Data Protection Policy

Policy Statement

RBGE collects and uses information about people, including:

  • Staff, volunteers and applicants for jobs and voluntary posts
  • Supporters, visitors, donors, and enquirers
  • Students and researchers

This personal information will be managed appropriately and securely, however it is collected, recorded, and used, whether on paper or digitally, in compliance with the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR).

The purpose of this policy is to ensure that RBGE has robust procedures in place for demonstrable compliance with GDPR/DPA.

Breaching this policy may result in disciplinary action for misconduct, including dismissal. Obtaining (including accessing) or disclosing personal data in breach of RBGE’s data protection policies may also be a criminal offence.

Principles

Data users must comply with the data protection principles. Whenever RBGE works with personal data it will be:

a) processed fairly, lawfully, and transparently (see RBGE Privacy Notice)

b) collected for specific purposes and not used for incompatible purposes

c) adequate, relevant, and limited to what is necessary

d) accurate and, where necessary, kept up to date

e) retained no longer than necessary (see RBGE Records Retention Schedule)

f) kept securely

The principles apply to “personal data” - any information from which an individual is identifiable.

RBGE staff and volunteers who process or use any personal information in the course of their duties must ensure that these principles are always followed.

Responsibilities

The Senior Information Risk Owner (SIRO), the Director of Resources and Planning, has specific senior responsibility for data protection within RBGE.

The Records Management Working Group, led by the Director of Resources and Planning, is responsible for monitoring records management policies, procedures, and compliance across the Garden. This group also acts as a focus group, raising awareness of data protection issues and discussing requirements.

Information Asset Owners (IAOs) are senior/responsible individuals involved in running a relevant business area. Their main responsibility is to ensure that the information asset is managed appropriately to meet the requirements of the organisation and that risks and opportunities are monitored. They must also ensure that all staff who manage personal data on their behalf have undertaken Data Protection training and that this is refreshed regularly. Examples of IAOs include the Head of People and Organisational Development, the Head of Finance, Corporate Governance and Risk, the Head of Education, the Director of Enterprise and the Director of Science.

Each IAO has responsibility for ensuring that the information under their control is collected, processed, and held in accordance with this policy and the GDPR and that there is a current accurate description of all information assets for which they are accountable in the RBGE Information Asset Register.

The Data Protection Officer (DPO) is responsible for advising on and monitoring RBGE’s compliance with GDPR and providing a point of contact for data subjects and the Information Commissioner’s Office (ICO). The DPO is also a member of the Records Management Working Group. The RBGE DPO is Jane McCrorie.

All RBGE staff, volunteers, students and any contractors or agents performing work for or on behalf of RBGE, and any other individuals with access to RBGE’s information, have a responsibility to ensure that personal information is always protected. This includes using personal data only within their authorised role and in compliance with this policy and other ICT and Information Security policies.

All RBGE staff, volunteers, students and any contractors or agents performing work for or on behalf of RBGE have a responsibility to report to the DPO any observed or suspected incidents threatening the confidentiality, integrity or availability of personal data held by RBGE.

All RBGE staff have a responsibility to undertake data protection training promptly when requested. Any enquiries about data protection training should be sent to DPO@rbge.org.uk.

Processing personal data at RBGE

RBGE collects and uses personal data for a variety of reasons:

  • Recruitment and selection
  • Administration of contracts of employment e.g., salaries and allowances, pensions and associated benefits, appraisal, training and development, compliance with statutory requirements - Employee Privacy Notice
  • Financial information (e.g., bank account details and credit card information)
  • Health and safety
  • Management of volunteers
  • Management of students - Education Privacy Notice
  • Marketing, promotion, and fundraising - Development Privacy Notice
  • Collections information (e.g., donors, vendors, loans)
  • Identification purposes, such as library user records, staff photographs
  • Membership records, contacts, databases and mailing lists
  • Contacts for collaborative research

Staff, volunteers, and contractors working under the auspices of RBGE must only access or use personal data held by or within RBGE in accordance with this policy and for specific authorised purposes. All staff must keep network usernames and passwords secure and use information systems in line with the appropriate procedures and training.

