The GDPR, the General Data Protection Regulation, has been in operation since May 2017 and enforceable from 25th May 2018. It's a Regulation by which the European Commission strengthened data protection for individuals within the European Union (EU). During the transition period, as the United Kingdom leaves the EU, this legislation still applies. After December 31, 2020 it will be incorporated into the Data Protection Act 2018 (DPA 2018). Its obligations include minimised collection of personal data, deletion of personal data that is no longer necessary, to restrict access, and to secure data through its entire lifecycle. Consequently, the legislation affects the way the Charity contacts its members and stores personal information about its membership. The equivalent to GDPR in Zambia is covered in sections of the Electronic Communications and Transactions Act (ECTA) 2002.

Exilda’s Angels will comply with the personal data requirements of GDPR and ECTA, and will request trustees, donors, supporters, contributors, beneficiaries and other key contacts to consent to their data being held in accordance with these policies.

Definitions

 

1. Data protection principles

The Charity is committed to processing data in accordance with its responsibilities under the GDPR and ECTA as detailed in Appendices 1 and 2.

2. General provisions

a. This policy applies to all personal data processed by the Charity.

b. The Responsible Person shall take responsibility for the Charity’s ongoing compliance with this policy.

c. This policy shall be reviewed at least annually.

3. Lawful, fair and transparent processing

a. To ensure its processing of data is lawful, fair and transparent, the Charity shall maintain a Register of Systems.

b. The Register of Systems shall be reviewed at least annually.

c. Individuals have the right to access their personal data and any such requests made to the charity’s Data Protection Officer (dpo@exildasangels.org) shall be dealt with in a timely manner.

4. Lawful purposes

a. All data processed by the charity must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests

b. The Charity shall note the appropriate lawful basis in the Register of Systems.

c. Where consent is relied upon as a lawful basis for processing data, evidence of opt-in  consent shall be kept with the personal data.

d. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the Charity’s systems.  

5. Data minimisation

a. The Charity shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

6. Accuracy

a. The Charity shall take reasonable steps to ensure personal data is accurate.

b. Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.

7. Archiving / removal

a. To ensure that personal data is kept for no longer than necessary, the Charity shall put in place an archiving policy for each area in which personal data is processed and review this process annually.

b. The archiving policy shall consider what data should/must be retained, for how long, and why.

8. Security

a. The Charity shall ensure that personal data is stored securely using modern software that is kept-up-to-date.  

b. Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.

c. When personal data is deleted this should be done safely such that the data is irrecoverable.

d. Appropriate back-up and disaster recovery solutions shall be in place.

9. Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Charity shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO (Information Commissioner’s Office) in the UK and equivalent in Zambia.

Appendix 1 UK and EC Legislation: General Data Protection Regulations

Article 5 of the GDPR requires that personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to individuals;

b. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Appendix 2 Zambia Legislation: Electronic Communications and Transactions Act (ECTA) 2002

CHAPTER VIII (Section 51) of ECTA provides similar protections with Personal Information  defined in Chapter I.

(1)A data controller must have the express written permission of the data subject for the collection, collation, processing or disclosure of any personal information on that data subject unless he or she is permitted or required to do so by law,

(2)A data controller may not electronically request, collect, collate, process or store personal information on a data subject which is not necessary for the lawful purpose for which the personal information is required.

(3)The data controller must disclose in writing to the data subject the specific purpose for which any personal information is being requested, collected, collated, processed or stored.

(4)The data controller may not use the personal information for any other purpose than the disclosed purpose without the express written permission of the data subject, unless he or she is permitted or required to do so by law.

(5)The data controller must, for as long as the personal information is used and for a period of at least one year thereafter, keep a record of the personal information and the specific purpose for which the personal information was collected.

(6)A data controller may not disclose any of the personal information held by it to a third party, unless required or permitted by law or specifically authorised to do so in writing by the data subject.

(7)The data controller must, for as long as the personal information is used and for a period of at least one year thereafter, keep a record of any third party to whom the personal information was disclosed and of the date on which and the purpose for which it was disclosed.

(8)The data controller must delete or destroy all personal information which has become obsolete.

(9)A party controlling personal information may use that personal information to compile profiles for statistical purposes and may freely trade with such profiles and statistical data, as long as the profiles or statistical data cannot be linked to any specific data subject by a third party.

Exilda’s Angels Trustees

October 29, 2020

Data Protection Policy and Privacy Statement

The Story History

Chita Village Primary School School Growth Phase 1a Extension Chita Village Secondary School

Funding the Primary School Buiding the Primary School Opening the Primary School Links with the Primary School

Motorcycle Challenge Marathons Knit & Natter

Report on School Opening

Letters of Thanks Visits Knit & Natter Dresses

Alan Shand 2018 Alan Shand 2022

Mud Brick Buildings

Phase 1a Financials

Data Protection Policy and Privacy Statement Anti-Bribery and Corruption Policy