated: 10 May 2018.