
Privacy Policy



This privacy policy notice is for this website, www.surfnotstreets.org, which is served by Surfers Not Street Children UK (9 North Down Road, Braunton, EX33 2EE), and governs the privacy of those who use it. The purpose of this policy is to explain how we control, process, handle and protect your personal information while you browse or use this website, including your rights under current laws and regulations. If you do not agree to the following policy you may wish to stop viewing / using this website.

Policy key definitions:

  • "I", "our", "us", or "we" refer to the business, Surfers Not Street Children UK.

  • "you", "the user" refer to the person(s) using this website.

  • GDPR means the General Data Protection Regulation.

  • PECR means the Privacy and Electronic Communications Regulations.

  • ICO means Information Commissioner's Office.

  • Cookies mean small files stored on a user's computer or device.



PROCESSING OF YOUR PERSONAL DATA

Under the GDPR (General Data Protection Regulation) we control and / or process any personal information about you electronically using the following lawful bases.

  • We are exempt from registration in the ICO Data Protection Register because we are an NGO

  • Lawful basis: Legal obligation

  • The reason we use this basis is to comply with our obligations under the GDPR.

  • We process your information in the following ways: storing contact information for our newsletter, and securely storing donation information via our bank, the Charities Aid Foundation.

  • Data retention period: We will continue to process your information under this basis until you withdraw consent or it is determined your consent no longer exists.

  • Sharing your information: We do not share your information with third parties.

If, as determined by us, the lawful basis upon which we process your personal information changes, we will notify you about the change and any new lawful basis to be used if required. We shall stop processing your personal information if the lawful basis used is no longer relevant.



YOUR INDIVIDUAL RIGHTS

Under the GDPR your rights are as follows; you can read more about these rights in detail on the ICO website (www.ico.org.uk):

  • the right to be informed;

  • the right of access;

  • the right to rectification;

  • the right to erasure;

  • the right to restrict processing;

  • the right to data portability;

  • the right to object; and

  • the right not to be subject to automated decision-making including profiling.

You also have the right to complain to the ICO [www.ico.org.uk] if you feel there is a problem with the way we are handling your data.

We handle subject access requests in accordance with the GDPR.



INTERNET COOKIES

We use cookies on this website to provide you with a better user experience. We do this by placing a small text file on your device / computer hard drive to track how you use the website, to record or log whether you have seen particular messages that we display, to keep you logged into the website where applicable, to display relevant adverts or content, and to record whether we referred you to a third-party website.

Some cookies are required to enjoy and use the full functionality of this website.

We use a cookie control system which allows you to accept the use of cookies and to control which cookies are saved to your device / computer. Some cookies will be saved for specific time periods, while others may last indefinitely. Your web browser should also provide controls to manage and delete cookies from your device; please see your web browser's options.



DATA SECURITY AND PROTECTION

We ensure the security of any personal information we hold by using secure data storage technologies and precise procedures in how we store, access and manage that information. Our methods meet the GDPR compliance requirement.



TRANSPARENT PRIVACY EXPLANATIONS

We have provided some further explanations about user privacy and the way we use this website to help promote a transparent and honest user privacy methodology.



EMAIL MARKETING MESSAGES & SUBSCRIPTION

Under the GDPR we use the consent lawful basis for anyone subscribing to our newsletter or marketing mailing list. We only collect certain data about you, as detailed in the "Processing of your personal data" section above. Any email marketing messages we send are sent through an EMS (email marketing service) provider. An EMS is a third-party service provider of software / applications that allows marketers to send out email marketing campaigns to a list of users.

Email marketing messages that we send may contain tracking beacons, tracked clickable links or similar server technologies in order to track subscriber activity within email marketing messages. Where used, such marketing messages may record a range of data such as times, dates, IP addresses, opens, clicks, forwards, and geographic and demographic data. Such data, within its limitations, will show the activity each subscriber made for that email campaign.

Any email marketing messages we send are in accordance with the GDPR and the PECR. We provide you with an easy method to withdraw your consent (unsubscribe) or to manage your preferences / the information we hold about you at any time. See any marketing message for instructions on how to unsubscribe or manage your preferences; you can also unsubscribe from all MailChimp lists by following the unsubscribe link in any message, or otherwise contact the EMS provider.

Our EMS provider is Google. We hold the following information about you within our EMS system:

  • Email address

  • IP address

  • Subscription time & date

 
 
 

Child Protection Policy



Surfers Not Street Children UK is a British charity focused on the global phenomenon of street-involved children (street children). It is particularly interested in the impact that adventure sports, such as surfing, can have alongside mentorship in empowering street children around the world.

 

Surfers Not Street Children UK seeks to impact positively the lives of street-involved children through advocacy, partnering with organisations overseas who work directly with them, and grant-giving to those organisations. In our partnering and grant-giving work, we require evidence of high standards of policy and practice in child protection. Consistent with that, our own child protection policy mirrors that which we would expect to see in our partner front-line organisations.

 

1. Definitions

Child

For the purposes of this policy, a “child” is defined as anyone under the age of 18, in line with the UN Convention on the Rights of the Child.

Child abuse

  • According to the World Health Organisation, “child abuse” or “maltreatment” constitutes ‘all forms of physical and/or emotional ill-treatment, sexual abuse, neglect or negligent treatment or commercial or other exploitation, resulting in actual or potential harm to the child’s health, survival, development or dignity in the context of a relationship of responsibility, trust or power.’ [1]

  • The NSPCC similarly specifies “cruelty to children” or “child abuse” as ‘behaviour that causes significant harm to a child. It also includes when someone knowingly fails to prevent serious harm to a child. All forms of cruelty are damaging – it can be harder to recover from the emotional impact than from the physical effects.’ [2]

  • These definitions therefore point to four types of cruelty:

    o Physical abuse: including hurting or injuring a child, inflicting pain, poisoning, drowning, or smothering.

    o Sexual abuse: including direct or indirect sexual exploitation or corruption of children by involving them (or threatening to involve them) in inappropriate sexual activities.

    o Emotional abuse: repeatedly rejecting children, humiliating them or denying their worth and rights as human beings.

    o Neglect: the persistent lack of appropriate care of children, including love, stimulation, safety, nourishment, warmth, education, and medical attention.

  • A child who is being abused may experience more than one type of cruelty.

  • Discrimination, harassment, and bullying are also abusive and can harm a child, both physically and emotionally.

[1] The WHO definition of child abuse, as given in the Report of the Consultation on Child Abuse Prevention, WHO, 1999.

[2] Definition taken from Are you worried about the safety of a child?, NSPCC, 2002, available to download from http://www.nspcc.org.uk/documents/safetyofchild.pdf.

 

CHILD PROTECTION

A broad term to describe philosophies, policies, standards, guidelines and procedures to protect children from both intentional and unintentional harm. In the current context, it applies particularly to the duty of Surfers Not Street Children UK, and of individuals associated with Surfers Not Street Children UK, towards children in their care.

DIRECT CONTACT WITH CHILDREN

Being in the physical presence of a child or children in the context of Surfers Not Street Children UK’s work, whether contact is occasional or regular, short or long term. In the UK this could involve delivering talks to schools, churches and youth groups. Overseas this could involve project/site visits and attending conferences at which children are also present. [N.B. this list of examples is not exhaustive].

INDIRECT CONTACT WITH CHILDREN

  1. Having access to information on children in the context of Surfers Not Street Children UK’s work, such as children’s names, locations (addresses of individuals or projects), photographs and case studies.

  2. Providing funding for organisations that work ‘directly’ with children. Albeit indirectly, this nonetheless has an impact on children, and therefore confers upon the donor organisation responsibility for child protection issues. [N.B. this list of examples is not exhaustive].

PARTNER

For the purposes of this policy:

  1. An overseas organisation that receives funding from Surfers Not Street Children UK, whether funding is occasional or regular, short or long term, for a specific project or towards core costs and regardless of the amount of money involved.

  2. An overseas organisation involved in project work with Surfers Not Street Children UK, whether the project relationship is short or long term, a one-off or regular/ongoing arrangement, and regardless of whether or not any funding is involved.

POLICY

‘A statement of intent that demonstrates a commitment to safeguard children from harm and makes clear to all what is required in relation to the protection of children. It helps to create a safe and positive environment for children and to show that the organisation is taking its duty and responsibility of care seriously.’ [3]

2. Surfers Not Street Children UK’s core child protection principles and values

  • The legal basis – the UNCRC: Surfers Not Street Children UK’s Child Protection Policy is firmly based on the principles of the UN Convention on the Rights of the Child. Taken holistically, the CRC provides a comprehensive framework for the protection, provision and participation of all children without discrimination to ensure their survival and development to the maximum extent possible. On the understanding that the CRC must be read as a whole, the following articles nevertheless form the specific basis of child protection: 1 (definition of ‘child’), 2 (non-discrimination), 3.1 (the best interests of the child), 3.2 (duty of care and protection), 3.3 (standards of care), 6 (survival and development), 12 (participation), 13 (freedom of expression), 19 (protection from violence), 25 (periodic review of placements), 32, 33, 34, 36, 37(a) (protection from economic exploitation, substance abuse, sexual abuse and exploitation, ‘all other forms of exploitation’; torture, cruel, inhuman or degrading treatment or punishment), 39 (physical and psychological recovery and social reintegration).

  • The moral basis – a non-negotiable duty: Surfers Not Street Children UK believes that NGOs working for street children’s rights have an absolute duty to protect this already vulnerable group from abuse, mistreatment, and exploitation from within organisations intended for their benefit. This duty is imperative and non-negotiable. Without adequate standards and mechanisms of protection in place, an organisation is not only failing in its primary duty of care, but may also be negligently or recklessly fostering an environment of abuse.

  • An end to silence: Silence breeds abuse and exploitation of children. Paedophiles will seek out organisations with weak communication structures and thrive where secrecy and shame prevail. Furthermore, without proper policies and explicit procedures in place, NGOs are extremely vulnerable to false allegations of child abuse. Surfers Not Street Children UK therefore believes in:

o creating an environment where issues of child protection are discussed openly and are understood between children and adults;

o promoting open lines of communication both internally and externally within and between organisations to improve awareness and implementation of child protection policies and practices;

o creating a framework to deal openly, consistently and fairly with allegations concerning both direct and indirect abuse.

  • Children’s participation – a space and a voice: Creating a space where children feel able and willing to speak out about abuse, free from abusers, empowers them to become actors in their own protection without further discrimination or shame. “Children have the right to communication – to enable them to receive information, to ask questions, to make choices, and to make decisions.” [4] Surfers Not Street Children UK believes that helping children to find a voice is an essential step to helping them to claim their individual rights. Children will only benefit from this policy if they are aware of their rights and are given the proper environment in which to exercise them.

  • Taking it further: Child protection is not just about reading and signing a piece of paper: the policy sets out guidelines and standards that must be put into practice. These include, amongst other measures: recruitment procedures, review of management structures, creation of a space for children to speak out, staff training, and development of transparent protocols. ‘Above all, it must be remembered that it is the children, not the standards, that are sacrosanct; and although abuse must never be tolerated, the standards are no more than a tool in the service of promoting the welfare of children.’ [5]

  • Challenging complacency: Resistance to addressing child protection issues may come from lack of understanding of the nature of child abuse, lack of commitment to the organisation/programme, and a sense that child abuse happens elsewhere. Organisations should ask themselves: “If safety and well-being of children are not at the centre of the organisation’s programme/activities, then why not?” ‘It is unfortunate and unacceptable that it will take a horrendous incident to shock some organisations into action’. Surfers Not Street Children UK will challenge complacency as a matter of course. [6]

[4] Quoted from Sense International Child Protection Policy, Section 2.1.2.

[5] Setting the Standard: A common approach to Child Protection for international NGOs, anonymous INGO quotation, p.6.

• These principles underpin all of the following standards set out in this document.

3. The need for a Child Protection Policy

‘Any international NGO should have a Child Protection Policy if its direct or indirect beneficiaries include individuals under the age of 18’ [7]

  • It is the duty of Surfers Not Street Children UK to ensure that the promotion of children’s rights includes specifically protecting children from accidental harm as well as deliberate abuse within organisations intended for their benefit. This policy will assist in fulfilling this duty.

  • Street-involved children are especially vulnerable to abuse, exploitation, and ill-treatment at the hands of carers, other project workers, and those with access to their personal information. In the case of children who have run away from home, many have already experienced ruptured relationships of trust or abuse of an adult-child relationship in the form of physical, psychological or sexual abuse.

  • Organisations working with vulnerable children have been, are and will continue to be vulnerable to harbouring abuse until the issues are brought into the open.

  • Organisations without protection policies, guidelines and systems are more vulnerable to false or malicious accusations of abuse.

  • Without proper policies, guidelines and procedures in place, allegations of abuse, whether founded or unfounded, can destroy an organisation’s reputation. This will have serious implications for fundraising (thus undermining an organisation’s entire portfolio of work, even beyond the scope of the particular project concerned) as well as damaging the reputation of the street children NGO sector as a whole.

 

4. The Surfers Not Street Children Child Protection Policy

Staff and Personnel

As a condition of working with our organisation, all trustees, employees, officers, staff, interns, volunteers, researchers, consultants, and advisers of the Surfers Not Street Children UK are required to undergo the following:

  1. Satisfactory clearance through a police check conducted by the Disclosure and Barring Service (DBS).

  2. Both acceptance of and commitment to our Child Protection Policy and Code of Conduct for working with children.

  3. Signing a personal declaration stating any criminal convictions, including spent convictions.

  4. Providing the names and contact information of two character referees, excluding family members, who have known them for no less than two years.

[6] Adapted, with selected quotations, from ECPAT Australia, Choose with Care, p.34.

[7] Setting the Standard: A common approach to Child Protection for international NGOs, Standard 1 (Policy).

Training and Education

Training and education are essential to implementing the Child Protection Policy. Surfers Not Street Children UK is a very small organisation with minimal staff, but we will endeavour to ensure that appropriate training is given.

Behaviour Protocols

Any trustee, employee, officer, staff member, intern, volunteer, researcher, consultant, or adviser who has direct contact with children either in the UK or overseas will be fully informed of Surfers Not Street Children UK’s Code of Conduct. The Code of Conduct includes guidance on appropriate behaviour of adults towards children and of children towards children (see attached).

Communications about Children

All publications and the website that include images and text related to children will not contain the following:

  • Manipulated or sensationalised text and/or images

  • Discriminatory and degrading language

  • Images in which children are inappropriately clothed

  • Information that could be used to identify the location of the child and cause them to be put at risk

  • Photos of children included on the website or in any of our publications must be taken with the child’s verbal permission. In addition, all information relating to children is limited to those members of staff who need to know, and will be treated as confidential.

Reporting Incidents

All witnessed, suspected or alleged violations of the Child Protection Policy will be immediately reported to the Chair of the board, who will record and act on them in a confidential manner. Surfers Not Street Children UK will take appropriate action to protect the child/children in question, and others in the organisation, from further harm during and following an incident or allegation. The relevant contact details for child protection services, the local social services department, police, emergency medical help and helplines (e.g. NSPCC) will also be readily available and easily accessible.

Ramifications of Misconduct

We will immediately suspend any employee, adviser, consultant, trustee, intern or volunteer who is alleged to have violated the Child Protection Policy, pending the outcome of an investigation. Surfers Not Street Children UK reserves the right to take any disciplinary action against any of the above who have been proven guilty in an investigation, which may include reporting the incident to the police.

 
 
 

Data Protection Policy


OVERVIEW

This policy recognises that Surfers Not Street Children has a duty to protect the personal information of staff, volunteers, donors and contacts it is responsible for.


Surfers Not Street Children understands that it is the custodian of personal information. Surfers Not Street Children recognises the importance of handling personal information securely and appropriately.

  1. PURPOSE AND OBJECTIVE

This Data Protection Policy defines

  • how personal data will be handled in order that it remains confidential, maintains its integrity and is available when needed.

  • how Surfers Not Street Children will meet its obligations as a Data Controller under the Data Protection Act 1998.

This policy will enable Surfers Not Street Children to demonstrate

  • recognition of how important the management of personal information is;

  • that reasonable steps are being taken to meet legitimate expectations of confidentiality and privacy, and to reduce the risk of substantial distress or financial damage being caused to individuals where Surfers Not Street Children handles their personal information;

  • good governance with regards to the handling of personal data and sensitive personal data, to reduce the risk of damage to Surfers Not Street Children’s reputation and the goodwill and trust individuals have in Surfers Not Street Children;

  • how Surfers Not Street Children will achieve compliance with the data protection principles – by defining what is authorised and lawful so those who handle personal data when working for Surfers Not Street Children will know what is expected of them and where to go for further guidance.

  2. SCOPE

This policy outlines how Surfers Not Street Children will ensure compliance with the Data Protection Act 1998 and related statutory instruments.

The policy applies to all staff and volunteers who access or use personal data that Surfers Not Street Children is responsible for as a Data Controller.

  3. COMMITMENT ON THE HANDLING OF PERSONAL DATA

Surfers Not Street Children commits to ensuring that personal data is protected from the loss of confidentiality, integrity and availability and at the same time managed so that it can be used to provide services in an efficient and effective manner.

Protect from loss of      Intended outcome of policy

Confidentiality           Personal information is accessible only to authorised individuals.

Integrity                 There are safeguards to ensure the accuracy and completeness of personal information and processing methods.

Availability              Authorised staff have access to relevant information when required.

The Surfers Not Street Children Director will review and ensure compliance with this policy and will provide updates to the trustees on an annual basis.

  4. PURPOSE FOR WHICH SURFERS NOT STREET CHILDREN USES DATA

Surfers Not Street Children’s stated purpose for which data is used is as follows:

Surfers Not Street Children manages the data and will use it to supply information to you about the work and events and ministry of Surfers Not Street Children (and of other organisations which Surfers Not Street Children partners with, where appropriate), but it will not be passed to Surfers Not Street Children partners or other third parties.  You can opt out of receiving our communications at any stage you wish by changing your Personal Preferences electronically or by notifying the Surfers Not Street Children office.

  5. REVIEW

Surfers Not Street Children will undertake to review this policy every 12 months. The policy will also be reviewed when necessary – for example, in the event of legislative or organisational change.

  6. EMPLOYMENT

This policy forms part of the employment relationship Surfers Not Street Children has with its staff, and therefore forms part of the contractual and implied responsibilities that employer and employee have towards each other.

  7. What is ‘personal data’?

Personal data means information relating to a living individual who can be identified from the information, including any expression of opinion about the individual, or any intentions in respect to the individual. This can relate to a staff member, a personal supporter, or a ministry contact.

  8. TYPES OF PERSONAL DATA

There are two types of personal data.

    8.1 STANDARD PERSONAL DATA

This includes information such as:

  1. Name

  2. Address

  3. Email

  4. Phone number

  5. Donation history

  6. Family member names

  7. Date of birth

  8. Date of birth of family members

    8.2 SENSITIVE PERSONAL DATA

This includes information such as:

  1. Race or ethnic origin

  2. Political opinions

  3. Beliefs

  4. Health or sex life (including orientation)

  5. Trade union membership


  9. Data protection principles

The Data Protection Act has eight key principles. This policy is not intended to be a comprehensive explanation of the Data Protection Act, but for completeness the principle headings are listed here. The policies adopted within this policy document seek to apply these principles. They are included here for information and reference.

    PRINCIPLE 1

Personal data shall be obtained and processed fairly and lawfully.

    PRINCIPLE 2

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be used in any manner incompatible with that purpose or those purposes.

    PRINCIPLE 3

Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is used.

    PRINCIPLE 4

Personal data shall be accurate and, where necessary, kept up to date.

    PRINCIPLE 5

Personal data shall not be kept for longer than is necessary for the purpose it was initially collected.

    PRINCIPLE 6

Personal data shall be processed in accordance with the rights that the individual to whom the information pertains has under the Data Protection Act.

    PRINCIPLE 7

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data.

    PRINCIPLE 8

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country ensures an adequate level of protection for the rights and freedoms of individuals the information pertains to.

  10. Using mobile devices (laptops, tablets, phones, USB sticks): ‘BYOD – Bring Your Own Device’

 

    10.1 OVERVIEW

Some of our work takes place outside an office environment. Staff and volunteers all use mobile devices such as laptops, tablets, smartphones and USB sticks.

The term that most organisations adopt when allowing staff to purchase their own equipment and use it for work purposes is BYOD, or Bring Your Own Device.

If the purchase price of the equipment is paid or reimbursed by Surfers Not Street Children then the device is owned by Surfers Not Street Children. If it has not been reimbursed then the equipment belongs to the individual staff member.

It is important to highlight that:

  1. The personal data collected and stored on computing devices in relation to work with Surfers Not Street Children, irrespective of whether the equipment belongs to Surfers Not Street Children, is legally under the stewardship and responsibility of Surfers Not Street Children. This would include any list/database of our network and contacts.

  2. The equipment used is the responsibility of the staff member to maintain and support.

 

    10.2 RISKS OF USING MOBILE DEVICES

A staff member must be aware of the following risks when using their own device.

  1. Unauthorised access. E.g. someone other than the staff member could access the device – a thief or family member.

  2. Unlawful processing. E.g. the use of the personal data by the staff member for a purpose unrelated to Surfers Not Street Children. The law says we cannot use the information we collect for purposes other than those it was collected for in the first place.

  3. Accidental loss. E.g. the data on your device is lost or stolen.

  4. Accidental damage. E.g. you might only have one copy of a database that gets corrupted meaning the information cannot be retrieved.

  5. Accidental deletion. E.g. you may accidentally delete the information.

 

    10.3 POLICY

Surfers Not Street Children allows staff and volunteers to use their own devices when accessing personal data.

In light of these risks, staff members and volunteers are responsible for the following.

  1. Ensure up-to-date virus and malware protection is installed on the device.

  2. Ensure personal data is backed up regularly, either in their Surfers Not Street Children Soonr account, the Mailchimp database, or another secure cloud storage facility. See Backup procedures later in this policy.

  3. The equipment containing the personal data is kept in sight at all times, or locked away securely. This includes not letting a non-staff member borrow the equipment, as this means the information is no longer secure.

  4. In light of the fact USB sticks are easy to lose, the storing of personal data on USB sticks is prohibited, unless the USB stick is encrypted.

  5. Laptops will be password protected.

  6. Where there are more than 300 names, and personal details, relating to Surfers Not Street Children contacts on the device, then the device will be encrypted.

 

  11. Cloud Storage

    11.1 OVERVIEW

Surfers Not Street Children provides staff with cloud storage through their secure Soonr account.

    11.2 POLICY

If a staff member wishes to store personal data in an alternative cloud storage facility they are to ensure the following.

  1. Password – follow the password policy in the Passwords section of this document.

  2. Turning on two-factor authentication is strongly recommended.

 

  12. Passwords

    12.1 OVERVIEW

Simple passwords can be easily guessed, and if the same password is used for every website account a staff member uses, their entire digital life is exposed to a single compromise.

If a low-security website is hacked, the attacker can try the same login and password on more sensitive websites.

    12.2 POLICY

Where personal data is stored, the staff member needs to apply the following password policy. Passwords must:

  1. Be a minimum of seven characters long.

  2. Be a mixture of uppercase, lowercase characters and numbers.

  3. Not include real names. This includes names of spouse, children or pets.

  4. Not include any part of the login name, i.e. if the account login is fredbloggs the password should not be Fredbloggs1.

 

Many staff will have multiple online accounts, each with different logins and passwords. It is tempting to use the same password for each of these accounts. The danger is that if a particular website is compromised and passwords are stolen, this gives the thief access to every account with the same password. It is good practice to use a different password for each account. We recommend password manager software such as 1Password (https://agilebits.com/onepassword), which enables a staff member to store multiple account details in one place, making it manageable to use different passwords on different accounts.
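The four rules above can be checked mechanically before a password is accepted. The following is an added example for this page; it is not code from Surfers Not Street Children UK or from any password manager. It encodes the rules exactly as the policy states them: a minimum of seven characters, a mix of upper case, lower case and digits, no real names, and no part of the login name. The list of names to block and the logins and passwords used in the demonstration are constructed for illustration; in practice the list would hold the staff member's own family and pet names. The login check is case-insensitive and also splits logins such as fred.bloggs into their parts, so both Fredbloggs1 and Bloggs2017 fail against that login, and the checker reports every rule a candidate breaks rather than stopping at the first.

```python
"""Checker for the password policy in the Passwords section.

Added example, not code from Surfers Not Street Children UK. The checker
reports every rule a candidate password breaks, so a user can fix all of
them in one go rather than discovering them one at a time.
"""
import re

MIN_LENGTH = 7  # rule 1: minimum of seven characters

# Rule 3: no real names. Constructed list for illustration; in practice
# this would hold the staff member's own family and pet names.
NAMES_TO_BLOCK = ["fred", "bloggs", "alice", "rover"]


def login_fragments(login: str) -> list[str]:
    """Return the login and its dot/underscore/hyphen-separated parts, lower-cased.

    Parts shorter than three characters are ignored so that a login like
    'j.smith' does not forbid every password containing the letter 'j'.
    """
    login = login.lower()
    parts = [p for p in re.split(r"[._\-@ ]+", login) if len(p) >= 3]
    return sorted(set(parts + [login]))


def check_password(password: str, login: str, names: list[str] = NAMES_TO_BLOCK) -> list[str]:
    """Return the list of policy rules the password breaks; an empty list means compliant."""
    failures: list[str] = []
    lowered = password.lower()

    # Rule 1: minimum length.
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")

    # Rule 2: mixture of upper case, lower case and digits.
    has_upper = re.search(r"[A-Z]", password) is not None
    has_lower = re.search(r"[a-z]", password) is not None
    has_digit = re.search(r"[0-9]", password) is not None
    if not (has_upper and has_lower and has_digit):
        failures.append("must mix uppercase, lowercase and digits")

    # Rule 3: no real names (case-insensitive substring match).
    for name in names:
        if name.lower() in lowered:
            failures.append(f"contains a real name: {name}")

    # Rule 4: no part of the login name, e.g. login fredbloggs forbids Fredbloggs1.
    for fragment in login_fragments(login):
        if fragment in lowered:
            failures.append(f"contains part of the login name: {fragment}")
            break

    return failures


if __name__ == "__main__":
    # Constructed demonstration inputs.
    for candidate, login in [("Fredbloggs1", "fredbloggs"), ("Tq7xMp9w", "fred.bloggs")]:
        problems = check_password(candidate, login)
        print(candidate, "->", "OK" if not problems else "; ".join(problems))
```

The rule-4 check compares lower-cased strings, because the policy's own example (login fredbloggs, password Fredbloggs1) differs from the login only in case; a case-sensitive comparison would wrongly accept it.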


 

  13. Being open with people about how we are using their personal data: ‘Fair Processing (Privacy) Notice’

 

    13.1 OVERVIEW

Surfers Not Street Children has a duty to ensure that our network and contacts are informed about what will happen to their personal information. If personal information is not sensitive, the need for explicit consent is reduced.

In relation to personal information, Surfers Not Street Children must:

  1. Be open with our network and contacts about where personal information is stored, and be clear that it will only be used for purposes for which it was given.

  2. For Surfers Not Street Children Event Response cards, or similar information collection devices, a brief sentence will be included saying the data will be stored and processed by Surfers Not Street Children, and that we will not pass on details to a third party.

Example: “Please note that in receiving your details, we recognise our legal duties to store and protect data in accordance with the Data Protection Act 1998. Your details are managed by Surfers Not Street Children. We will not pass your details to any third parties.”

 

  8. Office 365: acceptable use

    1. USE OF EMAIL ACCOUNTS

Surfers Not Street Children provides an email system to support its activities. Access to this system is granted to staff and office volunteers on this basis.

Non-Surfers Not Street Children email accounts must NOT be used by staff or volunteers in their Surfers Not Street Children work, i.e. information must not be sent from a non-Surfers Not Street Children email address, nor emailed by staff or volunteers to their own non-Surfers Not Street Children email address.

 

  9. Clear desk, clear screen and secure waste

    1. OVERVIEW

It is recognised that, whether working at a permanent desk or at a temporary table in a coffee shop, information displayed on our screens or written on a paper notepad may be visible to others. Printouts of personal data can also be seen by others.

    2. POLICY

  1. When working with personal data, a staff member must be aware of their environment to ensure no one is eavesdropping or overlooking them.

  2. When working in the office and you need to leave your desk, we recommend you ‘lock’ your computer screen so no one can start using your computer.

  3. When working in the office, be aware of the paper on your desk. If someone were to stand over your desk, would they get access to information they shouldn’t have? This applies to other staff members, visitors and any intruder. There is a clear desk policy in place.

  4. Dispose of paper with personal data on it securely. Do not just put it in your paper recycling. Shred it first.

 

  10. Sharing personal information with other people/organisations

    1. OVERVIEW

Working in partnership with other organisations is an important part of Surfers Not Street Children’s work.

    2. POLICY

However, under NO circumstances will personal data be shared with an external organisation without the prior CONSENT of the person to whom the data belongs. Staff must NOT share first and seek permission later.

 

  11. Social media

    1. OVERVIEW

Social media is an important part of Surfers Not Street Children’s work and is encouraged to help fulfil Surfers Not Street Children’s aims and objectives. However, when using social media it can be incredibly easy to share personal information unintentionally. Doing so would represent a breach of our requirements in law.

    2. POLICY

  1. Staff must not allow their engagement with social media to harm working relationships with or between staff, the network or other contacts.

  2. Staff must not use social media as a method of publicly disclosing personal information about staff, the network or other contacts.

Staff must also be aware of their own personal online security when using social media. Staff should take appropriate steps to reduce the risk of:

  1. identity theft – by using any available privacy settings to ensure that access to their account is limited;

  2. their other online accounts being compromised – by not posting passwords, or any personal information that has been used as a password (or part of a password), such as birthdays, place of birth, or the names of a spouse, children and/or pets.


 

  12. Websites

    1. OVERVIEW

In addition to the main Surfers Not Street Children website (www.Surfers Not Street Children.org.uk) and the Surfers Not Street Children Mailchimp account, most ministry areas of Surfers Not Street Children will have a Facebook group page to help in connecting with a specific target audience. All websites come under this policy.

    2. POLICY

  1. Where ANY personal data is collected from a website, e.g. through a contact form, a privacy statement will be included on that website. This statement will give the reader clear guidance on how that information is stored, how it will be used, and what they can do to see a copy of the information stored on them.

  2. Payment processing will always be through a third party (e.g. PayPal) with a proven track record of secure payments.

  3. All domain names will be purchased through the office and centrally managed. Should a website be hacked and its content changed, the name can be redirected quickly to an alternative site.

 

  13. Credit Cards

    1. POLICY

  1. Surfers Not Street Children will never store credit card information.

  2. Payment processing on Surfers Not Street Children websites will always be via a trusted third party, e.g. PayPal.

  3. Credit card details received over the telephone by the Surfers Not Street Children office may temporarily be written down in order to receive a donation, but will be shredded immediately following the successful completion of the transaction. This is always within the same day.

 

  14. Backup procedures

    1. OVERVIEW

Surfers Not Street Children recognises the importance of handling personal information appropriately – including maintaining the availability and integrity of information.

Surfers Not Street Children therefore ensures that steps are taken to back up personal information. In the event of accidental loss, damage or destruction of information, these steps will enable the information to be restored.

If a staff member is using an external hard drive to back up files, then there must be some physical security around that drive. Remember that the drive will contain personal data. Recommendations are to encrypt the drive, or not to take it out of your home.

 

  15. Retention and deletion of personal data

Surfers Not Street Children recognises that personal data must not be kept for longer than necessary.

Staff members storing personal data locally on their own devices are responsible for:

  1. keeping that information up to date; and

  2. deleting the information once it is no longer needed for the purpose(s) for which it was collected.

 

  16. When someone makes a request to see the information held on them: ‘Subject Access Request’

If a formal request comes from a member of the public asking for a copy of the information that is kept on them, it will be dealt with by the Director of Surfers Not Street Children or someone appropriately nominated by the Director. This applies to personal data stored on individual laptops, in team file stores, and within the office.

A staff member is responsible for informing the Director immediately should such a request be made to them.

The Operations Director, in responding to the member of the public, will check the following:

  1. The identity of the person making the request.

  2. The authority of the person to make the request.

  3. The request itself; there needs to be enough detail in the request to ensure we can actually supply the information being requested.

A payment of £10 (paid to Surfers Not Street Children) can be taken from the member of the public if responding adequately to the request(s) requires a lot of time.

Refer to the Appendix for the checklist to follow for a ‘Subject Access Request’.

 

  17. How is personal data secured? ‘Access Control’

Certain areas of the computer system and paper files are restricted. Only those people who need access to information will have access to it.

PERSONAL INFORMATION – THOSE WHO CAN ACCESS IT

  • Network Information: access restricted to the Director and other people appropriately nominated by the Director.

  • Donor Information: access restricted to the Chair of Trustees and other people appropriately nominated by the Chair of Trustees.

  • Employee Files: access restricted to the Chair of Trustees, the Director and other people appropriately nominated by either of them.

  • Finance: access restricted to the Chair of Trustees, the Director and other people appropriately nominated by either of them.

Principle 7 of the Data Protection Act requires Surfers Not Street Children to ensure that the personal data it keeps is appropriately secured, so that people who don’t need to see the information can’t get to it. When allowing people to borrow your laptop or tablet, remember that it will give them the ability to access information they don’t need to see. You are responsible for protecting that personal data.

 

  18. Reporting accidental loss, or theft, of personal data

    1. OVERVIEW

If personal data has gone missing, is stolen, or is corrupted, then the following process will take effect to ensure it is managed.

Under data protection legislation, significant breaches

    2. STAFF AND OFFICIAL VOLUNTEER RESPONSIBILITIES

It must be reported to the Director of Surfers Not Street Children if it is suspected that personal data may be missing, stolen, or open to those who shouldn’t have access. Common examples include a laptop left on a train, a lost USB storage drive, or a stolen phone.

Report the suspicion immediately: the sooner we know, the quicker we can take steps to manage the situation. Do not wait until the end of the day/week to mention anything.

    3. WHAT WILL HAPPEN NEXT?

  1. Do not panic.

  2. Contain the breach and recover: the Director of Surfers Not Street Children, along with the staff member in question, will identify what personal data is involved and map out the extent of the breach. They will then contain the breach, arranging for relevant passwords to be changed.

  3. Assess the risks: could the data breach harm individuals (e.g. through financial damage, emotional distress or physical damage)? Is the volume of information significant, in terms of the number of records? Is the volume of information significant, in terms of the amount of information held on an individual? Is the personal information sensitive?

  4. Decide whether to report to the Information Commissioner’s Office: they will consider whether the incident needs to be reported to the Information Commissioner’s Office.

  5. Letting people know: communicate with the individual(s) affected and/or the Information Commissioner’s Office, as required.

  6. Learn lessons: once the above is done, review the situation and learn any lessons, improving practices or amending this policy as necessary.

A thorough ‘Information Security Incident Checklist’ is provided in the Appendix and will be followed in such cases.

 

  19. Guides produced by the Information Commissioner’s Office

    1. GUIDE TO DATA PROTECTION

As Surfers Not Street Children needs to comply with data protection legislation, it may be helpful to refer to the ICO’s guide for those who have day-to-day responsibility for data protection: https://ico.org.uk/for-organisations/guide-to-data-protection/.

    2. GUIDE TO PRIVACY AND ELECTRONIC COMMUNICATIONS REGULATIONS

As Surfers Not Street Children sends out electronic marketing messages, it must also comply with the Privacy and Electronic Communications Regulations (“PECR”). The PECR sit alongside the data protection legislation, giving specific privacy rights in relation to electronic communications. The ICO has produced a guide for organisations: https://ico.org.uk/for-organisations/guide-to-pecr/.

In summary, under the PECR the following are key considerations for Surfers Not Street Children (as derived from the above Guide):

  • The PECR are derived from European law, the e-privacy Directive. They sit alongside the data protection legislation, giving people specific statutory rights in relation to electronic communications.

  • Some of the PECR rules only apply to “service providers” that provide a public electronic communications network service, which of course Surfers Not Street Children does not; other rules apply even if you are not a service provider.

  • Electronic communications include emails. “Direct marketing” is defined as “the communication (by whatever means) of any advertising or marketing material directed to particular individuals” (s11(3) Data Protection Act); this covers all advertising and promotional material, including material promoting the aims of a not-for-profit organisation, for example a charity. So our Surfers Not Street Children emails are “direct marketing”.

  • Most of the PECR rules only apply to unsolicited marketing messages. Our Surfers Not Street Children weekly emails are “unsolicited” within the PECR: a solicited message is one that is actively requested, i.e. where someone specifically asks us to provide particular information (and a solicited message can be provided without worrying about the PECR). Even though someone has “opted in” to receiving marketing from Surfers Not Street Children, the message is still “unsolicited” because it has not been requested specifically. Any unsolicited message must comply with the PECR.

  • A person’s consent is often needed before sending them a marketing message. The consent must be knowingly and freely given, clear and specific. (It is worth noting that consent must involve some sort of opt-in, or positive action, e.g. ticking a box, clicking an icon, sending an email or subscribing to a service.) For Surfers Not Street Children, this will happen when the individual initially asks/agrees to go on our database.

  • There are tighter rules on a “personal data breach” by a “service provider” under the PECR – effectively requiring notification within 24 hours every time there is a breach, whether or not it is significant. However, these do not apply to Surfers Not Street Children, as we are not a “service provider”. (A “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.)

  • So if there is a breach, Surfers Not Street Children needs to comply (only) with the data protection legislation requirements, as set out in this Policy; essentially, the Information Commissioner wants to hear about serious data security breaches.
  20. Appendix

    1. TEN POINT CHECKLIST FOR GETTING STARTED

  1. I am aware what personal data is. (Section 2)

  2. I am aware that personal data collected and stored by myself in relation to my work with Surfers Not Street Children comes under this policy. (Section 5)

  3. I am aware it is my responsibility to have a virus checker on my computer. (Section 4)

  4. I am aware it is my responsibility to back up personal data on my computer. (Section 4)

  5. I have given consideration to where I am storing personal data, i.e. Dropbox, local computer, Mailchimp, Office 365, and I have followed the password policy. (Section 6)

  6. I am aware that I have a duty to be open with people about what will happen to the personal data I collect. (Section 7)

  7. I will never share personal data outside of Surfers Not Street Children. I can contact the Director of Surfers Not Street Children in the office should I have a question. (Section 10)

  8. I have given consideration to any personal data I have and confirmed it is up to date. (Section 15)

  9. I am aware that if someone brings me a formal request to see the information Surfers Not Street Children holds on him or her, I will immediately pass that request on to the Director of Surfers Not Street Children. (Section 16)

  10. If I suspect that I have lost any device that contains personal data (e.g. laptop, phone, tablet or USB stick), I am aware of my responsibility to inform the Director of Surfers Not Street Children immediately. (Section 18)

 

Name:

 

Date:

 

    2. SUBJECT ACCESS REQUEST CHECKLIST

Step 1 – Validate the Request

1. Check identity

Q: Are you satisfied that the person is who they say they are?

You can ask the requester for sufficient information to enable you to confirm their identity. This is because you must only disclose personal information to the individual (or their representative – see 2 below).

Note: Do not discuss a request, or whether you do or do not hold personal information, until you are satisfied of the requester’s identity. This is because even confirming that personal information is held could divulge information about someone.

2. Check authority

Q: Are you satisfied that the person has the authority to make a request on behalf of someone else?

This will be relevant when someone is (i) asking to see someone else’s personal information, or (ii) explicitly claiming to make a request on behalf of someone else.

No individual has an automatic right under the Data Protection Act to request access to someone else’s personal information. However, someone can agree to a representative making a request for them (e.g. a parent for a child; a solicitor for their client; where there is power of attorney). You therefore need to check this agreement.

3. Check request

Q: Do you have enough information to locate what is being requested?

You can ask the requester for sufficient detail to enable you to locate the personal information they are seeking. This is because people only have a right of access to their own personal information.

e.g. If you have personal information for a number of people with the same name, you could ask the requester for further details (e.g. date of birth) to distinguish them from the other people.

e.g. If the request is for ‘all personal information’, you could ask whether any specific information might satisfy the request, so that it could be processed first.

4. Check payment

Q: Are you going to ask for £10 to process the request?

You are entitled to charge £10 for processing a Subject Access Request, and we may decide to do so if responding to the request requires a lot of time.

Q: If so, have you received payment?

You do not have to start processing the request until you have received payment.

Step 2 – Locate the personal information

Electronic systems searched (one row per system):

  Electronic system name | Search undertaken (names; dates / range of dates) | Result | If no personal information has been located – document any possible rationale

Employees consulted (one row per employee):

  Employee consulted | Search undertaken | Result | If no personal information has been located – document any possible rationale

Step 3 – Review the personal information

Once the personal information subject to the request has been located, it must be reviewed.

Review of Third Party Personal Information

The following should be considered for each piece of third party personal information:

1. Can you disclose the personal information without disclosing information relating to, or identifying, anyone else?

Note: you should consider not only the information you are about to disclose, but also whether the information could be used with any other information you think the requester might have (or be able to get).

  • Yes >> Include the third party personal information in the response. >> Continue to 6 >>

  • No / unsure >> Continue to Q2 below >>

2. Are the third party’s details simply not part of the request?

i.e. the third party’s name and information are unrelated to the requester. For example, on a list of attendees or a list of names and addresses.

  • Not part of the request >> Blank out / delete them from the response. >> Continue to 6 >>

  • Are part of the request (or think they are) >> Continue to Q3 below >>

It is not possible to separate the third party information from the personal information of the requester. Consider the questions below:

3. Can you consult the third party and ask for their consent?

Note: You must be sure that the requester is happy for you to approach the third party – i.e. because in doing so, you will be informing the third party that the requester has made a request (which in itself could be something the requester wants to keep private).

  • No (the requester did not want us to, or it is not possible, e.g. we do not know where they are) >> Continue to Q5 >>

  • Yes >> Continue to Q4 >>

4. Has the third party agreed that the personal information which involves them can be disclosed to the requester?

Keep a record of the third party’s decision – whether there is agreement, or what the rationale is for not providing consent.

  • No (or they are incapable of giving consent) >> Continue to Q5 >>

  • Yes >> Include the third party personal information in the response. >> Continue to 6 >>

There isn’t a question 5!

6. Summary – Third Party Personal Information

Provide an explanation of the decision you reached. Include references to where the third party personal information was located and the decision reached in each instance.

  Document / file name | Location of the third party personal information | Decision | Rationale

Review of possibly exempt personal information

Are there any other reasons for wanting to withhold some or all of the personal information subject to the request?

In general, the threshold for withholding personal information is high – you need a strong reason (or reasons) to justify withholding personal information from someone. For example, if you think that disclosure would be likely to harm a particular function or an individual, the ICO is clear that there should be a “substantial chance (rather than a mere risk) that complying with the [request] would noticeably damage the discharge of the function concerned.” Common reasons are outlined below:

a) Crime and taxation

Personal data processed for certain crime and taxation activities; these are:

  • the prevention or detection of crime;

  • the capture or prosecution of offenders; and

  • the assessment or collection of tax or duty.

b) Human Resource issues relating to the requester  

i.e. Confidential references / Management information / Negotiations  

c) Legal advice  

i.e. information subject to legal professional privilege

d) Social care

i.e. where providing access to information about social services, health or education would be likely to cause serious harm to the physical and/or mental health or condition of the requester or any other person.  

e) Health records

f) Education records

 

 

    3. INFORMATION SECURITY INCIDENT CHECKLIST

Step 1 - Do not panic

Step 2 - Contain the breach and recover

A. Designate an ‘incident lead.’ This should be someone senior enough to ensure actions are taken and sufficient resources allocated.

B. If the threat is ongoing: take measures to stop the breach, or reduce the risk of a further breach occurring – for example, by changing passwords or access codes, closing an account, or deploying patches.

C. If there has been a suspected or actual loss of information: try to locate the information. Where possible, work with the individual who raised the issue and attempt to have the information returned.

D. If there has been damage to data: initiate backup procedures.

E. Issue holding statements to:

  • Users – so they are aware of the need to be vigilant, both to locate lost information and to recognise an attempt to use lost or stolen data to access service user accounts unlawfully.

  • The individual who raised the issue / who may have received the information in error – so they are aware that the information was not intended for them, and should be returned.

F. Where appropriate at this stage, issue holding statements to:

  • The individual(s) affected – e.g. where the breach may affect life or death, or cause physical harm, or otherwise cause imminent substantial damage or distress.

  • The media – e.g. where the individual who raised the issue / who may have received the information in error, or anyone else, is planning to approach the media directly.

 

 

Step 3 - Assess the risks. Deciding whether to report to the Information Commissioner’s Office (ICO)

The most important aspect to consider is the harm, or potential harm, to the individuals whose personal information is subject to the incident. Consider the following questions:

1. Could the breach cause harm to individuals?

The ‘potential detriment’ (i.e. harm) to the individuals is the overriding concern.

  • Is someone at risk of one or more of the following:

    a) Financial damage: e.g. fraud, theft

    b) Emotional distress: e.g. the knowledge that their sensitive information might be accessed or misused by someone who has no need or right to access it

    c) Physical damage: e.g. being targeted and attacked.

  • Are there any controls in place that will reduce the potential impact? e.g. Is there encryption in place? Is the information already publicly available?

  • What has happened to the information? e.g. deliberately stolen (high likelihood of misuse); opportunist theft (lower likelihood of misuse); damaged or destroyed?

  • Could the information be used with other information to increase the detail someone might hold about the individual(s)? e.g. trivial snippets of information could be combined with other, publicly available information (such as name and address) to provide more detail about someone.

Answer:

Rationale:

2. Is the volume of information significant – in terms of the number of records?

A high number of records and a real risk of individuals suffering some harm.

e.g. 100 names, addresses, dates of birth, NI numbers.

e.g. The loss of a backup tape containing 10,000 service user records.

Answer:

Rationale:

3. Is the volume of information significant – in terms of the amount of information about an individual (or individuals)?

A high volume of personal information and a real risk of individuals suffering some harm.

e.g. Three faxes containing the entire case history of a person, which includes details of family members.

Answer:

Rationale:

4. Is the personal information sensitive?

There is a significant risk of individuals suffering substantial distress, financial loss or harm.

Is the information sensitive personal data (as defined by the Data Protection Act), i.e.

  • Criminal record

  • Physical or mental health

  • Racial or ethnic origin

  • Religious beliefs

  • Trade Union membership

  • Political opinions.

A breach involving a single record should be reported if the information is particularly sensitive – e.g. a detailed medical history.

Answer:

Rationale:

Consideration should also be given to the impact on:

  • your organisation’s reputation, and on your stakeholders;

  • the wider public – e.g. risks to public health or loss of public confidence in the service you provide.

    

Step 4 - Letting people know

If you answered yes to any of the questions in Step 3, you should report to the ICO.

If there is a doubt about reporting, the presumption should be to report.

Reporting is not mandated by law, but has the following benefits:

  • The ICO makes clear that self-reporting of incidents is one of the ‘behavioural issues’ they consider as a positive ‘mitigating feature’ the ICO will take into account when deciding the amount of any fine. It demonstrates that you are proactively engaging with them.

  • It demonstrates to those affected that you are being open, and are looking to help address their concerns.

  • It will, once known, enable you to demonstrate to your stakeholders, and the wider public, that you approached the incident in an open manner, and were looking to address the issues raised and improve performance.

What to report to the ICO

The ICO asks that serious breaches be reported using the ICO’s Security Breach Notification Form.

What to say to the individual(s) affected

The communication should have a clear purpose, e.g. enabling them to take steps to protect themselves, such as cancelling credit cards or changing passwords, or to be vigilant for suspicious activity.

The communication should:

i. be tailored to meet the needs of the individual or group of individuals affected, e.g. the elderly (who may have lower awareness of IT or social media); children; a vulnerable group (it may be read and acted upon by a carer or guardian).

ii. only be made to those affected, i.e. informing those not affected could increase concern unnecessarily.

iii. be made by the most appropriate method, e.g. letter, email, text, message posted on a website, telephone call, depending on:

  1. the urgency of the situation, and

  2. the needs of the individual or group of individuals affected.

iv. include explicit, clear advice on what the individual can do to reduce the risks. Consider whether there are any further steps you can offer to help, e.g. subscription to anti-fraud measures; compensation.

What to say to the media

Include details of:

  • what controls were in operation at the time of the breach,

  • any other measures that you consider are likely to reduce the impact of the breach,

  • details of the notifications made above (to the ICO, the individuals affected, and any other regulators), and

  • what actions you are currently taking.


 

Step 5 - Lessons learnt

It is important to:

  1. Consider the actions you took to address the incident,

  2. Understand and evaluate the causes behind the incident,

  3. Document the lessons you learnt.

This step might drive an action plan or other remedial measures to improve compliance or performance in the future.

Examples include:

  • Review the level of ICT security in place – e.g. firewalls, patches.

  • Increase the amount of knowledge you have about the nature and extent of personal information handled by your organisation – e.g. by undertaking an information audit, or reviewing your existing one.

  • Review existing policies and procedures – to ensure they sufficiently address all relevant data protection concerns.
