NTM-UK Data Protection Policy

NTM-UK data protection policy

New Tribes Mission, U.K. (known as NTM-UK), attaches great importance in both protecting and using appropriately the personal data we control. We are committed to keeping your personal data safe and treating it confidentially as required by UK legislation including the General Data Protection Regulations and the Data Protection Act (2018)

New Tribes Mission is a registered charity in England and Wales with charity number 278627. NTM is registered with the Information Commissioner’s Office (ICO) as a data controller, reference number Z5904410.

Trading names: New Tribes Mission: NTM-UK: North Cotes College.

Nature of work:
– Charity
– College
– Childcare

Contact Information
Address: New Tribes Mission
Kenneth Campbell Road
North Cotes
DN36 5XU
United Kingdom
Telephone: 01472 387700
Email: Data.Control@ntm.org.uk

1. Introduction

New Tribes Mission, UK (NTM-UK), process personal information for the following reasons:
• To promote the interests of the charity, including sending out the Link magazine and prayer updates
• To enable us to provide a voluntary service for the benefit of the national public as specified in our constitution
• Maintain financial accounts and records
• Administer membership records for members, associates, and volunteers
• Care for our members, visitors, and their families
• To care for and teach students of the North Cotes College (NCC)
• Provide a safe environment for those children of both members and students on site
• Attendance at an NTM Conference or event
• Staying in guest accommodation
• The use of CCTV systems for the prevention of crime

We do not retain this data for longer than is necessary and we have communicated with the data subject the reason for retention of their data, how it will be processed and for how long we will retain the data before it is archived or deleted.

This personal information, whether it is collected on paper, stored in a computer database, or recorded in any other form; must be collected and processed appropriately, including the provision of safeguards to ensure this data complies with the General Data Protection Regulation 2018.

To understand how your own personal information is processed you may need to refer to any personal communications you have received, check any privacy notices the organization has provided or contact the organization to ask about your personal circumstances.

2. Data Protection Officer

The NTM Data Protection Officer’s responsibilities include:
• Briefing the NTM-UK trustees on Data Protection responsibilities
• Reviewing Data Protection and related policies
• Advising other members on Data Protection issues
• Ensuring that Data Protection induction and training takes place
• Notification – Notifying the Information Commissioner about the data processing activities, including any data breaches that occur
• Handling subject access requests
• Approving unusual or controversial disclosures of personal data
• Approving contracts with Data Controllers and Processors

The trustees of NTM-UK have the overall responsibility for ensuring that the organisation complies with its legal obligations.

3. Data Controller

Each department where personal data is handled has its own Data Controller. Within NTM-UK there are Data Controllers who supervise the processing of data in the following departments; College, Contingency, Finance, Hospitality, Personnel and Safeguarding.

The Data Controller’s responsibilities include:
• responsible for drawing up their department’s specific operational procedures
• Induction and training to ensure that good Data Protection practice is established and followed
• Determine what personal information is being held, the use and the duration that it will be retained, which is clearly documented
• Informing the Data Protection Officer immediately when they become aware of any data breaches
• Informing the Data Protection Officer of any changes in their uses of personal data that might affect the organisation’s notification to ICO (Information Commissioner’s Office)

4. Data Subject

A data subject is a living individual who is the subject of personal data.

5. Data Transmission

NTM-UK may transmit data to other agencies such as the local authority. There may also be transmission within departments.
They may transmit data in one of four main ways. These way are as follows;
• Disclosure: when the recipient is told what data is held but no copies of the data are provided
• Sharing: when the recipient receives access to the same copy of data as the giver is holding
• Transfer: when the recipient receives their own copy of the data
• Transfer Entirely: when all copies of the giver are given to the recipient so that the giver no longer has access to any copies of the data

The Data Subject will be made aware how and to whom their information will be transmitted unless there is legal reason why NTM-UK should not share this information. There are circumstances where the law allows NTM-UK to transmit data (including sensitive data) without the Data Subject’s consent.

These are:
• Carrying out a legal duty or as authorised by the Secretary of State
• Protecting vital interests of a Data Subject or other person
• The Data Subject has already made the information public
• Conducting any legal proceedings, obtaining legal advice or defending any legal rights
• Monitoring for equal opportunities purposes – i.e. race, disability or religion
• Providing a confidential service where the Data Subject’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g. where we would wish to avoid forcing stressed or ill Individuals to provide consent signatures

NTM-UK shares data with other global partner’s with whom we are connected in accordance with the Global Partnership Agreement.
NTM-UK regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.
NTM-UK intends to ensure that personal information is treated lawfully and correctly.

To this end, NTM-UK will adhere to the Principles of Data Protection, as detailed in the Data Protection Act 2018. Specifically, the Principles require that personal information:
• Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met
• Shall be obtained only for one or more of the purposes specified in the Act, and shall not be processed in any manner incompatible with that purpose or those purposes
• Shall be adequate, relevant and not excessive in relation to those purpose(s)
• Shall be accurate and kept up to date
• Shall not be kept for longer than is necessary
• Shall be processed in accordance with the rights of data subjects under the Act
• Shall be kept secure by the Data Controller(s) who takes appropriate technical and other measures to prevent unauthorized or unlawful processing or accidental loss or destruction of, or damage to, personal information
• Shall not be transmitted to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of Individuals and Service Users in relation to the processing of personal information

6. Data collection

NTM-UK will, through appropriate management and strict application of criteria and controls:
• Observe fully the conditions regarding the fair collection and use of information
• Meet its legal obligations to specify the purposes for which information is used
• Collect and process appropriate information, and only to the extent that it is needed to fulfill its operational needs or to comply with any legal requirements
• Ensure the quality of information used
• Ensure that the rights of people about whom information is held, can be fully exercised under the Act. These include:
o The right to be informed that processing is being undertaken
o The right of access to one’s personal information
o The right to prevent processing in certain circumstances and
o The right to correct, rectify, block or erase information which is regarded as wrong information
o The right to data portability
o Rights in relation to automated decision making and profiling
• Take appropriate technical and organizational security measures to safeguard personal information
• Ensure that personal information is not transmitted abroad without suitable safeguards
• Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information
• Set out clear procedures for responding to requests for information

All data subjects are permitted to make a Subject Access Request (SAR) regarding their own information. They may be asked to provide proof of their identity before NTM-UK discloses any information. A data subject is entitled to the following
• The reasons why their data is being processed
• The description of the personal data concerning them
• A copy of all records including e-mails where they are mentioned
• Information about anyone who has received or will receive their personal data
• Details of the origin of their data if it was not collected from them

The Data Protection Officer will be responsible for handling SARs and delegating requests to the appropriate controllers. NTM-UK has 30 days to provide the requested information or to provide a reason as to why the information cannot be given. The data subject will be made aware of any reason and their right to complain to an appropriate supervisory authority.

Informed consent is when a Data Subject clearly understands why their information is needed, who it will be shared with, the possible consequences of them agreeing or refusing the proposed use of the data, and how to revoke consent and the data subject agrees to that use of the data.
NTM-UK will ensure that data is collected within the boundaries defined in this policy.
This applies to data that is collected in person, or by completing a form.

When collecting data, NTM-UK will ensure that the Data Subject:
• Clearly understands why the information is needed
• Understands what it will be used for and what the consequences are should they decide not to give consent to processing
• Grants explicit consent for data to be processed when necessary
• Is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress
• Has received sufficient information on why their data is needed and how it will be used
• Is made aware of their rights that they can request to see the data held by the organization on them, they have rights to rectification, to erase, right to receive their data in a portable manner, that they have the right to object and be involved in automated decision making and profiling
• Is aware of their ability to withdraw consent if given

We collect and process data necessary for legitimate interests pursued by the Data Controller or relevant third party. If the data subject does not wish to have their information processed for this purpose, they can opt-out of having their data processed but are responsible for repercussions from the relative authority. In certain circumstances, NTM-UK is required to hold data for specific purposes, and therefore we may not be able to comply with their request to withdraw consent. Care will be taken to protect the fundamental rights and freedoms of the data subject, particularly in reference to Children.

7. Data Storage

Information and records relating to Data Subjects will be stored securely and will only be accessible to authorised members and volunteers.
Information will be stored for only as long as it is needed or required statute and will be disposed of appropriately. Each Controller will have a specific policy in place for the separate departments and the type of data that is held.
It is NTM-UK’s responsibility to ensure all personal and company data is non-recoverable from any computer system previously used within the organisation.

8. Data Security

NTM-UK has put several systems in place to ensure the security of data that is held.
There is a CCTV system set up around campus for the protection of the interests of NTM-UK and its members.

9. Data Breach
If there is a data breach then the department data controller must inform the Data Protection Officer without delay. The Data Protection Officer then has 72 hours to contact relevant authorities to inform them of the breach and any repercussions of the breach. All data subjects whose information has been compromised will be informed of the breach without delay and kept up to date with any advances in the case. If any deadlines cannot be met, the Data Protection Officer has to make note of why the deadline was not met and any possible consequences. The Data Protection Officer will then record the incident and keep at least one copy of this record electronically and one hard copy.

10. Health and Safety

NTM-UK will have a designated Health and Safety Officer who will keep accounts of all accident reports for NTM-UK. These will be stored indefinitely either as a filed hard copy or on a server which only the Health and Safety Officer can access. The Health and Safety Officer will process this information on behalf of each Controller individually and NTM-UK as a whole.

11. Variations in Collection by Website or Social Media

There is a privacy policy on the NTM-UK website (www.ntm.org.uk) which covers all data processing for the website. There are also popups which appear when a data subject is about to submit information to ensure that the data subject is aware of the reasons for processing and their rights as an individual. The privacy policy also applies to the North Cotes College website http://www.ntm-bible-college.org.uk/
The privacy policy covers the official websites and does not include any sites linked to it.

The Facebook pages for NCC and for the Reach Conference that promote the college and conferences, and often has data subject communication, are processed under the guidance of the publications department and their policy concerning the NTM-UK website and social media pages.

12. Data access and accuracy

All Data Subjects have the right to obtain the information NTM-UK holds about them. NTM-UK will also take reasonable steps ensure that this information is kept up to date by asking data subjects to inform them if there are any changes.

In addition, NTM-UK will ensure that:
• It has a Data Protection Officer with specific responsibility for ensuring compliance with Data Protection
• Everyone processing personal information understands that they are contractually responsible for following good data protection practice
• Everyone processing personal information is appropriately trained to do so
• Everyone processing personal information is appropriately supervised
• Anybody wanting to make enquiries about handling personal information knows what to do
• It deals promptly and courteously with any enquiries about handling personal information
• It describes clearly how it handles personal information
• It will regularly review and audit the ways it holds, manages and uses personal information
• It regularly assesses and evaluates its methods and performance in relation to handling personal information
• All processors are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them
• When a data subject requests access to their data held the Data Protection Officer will handle the request and delegate to the relevant controller
• This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 2018

In case of any queries or questions in relation to this policy, please contact the NTM-UK Data Protection Officer.