Skip to main content

GDPR

8. GDPR 

LEAD Consortium Data Protection Policy  

 1. Purpose 

The purpose of this policy is to ensure compliance with data protection laws and regulations and to establish guidelines for the proper management and processing of information by the LEAD consortium members and its stakeholders. 

 

  1. Introduction 


The following policy outlines the data protection practices and procedures of the LEAD consortium members (hereafter LEAD; intended to cover Plymouth Energy Community PEC, Tamar Energy Community TEC, South Dartmoor Community Energy SDCE, 361 energy, Dartmoor Energy, Exeter Community Energy ECOE). This policy is designed to ensure compliance with the Data Protection Act 2018 (hereafter DPA), which incorporates the provisions of the EU's General Data Protection Regulation (GDPR) into UK law. This legislation binds us by law to effectively manage our data, as failure to do so could result in criminal charges against individuals or fines amounting to up to 5% of members turnover. 

Our management of data also carries substantial reputational risks. LEAD members are entrusted with a significant amount of personal and confidential information from our community. This information is shared with the utmost confidence that we will act in their best interests and our funders share this expectation. Managing this information responsibly is a vital responsibility we undertake to honour the trust placed in us.  

This policy outlines the principles and provisions that guide the Organisation's data processing activities. It ensures that personal data is processed lawfully, fairly, and transparently, while taking appropriate measures to maintain its stakeholdersaccuracy, security, and confidentiality. This policy applies to all personal data processed by LEAD members. Supporting policies, codes of practice, procedures and guidelines provide further details, including the IT Security Management Policy and Data and IT Security Staff Protocol. 

This policy applies to all Employees, Directors, Volunteers, and contractual third parties and agents associated with LEAD members.  Managers within departments are responsible for implementing appropriate controls to minimize the risk of policy breaches, however compliance with this policy and data protection laws is the responsibility of all staff and directors.  


  1. Objectives  


By achieving the following objectives, the data protection policy aims to create a framework that enables LEAD MEMBERS to handle personal data responsibly, maintain compliance with data protection laws, protect individuals' privacy, and preserve the trust and confidence of its stakeholders. 


  • Ensure Compliance: The policy aims to ensure compliance with the DPA 

  • Protect Personal and Confidential Information: The policy emphasizes the responsible management of personal and confidential information entrusted to LEAD MEMBERS by individuals and the community. It aims to uphold the confidentiality, security, and integrity of this information and minimize reputational risks associated with data mishandling.  

  • Establish Clear Responsibilities: The policy assigns responsibilities within LEAD MEMBERS. Clear governance and oversight structures are established to ensure accountability and proper implementation of data protection measures. 

  • Uphold Individuals' Rights: The policy affirms individuals' rights regarding their personal information. It outlines how LEAD MEMBERS will ensure these rights are met.  


 


  1. Integration with other LEAD MEMBERS documentation 


This Data Protection Policy interacts with the following other LEAD MEMBERS documents: 

 


  • Privacy  Statements (see below) 

  • IT Security Management Policy, which provides a framework that helps to ensure business continuity by defining standards and practices that reduce the opportunity for, and impact of, IT and data related security incidents 

  • Data Retention and Deletion Standards. 

  • Data and IT Security Staff Protocol, which seeks to inform staff about required behaviour in relation to LEAD MEMBERS’s IT and data systems including the use of computing facilities and mobile phones. 


 


  1. Data Protection Principles.  


In accordance with the DPA, LEAD MEMBERS will ensure the data it holds will be:  


  1. processed lawfully, fairly and in a transparent manner in relation to individuals; 

  1. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes; 

  1. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; 

  1. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; 

  1. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the DPA in order to safeguard the rights and freedoms of individuals; 

  1. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures. 


 

These principles will form the basis of this policy and the related procedures used to ensure compliance with the DPA. 

 


  1.  Roles and responsibilities 


This policy distributes responsibilities within the organisation. The table below describes the different roles that may be held by individuals or groups and a broad summary of their responsibility. 

 

Role  

Responsibility 

Trustees/Directors 

Each board is the accountable Data Controller for their organisation. The controller is responsible for complying with the DPA. This means being able to demonstrate compliance with the principles and that appropriate technical and organisational measures have been taken to ensure processing is in line with GDPR. The controller sets the purpose and means of processing and anybody processing data on behalf of that controller must operate within these parameters.  

Data and IT Security responsible person 

The Data and IT Security responsible person for each member organisation is responsible for implementing the systems that control and review how LEAD MEMBERS processes data and the compliance with the parameters set out by the Data Controller(s). This person will take a lead role in ensuring all of LEAD MEMBERS’s obligations to maintain data subject’s rights; for alerting the data controller to breaches; and recommending changes to policy or procedure governed by the Data Controller(s) 

Project Managers 

Are responsible for delivery of some of the processes to control and review how LEAD MEMBERS processes data and the compliance with the parameters set out by the Data Controller(s). They also carry a key role for setting the culture for how LEAD MEMBERS interacts with customers and their data.    

All staff, volunteers, and sub-contractors 

Are responsible for: 


  • acting in accordance with the data protection principles; 

  • acting within the parameters set by the Data Controller, namely the purposes and means of processing; 

  • supporting data subjects to exercise their rights under the data protection act; 

  • acting in accordance with procedures and guidance provided.  

 

LEAD MEMBERS will not appoint a Data Protection Officer as the scope and the nature of the personal data held is not sufficient to warrant this. 


  1. Rights 


LEAD MEMBERS will ensure that data subjects are able to exercise their rights in accordance with the DPA, as outlined in the table below.  

  

Right 

How LEAD MEMBERS will enable this 

The right to be informed 

  • Data subjects will be supplied with a concise, transparent and accessible privacy statement written in Plain English See individual members privacy statement/policy.  

The right of access 

  • LEAD MEMBERS’s project managers will encourage a culture of transparency that minimises the need for customers to assert rights of access.  

  • LEAD MEMBERS’s Data and IT Security responsible person for each organisation will encourage this culture through training. (see section 9). 

  • LEAD MEMBERS’s Privacy Policy will outline an accessible process for subject access requests. 

  • LEAD MEMBERS’s Data and IT Security responsible person for each organisation will be responsible for responding to subject access requests in compliance with the DPA.  

The right of rectification 

  • Guidance and training will be supplied to all staff to encourage a proactive approach to ensuring incorrect data is identified and rectified.  

  • LEAD MEMBERS’s Privacy Statement will inform customers of their right to rectify data held and an accessible procedure for doing this.  

  • LEAD MEMBERS’s Data and IT Security responsible person for each organisation will oversee any formal requests for rectification to ensure this is completed in compliance with the DPA, specifically including that this is completed within one calendar month.  

The right of erasure 

  • LEAD MEMBERS’s Privacy Statement will inform customers of their right to erasure of data held by LEAD MEMBERS and an accessible procedure for doing this.  

  • LEAD MEMBERS’s Data and IT Security responsible person for each organisation will assess any requests, form a judgment regarding whether the right applies within this circumstance and, if not, whether LEAD MEMBERS are willing to erase the data anyway. 

  • LEAD MEMBERS’s Data and IT Security responsible person for each organisation will document all decisions and share details of such decisions with the relevant board for review quarterly.  

Right to restrict processing 

  • LEAD MEMBERS’s Privacy Statement will inform customers of their right to restrict processing of data held by LEAD MEMBERS and an accessible procedure for doing this.  

  • LEAD MEMBERS’s Data and IT Security responsible person for each organisation will assess any requests, form a judgment regarding whether the right applies within this circumstance and, if not, whether LEAD MEMBERS are willing to erase the data anyway. 

  • LEAD MEMBERS’s Data and IT Security responsible person for each organisation will document all decisions and share details of such decisions with the relevant board for review quarterly. 

Right to data portability 

  • Due to the highly limited quantity and scope of data that LEAD MEMBERS control which would be subject to this right, LEAD MEMBERS’s Privacy Statement will inform data subjects to approach LEAD MEMBERS with a right of access request in this circumstance. 

Right to object 

  • All staff will ensure that any direct marketing provides a simple and accessible option to object to future use of personal data to be used in this manner. 

  • LEAD MEMBERS’s Privacy Statement will inform customers of their right to object to processing of data held by LEAD MEMBERS and an accessible procedure for doing this.  

  • LEAD MEMBERS’s Data and IT Security responsible person for each organisation will assess any requests, form a judgment regarding whether the right applies within this circumstance and, if not, whether LEAD MEMBERS are willing to erase the data anyway. 

  • LEAD MEMBERS’s Data and IT Security responsible person for each organisation will document all decisions and share details of such decisions with the relevant board for review quarterly. 

Rights related to automated decision making including profiling 

  • Data subjects will be supplied with details related to automated decision making within privacy statements. This processing will take place with the explicit consent of data subjects only. These statements will outline an accessible option to have a human review any decision  

 

 

 


  1. How we ensure lawful processing is carried out. 


 

Privacy Statements 

Data subjects will be provided with a privacy statement at the point they provide data to LEAD MEMBERS. To balance the need to keep data subjects fully informed with the need to ensure information is concise, relevant, and accessible, three tiers of privacy notice will be used. 

 

Level of privacy notice  

It’s role 

Privacy Statement  

To communicate global, LEAD MEMBERS wide information about how we use data which is of less interest to most service users. This will include information on data storage and retention, data sharing, website and cookies and data subject rights.  

Written privacy notice  

A statement that is specific to the service area (E.g. Fuel poverty advice data), covering: what information we collect; how we collect and process this information; the purposes for processing; the lawful basis for processing and a link to the privacy statement for further information  

This is provided in writing within online webforms, in email autoreplies and will be sent to people or shared in the performance of home visits.  

Verbal or brief written notice. 

Two to three sentences summarising the written notice for that area. This will be read by advisors, used in recorded messages before calls and may be used at events alongside call in sheets, or any other venue where the service user is likely to favour brevity. This will invite service users to request a copy of the relevant written privacy notice for the service  

 

LEAD MEMBERS will ensure that staff and third parties operating on behalf of LEAD MEMBERS will be familiar with the relevant privacy notice(s) they will be operating with. 

 

Documenting compliance 


  • Where explicit, informed consent is used as a basis for processing data, LEAD MEMBERS’s staff will ensure this is captured in a signed form, in a webform or on a recorded phone conversation.  

  • Where a legitimate interest basis is used for processing, LEAD MEMBERS’s Data and IT Security responsible person for each organisation will complete and document a legitimate interest assessment to validate the case for processing customer’s data in this manner.  

  • An Information Asset Register will be maintained to detail the types of data we hold, the purposes/legal bases for holding, where they are stored security measures and deletion/retention schedules.  

  • Project Initiation Documents will be used by project managers at the outset of a project. These will ask a project manager to review if project activities in relation to data are likely to exceed the remit of the privacy statement agreed for this service area, with amendments made and approved by the board as appropriate  

  • Substantive changes to how we process data, in particular when this exposes greater risk to data subjects and when automated decision making is in use, will be subject to a Data Protection Impact Assessment.(DPIA). All DPIAs will be assessed by the Data and IT Security responsible person for each organisation and the requests and decisions will be reported to the board/trustees quarterly. 

  • Data sharing agreements will be established with key regular partners where data is being sent and received. These will be reviewed and signed off by the Data and IT Security responsible person for each organisation  

  • A record of data breaches will be maintained including the reasons to or not to inform the ICO and data subject of the breach. This will be maintained by the Data and IT Security responsible person for each organisation and reported to the board quarterly.  


 


  1. Data Breaches  


All staff, volunteers and third parties contracted by LEAD MEMBERS are responsible for identifying and reporting any personal data breaches to the Data and IT Security responsible person for each organisation without delay. The Data and IT Security responsible person for each organisation will then report this to PEC and DESNZ.  A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.  

 

Upon receipt of a data breach notification, the Data and IT Security responsible person for each organisation will: 


  • Determine if the breach is ongoing and, if needed, take the necessary action to secure the personal data.  

  • Review the scale of harm caused by the breach, following ICO Guidelines to review: 

  1. If the breach is likely to result in a risk to the rights or freedoms of individuals and so must be reported to the ICO within 72 hours of becoming aware of the breach.  

  1.  If a breach is likely to result in a high risk to the rights and freedoms of individuals and so the data subjects must be informed without undue delay.  

  1. If the above criteria aren’t met but the breach could conceivably (even if unlikely) be viewed to result in any harm or risk to the rights or freedoms of the data subjects, the default position should be to inform the data subjects, with the reviewer balancing this against other considerations at their discretion. 

  • Review the cause of the breach and determine any actions necessary to avoid future breaches. 

  • Record the details of the breach and the decisions taken above in a register.  

  • Report this register to the trustees or board on a quarterly basis. 


 


  1. Subject Access Requests and other right assertions 


All staff, volunteers and third parties contracted by LEAD MEMBERS are responsible for identifying and reporting any Subject Access Requests or other formal requests, such as for erasing data, to the Data and IT Security responsible person for each organisation without delay 

 

SeeUpon Appendixreceipt xof a Subject Access Request or other request based on the data subjects rights, the Data and IT Security responsible person for each organisation will: 


  • Determine the GDPRvalidity policyof suggestedthe request and make a judgment whether LEAD MEMBERS are compelled to comply. If we do not need to comply, a judgment should be made whether we should comply in the interests of transparency; 

  • Organise to meet the Data Subject’s request without delay and within one month of request; 

  • Document the process and the action taken. 


 


  1. Minimising data collection 


Individuals have a right to expect LEAD MEMBERS to minimise the data we process. We should collect no more information than we need to meet that purpose. We should also only process that only as necessary to meet the purpose. This principle protects LEAD MEMBERS and our clients from unnecessary exposure in the circumstances of a security breach. 

 

The Data and IT Security responsible person for each organisation LEAD.will deliver regular training (see Staff Training and Induction) and will work with project managers to ensure collection and processing of data is as minimal as necessary.  

 


  1. Staff training and induction 


Staff will receive training regarding staff responsibilities as listed in section 5 as well as specific training to understand the privacy notices relevant to their area of work.  

 

Refresher training will be delivered by the Data and IT Security responsible person for each organisation on an annual basis. 

Back to top