(1) Who we are and application of this policy
We are the Expert Witness Institute (EWI). We are a membership organisation which represents the interests of expert witnesses. We provide membership services to our members.
We are committed to protecting your privacy. This policy sets out the standards and procedures required by the Expert Witness Institute to ensure that any personal data which it processes is processed in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) (data protection law).
(2) Legislation and guidance
This policy meets the requirements of data protection law and guidance published by the Information Commissioner.
This policy uses the following definitions.
Personal data means ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’
This may include an individual’s:
- Name (including initials);
- Identification number;
- Location data;
- Online identifier, such as a username or IP address;
- Factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
Personal data is only information concerning a living person.
Special categories of personal data means personal data which is more sensitive and so needs more protection. It is information about an individual’s:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Health – physical or mental; and
- Sex life or sexual orientation.
Data breach means ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.
Processing means ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.’ It may be automated or manual.
Consent means any freely given, specific, informed, unambiguous and revocable positive act or statement by a data subject demonstrating their agreement to their data being processed.
Data subject means the identified or identifiable living individual whose personal data is held or processed.
Data controller means a person or organisation that, alone or jointly with others, determines the purposes and the means of processing of personal data.
Data processor means a person or other body, other than an employee of the data controller, who processes personal data on behalf of the data controller.
(4) Data controller
EWI is the data controller for the personal data it processes.
(5) Roles and responsibilities
The EWI Governors are responsible for:
- Ensuring EWI compliance with data protection law.
The EWI Chief Executive is responsible for:
- Oversight and implementation of this policy and monitoring compliance with data protection law, and developing related policies and guidelines where applicable.
(6) Data protection principles
The GDPR specifies data protection principles, which provide that EWI must ensure that personal data is:
- Processed lawfully, fairly and in a transparent manner;
- Collected for specified, explicit and legitimate purposes;
- Adequate, relevant and limited to what is necessary to fulfil the purposes for which it is processed;
- Accurate and, where necessary, kept up to date;
- Kept for no longer than is necessary for the purposes for which it is processed;
- Processed in a way that ensures it is appropriately secure.
They also require EWI to keep effective records of its data processing activities to comply with the GDPR’s accountability duty. This policy sets out how we will comply with these principles.
(7) Collecting personal data
Lawfulness, fairness and transparency
EWI will only process personal data where it may do so under one or more of the following lawful bases:
- The data needs to be processed so that we can carry out our legitimate purposes, such as processing employee data to enable us to carry out our activities, or to provide membership services;
- The data needs to be processed for contractual purposes;
- An individual has freely given clear prior consent to the processing.
We will ensure that data subjects are provided with sufficient information about our data processing activities by means of a relevant Privacy Notice.
For special categories of personal data, we will also meet one of the special category conditions for processing which are set out in data protection law.
Limitation, minimisation and accuracy
EWI only collects personal data for specified, explicit and legitimate reasons. We will explain those reasons to data subjects when their personal data is first collected through our Privacy Notice.
We will only process personal data where it is necessary to do so for the purpose for which it was obtained.
If we want to use personal data for reasons other than those given when it was first obtained, we will inform the individuals concerned before doing so, and seek consent where necessary.
When personal data is no longer needed for the purpose for which it was obtained, it will either be deleted or anonymised. This will be done in accordance with our Record Retention and Disposal Schedule, which is described below.
We will typically process the following data from our members:
- Name, company name and job title;
- Curriculum Vitae;
- Bank details;
- Contact information including email address;
- Demographic information such as postcode;
- Other information relevant to customer surveys and/or offers.
(8) Using and sharing personal data
EWI will use its members’ personal data in the following ways:
- Name and contact details, as well as the area of expertise, will be available via our website for referral purposes. This personal data will thus be seen by people, e.g. lawyers, looking to engage an expert witness;
- Manage payments and fees;
- Internal record keeping;
- Improvement of our products and services;
- To periodically send promotional emails about new services or other information which we think you may find interesting, using the email address you have provided.
From time to time, we may also use our members’ information to contact them for market research or events notification purposes. We may contact them by phone, post or mail.
We may use the information to customise the website according to their interests.
We may share our employees’ data for purposes relating to their employment, e.g. payroll, training, sickness records etc.
Except as referred to above, EWI does not normally share personal data with other organisations or individuals. We may however do so where:
- We need to do so in order to provide membership services;
- We need to comply with our obligations arising under employment contracts;
- We need to liaise with third parties;
- We are required to by law.
Where applicable we will ensure that an effective data sharing agreement, which complies with data protection law, is in place before we share data with any third party irrespective of whether the third party is within or outside the European Economic Area.
(9) Record keeping
EWI will keep records of our data processing activities. The Chief Executive is responsible for maintaining those records. The Governors will audit those records in May annually.
(10) Data subject rights
Data subjects have a right to make a ‘data subject request’ to gain access to personal information that we hold. This includes:
- Confirmation that their personal data is being processed;
- Access to a copy of the personal data (which does not mean a copy of the document within which that data is held);
- The purposes of the data processing;
- The categories of personal data concerned;
- With whom the data has been or will be shared;
- How long the data will be stored for, or if this is not possible, the criteria used to determine this period;
- The source of the data, if not the individual;
- Whether any automated decision-making is being applied to their data, and what the significance and consequences of this might be for the individual.
Our approach to dealing with data subject requests is set out in our Data Subject Request Policy.
