1. The Basics of General Data Protection Regulations 2018
1. The new General Data Protection Regulations work in several ways. Firstly, it states that anyone who processes personal information must comply with eight principles, which make sure that personal information meets these criteria:
a) Lawfulness, fairness and transparency:
Data is processed lawfully, fairly and in a transparent manner in relation to the data subject;
b) Purpose limitation:
Data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
c) Data minimisation:
Data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
Data is accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) Storage Limitation:
Data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject;
f) Integrity and confidentiality:
Data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
1. processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met;
2. obtained only for one or more of the purposes specified in the Act, and shall not be processed in any manner incompatible with that purpose or those purposes;
3. adequate, relevant and not excessive in relation to those purpose(s);
4. accurate and, where necessary, kept up to date;
5. not kept for longer than is necessary;
6. processed in accordance with the rights of data subjects under the Act;
7. kept secure by the Data Controller who takes appropriate technical and other;
8. measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal information; and
9. not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal information.
The second area covered by the Act provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records. Individuals have the right to request to see their information, and to ask for their information to be amended or erased.
Confidentiality: Confidential information is defined as verbal or written information, which is not meant for public or general knowledge, information that is regarded as personal by users, members, trustees, employees or volunteers.
Consent: of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Data: The GDPR definition of personal data also includes information such as name, an identification number, location data including addresses, emails, phone numbers, online identifiers including IP addresses, information gathered by cookies or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (which could include CCTV)
The GDPR reaches further than the current Data Protection Act. It is designed to take into account modern technology and the right of the data subjects to the protection of the personal data being held by an organisation about him/her.’
Data is information stored:
a) Electronically i.e. on computer, including word processing documents, emails, computer records, CCTV images, microfilmed documents, backed up files or databases, faxes and information recorded on telephone logging systems.
b) Manually i.e. records which are structured, accessible and form part of a filing system where individuals can be identified, and personal data easily accessed without the need to trawl through a file.
Data Controller: The person who (either alone or with others) decides what personal information we will hold and how it will be held or used)
Data Protection Officer: The person(s) responsible for ensuring that we follow our data protection policy and complies with the General Data Protection
Data concerning health: means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
Data Subject: any living individual whose personal data is being processed.
‘Explicit’ consent: is a freely given, specific and informed agreement by an individual to the processing of personal information about them. Explicit consent is needed for processing sensitive data.
Notification: Notifying the Information Commissioner about the data processing activities of (insert name of organisation), as certain activities may be exempt from notification.
Information Commissioner: The UK Information Commissioner responsible for implementing and overseeing the General Data Protection Regulations.
Processing: means the use made of personal data including any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Personal data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Personal data breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
3. Policy statement
As an organisation we need to collect and use certain types of information about the different people we come into contact with in order to carry out our work. This personal information must be collected and dealt with appropriately– whether on paper, in a computer, or recorded on other material. This policy applies to all personal and sensitive personal data. We will:
• comply with the General Data Protection Regulations in respect of the data we hold about individuals;
• respect individuals’ rights;
• be open and honest with individuals whose data is held;
• ensure that everyone processing personal information understands that they are contractually responsible for following good data protection practice;
• protect the organisation’s volunteers, members and other individuals;
• provide training, support and supervision for volunteers who handle personal data, so that they can act legally, confidently and consistently;
• regularly assess and evaluate our methods and performance in relation to handling personal information;
• protect the organisation from the consequences of a breach of its responsibilities.
We recognise that our first priority under the General Data Protection Regulations is to avoid causing harm to individuals. Information about our members will be used fairly, securely and will not be disclosed to any person unlawfully.
Secondly, the Regulations aim to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, we will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.
The Board of Trustees recognises its overall responsibility for ensuring that BAHE complies with its legal obligations.
The Data Protection Officer is currently Heather Shepherd, who has the following responsibilities:
• Briefing the Board on Data Protection responsibilities;
• Reviewing Data Protection and related policies;
• Ensuring that if it becomes necessary, Data Protection induction and training takes place;
• Handling subject access requests;
• Approving unusual or controversial disclosures of personal data;
• Ensuring contracts with Data Processors have appropriate data protection clauses;
• Electronic security;
• Ensuring that all personal and company data is non-recoverable from any computer system previously used within the organisation, which has been disposed of or passed on/sold to a third party.
• Approving data protection-related statements on publicity materials and letters
Each individual officer post holder and volunteer who handles personal data will comply with the organisation’s operational procedures for handling personal data (including induction and training) to ensure that good Data Protection practice is established and followed. All individual officer post holders and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.
This section of the policy only addresses security issues relating to personal data.
Any recorded information on members will be:
• Kept in locked cabinets, secured computers, on our online booking system, or DropBox
• Protected by the use of passwords if kept on computer or encrypted if appropriate
• Destroyed confidentially if it is no longer needed, or if an individual requests.
Access to data stored electronically is controlled by a password and only those needing access are given the password. Those accessing this should be careful about information that is displayed on their computer screen and make efforts to ensure that no unauthorised person can view the data when it is on display.
Notes regarding personal data of clients should be shredded or destroyed.