Retention of Data

Personal data must not be retained for longer than is necessary. RBGE IAOs and managers are responsible for ensuring that the Record Retention Schedule is applied to all records and documents holding personal data, by having regular or automated deletion or destruction of personal data in systems, paper files and network folders.

All documents containing personal data should be disposed of securely in accordance with the Data Protection principles.

Transfer of Personal Data

Any mobile device or digital media (such as a laptop, mobile phone, tablet, or USB memory device) holding personal data or used for processing RBGE personal data (whether that device is RBGE or privately owned) must be encrypted. Further guidance for staff can be found on Green Pages.

If you need to send personal information by email, please read the guidance on protecting documents for sending by email on Green Pages.

Personal data rights

RBGE will ensure that individuals’ rights in respect of their personal data are respected. Rights under GDPR include:

  • the right to be informed that processing is being undertaken (GDPR art 13 and 14)
  • the right of access to one's own personal data and to specific information about the processing (GDPR art 15) - Subject Access Request Information
  • the right to object to and prevent processing in certain circumstances (GDPR art 21)
  • the right to rectify or restrict inaccurate data (GDPR art 16 and 18)
  • the right to erase data or to data portability in certain circumstances (GDPR art 17 and 20)

All requests relating to GDPR rights should be directed to the DPO at DPO@rbge.org.uk.

Personal data incidents and breaches

Any incident which may impact on the confidentiality, integrity or availability of personal data held by RBGE should be reported immediately to the DPO. The Data Breach policy and reporting form can be found on Green Pages.

Such incidents could include events such as:

  • Loss of RBGE records, laptops, or media
  • Unauthorised access to RBGE information systems
  • Personal data being misdirected to an incorrect recipient

The DPO will record the incident, ensure appropriate mitigation measures are put in place and consider whether the incident meets the GDPR definition of a personal data breach which presents a risk to individuals.

The DPO will present a report to the Director of Resources and Planning including, if appropriate, a recommendation on whether to report a breach to the ICO within 72 hours of RBGE becoming aware of the incident.

If the Director of Resources and Planning concludes that an incident constitutes a reportable breach, the DPO will report the incident to the ICO and liaise as appropriate.

Governance of Data Protection

RBGE will maintain robust oversight and transparency in the management of personal data. We will meet our record-keeping duties through the maintenance of:

  • Up-to-date privacy notice information (see articles 13 and 14 of GDPR)
  • An Information Asset Register describing the content, purpose, controls and the RBGE staff member with accountability for each data system or set of records holding personal data
  • A log of information security incidents
  • The RBGE Information Security policy

RBGE will apply Privacy by Design principles for new systems and business processes. This means that privacy and data protection will be a key consideration in the early stages of any project, and then throughout its lifecycle. Taking a privacy by design approach will help minimise privacy risks and will build trust. As appropriate, the relevant Information Asset Owner may be asked to complete a Data Protection Impact Assessment (DPIA) in line with a template and guidance from the ICO - DPIA information.

All contracts with organisations processing personal data on behalf of RBGE (data processors) will have GDPR-compliant contract clauses and be subject to appropriate levels of review and oversight.

All RBGE staff and volunteers will receive training and awareness-raising on data protection and information security relevant to their role.

For personal data processed for electronic direct marketing purposes (newsletters and other promotional materials sent by email or text message), RBGE will only use contact details for private individuals where they have explicitly opted in (consented) to receive such communications from RBGE.

How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at DPO@rbge.org.uk.

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk


Version 1.0

  • Policy approved May 2018
  • Review date - January 2021

Version 2.0

  • Version 2 agreed - May 2021
  • Planned review date - January 2023
