Introduction and Overview



The FBU takes the security and privacy of personal data seriously. The FBU will process data in accordance with the data protection principles.



All members, officers, staff, contractors and volunteers will comply with this policy and help the FBU put this policy into practice.



  1. Data Protection Principles



  1. Personal data must:
  • be processed fairly, lawfully and transparently;
  • be collected and processed only for specified, explicit and legitimate purposes;
  • be adequate, relevant and limited to what is necessary for the purposes for which it is processed;
  • be accurate and kept up to date. Any inaccurate data must be deleted or rectified without delay;
  • not be kept for longer than is necessary for the purposes for which it is processed; and
  • be processed securely.




Personal data



  1. This refers to information which relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information which is likely to come into our possession. It does not include anonymised data.



  1. This policy applies to all personal data whether it is stored electronically, on paper or on other materials.



  1. Data processing



  1. This refers to any operation which is performed on personal data such as:
    • collection, recording, organisation, structuring or storage;
    • adaption or alteration;
    • retrieval, consultation or use;
    • disclosure by transmission, dissemination or otherwise making available;
    • alignment or combination; and
    • access, destruction or erasure.

This includes processing personal data which forms part of a filing system and any automated processing.



  1. Security and Confidentiality



Everyone to whom this policy applies has some responsibility for ensuring data is collected, stored and handled lawfully and in accordance with this policy.


  1. The FBU’s Data Protection Officer (DPO) is Tam McFarlane, National Officer.  The DPO is responsible for reviewing this policy and updating the National Officer (Staffing) on the FBU’s data protection responsibilities and any risks in relation to the processing of data.  You should direct any questions in relation to this policy or data protection to the DPO.



You should only access personal data covered by this policy if you need it for the work you do for, or on behalf of, the FBU and only if you are authorised to do so. You should only use the data for the specified lawful purpose for which it was obtained.



  1. You should not share personal data informally.



You should keep personal data secure and not share it with unauthorised people.



You should regularly review and update personal data which you have to deal with for work.  This includes telling us if your own contact details change.



  1. You should not make unnecessary copies of personal data and should keep and dispose of any copies securely.



  1. You should use strong passwords and lock your device when not at your desk or you are away from your device.  Devices include personal computers, laptops, tablets, mobile phones or any other device used for data.



Personal data should be encrypted before being transferred electronically to authorised external contacts. [Speak to IT for more information on how to do this.]  Consider anonymising data or using separate codes so that the data subject cannot be identified.



Do not save personal data to your own personal computers or other devices.



Personal data should never be transferred outside the European Economic Area except in compliance with the law and authorisation of the DPO.



  1. You should lock drawers and filing cabinets if they contain personal data. Do not leave paper with personal data lying about.



You should not take personal data away from FBU premises without authorisation from your line manager or DPO.



  1. Personal data should be shredded and disposed of securely when you have finished with it in accordance with our retention policy.



  1. You should ask for help from our DPO if you are unsure about data protection or if you notice any areas of data protection or security we can improve upon.



Any deliberate or negligent breach of this policy by you may result in disciplinary action being taken against you in accordance with our disciplinary procedure.



It is a criminal offence to conceal or destroy personal data which is part of a subject access request (see below). This conduct would also amount to gross misconduct under our disciplinary procedure, which could result in your dismissal.



  1. Data Breaches



  1. You must notify the DPO immediately you become aware of any data breach and, if you are a member of staff, notify your line manager.  The DPO will investigate the breach and may delegate the investigation.  You should co-operate with any investigating.   Should a breach of personal data occur (whether in respect of you or someone else) you must take notes and keep evidence of that breach. If the breach is likely to result in a risk to the rights and freedoms of individuals the DPO must also notify the Information Commissioner’s Office within 72 hours of anyone in the FBU becoming aware of the breach.  You must help her comply with that obligation.  If we fail to report the breach within 72 hours the ICO could fine the FBU.



We will do all we can to avoid data breaches.  When they happen we will do what we can to avoid any damage to the individual.  We will also review our practices and procedures to avoid such breaches in the future.



  1. Subject access requests



Data subjects can make a ‘subject access request’ (‘SAR’) to find out the information we hold about them. This request must be made in writing.  If you receive such a request you should forward it immediately to the DPO who will coordinate a response.  We have to respond within a month.



  1. Retention policy


  1. We will only keep data for as long as necessary and in accordance with our retention policy – for a copy of our retention policy please email [email protected].