Date for review: 23/05/2019
Signature of Director responsible for the policy: ……………………………………….
The Chopwell Regeneration Group (CRG) is committed to a policy of protecting the rights and privacy of individuals, including members, volunteers, staff and participants in activities, in accordance with the General Data Protection Regulation (GDPR), in force from May 2018. The new regulatory environment demands greater transparency and accountability in the way organisations manage and use personal data, and gives individuals new and stronger rights to understand and control that use. The GDPR contains provisions that the CRG, as a data controller, needs to be aware of, including provisions intended to enhance the protection of personal data.
The CRG needs to hold information for the following purposes:
- Membership records
- Volunteering contacts
- Involvement in activities organised by the CRG
To comply with its legal obligations, including the obligations imposed on it by the General Data Protection Regulation (GDPR) the CRG must ensure that any information about individuals is collected and used fairly, stored safely and securely, and not disclosed to any third party unlawfully.
This policy applies to all members, volunteers, staff and participants in CRG’s activities.
As a matter of best practice, any other agencies and individuals working with CRG who have access to personal information will be expected to read and comply with this policy.
This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments to the GDPR and other relevant legislation.
General Data Protection Regulation (GDPR)
This legislation came into force on 25 May 2018. The GDPR regulates the processing of personal data and protects the rights and privacy of all living individuals (including children), for example by giving everyone who is the subject of personal data a general right of access to the personal data relating to them. Individuals exercise this right by means of a ‘subject access request’. Personal data is any information relating to an identified or identifiable living individual; it may be held in hard or soft copy (paper/manual files, electronic records, photographs, CCTV images) and may include facts or opinions about a person.
Data Protection Principles
The legislation places a responsibility on us to process any personal data in accordance with the following principles:
1) Process personal data lawfully, fairly and transparently. The CRG will make all reasonable efforts to ensure that individuals who are the subject of the personal data are informed of the purposes of the processing, of any disclosures to third parties that are envisaged, of the period for which the data will be kept, and of any other information which may be relevant.
2) Process the data only for the specified and lawful purpose for which it was collected, and not further process it in a manner incompatible with that purpose. We will ensure that the reason for which we originally collected the data is the only reason for which we process it, unless the individual is informed of any additional processing before it takes place.
3) Ensure that the data is adequate, relevant and not excessive in relation to the purpose for which it is processed. We will not collect any personal data which is not strictly necessary for the purpose for which it is obtained. Forms for collecting data will always be drafted with this in mind. Any irrelevant data supplied by individuals will be destroyed immediately.
4) Keep personal data accurate and, where necessary, up to date. We will review and update all data on a regular basis. It is the responsibility of individuals giving their personal data to ensure that it is accurate, and individuals should notify us if their data needs to be updated. It is our responsibility to ensure that any notification of a change is recorded and acted on.
5) Only keep personal data for as long as is necessary. We will not retain personal data for longer than is necessary for the purpose for which it was collected, or for longer than any statutory requirement demands. This means we will undertake a regular review of the information held and implement a weeding process. We will dispose of personal data in a way that protects the rights and privacy of the individual concerned (e.g. secure electronic deletion; shredding and disposal of hard copy files as confidential waste). A log will be kept of the records destroyed.
All personal data will be deleted or destroyed by us after three years of no contact, unless it is needed for Gift Aid or safeguarding purposes. If the individual has donated to the Chopwell Regeneration Group, their data will be kept for six years in accordance with HMRC Gift Aid rules. If the individual has carried out paid or voluntary work with the CRG, we will keep their data for 10 years for safeguarding purposes.
6) Process personal data in accordance with the rights of the individual under the legislation. Individuals have various rights under the legislation, including the right to:
- Be informed, upon request, of all the information held about them (a subject access request), which we will answer within one month.
- Prevent the processing of their data for the purpose of direct marketing.
- Compensation if they can show that they have suffered damage as a result of a contravention of the legislation.
- Have any inaccurate data about them corrected or removed.
- Be forgotten, i.e. have their data erased and removed from the database at their request, unless there is a legal reason for us to retain it (for example the Gift Aid and safeguarding retention periods above).
We will only process personal data in accordance with individuals’ rights.
7) Put appropriate technical and organisational measures in place against unauthorised or unlawful processing of personal data, and against accidental loss, destruction or damage of data. We will ensure that any personal data which we hold is kept securely and not disclosed to any unauthorised third party. We will ensure that all personal data is accessible only to those who have a valid reason for using it. We will have in place appropriate security measures, including:
- keeping all personal data in a secure location;
- protecting personal data held electronically with passwords and, where the software used supports it, encryption;
- archiving personal data which is no longer in active use, and keeping the archive securely.
In addition, we will put in place appropriate measures for the deletion of personal data: manual records will be shredded or disposed of as ‘confidential waste’. Hard drives of redundant PCs will be securely wiped (not merely reformatted) before disposal or, if that is not possible, destroyed physically. A log will be kept of the records destroyed.
8) Not transfer personal data to a country or territory outside the European Economic Area (EEA) unless the transfer is permitted by the legislation, for example with the explicit consent of the individual (as in the case of MailChimp, below). This also applies to publishing information on the Internet, because transfer of data can include placing data on a website that can be accessed from outside the EEA, so we will always seek the consent of individuals before placing any personal data (including photographs) on our website.
Consent as a basis for processing
Although it is not always necessary to gain consent from individuals before processing their data, it is often the best way to ensure that data is collected and processed in an open and transparent manner. We understand consent to mean that the individual has been fully informed of the intended processing and has signified their agreement by a clear, positive action (e.g. signing their membership form) while of sound mind and without any undue influence being exerted upon them. Consent will not be inferred from a pre-ticked box or from non-response to a communication.
As we will use MailChimp as our data processor to create our email distribution lists, send emails and collect information resulting from those emails, we will obtain express consent from individuals before transferring their data to MailChimp.
We will only contact individuals who have opted in to communication from us, whether through our website or Facebook page, verbally, by email or in writing.
Where an individual has consented to being contacted by the CRG, that person’s consent will remain current until s/he advises us otherwise. However, an individual can opt out at any time by sending a letter to Chopwell Regeneration Group, 4, Greenhead Terrace, Chopwell, Newcastle upon Tyne NE17 7AH or an email to firstname.lastname@example.org.
Procedure for review
This policy will be updated as necessary to reflect best practice or future amendments to the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. It will be reviewed at least every two years. This means that if no changes have been made in the interim, the policy will be reviewed at the latest in May 2020. The person responsible for monitoring the policy will be the CRG Secretary, currently Jill Woodward.
The ICO’s website (www.ico.gov.uk) provides further detailed guidance on a range of topics, including individuals’ rights, exemptions from the legislation, dealing with subject access requests, and how to handle requests from third parties for personal data to be disclosed. In particular, see the Guide to Data Protection, which is available from the website.