This policy applies to all SSAFA trustees, employees (whether temporary or permanent), volunteers, contractors and consultants processing personal data on behalf of the following SSAFA legal entities:

• Soldiers, Sailors, Airmen and Families Association- Forces Help
• SSAFA Forces Help Enterprises Limited
• SSAFA Family Health Services
• SSAFA CMS Limited

The organisation chart explaining the reporting structure for Data Protection within SSAFA is shown below.

As the Data Controller, SSAFA is responsible for establishing policies and procedures in order to comply with data protection law.

Everyone processing personal data on behalf of SSAFA must comply with the six principles of Data Protection as set out in the UK General Data protection Regulation (UK GDPR). We must always observe these data protection principles in respect of the processing of all personal data. They are summarised as follows:

• processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency).
• collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (purpose limitation).
• adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (data minimisation).
• accurate and where necessary kept up to date (accuracy).
• kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is processed (storage limitation).
• processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (security, integrity and confidentiality).

SSAFA trustees are legally responsible and accountable for ensuring that we comply with all UK and overseas relevant legislation.

SSAFA’s Controller and Directors are responsible for the implementation of this policy and the lawful processing of all personal data, overseeing the good governance of data protection in their areas of responsibility.

The Chair of the Regional Chairs Committee is accountable and responsible for the implementation of the data protection policy and the lawful processing of all personal data and overseeing the good governance of data protection across SSAFA volunteers.

Shared oversight of the implementation of the data protection policy and the lawful processing of all personal data and the good governance of data protection across SSAFA volunteers.

Regional Chairs, Branch Chairs and Service Committee Chairs are responsible and accountable for the lawful processing of all personal data in their areas of responsibility.

Managers are to ensure that their employees or volunteers comply with this policy, that they complete the mandatory annual data protection training and any other training as required by SSAFA.

Project managers (of, for example the implementation of any new systems or processing activities) are responsible for carrying out Data Protection Impact Assessments (DPIA) and Legitimate Interests Assessments (LIA) when they are necessary. This includes the addressing and closure of actions raised, as well as seeking advice and guidance from the Data Governance Manager.

Employees and Volunteers who process personal data about data subjects or any other individual must comply with the requirements of this policy. They must ensure that:

• all personal data is kept securely;
• no personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
• personal data is kept in accordance with SSAFA’s information and records retention policy;
• any queries regarding data protection, including subject access requests and complaints, are promptly directed to the Data Governance Manager (DGM);
• any data protection breaches are swiftly brought to the attention of the DGM and that they support the investigation and resolution of breaches;
• where there is uncertainty around a data protection matter advice is sought from the DGM.

Where employees and/or volunteers are responsible for supervising the work of others which involves the processing of personal information (for example in research projects), they must ensure that those others are aware of the data protection principles.

Anyone who is unsure about who are the authorised third parties to whom they can legitimately disclose personal data should seek advice from DGM.

The DPO for SSAFA is responsible for:

1. advising SSAFA of its obligations under UK GDPR.
2. monitoring compliance with UK GDPR and other relevant data protection laws, SSAFA’s policies with respect to this and monitoring training and audit activities related to UK GDPR compliance.
3. to provide advice as requested on data protection impact assessments (DPIA).
4. to cooperate with and act as the contact point for the UK Information Commissioner’s Office (ICO).

In the performance of their tasks the DPO shall have due regard to the risk associated with processing operations, considering the nature, scope, context and purposes of processing.

The DGM for SSAFA is responsible for:

1. providing ongoing advice and guidance to SSAFA trustees, managers, employees and volunteers.
2. overseeing the management of individual rights requests including Subject Access Requests (SAR),
3. overseeing and managing data breaches and liaising with the DPO,
4. overseeing the maintenance of SSAFA’s data processing activities and for maintaining accurate records of events and incidents related to (b) and (c) above.
5. Overseeing and providing guidance on the completion DPIAs and LIAs and for keeping a register of assessments and tracking to closure of actions raised in each.
6. reviewing and maintaining the currency and relevance of data protection training and guidance.
7. ensuring that this policy and associated guidance is reviewed and updated to reflect data protection law and external good practice.
8. regular reporting of data protection programme maturity and incidents to senior management, including the Controller’s Meeting.

