Privacy Policy

Gisborough Priory Project Data Protection Policy and Procedure

Data Protection Policy

The Data Protection Policy incorporates the Data Security Policy and Privacy Policy

Gisborough Priory Project holds and protects all personal information (data) in line with the Data Protection Principles listed below, as required by the General Data Protection Regulations, May 2018.

Data protection principles

Schedule 1 of the Data Protection Act lists the data protection principles in the following terms:

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless

    (a) at least one of the conditions in Schedule 2 of the Data Protection Act (The right to collect and hold data) is met, and

    (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 of the Data Protection Act (The right to collect and hold sensitive data) is also met.

  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Data Protection Procedures

Definitions:

Data Controller – Person who is responsible for controlling the data (personal information)

Data Protection Officer – Person who is responsible for ensuring the data is protected

Data Processor – Person who collects and uses the data

The Data Controller and Data Processors are individually responsible for the management of the personal data they hold in line with this Policy.

Details of the current Data Controller, Data Protection Officer and Data Processors are to be found in Appendix A, Section 1.

Once a person has given their personal data to Gisborough Priory Project (GPP), having read and agreed to the terms and conditions under which their data is held, that personal data can be used and shared by the Board and Volunteer Supervisors of GPP without further permission being sought, but will not be shared with any other third party without permission.

1 Processing data fairly and lawfully.

The personal data of volunteers, members or people who we deal with is not given out to anyone outside of GPP (see Appendix Section 2, Action Point 1). This data is shared with the Board Members of GPP, other GPP personnel and others required by law, as applicable.

Consent to GPP holding data is given when anyone completes a volunteer and / or membership form. The forms state that completing them means giving consent to hold and use their personal data in line with the GPP Data Protection Policy. Where volunteers have already completed a form, their consent is requested and noted. Consent to GPP holding data on people who we deal with is noted when they agree to this (see Appendix Section 2, Action Point 2).

2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

Volunteer data is collected as a requirement for becoming a volunteer and is used by GPP to keep volunteers updated with information that they need to know as a volunteer of GPP.

Member data is collected as a requirement for becoming a member and is used by GPP for matters relating to being a member, including receiving a members' newsletter, allowing voting at a GPP AGM or Special General Meeting, and confirming member benefits through the issuing of a membership card.

GPP collects data on the people we deal with to aid the work of the organisation.

3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

GPP collects the minimum data needed to meet the specified and lawful purposes outlined in item 2 above.

4 Personal data shall be accurate and, where necessary, kept up to date.

Volunteer and Member data is updated annually. Where a Volunteer and / or Member needs to update their data between the annual updates due to a change of circumstances, volunteers need to inform the Volunteer Coordinator and members the Company Secretary. Personal information will be updated within 14 days of receiving it.

Data on people we deal with is updated when we are informed. When we stop dealing with a specific person and / or organisation, we delete that data and update the records with the data of the new relevant person and / or organisation, where that is appropriate.

5 Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

Volunteers and Members are contacted annually to confirm that they still want to be volunteers and / or members and to update their personal data. If they have not replied within 8 weeks of being contacted, their personal data is destroyed.

Data we hold on other people that we deal with will be kept for as long as we deal with that person. However, specific data that only relates to a specific event will be deleted once that event has finished and any necessary admin has been completed (see Appendix A, Action Point 3).

Financial data, e.g. Gift Aid applications, will be kept in accordance with HMRC requirements.

Records of Accidents will be kept for 3 years in line with the personal injury claim time frame.

When we stop dealing with a specific person and / or organisation, we delete that data and update the records with the data of the new relevant person and / or organisation, where that is appropriate.

If the person whom we hold data on wants GPP to remove it, the Data Controller will inform the relevant Data Processor(s), who will remove it within 28 working days and inform all Data Processors so they can update their information.

6 Personal data shall be processed in accordance with the rights of data subjects under this Act.

Volunteers, Members and others we collect data about have the following rights over their data:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

Where anyone requests any of the above rights, GPP will respond within 28 working days. GPP does not hold data that needs to be portable and does not use it to make automated decisions or for profiling. All requests should be made to the Data Controller; however, either the most relevant Data Processor or the Controller can action the request.

7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

All personal data held on a PC, laptop, iPad or similar device is held securely and is password protected.

All personal data held on paper is held in a securely locked filing cabinet or safe.

Volunteer and Membership data held in Box is only accessible to GPP Board members.

Data Processors are kept informed about what they can legally process and destroy and undergo training where necessary.

This is dealt with in detail in the Security Policy below.

8 Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Data Security Policy

The Data Controller is responsible for the implementation of the Data Security Policy in relation to all personal data held by GPP, with the exception of CCTV, where the CCTV Controller is responsible.

The Data Controller will review the implementation of information security on an annual basis.

The Data Controller records who holds records, what records they hold and how they are stored using the data map flowchart.

Access to Data

Board members have access to all personal data, and volunteer supervisors have access to the data that is relevant to them.

Access to personal data by any unauthorised person is prohibited.

Data cannot be processed by a third party without permission of the person whose data needs to be processed.

Storage and Security of Data

The Data Controller has a list of all Data processors and how they store their data.

All personal data is stored securely whether this is on paper or on a computer.

Personal data held on paper will be stored in a locked filing cabinet or similar.

Personal data held on computer is password protected, and data held in Box can only be accessed by Board members who have a link to it. All devices which hold personal data will have anti-malware and firewall protection.

All devices which hold personal data are routinely backed up.

All devices are updated with the latest security patches.

GPP is working towards a Business Continuity Plan to mitigate the effect of any untoward incidents.

Destruction of Personal Data.

Where personal data is held on paper, this will be destroyed using a cross-cut shredder. Where data is held on a computer or other device, it will be deleted.

Volunteers and Members are contacted annually to confirm that they still want to be volunteers and / or members and to update their personal data. If they have not replied within 8 weeks of being contacted, their personal data is destroyed.

Data we hold on other people that we deal with will be kept for as long as we deal with that person. However, specific data that only relates to a specific event will be deleted once that event has finished and any necessary admin has been completed (see Appendix Section 2, Action Point 3).

Financial data, e.g. Gift Aid applications, will be kept in accordance with HMRC requirements.

Records of Accidents will be kept for 3 years in line with the personal injury claim time frame.

When we stop dealing with a specific person and / or organisation, we delete that data and update the records with the data of the new relevant person and / or organisation, where that is appropriate.

Complaints and Security Breach

Volunteers, members and those people who we deal with have the right to complain should they think that GPP has mishandled their personal data. Complaints should be made in the first instance to the Data Protection Officer, who will investigate and respond to that complaint within 30 days of receiving it. Should volunteers, members and those people who we deal with be unhappy with the way their complaint has been dealt with, they can then raise their complaint directly with the Information Commissioner’s Office.

Where a person’s data has been compromised and they are not aware of it, they will be informed by the Data Controller. Any breach of personal data that is reported to the Data Controller will then be reported to the Information Commissioner’s Office.

Privacy Policy

We provide the following privacy information to our volunteers and members on an annual basis, and to people who we deal with when they request it:

The name and contact details of our organisation.

The contact details of our Data Protection Officer/ Data Controller.

The lawful basis for the processing.

The legitimate interests for the processing.

The recipients or categories of recipients of the personal data.

The retention periods for the personal data.

The rights available to individuals in respect of the processing.

The right to withdraw consent.

The right to lodge a complaint with the Data Protection Officer/ Data Controller.

GPP regularly reviews and, where necessary, updates its privacy information.

If GPP plans to use personal data for a new purpose, GPP updates its privacy information and communicates the changes to individuals before starting any new processing.

All Board Members (Trustees) are accountable, and have joint responsibility for compliance with the Data Protection Policy, Data Security Policy and Privacy Policy, the resultant procedures and action points.

This Policy is reviewed annually by the Board. The Appendix and the data mapping are updated as required and checked annually. Changes to the Appendix are made by the Data Controller, who then informs the Board.

Agreed and passed 8 June 2020

Review Date: August 2021

Appendix

Section 1

Data Controllers and Processors

Data Controller / Data Protection Officer: Christine Clarke

Data Processors: Judith Arber, Carol Robinson, Jenny Thomas, Katherine Appleton, Sheila Berry.

Section 2

GDPR Action Points.

Action 1: At GPP events, GPP will display a statement saying ‘GPP may take general photos of this event for use by third parties. Attending this event means that you agree to this. Where photos of specific attendees are taken, individual permission will be sought before distributing them to a third party. GPP cannot be held responsible for members of the public who choose to post their photos on social media and include you in them without your permission.’

2 Consent to GPP holding data on people who we deal with is noted when they agree to this.

Action 2: When someone who we deal with freely gives their contact details, we assume consent to hold and use those details. Where contact lists are held, a note is made that we have consent to hold that data.

Where we approach someone and they give us their details, or their details are publicly available, we assume consent to hold and use those details.

Where a third party holds events at the Priory, we will seek consent to hold their data and note it.

3 Specific data that only relates to a specific event will be deleted once that event has finished and any necessary admin has been completed.

Action 3: At events where third parties are present, GPP may need to hold documentation that relates to that specific event, e.g. insurance certificates. This information will be destroyed once it is no longer needed. Data (contact details) on third parties that attend GPP events will be kept in line with the GPP Data Protection Policy.

Personal data held by Gisborough Priory Project (GPP):

Volunteers' and members' names, addresses, phone numbers (where given), email addresses and other relevant personal information (where given).

Contact details of people that we deal with in the course of meeting our aims and objectives: name, email address, phone number, the company they work for and / or represent (where these details are given), and other relevant information.

Photos and videos.