1. Purpose of the policy

1.1. This Data Protection Policy ensures that the RSA complies with the Data Protection Act 2018, the UK General Data Protection Regulation, and such other legislation as may be passed; in this document all such legislation is collectively referred to as 'the Legislation'.

2. Responsibilities

2.1 The Executive Team

The Executive Team is responsible for supporting and driving the broader data protection and information security agenda at the RSA, as well as providing assurance that effective best practice mechanisms are in place across the business. Within the context of data protection the Executive Team is responsible for:

• Reviewing, contributing to, and recommending to the Board or its Committees data protection-related strategies and policies;
• Ensuring the provision of resources to deliver approved strategies, and monitoring performance;
• Reviewing the operational status of data protection compliance across the business and acting as a point of escalation for related issues; and
• Ensuring that the Data Protection Officer has appropriate levels of autonomy and adequate support and resources to enable them to undertake their role effectively and to fulfil the requirements of the role.

2.2 Data Protection Officer

RSA’s Chief of Staff (or their nominee) is the Data Protection Officer. The Data Protection Officer is responsible for monitoring internal compliance with data protection legislation and reporting data protection matters to the Audit and Risk Committee.

The Data Protection Officer is also responsible for informing all staff of and advising them about their data protection obligations in relation to a number of compliance matters, including:

• The processing of special category and criminal convictions data;
• Handling data subject requests;
• Approving arrangements with Data Processors;
• International data transfers;
• Carrying out Data Protection Impact Assessments (DPIA) and privacy by design; and
• Reporting data breaches.

The Data Protection Officer is the contact point for data subjects and the Information Commissioners Office.

2.3 Heads of Department

Heads of Department are responsible for ensuring that staff in their teams are aware of this policy and their responsibilities (as outlined above), including completion of mandatory data protection training.

Heads of Department are expected to encourage and promote a culture of compliance with regard to data protection within their teams.

Heads of Departments should work in conjunction with nominated staff within their teams to identify, record, and manage data risks.

2.4 All Staff

All RSA staff are responsible for:

• Familiarising themselves with this policy and ensuring that they adhere to the data protection principles when processing personal data as part of their work for the RSA;
• Consulting with the Data Protection Officer for guidance and advice in relation to data protection compliance matters, including the processing of special category and criminal convictions data, handling data subject requests, international data transfers, carrying out Data Protection Impact Assessments, and reporting data breaches;
• Completing data protection-related training as required by the RSA;
• Reporting any personal data breaches they become aware of to the Data Protection Officer immediately via the personal data breach-reporting process (see Appendix 1);
• Keeping personal data in accordance with the IT Security and Usage Policy, and the Archive Policy;
• Ensuring that personal information is not disclosed deliberately or accidentally orally, electronically, or in writing, to any unauthorised third party;
• Promptly forwarding all initial requests for personal data to the Data Protection Officer or to their nominee, and within two working days;
• Providing responses to requests by the Data Protection Officer for information and reviews within the requested timeframe; and
• Ensuring that the information provided to the RSA in connection with their employment or service contract is kept accurate and as up to date as possible.

It is important to understand that it is the responsibility of the individual collectors, keepers, and users of personal data to apply the provisions of the Legislation, such as keeping records up to date and accurate.

3. Data Protection Principles and Processing

The Legislation is not intended to prevent the processing of personal data, but to ensure the fair and proper use of information about people. It is about treating people fairly and openly, recognising their right to have control over their own identity and their interactions with others.

