At OXFORDSHIRE MOTOR PROJECT (TRAX AND TRAX SE), we take the utmost care to prevent the unauthorised use or disclosure of information our partners, parents and students, employees and partners provide. Our Board of Trustees works closely with our Partners, Human Resources and Services Development groups to develop, maintain and enforce robust privacy and information security policies and practices at OXFORDSHIRE MOTOR PROJECT (TRAX AND TRAX SE).

Our success depends directly on the confidence our partners have in the capability, performance and security of our services. To ensure this, we have policies and controls in place to provide privacy protection for personally identifiable information maintained by OXFORDSHIRE MOTOR PROJECT (TRAX AND TRAX SE). Our policies follow industry best practices, including the use of encryption technology and data loss protection software.

GDPR REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) follows practises outlined in data protection procedures. OXFORDSHIRE MOTOR PROJECT (TRAX AND TRAX SE) have identified policies and procedures that support GDPR in addition to its data protection policy. We have ensured all decision makers and key people in OXFORDSHIRE MOTOR PROJECT (TRAX AND TRAX SE) are aware that the law is changing to the GDPR. OXFORDSHIRE MOTOR PROJECT (TRAX AND TRAX SE) have documented what personal data we hold, where it came from and who we share it with and identified processing activities related to the data. We have reviewed our current privacy notices and put a plan in place which will be completed before 25th May 2018. When we collect personal data we currently give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice. Under the GDPR there are some additional things we will tell people. For example, we will explain the lawful basis for processing the data, the data retention periods and that individuals have a right to complain and how to do this in the first instance writing to the Finance Director setting out your complaint. This does not dilute, reduce or effect the rights of partners, parents or students.

GDPR and how it impacts individual rights:
➢ the right to be informed
➢ the right of access
➢ the right to rectification
➢ the right to erasure
➢ the right to restrict processing
➢ the right to data portability
➢ the right to object
➢ the right not to be subject to automated decision-making including profiling

The right to restrict data portability and automated decision making including profiling are new as part of GDPR and in addition to OXFORDSHIRE MOTOR PROJECT (TRAX AND TRAX SE) data protection policy. OXFORDSHIRE MOTOR PROJECT (TRAX AND TRAX SE) have implemented a policy internally to ensure any private data held for reasonable reasons is defined and justified. Data is not transferred but held in an encrypted format and is not externally portable. Information held by OXFORDSHIRE MOTOR PROJECT (TRAX AND TRAX SE) has always been treated with respect and has never been transferred outside the boundary of reasonable internal use. OXFORDSHIRE MOTOR PROJECT (TRAX AND TRAX SE) have in addition introduced a single instance use of data which is managed on a need to know basis. OXFORDSHIRE MOTOR PROJECT (TRAX AND TRAX SE) personal data is restricted to partners and student’s data that is held to enable OXFORDSHIRE MOTOR PROJECT (TRAX AND TRAX SE) to deliver its services. This data is encrypted and is only used to carry out their duties to deliver services to its partners, parents and students. OXFORDSHIRE MOTOR PROJECT (TRAX AND TRAX SE) also retains a data base. This is a list of individuals and partners that have opted in by 25th May 2018. As part of the consent to opt in to receive information our partners, parents and students will on each instance receive and unambiguous message to opt out. Our communication data is; clear, specific, granular, prominent, opt-in only, properly documented and easily withdrawn.

The charity has a specific requirement to data protection related to those under the age of 18 and with sensitive information. The policy set out in the statement has high relevance to the work the charity does, specifically need to know and retention of data. In addition, the duty of care related to holding information is held by the partner or parent under 18 as well as the young person.

The Article 29 Working Party has produced guidance for organisations on the designation, position and tasks of DPOs. Preparing for the General Data Protection Regulation (GDPR) OXFORDSHIRE MOTOR PROJECT (TRAX AND TRAX SE) takes its duties to protect individual data seriously. The Finance Director of the charity holds the ultimate responsibility to ensure all elements of the OXFORDSHIRE MOTOR PROJECT (TRAX AND TRAX SE) data protection policy and new elements introduced by GDPR are implemented in the UK.