LEAD Network Data Protection Policy

Last updated: 17 June 2024

Introduction

1.1 LEAD Network (the ‘organisation’) collects, holds and processes data about its Members, staff and contractors to carry out its business and organisational functions.

1.2 Data Protection legislation defines ‘personal data’ as any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data also includes any expression of opinion about the data subject and any indication of the intentions of the organisation, or of any other person, in respect of the data subject.

1.3 The organisation is committed to protecting the rights and freedoms of individuals with respect to the processing of their personal data.

Purpose and Scope

2.1 The purpose of this policy is to ensure compliance with the General Data Protection Regulation (GDPR) and related European Union (EU) and national legislation (‘Data Protection legislation’). Data Protection legislation applies to the processing of personal data about living identifiable individuals (‘data subjects’).

2.2 The organisation is registered with the Dutch Data Protection Authority (‘Autoriteit Persoonsgegevens’) as a Data Controller. The policy outlines how the organisation will discharge its duties and obligations to comply with Data Protection legislation.

2.3 This policy applies to all parts of the organisation and to all personal data held and processed by the organisation. This includes data held in any system or format, whether electronic or manual.

2.4 This Policy applies to all members of staff except when acting in a private or non-organisation capacity. The term ‘staff’ means anyone working in any context within the organisation. This includes but is not limited to temporary, honorary, visiting, casual, voluntary and agency workers, contractors, interns employed by the organisation, and external members of committees. This Policy also applies to all locations from which personal data is stored and accessed.

2.5 This policy applies to all third-parties when processing personal data on behalf of the organisation, but not in any other situation including when acting in a private or non-organisation capacity.

2.6 This policy is not, and should not be confused with, a Privacy Notice (a statement which informs data subjects how their personal data is used by the organisation).

2.7 This policy should be read in conjunction with responsibilities and obligations outlined in the following documents, which supplement this policy where applicable:

  • Staff employment contracts and comparable documents which impose confidentiality obligations in respect of information held by the organisation;
  • Any other contractual obligations or staff policies which impose confidentiality or data management obligations in respect of information held by the organisation;
  • The Records Retention Schedule which governs the appropriate retention and disposal of personal data;
  • The organisation’s Data Breach Policy which sets out the procedure to be followed if a personal data breach takes place;
  • IT and information security policies, procedures and terms and conditions which concern the confidentiality, integrity and availability of organisation information including rules about IT acceptable use, user accounts, internet, email, and network and wireless facilities.

Policy Statement

3.1 The organisation is committed to complying with Data Protection legislation through its everyday working practices.

3.2 Complying with Data Protection legislation may be summarised as, but is not limited to:

  • understanding, and applying as necessary, the data protection principles when processing personal data;
  • understanding, and fulfilling, when necessary, the rights given to data subjects under Data Protection legislation;
  • understanding, and implementing as necessary, the organisation’s accountability obligations under Data Protection legislation.*

3.3 In accordance with Data Protection legislation, additional conditions and safeguards will be applied to ensure that special category data (sensitive personal data) is handled appropriately. Special category personal data is information relating to an individual’s:

  • race or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • health;
  • sex life or sexual orientation.

3.4 Criminal convictions or offences (alleged or proven) are not technically defined as special category personal data but are afforded similar protections.

Data Protection Principles

4.1 Data Protection legislation requires that the organisation, its staff and others who process or use any personal information, comply with the data protection principles.

4.2 The data protection principles state that personal data should be:

  • processed lawfully, fairly and in a transparent manner;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;
  • adequate, relevant and limited to what is necessary;
  • accurate and, where necessary, kept up to date;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which that data is processed;
  • processed in a manner that ensures appropriate security of the personal data.

4.3 Accountability is central to Data Protection legislation, and Data Controllers are responsible for compliance with the principles and must be able to demonstrate this to data subjects and the Autoriteit Persoonsgegevens.

Data Subject Rights

5.1 The rights given to data subjects under Data Protection legislation are:

  • the right to be informed;
  • the right of access to the information held about them (through a Data Subject Access Request);
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object;
  • rights in relation to automated decision-making and profiling.

5.2 Under Data Protection legislation, data subjects have the right of access to their personal data held by the organisation.