3.1. The Principles

The RSA is committed to processing data in accordance with its responsibilities under the Legislation, which requires that personal data should be:

Processed lawfully, fairly, and in a transparent manner in relation to individuals (the "lawfulness, fairness and transparency principle");

• Collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific purposes, historical research purposes, or statistical purposes shall not be considered incompatible with the initial purposes (the “purpose limitation principle”);
• Adequate, relevant, and limited to what is necessary with relation to the purposes for which they are processed (the "data minimisation principle");
• Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data are accurate, having regard to the purposes for which they are processed, are erased, or rectified without delay (the "accuracy principle");
• Kept in a form that permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific purposes, historical research purposes, or statistical purposes, subject to implementation of the appropriate technical and organisational measures required to safeguard the rights and freedoms of individuals (the "storage limitation principle");
• Processed in a manner that ensures appropriate security of personal data, using appropriate technical and organisational measures to protect the data against unauthorised or unlawful processing, accidental loss, destruction, or damage (the "integrity and confidentiality principle");
• The Data Controller is responsible for, and is able to demonstrate compliance with, Principles as above (the “accountability principle”).

3.2. Processing – Personal data

The RSA can process personal data when at least one of the following lawful bases applies:

• An individual has given clear consent for the RSA to process their personal data for a specific purpose;
• Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract; for example, when we need to store details of someone in our accounts system in order to pay them;
• Processing is necessary for compliance with a legal obligation; for example, when ordered to do so by law such as through a court order or warrant;
• Processing is necessary to protect the vital interests of a data subject or another person; one example would be to protect someone’s life;
• Processing is necessary for the performance of a task carried out in the public interest or for an official function, and the task or function has a clear basis in law; and
• Processing is necessary for RSA’s legitimate interests or for those of a third party, except where there is a good reason to protect the individual’s personal data that overrides RSA’s legitimate interests.

The legal basis for processing should always be determined before the data is processed and documented. The RSA’s Privacy Policy broadly outlines the legal bases for processing carried out as part of RSA’s standard functions.

3.3 Processing – Special Category Data and Criminal Offence Data

In order to lawfully process special category data and criminal offence data, additional conditions must be met, and the Data Protection Officer should be consulted in relation to these.

3.3.1 Special Category Data

UK GDPR sets a higher bar to justify the processing of special categories of personal data. These are defined as "data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation." (Article 9(1)).

The RSA can process personal data when at least one of the lawful bases in 3.3 is met and one of the conditions below also applies:

• Explicit consent by the data subject;
• For carrying out obligations and exercising rights in relation to employment, social security, and social protection law;
• To protect vital interests where the data subject is incapable of giving consent;
• Processing by not-for-profit bodies;
• Personal data has manifestly been made public by the data subject;
• Necessary for exercise of defence of legal claims or judicial acts;
• Necessary for the purpose of substantial public interest;
• Necessary for health or social care systems and services;
• Necessary for the reason of public health; and
• Necessary for archiving, research and statistics.

Staff who wish to process special category data should seek advice from the Data Protection Officer to ensure that the data can be lawfully processed.

3.3.2 Criminal Offence Data

The UK GDPR gives extra protection to “personal data relating to criminal convictions and offences or related security measures”. This covers a wide range of information about offenders or suspected offenders in the context of:

• Criminal activity;
• Allegations;
• Investigations; and
• Proceedings.

Staff who wish to process criminal offence data should seek advice from the Data Protection Officer to ensure that the data can be lawfully processed.

3.4 Processing – CCTV

The RSA processes personal data through the use of CCTV to monitor and collect visual and audio records to provide a safe environment for staff and visitors to our House and for the purposes of security.

Such personal data may be used for the prevention and detection of crime; for evidential purposes to support criminal, civil, and internal proceedings, including disciplinary investigations; and to assist in Health and Safety requirements and other legal or regulatory compliance obligations.

