For practical guidance on how to comply, click on each Principle and, for further guidance, see the Glossary of Privacy Terms.
- Have access to Inspired Villages information, or
- Are responsible for deciding how to collect, use, store, manage, disclose, grant access to, protect, or dispose of Inspired Villages information, or
- Are responsible for authorising employees or third parties to access Inspired Villages information.
The Inspired Villages Privacy Principles
- 1. Treat people and their Personal Information fairly and lawfully
To ensure our collection and use of Personal Information is fair, we need to complete a Privacy & Information Security Assessment (PISA) before starting any new activity or implementing any new software or process involving Personal Information. This enables us to identify risks to people and their Personal Information so we can put measures in place to protect them.
To collect and use Personal Information lawfully we must have either:
(a) A legal right or obligation to use it for a specified purpose, or
(b) Specific, informed, freely given and unambiguous consent from each individual to use it for the specific purpose.
This is known as the “legal basis” and we must publish the legal basis for each of our processing activities in our Privacy Notices.
- 2. Be open and transparent about our collection, use and sharing of Personal Information
We must provide details of all our Personal Information processing activities in our Privacy Notices, which are published on our website and mobile app.
The information must be comprehensive but also easy for the intended audience to.
Consult the Data Protection Officer before making any changes to a Privacy Notice.
- 3. Only use Personal Information for the purposes we specified at the time of collection
We can only use Personal Information for the purpose or purposes that we specified in a Privacy Notice at the time of collection unless the new purpose is “compatible” with the original purpose.
Consult the Data Protection Officer before using Personal Information for a new purpose.
- 4. Only collect and process Personal Information that is necessary for the specified purposes
Collect only the Personal Information we need for the specified purpose(s). Keep access and sharing to a minimum. Avoid printing and copying unless those print-outs and copies can easily be collected and destroyed after use.
If a task or process step can be performed without identifying individuals, de-identify the data.
Contact the Data Protection Officer for guidance on data de-identification.
- 5. Make sure that Personal Information is accurate and, where applicable, kept up to date
Using or even just holding inaccurate or out-of-date Personal Information may be harmful to the individual and could also put Inspired Villages at risk.
Work with the IT team to implement controls for checking and maintaining data accuracy and ensure that employees and customers keep their details up to date, e.g. via self-service portals.
- 6. Only keep Personal Information for as long as necessary for the specified purposes
Ensure that Personal Information is not kept for longer than the period specified in the Retention Schedule and is then deleted or destroyed in a secure manner.
- 7. Protect Personal Information from loss and unauthorised disclosure, use, alteration and destruction
To keep Personal Information safe:
· Always follow Inspired processes and procedures
· Be familiar with and comply with the SPURs – your Security & Privacy User Responsibilities
· If you own or are responsible for a process, ensure that a Privacy Impact Assessment is completed before any new or modified application or process is implemented, whether by Inspired Villages or a third party.
Check with the Data Protection Officer that third party suppliers and vendors who will have access to Inspired Villages Personal Information have signed a contract that meets legal requirements.
- 8. Report and respond to Privacy Incidents appropriately and without delay
If you become aware of any Privacy Incident in which Personal Information may be at risk, notify your manager without delay.
- 9. Protect people’s Privacy Rights and respond promptly to requests to exercise them
Individuals have legal rights relating to their Personal Information and our use of it.
Requests to exercise these rights are known as Data Subject Requests or “DSRs” and you can find details in the “Your Privacy Rights” section of our website Privacy Notice.
If you receive a Data Subject Request, forward it to [email protected] without delay.
- 10. Consider the risks to people and their Personal Information before changing or starting any new processing activity and implement appropriate safeguards by applying Privacy by Design principles.
Complete a Privacy Impact Assessment (PIA) before starting any project or activity that may involve the collection, processing, use, sharing, retention or disposal of Personal Information. This is particularly important when procuring, designing or developing any products, services or software that will access or process Personal Information.
Involve the Data Privacy Manager to help assess and mitigate any risks identified in the PIA.
Adherence to this policy will be monitored and failure to comply may result in disciplinary action up to and including dismissal.
Advice and Guidance
For advice on Privacy, contact: [email protected]