This policy constitutes the Institute's position on the use of personal information in fulfilling its obligations to the public.

Introduction

This website is hosted by the Institute for European Intelligence and Security. Representatives of the Institute may be reached via the contact page.

The Institute needs to gather and use certain information about individuals in order to function. This can include contact details, security, medical, financial and other personal information. This policy describes the Institutes position on how this information must be collected, handled and stored.

This policy ensures that the Institute:

• Complies with data protection law and follows good practice.
• Protects the rights of individuals.
• Stores and processes data in a transparent way.
• Protects itself from the risks of data breach.

This policy applies to:

• All staff and directors.
• All volunteers and registrants.
• All customers and other recipients of Institute services.
• All contractors, suppliers and others working on behalf of the Institute.

The policy applies to all data that the Institute holds relating to identifiable individuals. This can include any information relating to individuals including but not limited to:

• Sensitive information: Information which may be harmful to the data subject if inappropriately disclosed such as medical conditions, political or religions opinions, criminal convictions (inc. alleged offences), lifestyle profiles, financial stability, opinions/analysis etc.
• Personal information: Information that is privately held or permanently linked to an individual such as full names, education, training, home postal addresses, personal e-mail addresses, home telephone numbers, etc.
• Non-personal information: Information that is publicly available or not permanently linked to an individual such as work addresses, office telephone numbers/extensions, professional e-mail addresses, etc.

This policy helps to protect the Institute from data security risks, including:

• Breaches of confidentiality.
• Legal damages.
• Reputational damage.

Policy Statement

Information provided to the Institute shall be treated in full accordance with the EU regulations and standards.

Personal data will:

• Be processed fairly and lawfully.
• Be obtained only for a specific and lawful purpose.
• Be adequate, relevant and not excessive.
• Be accurate and kept up to date.
• Not be held longer than is necessary.
• Processed in accordance with the rights of data subjects.
• Protected proportionately.
• Not be transferred outside of the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection.

Everyone who works for or with the Institute has some responsibility for ensuring data is collected, stored and handled in line with this policy and data protection principles. However, these roles have key areas of responsibility:

• The central committee is ultimately responsible for ensuring that the Institute meets its legal obligations.
• The data controller is responsible for:
  • Keeping the central committee updated about data protection responsibilities, risks and issues.
  • Conducting an annual review of all data protection procedures and related policies.
  • Arranging data protection training and advice for those covered by this policy.
  • Handling data protection questions from those covered by this policy.
  • Dealing with requests to view, correct or delete data the Institute holds about them.
  • Checking and approving any contracts or agreements with third parties that may handle the Institute's data.
  • Ensuring all systems, services and equipment used for storing data meets acceptable security standards.
  • Performing regular checks and scans to ensure security hardware and software is functioning properly.
  • Evaluating third-party services the Institute is considering using to store or process data.
  • Approving any data protection statements attached to communications.
  • Addressing data protection queries from journalists or media outlets.
  • Working with others to ensure any marketing activities abide by data protection principles.

All those covered by this policy are required to follow general protection guidelines for personal data:

• Only those with a need to know should be able to access personal data.
• Personal information should be formally requested and access authorised.
• Access will not be granted to personal data until data protection training has been received.
• Personal data must be kept secure.
• Computers should be locked when unattended.
• Strong passwords must be used, regularly changed and never shared.
• Anyone possessing personal data is obligated to protect against unauthorised disclosure.
• Personal data should be regularly reviewed and updated. If it is out of date or no longer required it should be safely disposed of in a manner that would prevent recovery.
• Whenever possible personal data should be stored using pseudonymisation or anonymisation.
• If unsure about any aspect of data protection request assistance from the data controller.

These guidelines describe how and where personal data should be safely stored. Further questions about storing data can be directed to the data controller:

• All data should be stored securely in a compartmentalised fashion so as to prevent inadvertent unauthorised disclosure.
• Physical files should not be left unattended but locked in a drawer or filing cabinet when not in use.
• Physical files should be shredded when no longer required.
• Electronic files should be protected from unauthorised access, accidental deletion and malicious hacking attempts.
• If electronic files are stored on removable media, these should be locked away securely when not in use.
• Electronic files should only be stored on designated drives and servers and not uploaded to cloud services.
• Servers containing personal data should not be co-located in general office space.
• Electronic data should be backed up incrementally and backups should be tested annually.
• Electronic data should never be saved directly to mobile devices.
• All servers and computers containing personal data should be protected by approved security software.

Personal data is at the greatest risk of loss, corruption or theft at the point of access. Therefore, personal data should:

• Be securely communicated.
• Be encrypted before being transferred electronically.
• Never be saved to private computers.
• Always be accessed centrally.

The law requires that the Institute take reasonable and proportional steps to ensure data is accurate and up to date:

• Data must only be held in as many places as is necessary. Unnecessary duplicates must not be created.
• Every opportunity should be taken to verify and validate data.
• The Institute must, where possible, enable others to update their own information.
• Data should be updated as inaccuracies are discovered.

