DATA PROTECTION Policy


DATA PROTECTION

Policy and Procedure

 
UPDATED JANUARY 2021

1.       Policy Statement

1.1    The Messengers of Peace Academy is a charitable organisation which aims to educate and enlighten others about Islam by breaking down barriers and clarifying misconceptions. This is done using the latest educational technology and training methods, and providing regular online learning courses, using modern academic standards.

 

1.2    In furtherance of its objective to promote Islamic learning and education, the Messengers of Peace Academy from time to time invites speakers and scholars from around the globe to discuss various topics.

 

1.3    Due to the nature of our work, we retain a large amount of personal data about our students and those interested in our work. Likewise, we hold the personal data of a large team of staff and volunteers.

 

1.4    The Messengers of Peace Academy recognises its responsibility, in the eyes of the law and within the boundaries of Islamic law, to the students and staff who have trusted us with their data.

 

1.5    As an organisation that holds and processes information about clients, employees or suppliers, we must comply with Data Protection Laws. There is a legal obligation to protect that information, and guidance on how that information should be kept and used. In order to comply with these requirements we will:

 

  • Only collect data that is absolutely necessary and has a specific cause.
  • Not hold information for longer than necessary, and ensure that all of the data we keep is relevant and up to date.
  • Keep the information we hold secure and only allow the relevant people to have access to it.
  • Allow the individual to have access to the information we hold upon written request.

 

1.6    Data Controller – The CEO will act as Data Controller for the Messengers of Peace Academy and will appoint a designated Data Processor. The Data Processor will be responsible for:

  • Ensuring that all of the relevant policies and procedures are in place and are being practised within the organisation.
  • Ensuring that data is protected and that the relevant systems are in place to protect it.
  • Providing the necessary training for staff and volunteers regarding data protection compliance.
  • Dealing with any requests for access to personal data.

1.7   Subject Access to Information

1.7.1    Individuals have a right to know what information has been stored by the Messengers of Peace Academy. In response to a written request, the Data Controller will provide an emailed copy of all personal data about that Data Subject held at the time the application was made.

1.7.2    Certain data may be withheld, including Third Party material, especially if any duty of confidentiality is owed to the Third Party – in this case Third Party means either that the data is about someone else, or that someone else is the source.

1.7.3    Personal data includes name, address, telephone numbers and email or other contact information.

2.          Procedure

2.1        Confidentiality

2.1.1   All data held about individuals who join our courses, register for any webinars or mailing lists, or make donations, will be strictly confidential and access to that data will be limited only to relevant staff members and trustees who need it for the purposes related to our work.

2.1.2    Any personal information that is held about staff or volunteers will be kept strictly confidential and will not be shared with any third parties without the proper authority of the data controller. Breaching this will result in serious disciplinary action and can lead to dismissal depending on the scope of that breach.

2.1.3    We will not pass on data to a third party without proper authority of the data controller and under strict contractual agreements with the third party and the authority of the data subject.

2.1.4    We will only hold and use personal data for our own marketing and registration activities.

2.2     Security and Storage

2.2.1    All personal data will be held securely on a password-protected PC or detachable hard drive in an encrypted folder, the password of which will be held by the chair or vice chair of trustees and the data controller.

2.2.2    Requests for data access by staff and volunteers need to be made to the data controller via email. The email address can be obtained on request from your line manager.

2.2.3    Passwords for laptops that hold personal information or encrypted folders should be changed regularly.

2.2.4    When passing on data to third parties, any transfer of data on USB or email will also take place in encrypted formats.

2.2.5    All hard copy files of staff and registrations will be kept securely in a filing cabinet that is locked with authorised access only.

2.3     Potential Obligation to Disclose Information

2.3.1    Information may be brought to light about a staff member or student that could affect the welfare of others. For instance, a team member or student might reveal professional misconduct or a risk to public health. In these cases, the need for the organisation to disclose information to an appropriate authority might override concerns about confidentiality.

Potential obligations to disclose include: public interest (where there is a real or serious risk that another individual, or the public at large, may be put in danger by the participant).

 

2.4     Direct Marketing

2.4.1    We will only use personal data for marketing to existing users or people who have registered for our courses or webinars. We will not pass this data to others for direct marketing without their consent.

2.4.2    We will not share contact details with other parties without the consent of the data subject.

2.4.3    We will not send unsolicited electronic communications without permission.

2.4.4    We will always provide subjects with opportunities for electronics to be removed from mailing lists.

2.4.5    Where information is shared with third parties with consent, we will obtain the third party's agreement to maintain the confidentiality and safety of our data.

2.5     Subject Access

2.5.1    An individual can make a request for access to personal data to the organisation and this will be passed on to the data controller.

2.5.2    The data controller will ensure that:

  • The request is genuine and not frivolous.
  • The person making the request and the data subject are the same, and the identity is genuine, by requesting copies of ID.
  • The data does not contain third party confidential data.
  • A response is made within the legal limit of 40 days.
  • The format in which the data is to be provided is agreed.

2.6     Transparency and Consent

2.6.1    In our marketing and mail shots and all our registration or other forms we will always make clear the purposes for which any personal data is going to be used.

2.6.2    We will provide an option to choose to opt out of receiving mail from us.

2.6.3    We will provide a tick box for permission for third party access for the purposes of our business.

2.6.4    We will review our data and lists annually to ensure that any data we keep is up to date and relevant and any unnecessary data is deleted.

2.6.5    We will not collect unnecessary data.

2.6.6    We will destroy personal data securely so that it cannot be accessed by unauthorised persons.

 

2.7     Training and Policy Review

2.7.2    We will provide training to all staff and trustees on their responsibilities on Data Protection and implementation of policies.

2.7.3    New staff will be provided with induction training on responsibilities under the law.

2.7.4    We will review these procedures annually and ask the data controller to provide a report.