Data Protection Policy

1. Purpose

1.1 This policy sets out how Mums in Science Ltd collects, processes, stores, and protects personal data in compliance with applicable data protection laws and regulations (e.g., the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (GDPR), or other relevant national laws).

1.2 This policy ensures that all employees, contractors, and volunteers of Mums in Science Ltd understand and adhere to the principles of data protection, thereby safeguarding the rights of individuals whose personal data we handle.


2. Scope

2.1 This policy applies to:

  • All employees, contractors, consultants, volunteers, and associates who handle personal data on behalf of Mums in Science Ltd.
  • All personal data processed in relation to our activities, whether held electronically or in physical form.

2.2 It covers data subjects including (but not limited to) clients, beneficiaries, suppliers, staff, and other stakeholders.


3. Definitions

  • Personal Data: Any information relating to an identified or identifiable individual (e.g., name, address, email, phone number, identification number, IP address).
  • Processing: Any operation performed on personal data, such as collection, recording, organization, structuring, storage, retrieval, use, disclosure, or destruction.
  • Data Subject: The individual whose personal data is processed.
  • Data Controller: The individual or organization that determines the purposes and means of processing personal data.
  • Data Processor: Any individual or organization that processes personal data on behalf of the Data Controller (other than an employee of the Data Controller).
  • Special Category Data: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, sexual orientation, or genetic/biometric data.

4. Data Protection Principles

We are committed to processing personal data in accordance with the following principles:

  1. Lawfulness, Fairness, and Transparency:
    • We process personal data lawfully and fairly, providing clear information to data subjects about how and why their data is used.
  2. Purpose Limitation:
    • Personal data is collected for specified, explicit, and legitimate purposes. We do not further process it in a manner incompatible with those purposes.
  3. Data Minimization:
    • We only collect and process personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
  4. Accuracy:
    • We keep personal data accurate and up to date. We take all reasonable steps to erase or correct inaccurate data.
  5. Storage Limitation:
    • We retain personal data no longer than is necessary for the purposes for which it was collected. After that, data is securely deleted or anonymized.
  6. Integrity and Confidentiality:
    • We process personal data in a manner that ensures its security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.
  7. Accountability:
    • We maintain responsibility and demonstrate compliance with these principles, ensuring appropriate measures and records are in place.

5. Lawful Basis for Processing

5.1 Mums in Science Ltd will identify and document the lawful basis for each type of personal data processing. Common lawful bases include:

  • Consent: The data subject has given clear consent for processing their personal data for a specific purpose.
  • Contract: Processing is necessary for fulfilling a contract with the data subject or taking steps to enter into a contract.
  • Legal Obligation: Processing is necessary to comply with a legal obligation.
  • Vital Interests: Processing is necessary to protect someone’s life.
  • Public Task: Processing is necessary to perform a task in the public interest.
  • Legitimate Interests: Processing is necessary for legitimate organizational interests, provided these interests are not overridden by the rights of the data subject.

6. Data Subject Rights

We respect the rights of data subjects, which may include:

  • Right to be Informed: The right to clear and transparent information about how we use personal data.
  • Right of Access: The right to request copies of personal data.
  • Right to Rectification: The right to request corrections to personal data that is inaccurate or incomplete.
  • Right to Erasure (‘Right to be Forgotten’): The right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
  • Right to Restrict Processing: The right to block or suppress processing of personal data.
  • Right to Data Portability: The right to obtain and reuse personal data for personal use across different services.
  • Right to Object: The right to object to the processing of personal data under certain circumstances (e.g., direct marketing).
  • Rights related to Automated Decision Making and Profiling: The right not to be subject to automated decisions that significantly affect the individual.

7. Retention and Disposal

7.1 Retention:

  • We maintain a retention schedule that sets out how long we hold different categories of data before secure disposal.

7.2 Disposal:

  • When personal data is no longer required, it is securely deleted, destroyed, or anonymized in accordance with our Retention and Disposal procedures.

8. Security Measures

8.1 Technical Measures:

  • Use of passwords, encryption, firewalls, and secure servers to prevent unauthorized access to data.
  • Regularly updating software and operating systems to address security vulnerabilities.

8.2 Organizational Measures:

  • Role-based access controls, ensuring that only authorized personnel can access particular data.
  • Confidentiality agreements for employees, contractors, or third parties who handle personal data.
  • Regular data protection training and awareness for staff.

9. Data Sharing and Transfers

9.1 Internal Sharing:

  • Personal data is shared internally only when required for the performance of relevant duties.

9.2 External Sharing:

  • Any sharing of personal data with external parties (e.g., service providers, subcontractors) is conducted under a contract, ensuring compliance with data protection obligations.

9.3 International Transfers:

  • Personal data transferred outside the relevant national or regional jurisdiction (e.g., outside the UK or EEA) will be safeguarded by appropriate transfer mechanisms, such as Standard Contractual Clauses or an adequacy decision.

10. Data Breaches

10.1 Definition:

  • A data breach is any event that leads to the accidental or unlawful destruction, loss, or alteration of personal data, or to unauthorized disclosure of, or access to, personal data.

10.2 Reporting:

  • All data breaches or suspected breaches must be reported immediately to Dr Shara Cohen (CEO).
  • Where required by law, data breaches will be notified to the relevant supervisory authority and, if necessary, to affected data subjects without undue delay.

11. Roles and Responsibilities

11.1 Senior Management/Board:

  • Have overall responsibility for data protection compliance within the organization.
  • Ensure adequate resources are allocated for data protection measures.

11.2 Data Protection Officer (DPO)/Data Protection Lead (if appointed):

  • Monitor compliance with data protection laws.
  • Provide advice on data protection obligations.
  • Liaise with supervisory authorities and data subjects, where necessary.

11.3 Employees, Volunteers, and Contractors:

  • Responsible for understanding and following this policy.
  • Must report any concerns, complaints, or breaches in relation to personal data immediately.

12. Monitoring and Review

12.1 This policy is reviewed regularly (at least annually) or whenever there is a significant change in data protection laws or organizational practices.

12.2 Any substantive amendments will be communicated to all relevant personnel and stakeholders in a timely manner.

Mums In Science© Ltd registered in England and Wales. Company Number: 14418391. Registered Office: 7a High Street, Barnet, Herts, EN5 5UE.