Data protection policy
We recognise and respect applicable privacy and data protection laws.
1. Purpose
The British Stammering Association, trading as STAMMA ('STAMMA') recognises and respects applicable privacy and data protection laws.
This GDPR Data Protection Policy (the 'Policy') sets out the minimum requirements to ensure compliance by STAMMA with the UK Data Protection Act 2018 (collectively 'Data Protection Requirements').
2. Scope
This Policy applies to all processing of personal data acquired from employees, volunteers, agents, consultants, contractors, vendors, service providers, donors, and others ('Personal Data').
This Policy must be implemented and followed by all employees, temporary staff, consultants and volunteers of STAMMA when processing Personal Data.
This Policy is supplemented by additional STAMMA policies and guidance dealing with specific aspects of Data Protection Requirements.
Where any employee becomes aware of any laws or regulations that prevent them from complying with this Policy or any breach of this Policy, including any data security breach, they must inform Jane Powell, CEO, immediately upon becoming aware of such laws, regulations or breaches. Questions about this policy, or requests for further information, should be directed to Vidya Bijarnia. Email: data@stamma.org, phone 0208 983 1003 or write to us at STAMMA, Box 140, 43 Bedford Street, London WC2E 9HA.
3. Data Protection Principles
STAMMA has adopted the following principles to govern its processing of Personal Data:
- Personal Data shall be processed fairly and lawfully in compliance with Data Protection Requirements. See Sections 4 and 5 below.
- Personal Data shall be processed only for specified, explicit, lawful, and legitimate purposes, and shall not be further processed in any manner incompatible with those purposes except: (i) with the valid consent of the individual to whom the Personal Data relates (a 'Data Subject'); or (ii) where allowed by Data Protection Requirements.
- Personal Data shall be adequate, relevant and not excessive in relation to the purposes for which the Personal Data are processed.
- Personal Data shall be accurate, complete and kept up to date as appropriate to the purposes for which the Personal Data are processed.
- Personal Data shall not be kept in a form which permits identification of the Data Subject for longer than necessary for the permitted purposes.
- Personal Data shall be collected and processed in accordance with the rights of Data Subjects. See Section 8 of this Policy.
- Appropriate technical and organisational measures shall be taken in relation to Personal Data. See Section 10 of this Policy.
- Personal Data must not be transferred from the EEA/UK to a country outside the EEA/UK unless the country is deemed to provide an adequate level of data protection or unless one of the circumstances described in Section 7 of this Policy applies.
4. Legal Grounds for Processing
Personal Data of Data Subjects must be processed lawfully. In order to do so, the processing must be based on one or more specific legal grounds. The most relevant legal grounds for processing Personal Data include:
- The Data Subject has unambiguously given his or her consent.
- The processing is necessary for the performance of a contract to which the Data Subject is a party (e.g., an employment contract) or in order to take steps at the request of the Data Subject prior to entering into a contract.
- The processing is necessary for STAMMA to comply with an EU/Member State/UK legal obligation that is applicable to STAMMA.
- The processing is necessary for the purposes of the legitimate interests pursued by STAMMA unless such interests are overridden by the rights of the Data Subject. In making such a determination, STAMMA will conduct a legitimate interest assessment.
Where consent is the ground being relied on, this must be a freely given, specific, informed and unambiguous indication of the Data Subject's wishes. The Data Subject must provide an active indication that he or she agrees to the processing of his or her Personal Data. The consent shall be in writing or by other legally permissible means. The Data Subject has the right to withdraw consent at any time and must be informed of this right. For these reasons STAMMA should generally rely where possible on the alternative grounds identified above when processing Personal Data, other than in those limited circumstances where consent is absolutely required (e.g. for direct marketing purposes; see Section 9 below).
Where STAMMA processes special categories of Personal Data (e.g., health data), an additional condition for processing must be satisfied. The processing of special categories of Personal Data will be kept to a minimum and in any event only as strictly necessary.
5. Data Protection Notices
Personal Data of Data Subjects must be processed fairly. In order to do so, a data protection notice setting out the information below must be provided to a Data Subject before processing their Personal Data, or where received from a third party as soon as possible after receiving the Personal Data, unless the Data Subject already has the information.
