Zero Waste Scotland LTD needs to gather and use certain information about individuals.
These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards — and to comply with the law.
Zero Waste Scotland LTD is registered with the Information Commissioner’s Office as a Data Controller: Reference ZA054695
Why this policy exists
This data protection policy ensures Zero Waste Scotland LTD:
- Complies with data protection law and follows good practice
- Protects the rights of staff, customers and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
Data protection law
The Data Protection Act 1998 describes how organisations — including Zero Waste Scotland LTD — must collect, handle and store personal information.
The Data Protection Act 1998 covers the whole of the United Kingdom and works in two ways. Firstly, it gives you certain rights as an individual. And secondly, organisations that record and use personal data must be open about how the information is used and must follow the eight principles of the legislation, namely:
- Personal data shall be processed fairly and lawfully
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
- Personal data shall be accurate and, where necessary, kept up to date
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes
- Personal data shall be processed in accordance with the rights of data subjects under this Act
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
People, risks and responsibilities
This policy applies to:
- The head office of Zero Waste Scotland LTD
- All staff and volunteers of Zero Waste Scotland LTD
- All contractors, suppliers and other people working on behalf of Zero Waste Scotland LTD
Personal data applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This can include:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- Business Names
- Plus any other information relating to individuals
Data protection risks
This policy helps to protect Zero Waste Scotland LTD and all individuals who are the subject of personal data held by Zero Waste Scotland LTD from some very real data security risks, including:
- Breaches of confidentiality. For instance, information being given out inappropriately
- Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them
- Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data
Everyone who works for or with Zero Waste Scotland LTD some responsibility for ensuring data is collected, stored and handled appropriately.
Personal data is of no value to Zero Waste Scotland LTD unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft.
Zero Waste Scotland LTD may retain data for auditing and reporting purposes. This data will be held for a limited period only.
The law requires Zero Waste Scotland LTD to take reasonable steps to ensure data is kept accurate and up to date.
The more important it is that the personal data is accurate, the greater the effort Zero Waste Scotland LTD should put into ensuring its accuracy.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets
- Zero Waste Scotland LTD will make it easy for data subjects to update the information Zero Waste Scotland LTD holds about them
Subject access requests
All individuals who are the subject of personal data held by Zero Waste Scotland LTD are entitled to:
- Ask what information the company holds about them and why
- Ask how to gain access to it
- Be informed how to keep it up to date
- Be informed how the company is meeting its data protection obligations
If an individual contacts the company requesting this information, this is called a subject access request.
Subject access requests from individuals should be made by email, addressed to DigitalTeam@zerowastescotland.org.uk. Zero Waste Scotland LTD can supply a standard request form, although individuals do not have to use this.
The data controller will aim to provide the relevant data within 14 days. The data controller will always verify the identity of anyone making a subject access request before handing over any information.
Disclosing data for other reasons
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, Zero Waste Scotland LTD will disclose requested data. However, as a data controller the organisation will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.
Zero Waste Scotland LTD aims to ensure that individuals are aware that their data is being processed, and that they understand:
- How the data is being used
- How to exercise their rights