4. Data subject rights

4.1. The Data Protection Legislation ensures that data subjects have the following rights:

• The right to be informed: to be informed about the collection and use of their personal data;
• The right of access: to access and receive copies of their personal data;
• The right to rectification: to have inaccurate personal data rectified or completed (if incomplete);
• The right to erasure (or ‘to be forgotten’): to ask for personal data to be erased; however, this is not absolute and only arises in quite a narrow set of circumstances, notably where the controller has no legal ground for processing the information;
• The right to restrict processing: to request restriction or suppression of their personal data; again, this only applies in certain circumstances, and storage of the data is still permitted;

• The right to data portability: to obtain and reuse their personal data for their own purposes across different services;
• The right to object: to object to the processing of their personal data in certain circumstances; and
• Rights in relation to automated decision-making and profiling.

4.2. The RSA must have appropriate processes in place to comply with data subject requests, and within the associated statutory timescale. The Data Protection Officer should be contacted whenever one of the above requests is received from a data subject.

5. International Transfers

5.1. Personal data must not be transferred outside of the United Kingdom unless appropriate safeguards are in place to ensure an equivalent level of data protection. Generally, such safeguards will be limited to the following:

• The United Kingdom has made a decision that the third country ensures an adequate level of protection (an adequacy decision); or
• An appropriate transfer mechanism is in place, such as the use of an International Data Transfer Agreement (IDTA).

5.2. Where the transfer is to a country without an adequacy decision, advice should be sought from the Data Protection Officer at the very earliest opportunity.

6. Data Protection Impact Assessments

6.1. Under data protection legislation, organisations are required to complete a Data Protection Impact Assessment (DPIA) for types of processing that are likely to result in a high risk to the rights and freedoms of Data subjects.

6.2. Staff undertaking DPIAs should include consultation with the Data Protection Officer, as well as other relevant individuals or stakeholders, where appropriate.

7. Records and Retention Management

7.1. The RSA depends upon the reliability, integrity, and accessibility of its records for the efficient and effective discharge of its responsibilities. Records created in the course of RSA business belong to the RSA, rather than the individuals that create or use them. However, everyone within the RSA has defined and shared responsibilities for managing records. These responsibilities and the system to be followed is set out in Appendix 2.

8. Data Breaches

8.1. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.

8.2. All personal data breaches must be reported to the Data Protection Officer, who will decide whether they are reportable to the Information Commissioner’s Office or to Data subjects. The Data Protection Officer will also advise on action that is required internally and provide guidance to assist with mitigating risks of future breaches.

8.3. The RSA must report certain types of personal data breaches to the Information Commissioner’s Office within 72 hours of it becoming aware of the breach. As such, breaches should always be reported to the Data Protection Officer immediately. Should the Data Protection Officer be absent, the Chief Operating Officer or another member of the Executive should be contacted.

8.4. Guidance on the reporting of a data breach is included in Appendix 1.

9. Glossary of Terms

9.1. PERSONAL DATA means any information relating to an identified or identifiable individual. This might be anyone, including a customer, client, employee, partner, member, supporter, business contact, public official, or member of the public.

9.1.1. It doesn’t need to be ‘private’ information: even information that is public knowledge or is about someone’s professional life can be personal data.

9.1.2. It doesn’t cover truly anonymous information, but if you could still identify someone from the details, or by combining it with other information, it will still count as personal data.

9.1.3. It includes paper records if you intend to put them on a computer (or on any other digital device) or file them in an organised way.

9.2. SPECIAL CATEGORY DATA is personal data that needs more protection because it is sensitive. It includes data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (used to uniquely identify someone), data concerning health, or data concerning a person's sex life or sexual orientation.

9.3. PROCESSING means any operation or set of operations performed on personal data or on sets of personal data (whether or not by automated means, such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction)

9.4. DATA SUBJECT is the identified or identifiable living individual to whom personal data relates.

9.5. DATA CONTROLLER is the person or entity which, alone or jointly with others, determines the purposes and means of processing personal data. The RSA is a data controller.

9.6. DATA PROCESSOR is a person or entity that processes personal data on behalf of a controller. Whenever a third party is used to process personal data for the RSA, staff must ensure that the appropriate legal/contractual arrangements are in place, and the RSA must be assured that the processor can demonstrate compliance with data protection legislation requirements. Arrangements with processors should be approved by the Data Protection Officer.

