Owner: CEO
Last updated: July 2022
Introduction
inHive (referred to as “inHive”, “we”, “us” or “our”), of 21-27 Lamb’s Conduit Street, Holborn, London WC1N 3GS, is committed to protecting the rights and Personal Data of individuals in accordance with the Data Protection Act 2018 (“DPA”) and, where applicable, the General Data Protection Regulation (2016/679) (“GDPR”) (collectively, “Data Protection Laws”). This includes following good practice, being open about how we store and process individuals’ data, and taking steps to protect against the risks of a Personal Data Breach.
The principles of the GDPR will continue to have effect in the UK even after the UK exits the European Union.
Non-compliance with this Data Protection Policy (“Policy”) may be considered to be a disciplinary matter, or may result in the termination of your engagement or employment with Future First Global.
If you have any questions about this Policy, please contact our Privacy Champion, Gemma May (gemma@inhiveglobal.org).
Purpose and scope
In the course of our activities, we will collect and use Personal Data about individuals. This may include Special Categories of Personal Data. Such individuals may include board members, partners, contractors, suppliers, employees, volunteers, programme participants and other people InHive has a relationship with, or may need to contact. As a result of collecting this Personal Data, we are the Controller of this Personal Data, and we are subject to the requirements of Data Protection Laws.
This Policy establishes how we collect and use Personal Data, to ensure that we comply with Data Protection Laws. Annex 1 contains guidance on how we implement compliant practices internally.
Definitions
‘Controller’ means InHive as the entity that determines the purposes and means of processing of Personal Data.
‘Personal Data’ means any information related to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‘Personal Data Breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by us, or a third party engaged by us.
‘process’, ‘processing’, and ‘processed’ means any operation or set of operations which is performed on Personal Data sets or on Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
‘Special Categories of Personal Data’ is a subset of Personal Data which may contain information relating to a person’s race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Data Protection Principles
We are required to process Personal Data in a fair, lawful and transparent manner, and in accordance with the principles of Data Protection Laws, as listed below:
- Purpose limitation. We will only process Personal Data for the specified, explicit and legitimate purposes for which the Personal Data was obtained. If it becomes necessary to change the purpose for which the Personal Data is processed, it may be necessary to provide individuals with a notice informing them of any changes.
- Data minimisation. We will only process Personal Data that is strictly necessary for its defined business purpose. Personal Data that is not necessary for the intended business purpose, for example because it is inadequate, irrelevant or excessive, must not be processed.
- Accuracy. We will check that Personal Data is accurate, complete, reliable and kept up to date as necessary for the purposes for which the Personal Data is held and used. Such steps will be taken at the point of collection of the Personal Data and at regular intervals afterwards.
- Storage limitation / retention. We will not keep Personal Data for longer than is necessary for the purpose or purposes for which it was obtained, in accordance with our records retention policy found in our Data Audit Spreadsheet, which is maintained by the Privacy Champion.
- Integrity and confidentiality. Appropriate technical, physical and organisational measures shall be taken against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of Personal Data.
Personnel Personal Data
(1) Categories of Personal Data
We process the following categories of Personal Data about our employees, contractors and board members (“Personnel”):
- Personal details (such as name, address, email address, telephone number, date of birth, national insurance number, and photographs).
- Family and social (such as emergency contact details).
- Employment details (such as employment status, passport or work permit details, information provided to us by referees, education and employment history, CV, appraisals, professional development plans, and annual leave records).
- Any email correspondence that is sent or received using InHive email addresses.
- Financial information (such as bank account details, tax reference number, salary details, student loan details, and information relating to employees’ mortgages or leases).
- Criminal record (such as criminal background data).
- Special Categories of Personal Data (such as health conditions or allergies, information related to any sick leave, and ethnicity).
(2) Purpose of processing Personnel Personal Data
We process Personnel Personal Data:
- For the performance of the contract of employment or engagement.
- To comply with our legal obligations.
- To fulfil our legitimate business interests, including for the operation of standard business functions such as human resource management, legal and/or regulatory compliance and/or administrative and managerial purposes, including without limitation:
  - (i) pay, remuneration and expense reimbursement,
  - (ii) administration of pension, insurance and other benefits, and
  - (iii) appraisals and performance.
We process Special Categories of Personnel Personal Data on the basis of our legitimate charitable activities, relying on GDPR Article 9(2)(d).
(3) Disclosure of Personnel Personal Data
In connection with the purposes described above, we may need to transfer or disclose Personnel Personal Data to the following categories of recipients:
- Other Personnel of inHive, whose access is necessary to perform their role.
- Third party service providers that provide services for us that involve data processing, including payroll, audit, accountancy, insurance, tax, pensions, medical, benefits, legal and other professional advisors.
- Competent public authorities (such as tax authorities or law enforcement authorities) where required by law.
International Transfers of Personal Data
We may transfer any Personal Data we hold to a country outside of the United Kingdom and the European Economic Area (“EEA”). Data Protection Laws prohibit transfers of Personal Data to countries outside the EEA, unless measures have been implemented to ensure adequate protection for Personal Data. Where we make such transfers we do so on the basis of the legitimate interests set out in GDPR Article 49(1).
In any situation where it is proposed that Personal Data will be transferred internationally, the Privacy Champion must be consulted before any transfer takes place.
Personal Data Breaches
Data Protection Laws require InHive to report Personal Data Breaches in certain circumstances. Once we learn of an actual or suspected Personal Data Breach, we may be required to notify the Information Commissioner’s Office (“ICO”), the UK’s data protection authority, and possibly the affected individuals.
Individuals’ Rights
All individuals whose Personal Data is held by us have the following rights in relation to the Personal Data:
- right of access
- right to rectification
- right to erasure (also known as the ‘right to be forgotten’)
- right to restriction of processing
- right to data portability
- right to object
- rights against automated decision-making, including profiling.
The most commonly-exercised right is the right of access. This entitles individuals to request access to all of the Personal Data related to them, and held by us, at the time of the request (a “Subject Access Request”).
On receipt of a request, we may request additional information from an individual, to confirm their identity and for security purposes, before disclosing the information requested. Any request will be processed in line with Data Protection Laws.
Individuals may also have the right to lodge a complaint with the ICO at www.ico.org.uk or by phone on 0303 123 1113.
Review
This Policy will be reviewed regularly to ensure it remains up to date and compliant with Data Protection Laws. If you have any queries or comments regarding the application of the contents of this Policy, please contact the Privacy Champion.
Annex 1 – Guidance
This Annex provides guidance about how InHive implements some of the practices outlined in the Policy. The guidance applies to all Personnel who come into contact with Personal Data held by us, including board members, partners, contractors, suppliers, employees and volunteers.
Responsibilities
Everybody has responsibility for ensuring that Personal Data is collected, stored, and handled in compliance with the Data Protection Laws, and with this Policy.
The key areas of responsibility are set out below.
Role | Responsibilities |
Board of Trustees | Ultimately responsible for ensuring that InHive meets its legal obligations. |
Privacy Champion | Keeping the CEO updated about data protection responsibilities, risks and issues. Reviewing all data protection procedures and related policies, in line with an agreed schedule. Arranging data protection training and advice for the people covered by this Policy. Handling data protection questions from Personnel and anyone else covered by this Policy. Approving any data protection statements attached to communications and the website. Providing training and ensuring Personnel understand their responsibilities. Identifying opportunities for further training. Where necessary, working with Personnel to ensure their work abides by data protection principles. Advising Personnel on data protection issues. Notifying the ICO where necessary, and generally cooperating with the ICO, including acting as a point of contact. Handling Subject Access Requests. Approving unusual or controversial disclosures of Personal Data. Monitoring compliance with Data Protection Laws. |
Everybody | Compliance with this Policy. Reporting any actual or suspected Personal Data Breach to the Privacy Champion without undue delay after becoming aware of it. |
General Personnel Guidelines
- Access to Personal Data shall only be given to those whose access is necessary to perform their role.
- Personal Data may only be transferred through inHive-approved systems, such as our email accounts and cloud computing service.
- You must keep all Personal Data secure by following the guidance in the section below: Data Storage and Security Guidelines.
- Personal Data should be updated regularly, to ensure that it remains accurate.
- Personnel should keep their Personal Data updated. If Personnel are aware of Personal Data that needs to be updated, please inform the Privacy Champion.
- If the Personal Data is no longer reasonably necessary for the purpose for which it was originally collected, it should be deleted.
- InHive has a comprehensive records retention policy that details how long we retain Personal Data for. For more information, please contact the Privacy Champion.
- When deleting Personal Data, ensure that it is fully deleted. If it is hard copy, it must be shredded on site. If it is soft copy, it must be fully deleted from inHive’s cloud computing service and/or from hard drives.
- Inform the Privacy Champion if you have doubts about whether the collection of data has a sufficient legal basis.
- You should request help from your line manager or the Privacy Champion if you are unsure about any aspect of data protection.
Personal Data Collection Guidelines
A legal basis is required for the collection of any Personal Data. The most common legal bases under the GDPR include: by consent, for performance of a contract, for compliance with a legal obligation, and for purposes of a legitimate business interest.
The legal bases on which we collect Personal Data are set out in the Data Audit Spreadsheet, which the Privacy Champion maintains.
Where an individual’s Personal Data is collected on the basis of consent:
- The individual shall have the opportunity to ‘opt out’ at any time. This is outlined in our Privacy Policy, the email footer of any marketing emails, and in all occasional communications such as newsletters.
- In some circumstances, regardless of a withdrawal of consent, we may still be required to retain the Personal Data for a certain length of time.
- Where an individual is under the age of 16, consent must be given by an adult with parental responsibility over the child.
Where consent is obtained by our international partners, for example because photographs are being taken of students:
- The consent should be clearly documented by the international partners.
- We should receive assurances from the international partners that consent has been obtained.
- Ideally, we would also receive copies of this consent.
Personal Data Storage and Security Guidelines
These guidelines describe how and where Personal Data should be safely stored.
Hard copies
- Hard copies of Personal Data should only be produced when strictly necessary, and should be securely locked away when not being used.
- Hard copies of Personal Data should be kept in a secure place where unauthorised people cannot access it.
- Hard copies of Personal Data must not be left on desks.
Soft copies
- Personal Data should be protected by strong passwords that are changed regularly and never shared.
- If Personal Data is stored on removable media (for example, a USB stick or external hard drive), these should be password protected, and securely locked away when not being used.
- Personal Data should only be stored on designated drives and servers, and should only be uploaded to the inHive-approved cloud computing service.
- Where personal devices are used for work purposes, all work must be uploaded to the cloud, and not stored locally or directly onto laptops or other mobile devices.
- If Personal Data is being held on personal devices, these personal devices must be password protected.
- All devices that contain Personal Data must be protected by inHive-approved security software and a firewall.
Password Protection
- Any devices, folders or cloud accounts that contain Personal Data must be password or PIN protected.
- The passwords and/or PINs for each device, folder or cloud account containing Personal Data must be complex. They must be:
- at least six characters in length for a numeric PIN; or
- at least eight characters in length for a password, with at least one upper case letter and one symbol.
- The passwords and/or PINs for each device, folder or cloud account containing Personal Data must be changed at least once every six months.
Personal Data Breach Guidelines
A Personal Data Breach can include:
- Access by an unauthorised third party;
- Deliberate or accidental action or inaction;
- Sending Personal Data to an incorrect recipient;
- Computing devices containing Personal Data being lost or stolen;
- Alteration of Personal Data without permission; and/or
- Loss of availability of Personal Data.
In the event of an actual or suspected Personal Data Breach:
- Inform the Privacy Champion of the actual or suspected Personal Data Breach without undue delay.
- The Privacy Champion will assess whether notification to the ICO is necessary.
Subject Access Requests
If an individual wishes to exercise their right of access, they can make a Subject Access Request.
Subject Access Requests are dealt with by the Privacy Champion. However, the following steps should be followed if you receive a Subject Access Request, or anything that purports to be a Subject Access Request:
- Forward anything which might relate to a Subject Access Request to the Privacy Champion without undue delay.
- Anyone who makes a Subject Access Request can be asked to prove their identity to the Privacy Champion before any information is given.
The type of personal information we collect
We currently collect and process the following information:
- Personal identifiers, contacts and characteristics (for example, name and contact details)
- Email addresses
- Financial information
- Employee and contractor data
- Website and newsletter statistics
- Gender
- Educational and career background data
- Geographical data
How we get the personal information and why we have it
Most of the personal information we process is provided to us directly by you for one of the following reasons:
- For the purposes of creating a contract
- Monitoring and evaluation for impact measurement
- For the purposes of sending updates through newsletters and emails
- For legitimate business purposes
We also receive personal information indirectly, from the following sources in the following scenarios:
- Your organisation or guardian provides the information for the purposes of a specific contract we have with them
- Organisations that have worked with us in the past provide information for monitoring and evaluating our projects
We use the information that you have given us in order to:
- Measure our impact when it comes to alumni networks
We may share this information with Nexus Global Network.
Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:
(a) Your consent which will be given through written consent by either signing a data consent form or specific written (on or offline) consent. You are able to remove your consent at any time. You can do this by contacting gemma@inhiveglobal.org.
(b) We have a contractual obligation.
(c) We have a legal obligation e.g. employees providing passport or ID data.
(d) We have a vital interest e.g. employees and contractors working in the field providing medical and emergency contact data.
(e) We need it to perform a public task if deemed necessary.
(f) We have a legitimate interest.
How we store your personal information
Your information is securely stored on our secure shared drive, SharePoint, which is only accessible to employees and contractors, and in some cases on our secure online CRM system, E-Tapestry by Blackbaud. Financial and employee data is kept on our secure accounting system, Sage. We intend to keep personal information on SharePoint for up to 6 months after a contract has finished, and on E-Tapestry indefinitely unless you ask for it to be removed. Information on Sage will be deleted 6 months after a contract has finished.
We keep personal data such as name, email address, physical address and financial data for 6 months after a contract has finished. We will then dispose of your information by deleting it from our systems and emails.
Your data protection rights
Under data protection law, you have rights including:
Your right of access – You have the right to ask us for copies of your personal information.
Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.
Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
If you wish to make a request, please contact us at:
Address: Griffin Stone Moscrop & Co, Lamb’s Conduit St, London WC1N 3GS
Email: gemma@inhiveglobal.org
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at:
Address: Griffin Stone Moscrop & Co, Lamb’s Conduit St, London WC1N 3GS
Email: gemma@inhiveglobal.org
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF.
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk