Establishment Stage

Data Protection Policy

International Syrian Association for Education Development

This policy covers all of the Association’s activities and processes that deal with personal information in print or electronic format.

Data Protection Policy

1. Purpose & Scope

1.1 This policy covers all the Syrian Association activities and processes in which personal data is used, whether in electronic or hard copy form.

1.2 This policy applies to all members of the Syrian Association including staff, students and others acting for, or on behalf of, the Association or who are otherwise given access to the Association’s information infrastructure.

1.3 This policy takes precedence over any other Syrian Association policy on matters relating to data protection.

2. Definitions

2.1 The following terms are defined in data protection legislation:

• Personal data – any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier (e.g. name, identification number, location data or online identifier).

• Special category personal data – the following types of personal data (specified in data protection legislation) which are particularly sensitive and private in nature, and therefore more likely to cause distress and damage if compromised:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Health related conditions (physical or mental health)
  • Sex life and sexual orientation
  • Commission or alleged commission of any criminal offence
  • Genetic data
  • Biometric data, where processed to uniquely identify an individual

• Data subject – the individual to whom the personal data relates

• Data controller – determines the purposes and means of processing personal data

• Data processor – responsible for processing personal data on behalf of a controller

• Data breach – a security incident that affects the confidentiality, integrity or availability of personal data. A data breach occurs whenever any personal data is:

  • lost;
  • corrupted;
  • unintentionally destroyed or disclosed;
  • accessed or passed on without proper authorisation; or
  • made unavailable, where this unavailability has a significant negative effect on the data subjects.

3. Policy

3.1 The International Syrian Association for Education Development (“the Syrian Association”) is committed to complying with the General Data Protection Regulation (GDPR) and any legislation enacted in the UK in respect of the protection of personal data (together “data protection legislation”).

3.2 To do this, the Syrian Association will:

a) Only use personal data where strictly necessary, and will rely on an appropriate lawful basis for processing personal data

b) Inform data subjects of the lawful basis and explain the purpose and manner of the processing in the form of privacy notices and other similar methods

c) Keep personal data secure and manage incidents effectively when things go wrong

d) Observe the rights of individuals under data protection legislation

e) Ensure staff are trained appropriately in managing personal data

f) Ensure that records containing personal data are managed effectively

g) Only share personal data with third parties where adequate standards of data protection can be guaranteed and, where necessary, contractual arrangements are put in place

h) Implement comprehensive and proportionate governance measures to demonstrate compliance with data protection legislation principles

3.3 Further details on the meaning of these points, and the steps the Syrian Association must take to comply with them, are contained in the Data Protection Procedure.

4. Roles and responsibilities

4.1 Every individual who works or volunteers for, or on behalf of, the Syrian Association and who will have access to personal information must ensure that they have completed the Syrian Association’s mandatory online GDPR training course within the last two years. Individuals must also ensure any personal data they handle is processed in accordance with this policy and the data protection legislation principles (see Data Protection Procedure).

4.2 The Senior Management Team (Managing Director, HR, Media, IT, & Programmes Managers) is responsible for approving this policy and ensuring that the Syrian Association meets its data protection legislation obligations.

4.3 The Data Protection Officer (Managing Director) is responsible for:

• Informing and advising the Syrian Association of its data protection obligations

• Monitoring compliance

• Awareness-raising and training of staff involved with processing operations

• Undertaking internal audits of data protection

• Providing advice on data protection impact assessments

• Cooperating with the Information Commissioner and acting as the contact point for any issues relating to processing

4.4 Heads of Services, Projects, Departments and Divisions whose staff and volunteers will have access to personal information are responsible for ensuring awareness of, and compliance with, this policy in their respective areas. In particular, they are responsible for ensuring their staff members have completed the Syrian Association’s mandatory online GDPR training within the last two years.

4.5 The IT Security Team is responsible for managing information security across the Syrian Association. The purpose of the Team is to review the information security landscape (both digital and physical), assess the Syrian Association’s performance and readiness, and ensure risk reduction, remediation and response.

DATA PROTECTION PROCEDURE

SECTION 1: Implementing the Data Protection Policy

1. The Syrian Association will only use personal data where strictly necessary, and will rely on an appropriate lawful basis for processing personal data

1.1 As an organisation that supports students, the Syrian Association collects personal data when registering students in new projects, employing staff and providing services to students. The Syrian Association will only collect and use personal data where strictly necessary.

1.2 The Syrian Association must have a valid lawful basis to process personal data. The Syrian Association will satisfy at least one of the six available lawful bases (see Section 2), contained in data protection legislation, before processing any personal data.