All individuals who are the subject of personal data held by the Institute are entitled to:

• Ask what information the Institute holds about them and why.
• Ash how to gain access to it.
• Be informed how to keep it up to date.
• Be informed how the Institute is meeting its data protection obligations.

Requests for subject information should be made by e-mail, addressed to the data controller at the link below. The data controller can supply standard request forms but individuals do not have to use these.

Once a request for personal data is made by a data subject the data controller must provide the relevant data within 1 month.

Prior to releasing subject information individuals may be required to pay an administrative fee not exceeding €50 and proportional to the expenses incurred in processing the request. The identity of an individual making a request must always be verified prior to the release of any personal information.

In limited circumstances, a subject may make a request to prevent processing if it causes damage or distress. To do so a request must be made by e-mail stating what the objection is, how processing is unwarranted and reasons why handling is causing damage or distress.

Privacy Policy

The Institute aims to ensure that individuals are aware that their data is being processed and that they understand:

• How the data is being used.
• How to exercise their rights under the law.

For the reasons described in this policy outline how personal data is used by the Institute.

The Chair of the Institute is a designated data controller for the purposes of this policy and relating legislation. The Institute takes takes great care to ensure that personal information is handled appropriately and confidence in their security and discretion is maintained.

The Institute may obtain personal information from a variety of open and closed sources, including government agencies, private individuals and organisations.

Personal information is typically processed by the Institute to facilitate, protect and promote the:

• Interests of international security.
• Prevention of public disorder, international crime and terrorism.
• Maintenance of judicial authority and the rule of law.
• Protection of the fundamental rights and freedoms others.

Personal and non-personal information may be processed in the legitimate interests of the Institute when those interests are not overridden by the interests of the fundamental rights and freedoms of the data subject. However, it is strictly prohibited for sensitive information to be processed for ancillary support purposes (e.g. routine administration, public relations, advertising and other marketing activities).

Our website automatically gathers some impersonal information from your computer such as your general location, when and what you viewed. This is collected to provide some insight into our visitors (e.g what pages to people like to visit most, from what countries and when?) so we can improve our site and services. None of the data our site gathers is specific enough to identify an individual.

Cookie policy: Cookies are very small text files that are stored on your computer when you visit some websites. We use cookies to help identify your computer so we can tailor your user experience and track changes you have made to parts of our site (e.g. e-learning entries, messages and other interactive elements). Our website statistics program also uses cookies so we can tell what pages you find most interesting so we can improve the performance of our site. You can prevent your browser storing cookies on your computer, but this may stop our website from functioning properly. Our cookies are designed to provide you with the best user experience. Functional cookies help programs on our website work and targetting cookies allow you to share our data with other websites.

The Institute will never make decisions that may affect an individual based solely upon the automated analysis of personal data.

By voluntarily submitting personal data to the Institute the data subject explicitly grants the Institute permission to process it for the purpose for which it was originally supplied and to retain it for as long as may be required to fulfil that purpose and satisfy any legal obligations relating to it.

The Institute ensures that personal information is handled lawfully and justifiably. Personal information must be as accurate and current as possible, adequate and not excessive to the task, in respect of individual's rights.

The Institute complies with the relevant parts of European data protection regulation, common security policies and ISO27001 information security standards.

Any data breach likely to result in risks to the rights and freedoms of individuals will be reported to the relevant authority within 72 hours of the data controller becoming aware of it.

Oversight: The Inspectorate is the independent regulator responsible for overseeing data protection compliance. In limited circumstances complaints may also be lodged with the relevant national data protection or supervisory authorities. To find out where your relevant authority is located please contact the data controller who will aim to address your query within 14 days.

Sensitive Data Policy

For legal and security reasons the Institute is required hold some sensitive data on data subjects (e.g. in order to satisfy legal obligations to conduct security checks on delegates). Sensitive information is subject to rigorous security standards and may only be used in the interests of public safety and security. The use of such information for ancillary support (e.g. routine administration, public relations, advertising and other marketing activities) is strictly prohibited.

When processing sensitive data, the Institute and its personnel are typically subject to national security, law-enforcement, research/analysis or third-party exemptions.

Related Policy

Risk assessment and mitigation is required whenever specific risks to the rights and freedoms of data subjects are identified. Recurring high risk functions have been identified in legal disclosure, security vetting and unsolicited communication. All risks have been mitigated or reduced through the application of security procedures. Further details are available upon request.

Additional security regulations outlined in 2013/488/EU surround the use of sensitive, privileged and classified material and form the basis of the Institutes standard operating procedure for the protection of that material.

Additional policies regarding the terms and conditions of sale and use of services provided by the Institute are provided in the Institutes general terms and conditions.

Policy reference:	IEIS/0202/180524/1
Policy owner:	Data Controller
Authorised date:	14 May 2018
Operational date:	25 May 2018
Review schedule:	Annual