Data Protection Policy

1. Policy Statement

National Blue Badge acquires, maintains, and processes personal information about customers, employees, and other relevant stakeholders. As such, it is bound by legal duties under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

National Blue Badge sees the lawful and correct treatment of personal data as crucial to its service delivery and the trust it fosters with stakeholders.


2. Introduction

The UK GDPR (Article 5) sets out six principles for handling personal data, together with an overarching accountability principle that requires the controller to be able to demonstrate its compliance with them. Compliance is enforced by the Information Commissioner’s Office (ICO):

  • Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and transparently.
  • Purpose Limitation: Data must be collected for specific, legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Data Minimisation: Data collected should be adequate, relevant, and limited to what is necessary.
  • Accuracy: Data must be kept accurate and up to date.
  • Storage Limitation: Data should be retained only as long as necessary for processing purposes.
  • Integrity and Confidentiality: Personal data must be processed in a manner that ensures appropriate security.

This policy applies to all personal data processed by National Blue Badge, covering both physical and electronic records.


3. Definitions and Terms

  • Personal Data: Information relating to a living individual who can be identified, directly or indirectly.
  • Special Category Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, together with genetic data, biometric data used to uniquely identify a person, and data concerning health, sex life, or sexual orientation. Processing this data requires an additional condition under Article 9 UK GDPR as well as a lawful basis.
  • Data Controller: The entity that determines the purposes and means of processing personal data.
  • Data Processor: The entity that processes personal data on behalf of the controller.
  • Processing: Any operation performed on personal data, such as collection, storage, alteration, retrieval, or deletion.
  • Data Subject: The individual to whom personal data relates.

4. Subject Access Requests

Data subjects have the right to access their personal data by making a Subject Access Request (SAR). A valid request can be made in any form, verbally or in writing, but National Blue Badge encourages individuals to submit requests in writing so that the scope of the request is clear. National Blue Badge will use reasonable and proportionate means to verify the identity of the person making the request, and will respond within one month of receipt. This period may be extended by up to two further months where a request is complex or an individual has made a number of requests; the individual will be told within the first month that an extension applies and why.


5. Compliance with the Principles of Data Protection

National Blue Badge ensures compliance with data protection laws by:

  • Collecting only necessary data for specified purposes and using it only for those purposes.
  • Ensuring data is accurate, up to date, and retained only as long as necessary.
  • Implementing adequate security measures to protect personal data from unauthorised access or loss.
  • Providing data protection training to all employees.
  • Maintaining written contracts with external data processors that contain the terms required by Article 28 UK GDPR.
  • Keeping records, such as the Record of Processing Activities and completed DPIAs, that allow it to demonstrate compliance in line with the accountability principle.

6. Data Protection Officer (DPO)

Under the UK GDPR, National Blue Badge is required to appoint a Data Protection Officer (DPO). The DPO is responsible for advising the organisation on its data protection obligations, monitoring compliance, and being the point of contact for the ICO and data subjects.

The DPO for National Blue Badge is:

Name: Jamie Dotcom
Email: [email protected]
Phone: 0113 887 0420
Address: PO Box 451, Leeds, LS14 9NG

7. Breach Reporting

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data. Employees are required to notify the DPO of any actual or suspected personal data breach without undue delay. The DPO will lead an internal investigation to establish the nature and severity of the breach. Where the breach is likely to result in a risk to individuals’ rights and freedoms, National Blue Badge must notify the ICO without undue delay and, where feasible, no later than 72 hours after becoming aware of it; if notification is made after 72 hours, the reasons for the delay must be given. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay. All breaches, whether or not they are reported to the ICO, are recorded together with their effects and the remedial action taken.


8. Data Protection Impact Assessments (DPIAs)

National Blue Badge will conduct Data Protection Impact Assessments (DPIAs) for any processing activities that are likely to pose a high risk to individuals’ rights and freedoms. Employees must consult the DPO or Information Governance Service before initiating new high-risk data processing activities to determine whether a DPIA is necessary. Where a DPIA shows that the processing would result in a high risk that cannot be adequately mitigated, National Blue Badge will consult the ICO before the processing begins.


9. Record of Processing Activity (ROPA)

National Blue Badge maintains a Record of Processing Activities (ROPA) of its personal data processing operations, as required by Article 30 UK GDPR. The record is not limited to high-risk processing: the Article 30 exemption for smaller organisations does not apply to processing that is not occasional, that is likely to result in a risk to individuals, or that involves special category data. Any new processing activity must be logged with the DPO, who will ensure that the ROPA is updated accordingly.


10. Individual Rights

Data subjects have several rights under the UK GDPR, including:

  • Right to be informed about how their data is being used.
  • Right of access to their personal data.
  • Right to rectification of inaccurate data.
  • Right to erasure (in some circumstances).
  • Right to restrict processing, right to data portability, and right to object to processing.
  • Rights regarding automated decision-making and profiling.

National Blue Badge is committed to respecting these rights and has established procedures for handling such requests.


11. Data Security and Retention

National Blue Badge has implemented strict security protocols to protect personal data, including encryption, access control, and regular audits. The Retention Schedule outlines how long different types of data are kept before being securely destroyed or anonymised.


12. Training and Awareness

All employees, contractors, and volunteers at National Blue Badge receive data protection training during induction and on a regular basis thereafter to ensure ongoing compliance with the UK GDPR and the DPA 2018.