Introduction

Concordia (UK) Ltd (Concordia or ‘we’),is registered as a controller[1] with the Information Commissioner’s Office (ICO), the UK’s independent body set up to uphold information rights.

We have a legal duty to protect the personal information[2] that we collect and use.  If we are found to have not complied with the requirements of data protection law we could be fined and prosecuted by the ICO. This would damage our reputation with our members, supporters and the general public and we could face a fine of up to €20m.

Who this policy applies to

This policy applies to all members of staff, volunteers and agents that process[3] personal information. It is designed to protect the personal data of Concordia’s data subjects[4] including our members, seasonal workers, employees, volunteers and seasonal workers.

Why we process personal information

Concordia records and processes personal information in order to:

  • Provide people with the services, products or information that they ask for
  • Manage membership payments, donations and other financial transactions, including processing gift aid
  • Keep a record of our relationships with members, supporters, stakeholders, service users, volunteers and staff
  • Keep records relating to any donations, feedback or complaints
  • Manage volunteers, service users and customer communication and marketing preferences[5]
  • Provide people with information about us and our work, including Volunteer placements, farm updates, events, courses and campaigns, when they have consented to this
  • Tailor online advertising according to someone’s interests, preferences and other characteristics
  • Direct advertisements and other communications to people who might have similar interests or other characteristics to our
  • members, supporters and service users
  • Invite people to participate in surveys and research
  • Undertake research and equal opportunities monitoring
  • How we comply with data protection legislation

We are committed to complying with privacy and data protection laws and being transparent about what we are doing. We have a legal responsibility to ensure that personal information that we collect and process is:

  • used fairly and lawfully
  • used for limited, specifically stated purposes
  • used in a way that is adequate, relevant and not excessive
  • kept accurate and up to date
  • kept for no longer than is absolutely necessary
  • handled according to people’s data protection rights
  • kept safe and secure
  • not transferred outside the EEA[6] without adequate protection


There are a number of data protection rights that we must provide to our members, seasonal workers, employees and volunteers. This includes the right to:

  • request a copy of or more detail about the personal information that we hold and how we use it
  • change the ways in which we communicate with them
  • take away their consent for how we use their information
  • ask us to stop using their personal information
  • ask us to delete their personal information where there is no compelling reason for us having their information
  • object to us processing their personal information
  • Responsibilities of staff and authorised third parties

Concordia Data Controller

Concordia’s designated Data Controller is Chief Executive Stephanie Maurel. She has the responsibility to ensure that:

  • Staff and authorised third parties comply with the data protection principles, as set out in the legislation
  • Staff receive appropriate data protection guidance and training
  • Concordia maintains an up-to-date notification with the Information Commissioner’s Office.


Data Protection Officer

Concordia’s Data Protection Officer, who is Craig Warren, is required to:

  • Provide compliance advice to staff
  • Be the focal point for the administration of all subject access requests relating to personal data held by Concordia
  • Advise staff on the interpretation of this policy and to monitor compliance
  • Directors, managers and staff and volunteers

All staff & volunteers when processing personal information, whether held manually or electronically, are responsible for working in compliance with the data protection principles, as set out in this policy.

This includes:

  • Ensuring that any personal information provided to Concordia in connection with their employment, registration or other contraction agreement is accurate
  • Informing Concordia of any changes to any personal information which they have provided, e.g. changes of address
  • Responding to requests to check the accuracy of the personal information held on them and processed by Concordia and informing Concordia of any errors or changes to be made.


Data subject rights

Concordia respects the right of its staff, volunteers and agents to access personal data about them which is being held by Concordia, either electronically or in a relevant filing system, to check that it has been fairly obtained, that it is accurate, and to have such data corrected where necessary. It also recognises the right of a data subject to withdraw consent to the processing of personal data where such processing could cause them significant damage or distress.

Data security

It is the responsibility of all staff, volunteers and agents to ensure that personal information, whether held electronically or manually, is kept securely and not disclosed unlawfully.

All staff and volunteers should comply with Concordia’s IT policies.

Redress

Anyone who considers that this policy has not been followed in respect of personal information about themselves or others should raise the matter with the Data Protection Officer.

Status of this policy

All staff will be trained in data protection and made aware of this policy.

Data protection awareness will also be included in induction training.

This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and polices made by Concordia.

Compliance is the responsibility of all staff and volunteers.

Any questions or concerns about the interpretation or operation of this policy should be taken up with the Data Protection Officer.

Concordia provides data protection training for its staff and volunteers.

Data protection procedures

As a member of staff or volunteer using personal information you are required to adhere to the following points to help ensure that we comply with the legislation and miminise the risk of something going wrong.

Personal information collected and recorded must be relevant for the purpose you are collecting the information. You must not record information if it is not actually needed.


Explicit consent of the individual concerned must be obtained and recorded when collecting special categories of personal data[7].


Personal information will not be shared with organisations outside of Concordia for their own use unless we have prior documented consent from the individual concerned or are required to do so by law.


Inform the CEO if you need to use a third party organisation to process personal information on our behalf, for example we might use a membership mailing house to print and send our member information from us. In these situations we’ll put in place a contract to ensure that the personal information that we provide to them is properly protected and treated in accordance with data protection requirements.


[1] A controller is an organisation which determines the purposes for which and the manner in which personal data is processed.

[2] Personal information includes personal and sensitive personal data. It is information, facts or opinion, which identifies a living individual.

[3] Processing is

[4] Data subjects are the people whose personal information we hold and use

[5] Also regulated by the ICO under its Guide to Privacy and Electronic Communications Regulations

[6] The European Economic Area covers the EU states plus Lichtenstein, Iceland and Norway.

[7] Personal information relating to someone’s race or ethnicity, political opinions, trade union membership, health, religion, sex life, criminal proceedings or convictions