This is the Data Protection Policy of the Equality Party and details how the Party complies with Data Protection legislation; the UK GDPR and the Data Protection Act 2018.
DEFINITIONS
The following are key terms that are defined within the DPA 2018 and UK GDPR:
Personal Data – Personal data means any information relating to an identified or identifiable natural (living) person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special Category Personal Data – personal data that relates to a data subject’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics, biometrics, health, sex life or sexual orientation.
Data Subject – the individual who the personal data is about.
Processing – Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, including activities such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Everything we do, even just storing it, with personal data is processing.
Controller (Data Controller) – The Controller has the legal responsibility to ensure the Force complies with the DPA 2018 and UK GDPR.
Data Processor – third party individual or organisation who process personal data for, or on behalf of, the Controller.
Data Protection Officer (DPO) – the DPO is a required role stipulated by the DPA 2018 with a primary role to support compliance with legislation, advise the Controller and ensure that data subjects’ rights are upheld.
Information Commissioner’s Office (ICO)
The ICO is the UK statutory regulatory body for the Data Protection legislation. More information about the ICO can be found at their website: Information Commissioner’s Office (ICO)
DATA PROTECTION PRINCIPLES
The DPA 2018 and UK GDPR each have six principles personal data processing.
The principles lie at the heart of the legislation. They are set out right at the start and inform everything that follows. They don’t give hard and fast rules, but rather embody the spirit of the general data protection regime. Compliance with the spirit of these key principles is therefore a fundamental building block for good data protection practice.
It is also key to our compliance with the detailed provisions in the legislation.
The principles are:
- lawfulness, fairness and transparency
- purpose limitation
- data minimisation
- accuracy
- storage limitation
- integrity and confidentiality (security).
There is also what is often referred to as the 7th principle, which is accountability. The Controller must be able to demonstrate their compliance with the 6 principles, so we not only have to follow the principles, but we also have to be able to evidence that we have done so.
Principle 1
General processing of personal data will be lawful, fair and undertaken in a transparent manner in relation to individuals.
Our Privacy Notice details our processing and is available on this website.
Principle 2
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
We process personal data in order to run our political party specifically staying in contact with our members and supporters, including consulting with them regarding policies and activities.
Principle 3
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
We will only process persona data which we believe is necessary to our aims as a political party or in order to support the specific data subject, eg for casework.
Principle 4
Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
It is vitally important, not just because we must comply with legislation, but operationally, that our data is accurate. We will make decisions as a party based on our statistical data, which is often based on personal data which we process, if this data is inaccurate then our statics will be inaccurate and we will be basing decisions on false data.
The majority of our data will be provided to us by the individual and any third party data will usually come from an official source, such as the electoral register.
Principle 5
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
We will process data for as long as individuals remain members and supporters and for up to 6 years afterwards to coincide with the political election terms. After this personal data will be anonymised and only statistical data will be retained.
Principle 6
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Mailchimp and GoCardless are both ISO27001 certified.
The remainder of our information is processed in Google, but contains limited personal data.
The Leadership team undertake Data Protection awareness sessions to ensure that their understanding of the Principles is sound.
Governance
Data Protection is a standing item on all Leadership meetings which the DPO attends. Any member of the Leadership Team can raise a data protection issue at meetings, but also contact the DPO at any time should they wish to.
Complaints
Any complaints received via any means, will be sent to the Data Protection Officer for investigation. The DPO will acknowledge the complaint within 30 days and investigate without undue delay, responding to the complainant as soon as practicable.
Breaches
A data breach is anything which happens to personal data which should not have happened. A breach is an incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
Any member of the Leadership Team who becomes aware of a data breach must immediately inform the Data Protection Officer, who will investigate and advise the Leadership Team on the appropriate action, including whether the breach reaches the threshold to be reported to the ICO.
Subject Access Requests
The requester of any subject access requests will be asked for identification documentation in order that we can be certain that we are disclosing data to the right person. The request will be dealt with by the most appropriate person on the Leadership Team who has access to the data being requested. That person will seek advice from the DPO and all requests will be answered within the one calendar month time frame.
Obtaining PD from third parties
We will ensure that it is clearly recorded where any personal data is obtained from third parties will have the original identity of the third party.
Disclosure of PD
We will not disclose personal data to any third party, unless they are a processor for us or we have a contract with them. We will never sell any personal data to a third party.
Information Assurance/Audits
Mailchimp and GoCardless carry out regular audits to ensure their compliance with ISO 27001. The Leadership Team will carry out an audit annually within our database to ensure that it is working as it should. This will be in the form of dip sampling each processing activity within it. The result will be reported to the Leadership Team.
Last updated: 5 May 2026
