9.1 Everyone who works for, or on behalf of, the Guild has some responsibility for ensuring data is collected, stored and handled appropriately, in line with this policy and the Guild’s Data Security and Data Retention policies.
9.2 The Guild’s Director of Operations is responsible for reviewing this policy and updating the Trustee Board on the Guild’s data protection responsibilities and any risks in relation to the processing of data. You should direct any questions in relation to this policy or data protection to this person.
9.3 You should only access personal data covered by this policy if you need it for the work you do for, or on behalf of, the Guild and only if you are authorised to do so. You should only use the data for the specified lawful purpose for which it was obtained.
9.4 You should not share personal data informally.
9.5 You should keep personal data secure and not share it with unauthorised people.
9.6 You should regularly review and update personal data which you have to deal with for work. This includes telling us if your own contact details change.
9.7 You should not make unnecessary copies of personal data and should keep and dispose of any copies securely.
9.8 You should use strong passwords.
9.9 You should lock your computer screens when not at your desk.
9.10 Personal data should be encrypted before being transferred electronically to authorised external contacts or removed from Guild premises and systems. Speak to IT for more information on how to do this.
9.11 Consider anonymising data or using separate keys/codes so that the data subject cannot be identified.
9.12 Do not save personal data to your own personal computers or other devices.
9.13 Personal data should never be transferred outside the European Economic Area except in compliance with the law and with the authorisation of the Data Protection Officer.
9.14 You should lock drawers and filing cabinets. Do not leave paper with personal data lying about.
9.15 You should not take personal data away from the Guild’s premises without authorisation from your line manager or Data Protection Officer and only in line with the Data Security Policy.
9.16 Personal data should be shredded and disposed of securely when you have finished with it.
9.17 You should ask for help from our Data Protection Officer if you are unsure about data protection or if you notice any areas of data protection or security we can improve upon.
9.18 Any deliberate or negligent breach of this policy by you may result in disciplinary action being taken against you in accordance with our disciplinary procedure.
9.19 It is a criminal offence to conceal or destroy personal data which is part of a subject access request (see below). This conduct would also amount to gross misconduct under our disciplinary procedure, which could result in your dismissal.