Data Protection Policy

Scope

This policy applies to all EMCC UK activities, volunteers and contractors.

Purpose

The purpose of this policy is to ensure that EMCC UK, as a company collecting and handling personal information about individuals, meets its legal obligations to protect that information under the Data Protection Act 1998.

Policy

EMCC UK will adhere to the eight principles set out in the Data Protection Act 1998:
1. Personal data shall be processed fairly and lawfully.
2. Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up-to-date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under the Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedom of data subjects in relation to the processing of personal data.

The Act provides an exemption from registration with the Information Commissioner’s Office for some organisations. EMCC UK is not registered and is not required to register provided that:
the company was established for not-for-profit purposes and does not make a profit (the company can make a profit for its own purposes, as long as the profit is not used to enrich others),
the company only processes information necessary to establish or maintain membership or support and:
    only processes information necessary to provide or administer activities for people who are members of the company or have regular contact with it, and
    only shares the information with people and organisations necessary to carry out the company’s activities (provided individuals give permission for their information to be shared), and
    only keeps the information while the individual is a member or supporter or as long as necessary for member/supporter administration.

If any EMCC UK volunteer becomes aware of the need to use data outside of those purposes they should inform a Director of EMCC UK.

Data Protection Act Implementation Guidance

The following guidance has been prepared to enable EMCC UK to comply with the eight Principles.

Principle 1 - Personal data shall be processed fairly and lawfully.

EMCC UK must:
have legitimate grounds for collecting and using the personal data,
not use the data in ways that have unjustified adverse effects on the individuals concerned,
be transparent about how it intends to use the data and give individuals appropriate privacy notices when collecting their personal data,
handle people’s personal data only in ways they would reasonably expect, and
make sure it does nothing unlawful with the data.

Principle 2 - Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.

EMCC UK must:
be clear from the outset about why it is collecting personal data and what it intends to do with it,
comply with the Act’s fair processing requirements,
ensure that if it wishes to use or disclose the personal data for any purpose that is additional to, or different from, the original specified purpose, that the new use or disclosure is fair.

Principle 3 - Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

EMCC UK must ensure that it:
only holds personal data about an individual that is sufficient for the purpose it is holding it for in relation to that individual, and
does not hold more information than it needs for that purpose.

Principle 4 - Personal data shall be accurate and, where necessary, kept up-to-date.

EMCC UK should:
take reasonable steps to ensure the accuracy of the personal data obtained,
ensure that the source of any personal data is clear,
carefully consider any challenges to the accuracy of the data, and 
consider whether it is necessary to update the information.

Principle 5 - Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes.

EMCC UK must:
review the length of time it keeps personal data, considering the purpose for which it is held,
securely delete information that is no longer needed for the purpose, and
update, archive or securely delete information if it goes out of date.

Principle 6 - Personal data shall be processed in accordance with the rights of data subjects under the Act.

EMCC UK must comply with the rights that data subjects have under the Act, which are:
a right of access to a copy of the information which is held about them,
a right to object to processing which is causing or likely to cause damage or distress,
a right to prevent processing for direct marketing (unless the data subject has agreed to this), and
a right to have inaccurate personal data corrected.

Principle 7 - Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

EMCC UK needs to ensure that:
it has appropriate security to prevent the personal data held being accidentally or deliberately compromised,
it is clear who in the Company is responsible for ensuring information security, and
it is ready to respond to any breach of security swiftly and effectively.

Principle 8 - Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedom of data subjects in relation to the processing of personal data.

EMCC UK may transfer data to countries within the European Economic Area on the same basis that it transfers data within the UK. However, data may only be sent to a country or territory outside the European Economic Area if that country or territory ensures an adequate level of protection for the rights and freedom of individuals in relation to processing personal data.