5.3 Any individual who wishes to exercise this right should make the request by emailing operations[@]theleadnetwork.net

Roles and Responsibilities

6.1 As a Data Controller (or when acting as a joint Data Controller or a Data Processor), the organisation has a responsibility for the following:

  • complying with Data Protection legislation and holding records to demonstrate this;
  • cooperating with the Autoriteit Persoonsgegevens;
  • responding to regulatory / court action and paying administrative levies and fines issued by the Autoriteit Persoonsgegevens.

6.2 The Chief Operating Officer is responsible for reviewing and approving this policy.

6.3 The Board of Directors is responsible for assessing the overall risk profile of the organisation and ensuring appropriate resources and processes are in place and implemented to enable compliance with Data Protection legislation.

6.4 The Chief Operating Officer is responsible for:

  • monitoring the organisation’s compliance with Data Protection legislation, including managing internal data protection activities and conducting internal audits;
  • advising the organisation on its Data Protection obligations;
  • providing advice, guidance, training and tools / methods to assist staff in complying with this policy;
  • advising on, managing and / or handling Data Protection Impact Assessments, data subject complaints, and personal data breaches;
  • publishing and maintaining core Privacy Notices and other organisation-wide data protection documents;
  • acting as the organisation’s point of contact for the Autoriteit Persoonsgegevens with regard to Data Protection legislation;
  • acting as an available point of contact for data subjects;
  • handling Data Subject Access Requests;
  • taking account of Autoriteit Persoonsgegevens guidance and relevant case law.

6.5 The Leadership Team are responsible for:

  • ensuring that all staff within their areas are aware of this policy, and understand the role of data protection principles in their day-to-day working practices through induction, training, and performance monitoring;
  • ensuring that personal data within their areas is processed in line with this policy and associated policies and procedures;
  • supporting internal and external audits to ensure compliance with Data Protection legislation;
  • developing and reviewing information surveys to document information assets containing personal data in their areas, including databases, relevant filing systems, and the purposes of processing, to inform the organisation’s Record of Processing Activities.

6.6 Compliance with Data Protection legislation is the personal responsibility of all members of staff of the organisation who process personal data.

6.7 New members of staff are required to view mandatory GDPR training videos as part of their organisation induction.

6.8 Staff members, as appropriate for their role and in order to enable the organisation to comply with Data Protection legislation, are responsible for:

  • watching the GDPR training videos;
  • ensuring that any personal data they process adheres to this policy and any associated information security policies;
  • ensuring any personal data they process complies with the data protection principles;
  • following relevant advice, guidance and tools / methods provided in relation to data protection;
  • only processing personal data on behalf of the organisation as necessary for their contractual duties and / or other organisation roles and not disclosing it unnecessarily or inappropriately;
  • recognising, reporting internally with immediate effect, and cooperating with any remedial work arising from personal data breaches in accordance with the Data Breach Policy;
  • recognising, reporting internally with immediate effect, and cooperating with the fulfilment of Data Subject Access Requests.

6.9 The organisation may have a duty to disclose personal data to authorised bodies, such as the police and other public authorities, in order to comply with its legal or statutory obligations; Data Protection legislation permits such disclosures in defined circumstances. Any request to disclose personal data for reasons relating to national security, crime or taxation should be directed to operations[@]theleadnetwork.net, who will respond on behalf of the organisation.

6.10 Any breach of this policy may be treated as misconduct under the organisation’s relevant disciplinary procedures and could lead to disciplinary action or sanctions.

Policy Review

7.1 This policy will be updated as necessary to reflect best practice, relevant case law, and to ensure compliance with any changes or amendments to Data Protection legislation.

7.2 This policy was reviewed and approved by the Chief Operating Officer in June 2024. It is next scheduled for review in June 2027, or sooner if there is any significant change in Data Protection legislation.

* The accountability obligations include: implementing appropriate data protection policies; implementing data protection by design and default in projects, procurement and systems; using appropriate contracts with third party Data Controllers and Data Processors; holding relevant records about personal data processing; implementing appropriate technical and organisational security measures to protect personal data; reporting certain personal data breaches to the Autoriteit Persoonsgegevens; conducting Data Protection Impact Assessments where required; and ensuring adequate levels of protection when transferring personal data out of the European Economic Area.

How to contact us

If you have any questions or concerns, please contact our Chief Operating Officer who will be pleased to help you.

Chief Operating Officer

LEAD Network
Keizersgracht 241

1016 EA Amsterdam

operations[@]theleadnetwork.net