1.3 Consent to process data will only be relied upon as the lawful basis when individuals have a real choice and control over the processing. Requests for consent will be prominent and separate from other terms and conditions. Consent will be based on a positive opt-in; pre-ticked boxes and other opt-out methods of consent will not be used. Explicit consent (one of the conditions available for processing special category personal data) will be based on a clear and specific statement of consent. Individuals will be given the ability to withdraw their consent at any time.

1.4 If the Syrian Association offers online services directly to children, it will only seek consent if it has age-verification measures (and parental-consent measures for children under 13) in place.

1.5 The Syrian Association will keep a record of when and how it obtained consent from individuals, and what they were told at the time.

1.6 When the Syrian Association processes special category personal data, it will also identify a condition contained in data protection legislation for processing such data (see Section 2).

2. The Syrian Association will inform people of the lawful basis and explain the purpose and manner of the processing in the form of privacy notices and other similar methods

2.1 The Syrian Association will, at the time the data is obtained, provide information to individuals about why their personal data is needed, the lawful basis for the processing and how it will be used, typically through a privacy notice.

2.2 Privacy notices will be:

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child; and
  • free of charge.

2.3 Individuals will be informed at the point of collection when there is an intention to use their personal data for marketing or other additional purposes and will be asked to provide their consent by actively opting in.

2.4 The Syrian Association will not carry out automated decision-making or automated processing (including profiling) when a decision has a legal or similarly significant effect on an individual unless:

  • a data subject has explicitly consented;
  • the processing is authorised by law (this ground cannot be used for special category personal data); or
  • the processing is necessary for the performance of, or entering into, a contract (this ground cannot be used for special category personal data).

2.5 If a decision is to be based solely on automated processing (including profiling), then data subjects must be informed of their right to object when the Syrian Association first communicates with them. This right must be explicitly brought to their attention and presented clearly and separately from other information. Further, suitable measures must be put in place to safeguard the data subject’s rights, freedoms and legitimate interests.

2.6 The Syrian Association must also inform the data subject of the logic involved in the decision-making or profiling and of its significance and envisaged consequences, and give the data subject the right to request human intervention, express their point of view or challenge the decision. In accordance with paragraphs 8.6 and 8.7, a data protection impact assessment must be carried out before any automated processing (including profiling) or automated decision-making activities are undertaken.

3. The Syrian Association will keep personal data secure and manage incidents effectively when things go wrong

3.1 The Syrian Association will process personal data in a manner that ensures its security. Appropriate technical (e.g. encryption, access control) or organisational (e.g. policies and procedures, training) measures will be used to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.

3.2 The Syrian Association will maintain an Information Security Policy and an associated framework of technical support and guidance. Physical and technical security breaches, including data breaches, will be monitored and subject to routine reports and action by the Security Review Group.

3.3 Where it is lawful to do so, the Syrian Association may access user accounts and intercept communications on its systems for legitimate purposes (e.g. to investigate suspected misuse), under the terms specified in the Syrian Association’s IT policies.

3.4 The Syrian Association will follow a data breach management procedure for addressing data breaches. All suspected and actual data breaches will be reported to Data.Protection@Association-sy.org as soon as possible.

3.5 The Syrian Association will, where feasible, notify the Information Commissioner of a data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of any individuals. It will also notify affected individuals about a breach without undue delay when it is likely to result in a high risk to their rights and freedoms. The risk level of a breach will be determined using the severity assessment tool in the breach management procedure.

3.6 A termly report of any serious data breaches will be made to the Management Committee.

4. The Syrian Association will observe the rights of individuals

4.1 The rights of data subjects under data protection legislation will be respected and supported. Individuals have several rights under data protection legislation, including the right to have their personal data rectified, erased and restricted; the right to move, copy or transfer their personal data in electronic form; the right to object to processing; and rights relating to automated decision-making and profiling.

4.2 The right of access to personal data gives individuals the right to access their personal data and supplementary information and to be made aware of, and verify, the lawfulness of the processing. The Syrian Association will respond without delay and no later than one month after receipt of the request, subject to ID verification and any applicable exemptions. All access requests will be dealt with in accordance with the Syrian Association’s published procedure.

5. The Syrian Association will ensure staff are trained appropriately and advised on managing personal data

5.1 The Data Protection Officer is responsible for ensuring compliance with data protection legislation by providing advice, guidance and training to the Syrian Association.

5.2 All staff and volunteers whose work requires access to data must complete the Syrian Association’s mandatory online data protection training course within one month from the date of commencing employment and thereafter every two years.