The data protection notice must be communicated in a clear manner and shall include the following minimum information:
- the identity and contact details of the controller (i.e., the person who determines the purpose and manner in which the Personal Data are processed) and where applicable, its data protection representative and/or data protection officer
- the purposes and legal basis for the processing, including the legitimate interest(s) pursued by the controller if this is the legal basis for processing
- the recipients or categories of recipients of the Personal Data
- the details of any international transfers outside of the EEA/UK and how to obtain a copy of the relevant safeguards
- the retention period for the Personal Data, or where this is not possible the criteria used to determine this period
- the existence of the Data Subject's rights and the right to withdraw consent
- the right to lodge a complaint with the data protection authority ('DPA')
- whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Data and the possible consequences of failure to provide such information
- the existence of automated decision-making (including profiling) and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing.
6. Disclosure of Personal Data to Data Processors and other Third Parties
A data processor processes Personal Data on behalf of and in accordance with instructions from a data controller, for example a vendor hosting Personal Data for STAMMA. Personal Data may not be provided to or accessed by any data processor unless a written data processing agreement has been entered into containing specific data processing provisions. Template data processing provisions that all data processors must agree to comply with can be obtained from data@stamma.org.
To the extent STAMMA discloses Personal Data to third parties who are not acting as data processors (for example, disclosures in response to a request made by the police or a regulator), STAMMA will take reasonable and appropriate steps to maintain the required level of data privacy as provided for in this Policy. data@stamma.org should be consulted prior to making any such disclosure to confirm that any legal requirements have been dealt with.
7. Transfers of Personal Data from the EEA/UK
Personal Data must not be transferred from the EEA/UK to a country which is not considered to provide an adequate level of protection unless an exemption applies, for example:
- The data exporter in the EEA/UK and the data importer outside the EEA/UK have entered into Model Contracts.
- The data importer in the US is self-certified under the US Privacy Shield framework ('Privacy Shield').
8. Data Subject Rights
Data Subjects have certain rights under Data Protection Requirements which may be subject to limitations and/or restrictions. These rights include the right:
- to request access to and rectification or erasure of their Personal Data
- to obtain restriction of processing or to object to processing of their Personal Data
- to withdraw consent to processing of their Personal Data
- to ask for a copy of their Personal Data to be provided to them, or a third party, in a digital format
- not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the Data Subject or significantly affects the Data Subject
- to lodge a complaint about the processing of their Personal Data with a DPA
STAMMA has in place internal guidelines for responding to such requests from Data Subjects.
9. Marketing Activities
Subject to applicable laws and STAMMA's policies and guidance on promotional activities, Personal Data may only be processed to send marketing information to a Data Subject (including any employee) where the requirements of this Policy including in particular Section 5 (data protection notices) are met.
Marketing communications must only be sent to recipients in the EEA/UK where they have previously consented to receive such marketing communications (i.e. via opt-in) or where an exemption can be relied on.
Recipients of marketing communications sent by e-mail must be given the opportunity to object, free of charge, to the use of their electronic contact details, both at the time the contact details are collected and when each message is sent. Processing Personal Data for direct marketing purposes must stop where so requested by the Data Subject.
10. Data Security
Appropriate physical, technical, and organisational measures must be adopted to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, having regard to the cost of implementation, the nature of the data, and the risks to which they are exposed.
Employees who are required as part of their job description to process Personal Data will receive training and guidance on the security of data. However, STAMMA expects all of its employees to be aware of the basic security principles as set out in this Policy and STAMMA's Information Security Policy.
It is the responsibility of all employees to report all personal data breaches, or suspected personal data breaches, relating to loss of, or unauthorised access to or disclosure of Personal Data, as soon as possible to jane.powell@stamma.org.
Where STAMMA considers that a personal data breach is required to be notified to the UK's Information Commissioner's Office ('ICO'), STAMMA will notify the ICO without undue delay and no later than 72 hours after becoming aware of the personal data breach.
STAMMA will notify Data Subjects affected by a personal data breach without undue delay where STAMMA considers that the breach is likely to result in a high risk to the rights and freedoms of the Data Subjects, unless:
- appropriate technical and organisational protection measures have been implemented with regard to the Personal Data affected by the breach;
- STAMMA has taken subsequent measures which ensure that the high risk to the Data Subjects is no longer likely to materialise; or
- notification would involve a disproportionate effort. In such a case, Data Subjects will be informed in an equally effective manner.
11. Implementation
This Policy shall be made available to employees through training and other means of notification as STAMMA may deem appropriate.
This Policy may be revised at any time. Notice of significant revisions shall be provided to employees through appropriate mechanisms.
12. Questions and Complaints
Any queries or complaints in relation to this Policy, the application of the Data Protection Requirements or the processing of Personal Data may be addressed to data@stamma.org.