Foundation Year Network operates under the UK General Data Protection Regulation (UK GDPR). Our policy documents are available below.
FYN Privacy Notice v0.1
Glossary
PERSONAL DATA PROCESSING STATEMENT
Public Interest Disclosure (Whistleblowing) Policy
1. Introduction
In order for Foundation Year Network to deliver its core functions, operate effectively, and meet legislative, contractual and statutory obligations, it needs to process personal data relating to present, past and prospective Members, employees, supporters, suppliers, and others with whom it has dealings. The Network is a data controller and therefore must comply with data protection legislation.
2. Purpose
This policy helps provide the demonstrable commitment to, and support of, compliance with data protection legislation by the Network. This policy also helps support the Network Strategy, since delivery of our core functions is reliant upon accurate, available and usable personal data and the trust of our stakeholders. Compliance with data protection legislation also enables efficient working practices and resource savings and significantly reduces the likelihood of an information security breach and its wider effects including causing harm/distress to data subjects, reputational damage, large potential fines and undertakings from the Information Commissioner.
3. Scope
This policy applies to all those individuals and organisations that process personal data on behalf of the Network, including but not limited to:
- Employees, consultants, contractors and temporary workers
- Members and public undertaking paid or voluntary work for the Network
- Arm’s length organisations associated with, and officially recognised by, the Network
- Third parties associated with the Network, such as event collaborators.
4. Policy Statement
Lawful processing of personal data is vital to the successful operation and reputation of Foundation Year Network, and for maintaining the trust of our Members and other stakeholders. The Network is committed to protecting the rights and freedoms of individuals in accordance with the provisions of data protection legislation. In order to achieve this, the Network shall ensure that personal data is handled appropriately and consistently.
Foundation Year Network shall ensure that personal data is:
- Processed lawfully, fairly and in a transparent manner in relation to individuals
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, or statistical purposes shall not be considered to be incompatible with the initial purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and, where necessary, kept up to date; every reasonable step shall be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data shall be stored for longer periods insofar as the personal data shall be processed solely for archiving purposes in the public interest, or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Foundation Year Network, as a data controller, shall be responsible for, and be able to demonstrate, compliance with the principles of data protection legislation.
All processing of personal data by third parties on behalf of the Network, where the Network is data controller, shall be covered by contract and include adequate data protection clauses.
5. Sharing of Personal Data
Ensuring that personal data is shared appropriately is vital to the successful operation and the reputation of the Network, and for maintaining the trust of our employees, Members, and other stakeholders. In order to achieve this, the Network shall:
- Undertake a data protection impact assessment screening for any new initiatives that involve the sharing of personal data. Where sharing is likely to result in a high risk to the rights and freedoms of natural persons (particularly where new technology is involved) a full data protection impact assessment shall be completed.
- Identify a clear objective, or set of objectives, for the sharing of personal data
- Identify a lawful basis in data protection legislation for the sharing of personal data
- Ensure that the sharing of personal data is necessary to achieve the identified objective(s). Anonymised or pseudonymised data shall be shared where the identification of data subjects is not required
- Share the minimum amount of personal data required to achieve the objective(s)
- Provide data subjects with privacy notices and, where data subjects have a choice, seek consent for the sharing of their personal data
- Clearly distinguish factual information from opinions
- Record all decisions to share personal data
- Ensure that a written agreement between the parties to a data sharing arrangement is in place where personal data is shared on a systematic basis or there is a large scale transfer of personal data. Such agreements shall, as a minimum, include:
  - The classes, or specific items, of personal data to be shared
  - The source(s) of the personal data
  - The objective(s) of the data sharing arrangement
  - The lawful basis for sharing the personal data
  - The individuals/groups that will have access to the personal data
  - The methods by which the personal data will be transferred, including any controls for protecting the data from loss, destruction or unauthorised access
  - The frequency with which the personal data will be shared
  - Storage requirements for the personal data, including any controls for protecting the data from loss, destruction or unauthorised access
  - The parties’ responsibilities for ensuring the accuracy of the personal data
  - Retention and disposal requirements
  - Arrangements for enabling data subjects to exercise their rights
  - Processes and procedures for handling information security incidents.
6. Appointment and Support of the Data Protection Officer (DPO)
The Network shall designate a DPO on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39. The Network shall enable the effective performance of the DPO’s tasks and ensure that the DPO is given sufficient autonomy, time, resources and support to carry out their tasks effectively, including active support by the Clerk and Responsible Financial Officer.
The Network shall also ensure that the DPO is ‘involved properly, and in a timely manner, in all issues which relate to the protection of personal data’, that the opinion of the DPO is given due weight and that the DPO is consulted promptly once a data breach or another incident has occurred.
7. Roles and Responsibilities
7.1 Foundation Year Network shall ensure that the purposes and means of processing of personal data for which the Network is data controller are determined in compliance with legislation.
Responsibility for ensuring implementation of, and compliance with, this policy will be delegated to the Clerk, who is also delegated the role of Senior Information Risk Owner (SIRO).
7.2 All individuals and organisations that process personal data on behalf of the Network shall comply with this policy and associated data protection, information security, information management and information technology regulations, policies, processes and procedures.
7.3 The Data Protection Officer (DPO) is an advisory role and is concerned with the Network’s compliance with data protection legislation. The DPO shall:
- provide advice, assistance and recommendations to the Senior Information Risk Owner (SIRO) in relation to data protection risks
- enable compliance with data protection legislation
- play a key role in fostering a data protection culture within the Network
- help implement essential elements of data protection legislation, such as the principles of data processing, data subjects’ rights, data protection by design and by default, records of processing activities, security of processing and notification and communication of data breaches
- review the planning, implementation and progress of the Network’s data protection initiatives periodically, reporting to the Network
- advise the SIRO in relation to any breaches of data protection legislation
- be the Network’s point of contact with the Information Commissioner’s Office.
The DPO shall not determine the purposes of processing personal data, or the means by which any personal data processing activity is done.
7.4 The Senior Information Risk Owner (SIRO) is an accountable role and is concerned with the management of all information assets held by the Network. With regard to personal data, the SIRO shall have overall responsibility for:
- the processing of personal data (of which the Network is data controller) in compliance with data protection legislation, including the appropriate determination of the purposes of processing personal data, and the means by which any personal data processing activity is done
- ensuring that the DPO is involved properly, and in a timely manner, in all issues which relate to the protection of personal data, that the opinion of the DPO is given due weight and that the DPO is consulted promptly once a data breach or another incident has occurred.
- the management of data protection risks
- planning, implementing and progressing the Network’s data protection initiatives
- managing the implementation of essential elements of data protection legislation, such as the principles of data processing, data subjects’ rights, data protection by design and by default, records of processing activities, security of processing and notification and communication of data breaches
- managing the response to breaches of data protection legislation
- ensuring that an effective monitoring and reporting framework is established with regard to data protection compliance, and that information asset owners and super information asset owners are designated, perform their roles and report regularly on data protection compliance in relation to their respective information assets and business units
- ensuring that no individual is given access to personal data without having undertaken appropriate training and read relevant policy and guidance.
The SIRO shall also play a key role in fostering a data protection culture within the Network.
7.5 Information Asset Owners shall:
- ensure that personal data held within their respective business units (committees, working groups, etc.) are processed in compliance with this policy
- identify and manage data protection risks within their respective business units
- ensure that no individual is given access to that personal data without having undertaken appropriate training and read relevant policy and guidance
- ensure that local processes and procedures are developed, implemented, followed and regularly reviewed
- monitor and report on compliance in their business units as required by the Network.
7.6 Super Information Asset Owners shall:
- ensure that personal data comprising Major Information Assets are processed consistently in compliance with this policy
- identify and manage data protection risks for their respective Major Information Assets
- ensure that no individual is given access to that personal data without having undertaken appropriate training and read relevant policy and guidance
- ensure that consistent local processes and procedures are developed, implemented, followed and regularly reviewed
- monitor and report on compliance in relation to Major Information Assets as required by the Network.
7.7 Third parties processing personal data on behalf of the Network shall comply with this policy alongside any specific terms and conditions agreed contractually.
8. Breaches of Policy
All breaches of this policy and data protection legislation shall be reported immediately in accordance with the Network Information Security Incident and Weakness Reporting Procedure. It may also be appropriate to report the breach in accordance with the Network’s Public Interest Disclosure (‘Whistleblowing’) Policy.
Third parties shall report via their Network point of contact. Breaches shall be managed in accordance with the Network Information Security Incident Management Procedure.
A breach of this policy by an employee or Member may result in disciplinary action. A breach by a third party may result in a termination of contract and/or compensation claim.
9. Policy Review and Maintenance
This policy shall be reviewed by the Network’s SIRO and DPO annually or whenever there is a significant change in legislation, strategy or organisation. Major changes shall be approved by the Executive Committee.
Document Version: 1.0
Date Adopted:
Chair’s Signature: