BAPN – the Association for Professional Nannies
Data Protection / Information Security Policy
BAPN is committed to complying with both the General Data Protection Regulation (‘GDPR’) 2016/679 and the Data Protection Act 2018. This policy sets out our approach to the handling of personal data. As a business, we recognise that the correct and lawful treatment of our members’ personal data will maintain their confidence in us and will provide for successful business operations. Protecting the confidentiality and integrity of personal data is something that BAPN takes extremely seriously. BAPN is exposed to potential fines for failure to comply with the provisions of the GDPR. Bapn recognises the role of the Information Commissioner (ICO) in regulating data protection here in the U.K.
All directors, employees, and volunteers of BAPN are required to comply with this policy when processing personal data on our behalf. Compliance with this policy is mandatory. Directors of BAPN are responsible for ensuring that this policy is complied with.
Common terms and application
Personal data - this is any information relating to an identified or identifiable (from information in the possession of BAPN or when put together with other information BAPN might reasonably access) individuals typically a nanny or indeed any individual. This policy applies to all personal data BAPN processes regardless of the media on which that data is stored. The law (and this policy) applies to:
1) personal data processed by automated means such as computers, phones, etc. or,
2) (structured) personal data held in a ‘relevant filing system’ for example any paper file containing personal data or if it is intended to form part of such a file.
Processing includes receiving information, storing it, considering it, sharing it, destroying it etc. BAPN recognises that the law applies to all processing activities.
Recipient - means an organisation or someone outside of BAPN who we share personal data with.
BAPN is the controller of personal data as we determine what is collected, why, and how it is used.
The nanny who is the focus of the information is known as the data subject.
A data breach - means a breach of our security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to member personal data transmitted, stored, or otherwise processed.
Commitment to the (General Data Protection) principles
Anyone working for or representing BAPN as a BAPN volunteer MUST:
(a) process personal data fairly, transparently, and only if there is a legal basis to do so.
To comply with this, we will inform individuals when collecting their personal data (concisely and using clear and plain language so that they understand) the following:
that BAPN is the “data controller”
our contact details;
why we are processing their information and in what way the law allows it;
if we rely on our ‘legitimate interests’ or those of others for processing personal data we will tell them what those interests are;
the identity of any person/ organisation to whom their personal data may be disclosed,
how long we will store their information, and,
their rights - including the right to complain to the ICO.
IF we receive their information by way of referral we will let the individual know the source of the information and the categories of information referred to us.
(b) only collect personal data for specified, explicit, and legitimate purposes.
We will not further process any personal data in a manner that is incompatible with the original purposes; we will be clear as to what BAPN will do with a person’s personal data and why and only use it in a way that they would reasonably expect.
(c) ensure that the personal data we collect is adequate, relevant, and limited to what is necessary to carry out the purpose(s) it was obtained for;
We will only collect the personal data that we need to fulfil that purpose(s) and no more. We will ensure that any personal data collected is adequate and relevant for the intended purpose(s).
(d) ensure that the personal data we process is accurate and, where necessary, kept up to date.
(e) keep personal data in a form that identifies individuals for no longer than is necessary for the purpose(s) that it was obtained.
We will periodically review what personal data is held and erase/destroy or anonymise that which is no longer needed.
(f) process personal data (whatever the source) in a manner that ensures appropriate security of the same including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
Legal basis for processing ordinary personal data.
BAPN will generally process personal data ONLY if one or more of the following circumstances exist:
a) we process ordinary personal information to perform a task. We also process this information to further our legitimate interests (the effective operation of the business).
BAPN will always consider and ensure that we have the correct lawful basis to process personal data on behalf of BAPN before we process it. This includes the sharing (disclosure) of information with/ to third parties.
Individuals have rights when it comes to how BAPN handles their personal data. These include rights to:
(a) receive certain information when BAPN collects their personal data;
(b) request access to their personal data;
(c) have BAPN correct inaccurate information;
(d) ask BAPN to erase their personal data;
(e) restrict the way BAPN uses their information;
(f) be notified about any recipients of their personal data when they have asked for rectification, erasure, or restriction;
(g) object to any processing undertaken by BAPN in the pursuit of our legitimate interests or those of another;
(h) be notified by BAPN of a personal data breach where it is likely to result in a “high risk” to their rights and freedoms.
Procedures exist (which will be followed) if a person seeks to exercise any of the above rights.
In certain circumstances, we are permitted to restrict the above rights and our obligations as well as depart from the principles. Any restriction will be in accordance with the law. Examples would be where there is a need to prevent, investigate, detect or prosecute crime or to protect the individual concerned or others.
BAPN treats the security of its members’ personal information (whether it is in a physical or electronic form) extremely seriously. It is committed to implementing appropriate technical and organisational measures to keep it safe. The following procedures should be followed:
a) all hard copy personal data that is not needed will be shredded.
b) any personal data taken out of the office will be securely transported.
c) any confidential email sent will be encrypted/ password protected and access to electronic data will be restricted, and password protected.
d) personal data held on a laptop will be encrypted and backed up securely.
e) sharing (disclosure) of information will be on a strict need to know/ use basis.
Procedure in the event of a security incident
In the unlikely event that there is a breach of our security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to a person’s personal information then the following steps should then be taken:
Contain and recover
There will be an investigation of the breach. This may involve calling in specialist I.T support. We will establish whether anything can be done to recover any losses and limit the damage the breach can cause.
In appropriate cases, the police will be informed. We will notify the member(s) without undue delay.
There will be an assessment of the potential adverse consequences for the affected individual, how serious or substantial these are, and how likely they are to happen.
Notification of breaches
We will (unless it is unlikely that there is a risk to the individual concerned) notify the Information Commissioner’s Office. We will do so without undue delay and whenever possible not later than 72 hours after first becoming aware of the breach.
We will (when dealing with the Commissioner’s office):
(a) describe the nature of the breach including where possible, the categories and approximate number of individuals affected, and the categories and approximate number of personal data records concerned;
(b) communicate the name and contact details of someone within BAPN - where more information can be obtained;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by us to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects. If the breach is likely to result in a high risk to the interests of the affected individual(s), we will communicate the fact of the breach to them without undue delay.
(a) communicate to the individuals affected a name and contact details of someone within BAPN - where more information can be obtained;
(b) describe the likely consequences of the breach; and
(c) describe the measures taken or proposed to be taken by us to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
Policy approved by BAPN Management.
Review date 1 September 2019