(11) Data protection by design and default
EWI will put measures in place to show that data protection is integrated into all of its data processing activities, including:
- Only processing personal data that is necessary for each specific purpose of processing;
- Completing Data Protection Impact Assessments where necessary;
- Integrating data protection into internal documents including this policy, any related policies and privacy notices;
- Ensuring EWI governors and staff have sufficient training in respect of data protection law, this policy, any related policies and any other data protection matters and doing so on a regular basis;
- Maintaining and auditing records of our processing activities, audits, and training activities.
(12) Data security and storage of records
EWI will protect personal data and keep it safe from unauthorised or unlawful access, alteration, processing or disclosure, and against accidental or unlawful loss, destruction or damage.
- Paper-based records and portable electronic devices containing personal data are kept secure through, for instance, using appropriate password protection and encryption and through ensuring they are not accessible when not in use;
- Papers containing personal data are not left where they can be accessed by individuals who have no legitimate reason to access them;
- Where we need to share personal data with a third party, we carry out due diligence and take reasonable steps to ensure it is stored securely and adequately protected.
(13) Disposal of records
Personal data that is no longer needed will be disposed of securely. We will retain and dispose of such data in accordance with our Record Retention and Disposal Schedule unless there is a reason for retaining the information beyond the specified time period. Where personal data is retained beyond a specified time period, the fact and reason for retention will be recorded by the Chief Executive in our Data Record Form. Continued retention of such data will be reviewed annually by the Chief Executive.
Where personal data has become inaccurate or out of date it will be updated, if still needed, or disposed of securely.
Record Retention and Disposal Schedule
Personal data will be disposed of in accordance with this schedule unless there is a specific reason for retaining the information. At the end of the retention period the personal data will be reviewed to ascertain if there is a need to retain the data for a further period. Further retention will only be authorised by the Chief Executive if it is necessary for the purpose for which it was processed. If personal data is retained beyond the retention period its continuing retention must thereafter be reviewed annually.
- Membership forms - 3 years after cessation of membership
- Membership subscription - 6 years after cessation of membership
- Emails or letters to members - 2 years
- Communications with third party organisations - 2 years
- Contracts - 6 years
- Financial records - 6 years
- Sickness records - 3 years
- Accident records - 3 years
- Governors details - 6 years following cessation of office
- Board minutes - Permanently
- Membership complaint investigations - 6 years
(14) Personal data breaches
EWI will take all reasonable steps to ensure that there are no personal data breaches. A personal data breach may occur if:
- Personal data is sent to someone who has no valid reason to receive it;
- Personal data is used or accessed for purposes other than those for which we are permitted to process or otherwise use it;
- A computer, tablet, phone, memory card or USB stick/flash drive which contains personal data is viewed or accessed by someone who has no legitimate reason to do so, or is lost or stolen;
- Personal data is not stored securely.
When a breach occurs, or is suspected to have occurred, the Chief Executive will be informed immediately upon discovery. They will investigate the suspected or actual breach. They will take any necessary steps to mitigate the breach and its effects. They will then assess whether the breach is likely to pose a risk of harm to the data subject. Where there is a risk of harm the Chief Executive will take the following steps:
- Raise the matter with the Governors;
- Ensure that the Information Commissioner is notified of the breach within the statutory 72-hour period for notification (the 72-hour period runs from the date and time of discovery of the data breach), unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where this cannot be done, notification will be given as soon as possible with reasons explaining why the 72-hour period could not be complied with;
- Notify the data subject without undue delay if there is a high risk to the rights and freedoms of the data subject; and
- Take such steps as are appropriate to ensure that the breach does not occur again.
In notifying the Information Commissioner, the Chief Executive will provide the following information:
- The nature of the personal data, including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- The name and contact details of the Membership Secretary from whom further details may be obtained;
- The likely consequences of the breach;
- The measures which have been taken or will be taken by EWI to address the breach, including measures taken to mitigate adverse effects of the breach.
The Chief Executive will also provide the following information to the data subject whose personal data was involved in the breach:
- The name and contact details of the Chief Executive from whom further details may be obtained;
- The likely consequences of the breach;
- The measures which EWI has taken or will take to address the breach, including measures taken to mitigate adverse effects of the breach.
Where notifying each data subject would require disproportionate effort, a public notification may be made instead. Notification to the data subject is not required where:
- EWI has put in place appropriate technological and organisational measures to render the personal data subject to the breach unintelligible to any person not authorised to access it; or
- EWI has taken measures following the breach to ensure that the high risk to the rights and freedoms of the data subjects involved is no longer likely to materialise.
The Chief Executive will ensure that all actual or suspected data breaches are logged on our Data Breach Record Log. This will be reviewed every quarter by the Governors to ascertain if there are any systemic problems concerning compliance with this policy and our data protection obligations. Where there are such problems, the Governors will take such steps as are appropriate to remedy the problems.
(15) Training and awareness
All EWI Governors and staff are required to undertake data protection training as part of their induction process and annual refresher training thereafter. Records will be kept of training undertaken.
(16) Monitoring arrangements
The Chief Executive is responsible for monitoring and reviewing this policy on an annual basis. The outcome of each review, together with any recommendations for revision, will be submitted to the Governors. The first review will be on 25 May 2019, and annually in May thereafter.
(17) Links with other documents
This Data Protection Policy is linked to our:
- Privacy Notice;
- Data Subject Access Policy;
- Data Protection Processing Record Form;
- Data Breach Record Log.
(18) Contact details:
The Chief Executive can be contacted on: firstname.lastname@example.org