Data Protection Policy
The Data Protection Act 1998 and the EU General Data Protection Regulation 2018 describe how organisations must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
SCOPE OF THE POLICY
The policy sets out the requirements that the Bradford on Avon Preservation Trust (hereafter “the Trust”) has to gather personal information for membership purposes. In addition to our members and volunteers this policy applies to hirers, tenants, leaseholders and other people the Trust has a relationship with or may need to contact. The policy details how personal information will be gathered, stored and managed in line with data protection principles and the General Data Protection Regulation. The policy will be reviewed regularly to ensure compliance. This policy should be read in tandem with the Trust's Privacy Policy.
WHY THIS POLICY EXISTS
This data protection policy ensures that the Trust:
Complies with data protection law and follows good practice.
Protects the rights of members, volunteers and partners.
Is open about how it stores and processes members’ data.
Protects itself from the risks of a data breach.
GENERAL GUIDELINES
The only people able to access data covered by this policy should be those who need to communicate with members or provide a service to the Trust.
Data should not be shared informally or outside of the Trust.
Strong passwords must be used and they should never be shared.
Personal data should not be shared outside of the Trust unless with prior consent and/or for specific and agreed reasons.
Member information should be reviewed and consent refreshed periodically via the membership renewal process or when policy is changed.
DATA PROTECTION PRINCIPLES
The General Data Protection Regulation identifies 8 data protection principles.
Principle 1 - Personal data shall be processed lawfully, fairly and in a transparent manner.
Principle 2 - Personal data can only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Principle 3 - The collection of personal data must be adequate, relevant and limited to what is necessary compared to the purpose(s) data is collected for.
Principle 4 – Personal data held should be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.
Principle 5 – Personal data that is kept in a form, which permits identification of individuals, shall not be kept for longer than is necessary.
Principle 6 - Personal data must be processed in accordance with the individuals’ rights.
Principle 7 - Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Principle 8 - Personal data cannot be transferred to a country or territory outside the European Union unless that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to the processing of personal data.
LAWFUL, FAIR AND TRANSPARENT DATA PROCESSING
The Trust requests personal information from members for the purpose of sending communications about their involvement with the Trust. Members will be asked to provide consent for their data to be held and a record of this consent along with member information will be held securely. Trust members will be informed that they can, at any time, remove their consent and will be told who to contact should they wish to do so. Once a member requests not to receive certain communications this will be acted upon promptly and the member will be informed when the action has been taken.
PROCESSED FOR SPECIFIED, EXPLICIT AND LEGITIMATE PURPOSES
Members will be informed how their information will be used and the Trust will seek to ensure that member information is not used inappropriately. Appropriate use of information provided by members will include:
Communicating with members about Trust events and activities and other local events and activities that may be of interest to our members.
Adding members’ details to the mailing list for the Guardian Angel magazines.
Communicating with members about their membership and/or renewal of their membership.
Communicating with members about specific issues that may have arisen during the course of their membership.
The Trust will ensure that members' information is managed in such a way so as not to infringe an individual member’s rights.
ADEQUATE, RELEVANT AND LIMITED DATA PROCESSING
Members of the Trust will only be asked to provide information that is relevant for membership purposes. This will include:
Name.
Postal address.
Email address.
Telephone number.
Gift Aid entitlement.
Where additional information may be required, this will be obtained with the specific consent of the member who will be told why this information is required and the purpose that it will be used for.
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement or other agencies without the consent of the data subject. Under these circumstances, the Trust will disclose requested data.
ACCURACY OF DATA AND KEEPING DATA UP TO DATE
The Trust has a responsibility to ensure members' information is kept up to date. Members will be asked to let the membership secretary know if any of their personal information changes. In addition, annually, the membership renewal forms will provide an opportunity for members to resubmit their personal information and reconfirm their consent for the Trust to communicate with them.
ACCOUNTABILITY AND GOVERNANCE
The Trustees are responsible for ensuring that the Trust remains compliant with data protection requirements. The Trustees will review data protection and who has access to information regularly as well as reviewing what data is held.
SECURE PROCESSING
The Trustees have a responsibility to ensure that data is both securely held and processed. This will include:
Restricting access to, and sharing of, member information to those who need to communicate with members regularly.
Using password protection on laptops and PCs that contain or access personal information.
Using password protection or secure cloud systems when sharing data between authorised users.
SUBJECT ACCESS REQUEST
Members are entitled to request access to the information that is held by the Trust. This needs to be a written request to the Membership Secretary. The request will be formally acknowledged and dealt with within 14 days unless there are exceptional circumstances why the request cannot be granted. The Trust will provide a written response detailing all information held on the member. A record shall be kept of the date of the request and the date of the response.
DATA BREACH NOTIFICATION
Were a data breach to occur, action shall be taken to minimise the harm by ensuring all Trustees are aware that a breach has taken place and how the breach occurred. The Trustees shall then seek to rectify the cause of the breach as soon as possible to prevent any further breaches. The Trustees shall also contact the relevant members to inform them of the data breach and actions taken to resolve the breach.
If a member feels that there has been a breach by the Trust, a Trustee will ask the member to provide an outline of their concerns. This will need to be in writing either with an email or a letter detailing their concern. Trustees who are not in any way implicated in the breach will then investigate the concern. Breach matters will be subject to a full investigation, records will be kept and all those involved notified of the outcome.
Policy review date: 25 May 2020