Scope of the policy
Why this policy exists
This data protection policy ensures that the Ivor Gurney Society:
- complies with data protection law and follows good practice
- protects the rights of members / clients
- is open about how it stores and processes members’ / clients’ data
- protects itself from the risks of a data breach
General guidelines for committee members
The only people able to access data covered by this policy should be those who need to communicate with or provide a service to the Ivor Gurney Society members / clients.
The Ivor Gurney Society will provide induction training to committee members to help them understand their responsibilities when handling data.
Committee Members should keep all data secure, by taking sensible precautions and following the guidelines below.
Strong passwords must be used and they should never be shared.
Data should not be shared outside of the Ivor Gurney Society unless with prior consent and/or for specific and agreed reasons.
Member information should be refreshed periodically to ensure accuracy, via the membership renewal process or when policy is changed.
Data protection principles
The General Data Protection Regulation identifies key data protection principles:
- Principle 1 – Personal data shall be processed lawfully, fairly and in a transparent manner
- Principle 2 – Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
- Principle 3 – The collection of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Principle 4 – Personal data held should be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- Principle 5 – Personal data must kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for the which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
- Principle 6 – Personal data must be processed in accordance a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The Ivor Gurney Society requests personal information from potential members and existing members for membership applications and for sending communications. The forms used to request personal information will contain a privacy statement informing potential members and existing members why the information is being requested and what the information will be used for. The lawful basis for obtaining member information is due to the contractual relationship that the Ivor Gurney Society has with individual members. In addition members will be asked to provide consent for specific processing purposes. Ivor Gurney Society members will be informed whom they need to contact should they wish their data not to be used for specific purposes for which they have provided consent. Where these requests are received they will be acted upon promptly and the member will be informed when the action has been taken.
Processed for specified, explicit and legitimate purposes
Members will be informed how their information will be used and the Committee of the Ivor Gurney Society will seek to ensure that member information is not used inappropriately. Appropriate use of information provided by members will include:
- Communicating with Ivor Gurney Society members about Ivor Gurney Society events and activities
- Communicating with Ivor Gurney Society members about their membership and/or renewal of their membership
The Ivor Gurney Society will ensure that Ivor Gurney Society members’ information is managed in such a way so that an individual member’s rights are not infringed, which include:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
Adequate, relevant and limited data processing
Members of Ivor Gurney Society will only be asked to provide information that is relevant for membership purposes. This will include:
- Postal address
- Email address
- Telephone number
Photographs are classified as personal data. Where group photographs are being taken Ivor Gurney Society members will be asked to step out of shot if they do not wish to be in the photograph. Otherwise consent will be obtained from Ivor Gurney Society members in order for photographs to be taken and members will be informed where photographs will be displayed. Should an Ivor Gurney Society member wish at any time to remove his/her consent and to have his/her photograph removed then he/she should contact webmanager -at- ivorgurney -dot- co -dot- uk to request that the photograph should not be displayed.
Accuracy of data and keeping data up-to-date
The Ivor Gurney Society has a responsibility to ensure that Ivor Gurney Society members’ information is kept up to date. Ivor Gurney Society members will be advised to let the membership secretary know if any of their personal information changes. In addition, on an annual basis, the membership renewal process will provide an opportunity for Ivor Gurney Society members to inform the Ivor Gurney Society about any changes in their personal information.
Accountability and governance
The Ivor Gurney Society Committee is responsible for ensuring that the Ivor Gurney Society remains compliant with data protection requirements and can evidence that it has been so. Where consent is required for specific purposes then evidence of this consent (either electronic or paper) will be obtained and retained securely. The Ivor Gurney Society Committee will ensure that new members joining the Committee receive an induction into the requirements of GDPR and the implications for their role. The Committee will review data protection and review who has access to information on a regular basis as well as reviewing what data is held. When Committee Members relinquish their roles, they will be asked to either pass on data to those who need it and/or delete data.
The Ivor Gurney Society Committee Members have a responsibility to ensure that data is both securely held and processed. This will include:
- committee members using strong passwords
- committee members not sharing passwords
- restricting access of sharing member information to those on the Committee who need to communicate with members on a regular basis
- using password protection on laptops and PCs that contain personal information
- using password protection or secure cloud systems when sharing data between committee members
- paying for firewall security to be put onto Committee Members’ laptops or other devices
Subject Access Request
Ivor Gurney Society members are entitled to request access to the information that is held by Ivor Gurney Society. The Ivor Gurney Society website enables a member to use a personal login in order to do so. Alternatively a written request can be sent to the Membership Secretary of Ivor Gurney Society. On receipt of the request, the request will be formally acknowledged and dealt with expediently (the legislation requires that information should generally be provided within one month) unless there are exceptional circumstances as to why the request cannot be granted. The Ivor Gurney Society will provide a written response detailing all information held on the Ivor Gurney Society member. A record shall be kept of the date of the request and the date of the response.
Data Breach Notification
Were a data breach to occur, action shall be taken to minimise the harm. This will include ensuring that all Ivor Gurney Society Committee members are made aware that a breach has taken place and how the breach occurred. The Committee shall then seek to rectify the cause of the breach as soon as possible to prevent any further breaches. The Committee shall also contact the relevant Ivor Gurney Society members to inform them of the data breach and actions taken to resolve the breach.
Where an Ivor Gurney Society member feels that there has been a breach by the Ivor Gurney Society, a committee member will ask the Ivor Gurney Society member to provide an outline of the breach. If the initial contact is by telephone, the committee member will ask the Ivor Gurney Society member to follow this up with an email or a letter detailing their concern. The alleged breach will then be investigated by members of the committee who are not in any way implicated in the breach. Breach matters will be subject to a full investigation, records will be kept and all those involved notified of the outcome.
This Policy dated 06/05/2018