5.3 Completion rates will be monitored by the Data Protection Officer and reported to senior managers at regular intervals. Failure to complete the mandatory training, in accordance with paragraph 5.2, will constitute a breach of this procedure and the Data Protection Policy and may result in disciplinary action.

5.4 The data protection pages of the staff and volunteers intranet (Workplace) will feature guidance and practical information for staff and volunteers around data protection.

5.5 The data protection pages of the Syrian Association’s website will feature the Data Protection Policy and procedures relating to implementation of the policy.

5.6 Staff and data subjects can contact the Data Protection Officer and the Information Compliance team by email on (data.protection@association-sy.org) with any data protection queries.

5.7 Face-to-face, tailored training sessions are available from the Data Protection Officer and the Information Compliance team, on request and subject to availability.

5.8 Every person who needs to collect personal information (through online forms, surveys, Google Forms) should liaise with the Data Protection Officer first.

5.9 The Data Protection Officer will have “owner” access to the form and will grant or remove access for all stakeholders. No one other than the Data Protection Officer may give access to personal data.

5.10 Under no circumstances should personal data be downloaded to personal equipment (personal laptops, phones, etc.). If it is absolutely necessary to do so, the person must first obtain the approval of the Data Protection Officer and must delete the personal data completely once processing is finished.

5.11 All access for a person whose role no longer requires access to personal data (whether because of a change of role or resignation) must be stopped immediately, and the person must hand over or delete any personal data he or she holds when moving role or resigning.
                                                                       

6. The Syrian Association will ensure that records containing personal data are managed effectively

6.1 The Syrian Association will seek to maintain standards of data quality and avoid duplication, inaccuracies and inconsistencies across personal data sets by utilising master data management principles wherever possible. Master data management is the practice of defining and maintaining consistent definitions of widely used business critical data (or master data sets), then making these definitions available to be used in multiple IT systems across an organisation. Master data is likely to come from the central student, HR and finance systems; for example, student addresses and qualifications.

6.2 The Syrian Association will implement a data steward and data custodian framework to enable clear lines of data ownership and accountability.

6.3 The Syrian Association’s records management policy and records retention schedule will be followed to help avoid excessive retention or premature destruction of personal data.

7. The Syrian Association will only share personal data with third parties where adequate standards of data protection can be guaranteed and, where necessary, contractual arrangements are put in place

7.1 Whenever the Syrian Association uses a data processor, it must have a written contract in place so that both parties understand their responsibilities and liabilities.

7.2 The Syrian Association will use its own data protection legislation-compliant standard contract clauses whenever possible to ensure its contracts are consistent and compliant. Any substantial deviation from these clauses must first be checked with the Data Protection Officer.

7.3 The Syrian Association is liable for its compliance with data protection legislation and will only appoint data processors who can provide sufficient guarantees that the requirements of data protection legislation will be met, and the rights of data subjects protected.

7.4 The Syrian Association will not transfer personal data to countries outside the European Economic Area unless:

  • the European Commission has issued a decision confirming that the country ensures an adequate level of protection for the data subjects’ rights and freedoms;
  • appropriate safeguards are in place, such as standard contractual clauses approved by the European Commission or an approved certification mechanism (e.g. the EU-US Privacy Shield Framework);
  • the data subject has provided explicit consent to the proposed transfer after being informed of any potential risks; or
  • the transfer is necessary for one of the other reasons set out in the GDPR, including the performance of a contract between the Syrian Association and the data subject, reasons of public interest, to establish, exercise or defend legal claims, or to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent and, in some limited cases, for the Syrian Association’s legitimate interests. For further guidance, see the GDPR guidance page.

7.5 Third parties (such as law enforcement bodies) may ask the Syrian Association to disclose information relating to an individual for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Such requests should be made formally in writing (law enforcement bodies should submit their ‘data protection request’ form). The request should then be considered against the Syrian Association’s obligations under the data protection legislation, using a data protection impact assessment where appropriate (see paragraphs 8.6 and 8.7).

7.6 In urgent and emergency situations, the steps in paragraph 7.5 may be bypassed if it is deemed necessary and proportionate to do so. This judgement should be based on the risks of not sharing the data, keeping in mind that data protection legislation does not prevent the sharing of data in situations where there is a danger to the health of a person.

8. The Syrian Association will implement comprehensive but proportionate governance measures to demonstrate compliance with data protection legislation principles

8.1 A termly report on data protection compliance will be made to the Syrian Association’s Management Committee.

8.2 The Syrian Association has appointed a Data Protection Officer to inform and advise the Syrian Association about its obligations to comply with data protection legislation, to monitor compliance, and to be the first point of contact for the Information Commissioner and for individuals whose data is processed.

8.3 The Data Protection Officer will operate independently and report to the highest management level of the Syrian Association.

8.4 The Syrian Association will maintain a written record of its processing activities, which will be made available to the Information Commissioner on request. Records will be updated annually to reflect the Syrian Association’s current processing activities.

8.5 The Syrian Association will implement measures that meet the principles of data protection by design (designing projects, processes, products or systems with privacy in mind at the outset) and data protection by default. Measures could include:

  • Data minimisation
  • Pseudonymisation
  • Transparency
  • Allowing individuals to monitor processing
  • Creating and improving security features on an ongoing basis

8.6 The Syrian Association will use data protection impact assessments to help identify and reduce the data protection risks of its projects and meet individuals’ expectations of privacy.

8.7 The Syrian Association will carry out data protection impact assessments when using new technologies and/or when the processing is likely to result in a high risk to the rights and freedoms of individuals. This may include (but is not limited to) systematic and extensive processing activities, and large-scale processing of special category personal data.

SECTION 2: Lawful bases for processing personal data and conditions for processing special category personal data

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever the Syrian Association processes personal data:

(a) Consent: The data subject has given clear consent to the processing of his/her personal data for a specific purpose.

(b) Contract: The processing is necessary for a contract made with the data subject, or because he/she has asked for specific steps to be taken before entering into a contract.

(c) Legal obligation: The processing is necessary to comply with the law (not including contractual obligations).

(d) Vital interests: The processing is necessary to protect someone’s life.

(e) Public task: The processing is necessary to perform a task in the public interest or for official functions, when the task or function has a clear basis in law.

(f) Legitimate interests: The processing is necessary for the Syrian Association’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if the Syrian Association is processing data that falls under (e).)

For guidance on each lawful basis, see the GDPR guidance page.

In order to lawfully process special category personal data, the Syrian Association must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9:

  • The data subject has given explicit consent to the processing.
  • Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.
  • Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
  • Processing relates to personal data manifestly made public by the data subject.
  • Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
  • Processing is necessary for reasons of substantial public interest.
  • Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.
  • Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Note: this is an edited list of the Article 9 conditions; further conditions and required safeguards are contained in the final provisions of data protection legislation.

For guidance on processing special category personal data, see the GDPR guidance page.

SECTION 3: Data protection legislation principles

Under the GDPR, the data protection principles set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:

“a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Article 5(2) requires that: “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

For guidance on each principle, see the GDPR guidance page.

Data Protection Policy & Procedure Key points

Before collecting data

  1. Every person whose role involves dealing with personal data should sign that he/she has understood this policy and will abide by it.
  2. Every person whose role involves dealing with personal data should have completed the Syrian Association’s mandatory online GDPR training course within the last two years.

When collecting data

  1. Every person who needs to collect personal information (through online forms, surveys, Google Forms) should liaise with the Data Protection Officer first.
  2. The Data Protection Officer will have “owner” access to the form and will grant or remove access for all stakeholders. No one other than the Data Protection Officer may give access to personal data.
  3. At the time the data is obtained, the Syrian Association will provide information to individuals about why their personal data is needed, the lawful basis for the processing and how it will be used, typically through a privacy notice.
  4. When the Syrian Association collects personal data, the requests for consent should be prominent and separate from other terms and conditions.
  5. Individuals will be informed at the point of collection when there is an intention to use their personal data for marketing or other additional purposes and will be asked to provide their consent by actively opting in.

Managing Data

  1. The Syrian Association will keep a record of when and how it obtained consent from individuals, and what they were told at the time.
  2. In case of a breach of data protection, the person who discovered the breach should report it immediately, without hesitation, to the Data Protection Officer on Data.Protection@Association-sy.org.
  3. If anyone asks to access, delete or amend his/her personal data, the request should be forwarded immediately to the Data Protection Officer on Data.Protection@Association-sy.org.
  4. Under no circumstances may personal data be shared with any third party before the approval of the Data Protection Officer, Senior Management and the Managing Director.
  5. Under no circumstances should personal data be downloaded to personal equipment (personal laptops, phones, etc.). If it is absolutely necessary to do so, the person must first obtain the approval of the Data Protection Officer and must delete the personal data completely once processing is finished.
  6. All access for a person whose role no longer requires access to personal data (whether because of a change of role or resignation) must be stopped immediately, and the person must hand over or delete any personal data he or she holds when moving role or resigning.