Data Protection Policy

1. Purpose

The purpose of this Data Protection Policy is to ensure that Ocean Census collects, processes, stores, and disposes of personal data responsibly, securely, and lawfully in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable legislation.

This policy works alongside our Privacy Policy, which sets out how we communicate with individuals about the way their data is used.

2. Scope

This policy applies to:

• All personal data processed by Ocean Census, including that of staff, contractors, volunteers, partners, donors, event participants, and users of the Ocean Census website and Ocean Census Biodiversity Data Platform.
• All staff, trustees, contractors, and volunteers who have access to personal data.

3. Principles of Data Protection

Ocean Census commits to processing personal data in accordance with the following principles:

1. Lawfulness, fairness and transparency – Data will only be collected and processed when there is a lawful basis and with clear information given to the individual.
2. Purpose limitation – Data will be collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes.
3. Data minimisation – Only the data necessary for the stated purpose will be collected.
4. Accuracy – Reasonable steps will be taken to keep personal data accurate and up to date.
5. Storage limitation – Data will only be kept for as long as necessary for the purposes for which it was collected, or as required by law.
6. Integrity and confidentiality – Data will be handled securely and protected against unauthorised or unlawful processing, accidental loss, destruction, or damage.
7. Accountability – Ocean Census will maintain appropriate documentation and be able to demonstrate compliance with data protection law.

4. Legal Basis for Processing

Ocean Census processes personal data on the following legal grounds:

• Consent – when individuals have actively agreed to communications, event participation, or registering new species.
• Contractual necessity – when processing is required to deliver services (e.g., managing event participation).
• Legal obligation – for purposes such as financial record keeping and compliance with statutory reporting requirements.
• Legitimate interests – where processing supports our charitable mission and does not override individuals’ fundamental rights and freedoms.

5. Categories of Personal Data Processed

Depending on the context, Ocean Census may process:

• Contact details (name, email address, postal address, phone number).
• Professional details (job title, organisation, field of work).
• Event participation data (registration details, dietary/access needs, photography/video consent).
• Scientific contributions (species registration submissions, institutional affiliation, nationality, country).
• Technical data (cookies, IP addresses, search logs, website usage statistics).

Sensitive personal data will only be collected where necessary and with explicit consent.

6. Data Retention

• General contact and communication data: retained for as long as consent is valid or until individuals request deletion.
• Financial/accounting records: retained for the statutory period required by law (normally 6–7 years).
• Event participation data: retained for up to 2 years after the event unless longer retention is necessary for reporting or with the individual’s consent.
• Biodiversity Data Platform submissions: retained indefinitely, unless an individual requests removal of their personal data.

7. Data Sharing

• Personal data will not be sold, rented, or traded.
• Data may be shared with trusted third-party service providers (e.g., event management platforms, IT providers, email distribution systems) under contractual agreements ensuring data security.
• Data may be disclosed where required by law.

8. Data Security

Ocean Census will take appropriate technical and organisational measures to protect personal data, including:

• Secure storage and access controls.
• Encryption and password protection where appropriate.
• Staff training on data protection responsibilities.
• Data sharing agreements with external processors.
• Regular review of IT security and data handling procedures.

9. Rights of Individuals

Under UK GDPR, individuals have the right to:

• Access their personal data.
• Request rectification of inaccurate data.
• Request erasure of their data (the “right to be forgotten”), subject to legal and contractual limitations.
• Restrict or object to processing of their data.
• Request data portability where applicable.
• Withdraw consent at any time where processing is based on consent.

Requests can be made by contacting: info@oceancensusmission.org

10. Data Breaches

Any personal data breach will be reported internally to the Data Protection Officer. Where required, the Information Commissioner’s Office (ICO) will be notified within 72 hours, and affected individuals will be informed promptly.

11. Responsibilities

• The Board of Trustees has overall responsibility for ensuring compliance with this policy.
• The designated Data Protection Officer is responsible for day-to-day oversight, training, and responding to data subject requests.
• All staff and volunteers handling personal data must follow this policy and complete relevant training.

12. Review

This policy will be reviewed at least once every two years, or sooner if required by changes in law, regulation, or organisational practice.