9.7. ALL STAFF refers to employees, self-employed contractors, and agency temps.

10. Further information

• IT Security & Usage Policy
• Archive Policy
• Privacy Policy
• Data Breach Guidance

10.1. If you have questions or require further guidance, please contact the Data Protection Officer.

APPENDIX 1

RSA Personal Data Breach Guidelines

1. Introduction

1.1 The RSA collects, holds, processes, and retains personal data to deliver and support its business function.

1.2 Under the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018) the RSA has an obligation to ensure the appropriate safeguards are in place when handling personal data.

1.3 The RSA needs to have in place a robust process for reporting and managing any incidents involving breach of personal data.

2. Definitions

2.1 The GDPR defines a “personal data breach” as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

3. Aim

3.1 The aim of this guidance is to standardise the RSA’s response to a personal data breach incident and to ensure incidents are reported, logged, and managed appropriately by adopting a standard, consistent approach. It ensures that:

• Incidents are reported in a timely manner and can be properly investigated;
• Incidents can be properly managed, and consideration given to referring to the Information Commissioners Office where appropriate to do so, ensuring the 72 hours statutory reporting period is met;
• All incidents are recorded and documented, and evidence is gathered and maintained;
• Data subjects and/or external bodies are notified where appropriate; and
• The impact of incidents and preventative actions taken are captured so that lessons can be learned to prevent the reoccurrence of a similar breach in the future.

4. Responsibilities

4.1 Heads of Departments are responsible for ensuring that staff in their area act in compliance with the Data Protection Policy and this guidance, and that Heads provide appropriate assistance to investigations as required.

4.2 Staff: When a staff member is aware of an actual or suspected personal data breach they should:

• Inform their Line manager immediately.
• Take steps to retrieve/contain the personal data.
• Alert the Data Protection Officer as soon as possible and complete the incident reporting form (Appendix 2). Send the completed form to the Data Protection Officer. In the absence of the Data Protection Officer, a member of the Executive Team should be contacted.
• Assist the Data Protection Officer with investigations as required, particularly if urgent action must be taken to prevent any further harm.

4.3 All staff should be aware that a breach of Data Protection legislation may be subject to the RSA’s disciplinary procedures

5. Data Protection Officer’s responsibilities

5.1 Once the Data Protection Officer has been notified they will undertake the following, as determined by the circumstances:

• Arrange for an investigation to be undertaken, with support from other areas of the business necessary.
• Take steps to contain the breach and any additional steps to prevent any further breach.
• Assess the severity, risk, and harm to individuals affected by the breach.
• Consider notification to individuals impacted by the breach and to relevant third parties.
• Maintain a record of the breach, mitigations to be implemented, and the outcome.
• Notify the Information Commissioners Office of personal data breaches, if necessary.
• Add the breach to the RSA’s personal data breach log.

6. Notification of Breach

6.1 The RSA has a duty to report to the Information Commissioner Office (ICO) a personal data breach that is likely to result in high risk to the rights and freedoms of individuals within 72 hours.

6.2 If the assessment of risk and impact identifies that the breach meets the threshold for referral, then the Data Protection Officer, following liaison with the Executive team, will report the notifiable breach to the ICO via the ICO’s online reporting form.

6.3 In any event, personal data breaches will be reported to the next Audit and Risk Committee meeting.

APPENDIX 2

Records and Retention Management

The procedure for managing the RSA's records aims to:

• Save time and money by promoting the use of simple, cost-effective, and easily manageable records and information retrieval systems throughout the RSA.
• Ensure that the RSA retains, and increasingly creates, only those records that it requires to conduct and document its business, and to comply with its legal and regulatory obligations.

1. Scope and Definitions

1.1. This procedure applies to all records created, received, and maintained by the RSA's staff in the course of RSA business.

