Relief International has an obligation to obtain, store, process and use data in appropriate ways. This is especially true of the personal data about individuals who apply for jobs, work for the organization, donate money or resources to the organization, or who are beneficiaries of RI’s work.
This Policy complies with the European Union’s (EU’s) General Data Protection Regulation (GDPR) and the United Kingdom’s (UK’s) Data Protection Act 1998. These laws regulate the way organizations gather, process, store and use personal information.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
RI will ensure that any personal information:
- Be processed fairly, lawfully and transparently;
- Be obtained only for specific, explicit and lawful purposes, and not processed in any additional way;
- Be adequate, relevant and limited to what is necessary to achieve the purposes for which it was collected;
- Be accurate and kept up to date, and that reasonable steps are taken for rectification or erasure of inaccurate data;
- Not be held for any longer than necessary;
- Be processed in ways that ensure security of the data and protect it from unauthorized use;
- Not be transferred outside the European Economic Area (EEA), unless the non-EEA country or territory also ensures an adequate level of protection.
Personal data can include:
- Names of individuals, names of family members;
Postal addresses, e-mail addresses and telephone numbers;
Electronic messaging addresses, posts on social networks, and IP addresses;
Medical information;
National identification numbers, passport numbers and social security numbers;
Images;
Any other personally identifying information relating to individuals.
Reporting Requirements
Relief International is obligated to report any breaches of personal data to the UK Information Commissioner’s Office (ICO) and the UK Charity Commission. Whenever possible, breaches must be reported to the ICO within 72 hours of discovery. Data subjects must also be notified as soon as practicable. In the United States, RI is obligated to comply with data subject notification requirements of Delaware Code tit. 6 $ 12B-101 et seq.
Data Accuracy Guidelines
The law requires Relief International to take reasonable steps to ensure data is kept accurate and up to date. The more important it is that the personal data is accurate, the greater the effort Relief International should put into ensuring its accuracy. Relief International will strive to achieve the following:
- Ensure data is updated. For instance, by confirming donors’, employees’ and candidates’ details when they contact RI.
- Make it easy for data subjects to update the information Relief International holds about them. For instance, personal donors can contact the organization through the RI website.
- Correct or remove data as inaccuracies are discovered. For instance, if an employee, donor, or candidate can no longer be reached on their stored telephone number or e-mail address, it should be removed from the database.
- Ensure marketing databases are checked against industry suppression files every six months.
Subject Access Request Guidelines
All individuals who are the subject of personal data held by Relief International are entitled to:
- Ask what information the organization holds about them and why.
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Be informed how the organization is meeting its data protection obligations. If an individual contacts the organization requesting this information, this is called a subject access request.
Subject access requests from individuals should be made by email, addressed to the Relief International (the controller) at [email protected]. The data controller can supply a standard request form, although individuals do not have to use this.
Individuals may be charged reasonable fees to cover the cost of complying with a subject access request. The data controller will aim to provide the relevant data within 14 days.
The data controller will always verify the identity of anyone making a subject access request before handing over any information.
Disclosing Data for Other Reasons
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Relief International’s Data Protection Officer will respond to these requests.
Prior to responding, the Data Protection Officer will ensure the request is legitimate, seeking assistance from the board and from the organization’s legal advisers where necessary.
Providing Information
Relief International aims to ensure that relevant individuals are aware that their data is being processed, and that they understand:
- How the data is being used
- How to exercise their rights
To these ends, the organization has a privacy statement, setting out how data relating to individuals is used by the organization.
Relevant Legislation
The UK Data Protection Act (DPA) 1998 describes how organizations, including Relief International, must collect, handle and store personal information. The EU General Data Protection Regulation (GDPR) is designed to harmonize data protection laws across Europe became effective 25 May 2018. In the United States, RI must comply with Delaware Code tit. 6 $ 12B-101 et seq; The Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. 1301 et seq.) regulates medical information; and the California Security Breach Notification Law as well as other state laws.
For questions or further information, please contact Relief International at [email protected].