6. Data Recording and storage
We have two databases holding basic information about our members and those booking sessions online. The back-up copies of data are kept in a safe, locked place.
We will regularly review our procedures for ensuring that our records remain accurate and consistent and, in particular:
• We will keep records of how and when information was collected.
• The database system is reviewed and re-designed, where necessary, to encourage and facilitate the entry of accurate data.
• We will work towards storing data on an individual in a single place, and all volunteers will be discouraged from establishing unnecessary additional data sets.
• Effective procedures are in place so that all relevant systems are updated when information about any individual changes.
• Effective procedures are also in place to address requests from data subjects for access to, amendments or the erasure of their information
• Data will be corrected if shown to be inaccurate.
Information will be stored for only as long as it is needed or required by statute and will be disposed of appropriately.
8. Access to data
Information and records will be stored securely and will only be accessible to authorised staff or volunteers, and the individual to whom the information relates.
All members have the right to request access to all information stored about them. Any subject access requests will be handled by the Data Protection Officer within the required time limit.
Subject access requests must be in writing or by email. All volunteers are required to pass on anything which might be a subject access request to the Data Protection Officer without delay. In accordance with the GDPR, we will provide personal data in a ‘commonly used and machine readable format.’ We also recognise the right of the individual to transfer this information to another Controller.
Where the individual making a subject access request is not personally known to the Data Protection Officer their identity will be verified before handing over any information.
The required information will be provided in permanent form unless the applicant makes a specific request to be given supervised access in person.
We will provide details of information to service users who request it unless the information may cause harm to another person.
We are committed to ensuring that in principle Data Subjects are aware that their data is being processed and:
• for what purpose it is being processed;
• what types of disclosure are likely; and
• how to exercise their rights in relation to the data.
Data Subjects will generally be informed in the following ways:
• Volunteers: during the application process
• Members: when they provide their information and consent to retain it is requested, or when they request (on paper, online or by phone) services
Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data Subjects will be informed which fields are mandatory and why.
Information about members will only be made public with their explicit consent. (This includes photographs.)
Consent will be obtained from parents, if children’s data is being stored or processed depending on the age of the child/young person in accordance with legislation.
Consent should be given in writing, although for some services it is not always practicable to do so. In these cases verbal consent will always be sought to the storing and processing of data, and records kept of the dates, and circumstances.
Online consent will be requested when members sign up to mailing lists or activities. In all cases it will be documented on the database that consent has been given.
All Data Subjects will be given the opportunity to opt out of their data being used in particular ways, such as the right to opt out of direct marketing (see below).
We acknowledge that, once given, consent can be withdrawn by the Data Subject at any time. There may be occasions where the organisation has no choice but to retain data for a certain length of time, even though consent for using it has been withdrawn.
11. Direct marketing
We will treat the following unsolicited direct communication with individuals as marketing:
• seeking donations;
• promoting any of our services;
• promoting our events;
• promoting membership to supporters;
• promoting sponsored events and other fundraising exercises;
• marketing on behalf of any other external company or voluntary organisation.
Whenever data is first collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be asked to provide their consent. We do not have a policy of sharing lists, obtaining external lists or carrying out joint or reciprocal mailings.
We will only carry out telephone marketing where consent has been given in advance;
Whenever e-mail addresses are collected, any future use for marketing will be identified, and the provision of the address made optional.
12. Volunteer training and acceptance of responsibilities
All volunteers that have access to any kind of personal data will be given copies of all relevant policies and procedures during their induction process, including the Data Protection policy. All staff will be expected to adhere to all these policies and procedures.
We will provide opportunities for all volunteers to explore Data Protection issues through volunteer training and annual reviews.
BAHE may collect and use the following kinds of personal information through this website
- information about your use of this website including information obtained via cookies
- information that you provide on this website for queries, bookings, membership, registration, notifications, including your name, email address , postal address, telephone number and name and age of children for the purpose of making electronic bookings for services
- information that you provide by joining our membership using the online option, this includes your name, address, email address, telephone number and membership details. Once collected, all the data is treated in a way that meets all the requirements already covered in this policy.
We are collecting data for the following reasons:
- We request your consent at each opportunity to enter data
- Processing is necessary for organising activities using an online method
- Data collected for membership is required in order to report back to our funders on our activities and growth of our organisation. We never ask for more information than is necessary.
Using Personal Information obtained via the website
BAHE may use your personal information to:
- send you updates to our news page that you have given consent for.
- contact you for the purpose of discussing a booking, for an activity that you have previously made on the website
Your information will be held confidentially. Occasionally we may need to disclose information to our Data Processor or sub-Processor. Where we need to do so, the Data Processor or sub-Processor in question will be obligated to use that personal information in accordance with the terms of this privacy statement.
Securing Your Data Submitted Online
BAHE will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information. We will take reasonable technical and organisational precautions to store, process and transport all personal information you provide in a secure manner.
14. Policy review
This policy will be reviewed and updated as necessary in response to changes in relevant legislation, contractual arrangements, and good practice or in response to an identified failing in its effectiveness.
In case of any queries in relation to this policy please contact our Data Protection Officer