SSAFA processes the personal data of many individuals, which are grouped as those to whom we provide a service and those who work on behalf of SSAFA, whether as an employee or a volunteer. We process different sets of data depending on the individual’s relationship with SSAFA and the purpose we are trying to achieve.

SSAFA maintains a register of all its data processing activities, including the identification of the data; who or where it is collected from; who has access to it/who it is shared with; the purpose and the lawful basis for its processing as well as where it is stored and for how long. This Register of Processing Activities (RoPA) is regularly reviewed and updated.

SSAFA must have a lawful basis for which it gathers and processes personal data. At least one of the following must apply whenever we process personal data:

• Consent: the individual has given clear consent for us to process their personal data for a specific purpose. We must also recognise and inform the individual that their consent can be withdrawn at any time.
• Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
• Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
• Vital interests: the processing is necessary to protect someone’s life or wellbeing.
• Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
• Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

There are two main categories of personal data SSAFA processes, these are “personal data “ and “special category (or sensitive) data”.

Examples of personal data are:

• a name and surname;
• a home address;
• an email address such as [email protected] or perhaps [email protected]
• an identification card number;
• location data (for example the location data function on a mobile phone);
• an Internet Protocol (IP) address;
• a cookie ID;

The UK GDPR singles out some types of personal data as likely to be more sensitive, and gives them extra protection:

• personal data revealing racial or ethnic origin;
• personal data revealing political opinions;
• personal data revealing religious or philosophical beliefs;
• personal data revealing trade union membership;
• genetic data
• biometric data (where used for identification purposes);
• data concerning health;
• data concerning a person’s sex life; and
• data concerning a person’s sexual orientation.

Special category data needs to be treated with greater care because collecting and using it is more likely to interfere with these fundamental rights or open someone up to potential discrimination.

Processing special category data requires us to meet one of the additional conditions for doing so, which include:

• gaining explicit consent of the individual.
• carrying out obligations in the field of employment and social security.
• to protect the vital interests of an individual where they are physically or legally incapable of giving consent.
• a foundation, association or not-for-profit body with political, philosophical, religious or trade union aims which is carrying out legitimate activities, with appropriate safeguards.
• processing that relates to personal data which have been manifestly made public by the data subject.
• the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
• reasons of substantial public interest proportionate to the aim pursued, with appropriate safeguards and interests of the data subject.
• for the purpose of preventive or occupational care, such as the assessment of the working capacity of an employee or the provision of health or social care treatment, subject to appropriate safeguards.
• for reasons of public interest in the area of public health
• for archiving purposes in the public interest, scientific or historical research or statistical purposes.

Personal data relating to criminal convictions and offences, which includes personal data relating to criminal allegations and proceedings, should be treated like special category data given its high sensitivity.

Under UK GDPR individuals have a number of rights associated with their personal data, these are summarised as:

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling.

We provide information to all individuals in our various Privacy Notices for:

• Beneficiaries, mentees and supporters (published on our external website)
• Applicants (employed roles)
• Applicants (volunteer roles)
• Workers and volunteers

When an individual exercises one of their rights, we must respond to their requests. They can submit their response using the provided forms, by letter, by email or verbally if they wish and we will respond within one month of receiving their request.

The DGM should be notified all requests to ensure that they are recorded on our register and are satisfied across the organisation (e.g. many individuals’ data is held and processed by SSAFA for more than one purpose and by more than one part of the organisation).

When an individual submits a Data Subject Access Request (SAR) they are entitled to receive copy of their personal data which is held by SSAFA.

The entitlement is not to documents per se but to such personal data as is contained in the document. The right relates to personal data held electronically and to limited manual records.