1.2. A Record is a document in any format that has been generated or received by the RSA in the course of its activities and has been, or may be, used by the RSA as evidence of its actions and decisions, or because of its information content.

1.3. Records management is a series of integrated and embedded systems related to the core processes of the RSA by which the RSA seeks to control the creation, distribution, filing, retrieval, storage, and disposal of those records created or received by the RSA in the course of its business.

1.4. Archives are records selected for permanent preservation as part of the RSA's corporate memory and as a resource for research.

2. Key Objectives

2.1. The objectives of this procedure are to ensure:

• RSA records systems are authentic, reliable, protected against unauthorised alteration, comply with regulatory and other business needs, and remain accessible to those that need to use them for as long as they are required.
• Records and other data that are not required are deleted quickly and efficiently.
• The information records contain can be retrieved accurately and quickly to aid decision-making and increase management effectiveness.
• RSA records are managed cost effectively, avoid unnecessary duplication, and are retained only as long as required.
• All files are held securely, in a manner commensurate with their value and retention period, and in the medium most appropriate for the task they perform.
• All files vital to the survival of the RSA are identified and protected.
• That files that are no longer current will be stored cheaply, retrieved promptly, and reviewed and disposed of only in accordance with a defined approval process.
• Files worthy of permanent preservation as archive are identified and at the appropriate point preserved in the RSA Archive.

3. Responsibilities

3.1. Effective records management is a shared responsibility.

3.2. The RSA Executive Team is responsible for approving and promoting compliance with the Filing and Retrieval Policy and Procedures throughout the RSA.

3.3. The Chief Operating Officer has overall responsibility for the efficient storage of records across the organisation and for the integrity of the RSA’s filing processes.

3.4. The Data Protection Officer is responsible for personal data across the organisation and ensuring the RSA's obligations under relevant legislation.

3.5. The Head of Archive of the RSA has responsibility for promoting and supporting compliance with the Procedure.

3.6. The Head of IT has responsibility for developing and maintaining systems to ensure that records will remain authentic, reliable, and usable throughout any system change, including format conversion, migration between hardware and operating systems, or specific software applications, for the entire period of their retention.

3.7. Team Managers and Departmental leads are responsible for ensuring the accuracy of the Schedule of Personal Data, including Archive Processes and compliance with the agreed retention periods.

3.8. All staff are responsible for creating and maintaining records in compliance with relevant RSA policies and procedures.

4. Implementation

4.1. All records, including all personal data collected and stored by departments, are required to be listed on the Schedule of Personal Data, including Archive Processes. This sets the retention policy and period for all records and personal data across the RSA. It ensures:

• Retention of records for permanent preservation and the periods for which other records are to be retained;
• A clear list of records retention/disposal schedules for each department;
• Appraisal and destruction of time-expired records, including a permanent record of why records were destroyed, when, and on whose authority;
• Storage and destruction of non-current records; and
• Compliance with the procedure represented by the RSA's strategy to preserve, document, and provide long-term access to electronic records to be kept permanently as archives.

5. Record Systems

5.1. Files are stored either in paper within departments or on SharePoint.

5.2. Except for the Executive Team, the RSA does not have a policy of archiving e-mail, so all relevant information should be moved to SharePoint as part of the work processes of teams.

5.3. Once Departments no longer require records, these should be passed to the Archive for either electronic archive or to be kept in the physical archive.

6. Record Retention and Archive

6.1. It is the responsibility of team heads to ensure adherence to the list policy.

6.2. Live records defined as those within the schedule must be retained by the relevant department. For project work this is usually the life of the project; for other records, unless otherwise specified, this is two years.

6.3. Digital records potentially requiring archive are thereafter transferred to a designated folder within SharePoint for review by the Head of Archive before formally being accepted into the archive or being disposed of.

6.4. Paper records are passed to the Head of Archive for review by the same before being accepted into the archive or being disposed of.