Privacy Policy

1.0 Overview

Masks for Heroes confirms its commitment to compliance with all relevant EU and Member State laws in respect of personal data, and the protection of the “rights and freedoms” of individuals whose information collects and processes in accordance with the General Data Protection Regulation (“GDPR”).  

2.0 About this Policy

This Policy sets out the rules on which Masks for Heroes will collect and use Personal Data.  It also sets out rules on how Masks for Heroes uses, handles, uses, transfers stores Personal Data. It applies to all Personal Data stored electronically, in paper form, or otherwise.

3.0 Definitions

3.1. Organisation – Masks for Heroes 

3.2. Staff – Any volunteer of Masks for Heroes who has been authorised to access any of the Organisation’s Personal Data and will include volunteers and temporary Staff hired to work on Masks for Heroes behalf.  

3.3. Controller – Any entity (e.g. company, organisation or person) that makes its own decisions about how it is going to collect and use Personal Data. A Controller is responsible for compliance with Data Protection Laws. Examples of Personal Data the Organisation is the Controller of data including employee details. The Organisation will be viewed as a Controller of Personal Data if it decides what Personal Data the Organisation is going to collect and how it will use it. A common misconception is that individuals within businesses are the Controllers. This is not the case it is the Organisation itself which is the Controller. 

3.4. Data Protection Laws – The General Data Protection Regulation (Regulation (EU) 2016/679) and all applicable laws relating to the collection and use of Personal Data and privacy and any applicable codes of practice issued by a regulator including in the UK, the Data Protection Act 2018.

3.5 EEA – Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK. 

3.6. ICO – the Information Commissioner’s Office, the UK’s data protection regulator. 

3.7. Individuals – Living individuals who can be identified, directly or indirectly, from information that Masks for Heroes has. For example, an individual could be identified directly by name, or indirectly by gender, job role and office location if you can use this information to work out who they are. Individuals include volunteers and primary care workers, also including limited companies, partnerships and sole traders. 

3.8. Personal Data – Any information about an Individual (see definition above) which identifies them or allows them to be identified in conjunction with other information that is held. It includes information of this type, even if used in a business context. Personal data is defined broadly and covers things such as name, address, email address (including in a business context, email addresses of Individuals in companies such as, IP address and also more sensitive types of data such as trade union membership, genetic data and religious beliefs. These more sensitive types of data are called “Special Categories of Personal Data” and are defined below. Special Categories of Personal Data are given extra protection by Data Protection Laws. 

3.9. Processor – Any entity (e.g. company, organisation or person) which accesses or uses Personal Data on the instruction of a Controller. A Processor is a third party that processes Personal Data on behalf of a Controller. This is usually as a result of the outsourcing of a service by the Controller or the provision of services by the Processor which involve access to or use of Personal Data. Examples include: where software support for a system, which contains Personal Data. 

3.10.Special Categories of Personal Data – Personal Data that reveals a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data (i.e. information about their inherited or acquired genetic characteristics), biometric data (i.e. information about Sensitivity: Public their physical, physiological or behavioural characteristics such as facial images and fingerprints), physical or mental health, sexual life or sexual orientation and criminal record. Special Categories of Personal Data are subject to additional controls in comparison to ordinary Personal Data.

4. Staff’s general obligations 

4.1. All Staff must comply with this policy. 

4.2. Staff must ensure that they keep confidential all Personal Data that they collect, store, use and come into contact with during the performance of their duties. 

4.3. Staff must not release or disclose any Personal Data other than to those authorised as stated in the Privacy Notice: 

4.3.1. outside the Organisation; or 

4.3.2. inside the organisation to Staff not authorised to access the Personal Data, without specific authorisation; this includes by phone calls or in emails. 

4.4. Staff must take all steps to ensure there is no unauthorised access to Personal Data whether by other Staff who are not authorised to see such Personal Data or by people outside the Organisation.

5. Data Protection Principles

5.1. When using Personal Data, Data Protection Laws require that the Organisation complies with the following principles. These principles require Personal Data to be: 

5.1.1. processed lawfully, fairly and in a transparent manner; 

5.1.2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; 

5.1.3. adequate, relevant and limited to what is necessary for the purposes for which it is being processed; 

5.1.4. accurate and kept up to date, meaning that every reasonable step must be taken to ensure that Personal Data that is inaccurate is erased or rectified as soon as possible;

5.1.5. kept for no longer than is necessary for the purposes for which it is being processed 

5.1.6. processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. 

5.2. These principles are considered in more detail in the remainder of this Policy.

6. Lawful use of personal data 

6.1. In order to collect and/or use Personal Data lawfully the Organisation needs to be able to show that its use meets one of a number of legal grounds. For further information about the detailed grounds please click on the following link

6.2 In addition, when the Organisation collects and/or uses Special Categories of Personal Data, the Organisation has to show that one of a number of additional conditions is met. For further information about the additional conditions attached to Special Categories of Personal Data, please click on the following link 

6.3 The Organisation has carefully assessed how it uses Personal Data and how it complies with the obligations set out in paragraphs 6.1 and 6.2. If the Organisation changes how it uses Personal Data, the Organisation needs to update this record and may also need to notify Individuals about the change. 

7. Transparent processing – Privacy Notice

7.1 Where the Organisation collects Personal Data directly from Individuals, the Organisation will inform them about how the College uses their Personal Data. This is in a privacy notice. 

7.2 If the Organisation receives Personal Data about an Individual from other sources, the Organisation will provide the Individual with a privacy notice about how the Organisation will use their Personal Data. This will be provided as soon as reasonably possible and in any event within one month. 

7.3 If the Organisation changes how it uses Personal Data, the Organisation may need to notify Individuals about the change. 

8. Data quality – ensuring the use of accurate, up to date and relevant personal data 

8.1 Data Protection Laws require that the Organisation only collects and processes Personal Data to the extent that it is required for the specific purpose(s) notified to the Individual in a privacy notice. The Organisation is also required to ensure that the Personal Data the Organisation holds is accurate and kept up to date.

8.2 All Staff that collect and record Personal Data shall ensure that the data subject confirms their personal data is accurate as at the date of submission, the Personal Data is recorded accurately, is kept up to date and shall also ensure that they limit the collection and recording of Personal Data to that which is adequate, relevant and limited to what is necessary in relation to the purpose for which it is collected and used. 

8.3 All Staff that obtain Personal Data from sources outside the Organisation shall take reasonable steps to ensure that the Personal Data is recorded accurately, is up to date and limited to that which is adequate, relevant and limited to what is necessary in relation to the purpose for which it is collected and used. This does not require Staff to independently check the Personal Data obtained. 

8.4 The Organisation recognises the importance of ensuring that Personal Data is amended, rectified, erased or its use restricted where this is appropriate under Data Protection Laws. 

9. Personal Data must not be kept for longer than needed 

9.1 Data Protection Laws require that the Organisation does not keep Personal Data longer than is necessary for the purpose or purposes for which the Organisation collected it. 

10. Data security 

The Organisation takes information security very seriously and the Organisation has security measures against unlawful or unauthorised processing of Personal Data and against the accidental loss of, or damage to, Personal Data. The Organisation has in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction.

11. Data breach

11.1 Whilst the Organisation takes information security very seriously, unfortunately, in today’s environment, it is possible that a security breach could happen which may result in the unauthorised loss of, access to, deletion of or alteration of Personal Data. If this happens there will be a Personal Data breach and Staff must comply with the Organisation’s Data Breach Notification Policy. Please see paragraphs 11.2 and 11.3 for examples of what can be a Personal Data breach. Please familiarise yourself with it as it contains Sensitivity: Public important obligations which Staff need to comply with in the event of Personal Data breaches. 

11.2 Personal Data breach is defined very broadly and is effectively any failure to keep Personal Data secure, which leads to the accidental or unlawful loss (including loss of access to), destruction, alteration or unauthorised disclosure of Personal Data. Whilst most Personal Data breaches happen as a result of action taken by a third party, they can also occur as a result of something someone internal does. 

11.3 There are three main types of Personal Data breach which are as follows: 

11.3.1 Confidentiality breach – where there is an unauthorised or accidental disclosure of, or access to, Personal Data e.g. hacking, accessing internal systems that a Staff is not authorised to access, accessing Personal Data stored on a lost laptop, phone or other device, people “blagging” access to Personal Data they have no right to access, putting the wrong letter in the wrong envelope, sending an email to the wrong student, or disclosing information over the phone to the wrong person; 

11.3.2 Availability breach – where there is an accidental or unauthorised loss of access to, or destruction of, Personal Data e.g. loss of a memory stick, laptop or device, denial of service attack, infection of systems by ransom ware, deleting Personal Data in error, loss of access to Personal Data stored on systems, inability to restore access to Personal Data from back up, or loss of an encryption key; and 

11.3.3 Integrity breach – where there is an unauthorised or accidental alteration of Personal Data.

 12. Individuals’ rights  

12.1 GDPR gives individuals more control about how their data is collected and stored and what is done with it. 

12.2 The different types of rights of individuals are reflected in this paragraph. 

12.3 Subject Access Requests

12.3.1 Individuals have the right under the GDPR to ask an Organisation to confirm what Personal Data they hold in relation to them and provide them with the data. This is not a new right but additional information has to be provided and the timescale for providing it has been reduced from 40 days to one month (with a possible extension if it is a complex request). In addition, you will no longer be able to charge a fee for complying with the request. 

12.3.2 Subject Access Requests are becoming more and more common and are often made in the context of a dispute which means that it is crucial that they are handled appropriately to avoid a complaint being made to the ICO. 

12.4 Right of Erasure (Right to be Forgotten) 

12.4.1 This is a limited right for individuals to request the erasure of Personal Data concerning them where: the use of the Personal Data is no longer necessary; their consent is withdrawn and there is no other legal ground for the processing; the individual objects to the processing and there are no overriding legitimate grounds for the processing; the Personal Data has been unlawfully processed; and the Personal Data has to be erased for compliance with a legal obligation. 

12.4.2 In a marketing context, where Personal Data is collected and processed for direct marketing purposes, the individual has a right to object to processing at any time. Where the individual objects, the Personal Data must not be processed for such purposes. 

12.5 Right of Data Portability 

12.5.1 An individual has the right to request that data concerning them is provided to them in a structured, commonly used and machine readable format where: Sensitivity: Public the processing is based on consent or on a contract; and the processing is carried out by automated means 

12.5.2 This right isn’t the same as subject access and is intended to give individuals a subset of their data. 

12.6 The Right of Rectification and Restriction

12.6.1 Finally, individuals are also given the right to request that any Personal Data is rectified if inaccurate and to have use of their Personal Data restricted to particular purposes in certain circumstances.

12.7 The Organisation will use all Personal Data in accordance with the rights given to Individuals’ under Data Protection Laws.

13. Marketing & consent

13.1 The Organisation will sometimes contact Individuals to send them marketing or to promote the Organisation. Where the Organisation carries out any marketing, Data Protection Laws require that this is only done in a legally compliant manner.

13.2 Marketing consists of any advertising or marketing communication that is directed to particular individuals. GDPR will bring about a number of important changes for organisations that market to individuals, including: 

13.2.1 providing more detail in their privacy notices, including for example whether profiling takes place; and 

13.2.2 rules on obtaining consent will be stricter and will require an individual’s “clear affirmative action”. The ICO like consent to be used in a marketing context. 

13.3 The  is aware of the Privacy and Electronic Communications Regulations (PECR) that sit alongside data protection. PECR apply to direct marketing i.e. a communication directed to particular individuals and covers any advertising/marketing material. It applies to electronic communication i.e. calls, emails, texts, faxes. PECR rules apply even if you are not processing any personal data 

13.4 Consent is central to electronic marketing. It is best practice is to provide an un-ticked opt-in box. 

For a PDF version of this privacy policy, see here.