You should not alter, conceal, block or destroy personal data once a request for access has been made. You should contact the DGM before any changes are made to personal data which is the subject of an access request, including any decisions related to our intent to withhold or redact information.

We are required to implement privacy-by-design measures when processing personal data, by implementing appropriate technical and organisational measures in an effective manner, to ensure compliance with the data protection principles. SSAFA must ensure therefore that, by default, only personal data which is necessary for each specific purpose is processed. The obligation applies to the volume of personal data collected, the extent of the processing, the period of storage and the accessibility of the personal data. By default, personal data should not be available to an indefinite number of persons. You should ensure that you adhere to those measures.

As well as complying with SSAFA practices designed to fulfil reasonable expectations of privacy, you should also ensure that your own data handling practices default to privacy to minimise unwarranted intrusions in privacy e.g. by disseminating personal data only to those who need to receive it to discharge their duties.

SSAFA must conduct DPIA in respect of high-risk processing before that processing is undertaken. You should conduct a DPIA (and discuss your findings with the DGM in the first instance) in the following circumstances:

• the use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);
• automated data processing including profiling;
• large scale processing of sensitive (special category) data; and
• large scale, systematic monitoring of a publicly accessible area.

The DGM has a procedure, forms and guidance to assist in the completion of a DPIA, which as a minimum includes:

• a description of the data processing, its purposes and our legitimate interests if appropriate;
• an assessment of the necessity and proportionality of the data processing in relation to its purpose;
• an assessment of the risk to individuals; and
• the risk-mitigation measures in place and demonstration of compliance.

New employees and volunteers are required to complete data protection training as part of their induction plan. Thereafter, data protection refresher training is mandatory for all SSAFA trustees, employees (whether temporary or permanent), contractors and volunteers on an annual basis.

Any suspected breach of this policy will be investigated, and access to systems may be suspended as a risk reduction measure until an investigation has concluded.

Non-compliance with this policy may result in individual consequences ranging from re-training then up to and including termination of employment (for employees); termination of engagement (for contractors and consultants); or termination of volunteering role (for volunteers), depending upon the circumstances.

There are wider consequences for SSAFA of non-compliance, which could take the form of regulatory sanctions and/or financial penalties imposed by the Information Commissioner’s Office (ICO) or other data protection Supervisory Authorities. As well as the risk of significant financial fines, there could be the loss of confidence and trust in SSAFA by our benevolent funders, service delivery partners, individual and corporate supporters, as well as our beneficiaries and clients – as well as untold damage to our valuable reputation.

Data Controller:

SSAFA

4 St. Dunstan’s Hill London EC3R 8AD

[email protected]

[email protected]

• IT Policy
• IT Policy – further information
• Privacy Notices
  • Employees and Volunteers
  • Beneficiaries, Mentees and Supporters
  • Applicants – Employed Roles
  • Applicants – Volunteer Roles
• GDPR Guidance
• Data breach management process

Biometric data: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images.

Consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data controller: is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined.

Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Data protection law – means the UK General Data Protection Regulation, as tailored by the Data Protection Act 2018 (UK GDPR) and any applicable data protection laws of other countries where SSAFA is processing personal data.

Data subject: a natural person whose personal data is processed by a data controller or processor.

European Economic Area (EEA): includes EU countries of Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden plus Iceland, Liechtenstein and Norway.

Genetic data: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

International transfer: the transfer of personal data outside of the UK and the EEA. Such transfers are subject to restrictions imposed by the UK GDPR.

Personal data: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Privacy impact assessment: a process designed to help organisations identify and mitigate privacy risks associated with proposed data processing activities. For further information, see the University's Privacy Impact Assessment guidance.

Principles: the fundamental principles imbedded within the UK GDPR which set out the main responsibilities for organisations.

Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Restriction on processing: the marking of stored personal data with the aim of limiting their processing in the future.

Right of access: entitles the data subjects to have access to have access to and information about the personal data being processed by the data controller.

Special categories of personal data: personal data revealing a data subjects racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership or the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation