Available Policies
last updated: 19 April 2023
This template is an example of how you can record your DPIA process and outcome. It follows the process set out in our DPIA guidance, and should be read alongside that guidance and the Criteria for an acceptable DPIA set out in European guidelines on DPIAs.
You should start to fill out the template at the start of any major project involving the use of personal data, or if you are making a significant change to an existing process. The final outcomes should be integrated back into your project plan.
The aim of this project is to broker a relationship between people who need volunteers and people who want to volunteer. This relationship is facilitated via TeamKinetic’s Volunteer management system.
This DPIA is required as personal data is collected and shared via the application to ensure the safe brokerage and management of volunteers.
Some of the data captured falls into the special categories, and some profiling is undertaken by the service.
TeamKinetic acts as Data Processor on behalf of the Customer.
How TeamKinetic data will be collected;
Volunteers submit their own data, via the online submission form
Data is collected via an SSL-secured web form and, in the case of native applications, an SSL-secured API.
How TeamKinetic store your data;
All data is stored in fully secured hosted servers in the UK.
A full list of server centre accreditations can be found here. Data at rest is encrypted using AES-256 symmetric encryption.
Data deletion is agreed in accordance with the data controller
TeamKinetic and third parties;
TeamKinetic do not use sub-processors. No data is shared with third parties.
How TeamKinetic data will be processed
The following categories of Personal Data may be processed
The data controller will determine the following:
TeamKinetic receive data directly from the data subject and act as Data Processor on behalf of our customers for the management of volunteers with the following agreement in place
Volunteers would expect us to use this information in this way in accordance with the Data Controller's privacy policy, and the terms and conditions of registering an account.
Should the Data Controller not have a Privacy Policy, it will default to the generic TeamKinetic privacy policy.
The Data Processing policy constitutes a data processing agreement between the Customer (The Data Controller) and the supplier TeamKinetic Ltd (Data Processor)
TeamKinetic have undergone the following accreditations:
NHS Level 2 Information Governance Tool Kit
Cyber Essentials registered
All our UK data centres are ISO 9001, ISO 27001, ISO 22301 and PCI DSS compliant.
Registered with the ICO as a data processor
Any user has the right of erasure and can request to have their data removed once they are logged in and authenticated. Live data is removed immediately; backup data takes 30 days to be removed.
What is the purpose for TeamKinetic processing your data;
Data processing is performed to enable volunteers to access, find and join volunteering opportunities and to provide the services required to enable this.
Outcomes include but are not limited to;
Increased recruitment, retention and reward of volunteers and the development of insight regarding the volunteer audience and motivations, actions and experiences.
Consider how to consult with relevant stakeholders:
TeamKinetic is provided as Software as a Service (SaaS), and we do not anticipate needing to consult stakeholders as the product features are already defined.
We will assign a single account and support manager for each customer. They will be the only members of our organisation with access to customer data. These members of staff will have been made aware of, and trained in, the relevant GDPR policies.
We do not have any further sub data processors but act on instructions from our customer, the data controller, about what data we collect and how we use it.
Our data servers are routinely audited through independent expert penetration tests.
Describe compliance and proportionality measures
The lawful basis for this processing is Consent, unless otherwise stated by the data controller (for example, a legal requirement to collect health data for health and safety purposes).
The processing of Special category data requires explicit consent.
Data usage and policies are clearly communicated during registration and positive consent is required by all users.
Volunteers provide consent at the point at which they register to use the system or if the data policy is amended. It is not practical to continually request consent from volunteers, but volunteers who become inactive can be removed by the Data Controller (South Ayrshire Council) at their discretion.
Consent for marketing will be dealt with under the volunteer sign up.
Data subjects can exercise their rights via the Data Controller (South Ayrshire Council)
Data enrichment is not performed on any volunteer's data.
All data, at rest and in transit, is encrypted and held in UK data hubs. We do not make data transfers to any other geographical location or to any other data processors.
PR# | Privacy Issue | Risk to Individuals | Compliance Risk | Corporate Risk |
PR001 | Catastrophic data loss | Personal data breach could cause various risks to individuals | Unlawful loss or destruction of data poses a GDPR/data protection risk | Fine by the regional regulators; reputational damage / monetary loss |
PR002 | Theft or cyber attack | Personal data breach could cause various risks to individuals | Unlawful loss or destruction of data poses a GDPR/data protection risk | Fine by the regional regulators; reputational damage / monetary loss |
PR003 | 3rd party service failure | Risk of personal data breaches: deliberate or accidental action (or inaction) by a controller or processor | In breach of Art. 5 GDPR principle (a): processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’) | Fine by the regional regulators; reputational damage / monetary loss |
PR004 | Personal data retained for longer than necessary | Personal data breach could cause various risks to individuals | In breach of Art. 5 GDPR principle (e): storage limitation | Fine by the regional regulators; reputational damage / monetary loss |
PR005 | Disclosure of personal data to unauthorised persons or agencies | Personal data breach could cause various risks to individuals | Unlawful loss or destruction of data poses a GDPR/data protection risk | Fine by the regional regulators; reputational damage / monetary loss |
PR# | Likelihood | Impact | Overall risk |
PR001 | Unlikely /low | Medium | GREEN |
PR002 | Unlikely /low | Medium | AMBER |
PR003 | Unlikely /low | HIGH | AMBER |
PR004 | Unlikely /low | Low | GREEN |
PR005 | Unlikely /low | Low | GREEN |
Describe the actions you could take to reduce the risks
PR# | Risk Score | Options to reduce or eliminate risk | Effect on risk | Residual risk | Measure approved |
PR001 | GREEN | See our Data Asset Protection and Resilience Policy | Accepted | GREEN | Yes/no |
PR002 | GREEN | See our Operational Security of Services Policy | Accepted | GREEN | Yes/no |
PR003 | AMBER | See our Information Governance Policy regarding 3rd party services. | Accepted | AMBER | Yes/no |
PR004 | GREEN | Data Controllers have the ability to delete their data in the application in accordance with their own policies and procedures. Our Data Resilience and Asset Protection policy outlines our deletion and back up process. | Accepted | GREEN | Yes/no |
PR005 | GREEN | Our Privacy and Data policy clearly outlines the conditions under which we can share data. | Accepted | GREEN | Yes/no |
Item | Name/date | Notes |
Measures approved by: | Integrate actions back into project plan, with date and responsibility for completion | |
Residual risks approved by: | If accepting any residual high risk, consult the ICO before going ahead | |
DPO advice provided: | DPO should advise on compliance, step 6 measures and whether processing can proceed | |
Summary of DPO advice: | ||
DPO advice accepted or overruled by: | If overruled, you must explain your reasons | |
Comments: | ||
Consultation responses reviewed by: | If your decision departs from individuals’ views, you must explain your reasons | |
Comments: | ||
This DPIA will be kept under review by: | The DPO should also review ongoing compliance with DPIA | |
The following provides some guidance on how to determine the likelihood of a compromise (resulting in any of the impact categories) occurring:
Low (Rare/Unlikely) - less than 25% chance of a compromise occurring within the next 3 years
Medium (Possible/Likely) – between 25% and 75% chance of a compromise occurring in the next 3 years
High (Highly Likely/Certain) – a 75%+ chance of a compromise occurring in the coming year
The risk matrix combines the HIGHEST identified impact severity with the likelihood score to determine the overall risk level.
3x3 Matrix | ||||
Impact Severity | ||||
High | 3 | M=3 | H=6 | H=9 |
Medium | 2 | L=2 | M=4 | H=6 |
Low | 1 | L=1 | L=2 | M=3 |
Multiplier | 1 | 1 | 2 | 3 |
Likelihood | L | Low | Medium | High |