SHREWSBURY CIVIC SOCIETY TRUST LIMITED (Data Protection Policy)
The Scope of the Policy
Reasons for this Policy
This data protection policy ensures that Shrewsbury Civic Society Trust Limited:
- Complies with data protection law and follows good practice.
- Protects the rights of its members and clients.
- Is open about how it stores and processes members’ data.
- Protects itself from the risks of a data breach.
General Guidelines for Council of Management and Non-Trustee Officers
In this instance, Council of Management Officers shall mean those who have been elected to COM by means of a vote at an Annual General Meeting or who have been co-opted onto COM for a specific time period or purpose. COM Officers may also be referred to as trustees.
Non-Trustee Officers are those with a specific responsibility, such as Shop Manager, who may not be a COM member, or those who sit on various subcommittees for specific purposes but are not COM members.
The only people able to access data covered by this policy should be those who need to communicate with or provide a service to Shrewsbury Civic Society Trust Limited members and clients, i.e. data controllers and data processors.
The data controllers shall be the Chair and the IT Manager of Shrewsbury Civic Society Trust Limited, who may delegate on a case-by-case basis some data processing to others, henceforth to be known as data processors.
Shrewsbury Civic Society Trust Limited undertakes to provide suitable induction training to any authorised officer to help them understand their responsibilities when handling data.
Any officer authorised to control or process data should keep all data secure by taking suitable precautions and following the guidelines stated below.
- Strong passwords must be used and should never be shared.
- Data must not be shared outside of Shrewsbury Civic Society Trust Limited unless with prior consent and/or for specific and agreed reasons. An example of these latter reasons would be Gift Aid information provided to HMRC.
With regard to the membership and client databases, information held on such databases must be refreshed periodically to ensure accuracy. This can be done via the membership renewal process or when policy changes.
Guidance from relevant third parties, such as the Charity Commission, will be followed where uncertainties or incidents regarding data protection arise.
Data Protection Principles
The GDPR identifies key data protection principles:
- Principle 1: Personal data shall be processed lawfully, fairly and in a transparent manner.
- Principle 2: Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archival purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
- Principle 3: The collection of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Principle 4: Personal data held should be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that any inaccurate personal data are erased or rectified without delay.
- Principle 5: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
- Principle 6: Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Lawful, Fair and Transparent Data Processing
Shrewsbury Civic Society Trust Limited requests personal information from members, potential members and other interested parties in order to manage membership, membership applications and the dissemination of communications about their involvement or potential involvement with the society. The lawful basis for obtaining member information is the contractual relationship that Shrewsbury Civic Society Trust Limited has with its individual members and clients. All members and clients will be asked to provide consent for specific processing purposes. Members will be informed as to who they need to contact should they wish that their data not be used for specific purposes for which they have previously provided consent. Where these requests are received they will be acted upon promptly and the member or client informed as to when the action has been taken.
Processed for Specified, Explicit and Legitimate Purposes
Members and clients will be informed as to how their information will be used and COM will seek to ensure that member or client information is not used inappropriately. Appropriate use of information provided by members or clients will include but is not limited to:
- Communicating with members and clients about society events and activities.
- Communicating with members or clients about membership issues, renewal of membership or joining as a member.
- Communicating with members or clients about specific issues that have arisen during the course of their association with the society.
- Sending information to members or clients about offers and events provided by the society that may be of interest to them.
Consent will also be sought in order to notify member details to the sister organisation of the society, Shrewsbury Historica, for direct mailing of offers and events.
Shrewsbury Civic Society Trust Limited will not share personal data with any other third party.
Shrewsbury Civic Society Trust Limited will ensure that members’ information is managed in such a way as not to infringe on an individual member’s rights, which include:
- The right to be informed.
- The right of access to information.
- The right to rectification of information.
- The right to erasure of information.
- The right to restrict data processing.
- The right to data portability.
- The right to object.
Adequate, Relevant and Limited Data Processing
Members and clients of Shrewsbury Civic Society Trust Limited will only be asked for information that is relevant to communication or the sending of information as outlined above, viz.:
- Postal Address
- Email Address
- Type of Membership (if applicable)
- Gift Aid entitlement
- Telephone number(s)
Where additional information may be required, such as health related information, this will only be obtained with the consent of the member who will be informed as to why this information is required and the purpose for which it will be used. Where an activity is organised that requires next-of-kin information to be provided, a legitimate interest assessment will have been completed before requesting this information. Members or clients will be made aware that the assessment has been completed.
Photographs are classified as personal data. Where group photographs are taken, members or clients will be asked to step out of shot if they do not wish to be in the photograph. Members or clients who submit photographs for publication in any publication by Shrewsbury Civic Society Trust Limited, including electronic publications, must have obtained the consent of individuals featured in the photographs. Should a member or client wish at any time to remove their consent and have their photograph removed then they should contact the society to advise that they no longer wish their photograph to be displayed.
Accuracy of Data and Keeping Data Up-to-date
Whilst Shrewsbury Civic Society Trust Limited has a responsibility to ensure that member and client information is kept up-to-date, members and clients also have a responsibility to keep their personal information up-to-date by informing the society of any changed personal information.
Accountability and Governance
Responsibility for ensuring that Shrewsbury Civic Society Trust Limited remains compliant with data protection requirements, and for evidencing that it has done so, lies with COM. Where consent is required for specific purposes then evidence of this consent, either electronic or paper, will be obtained and retained securely. New members or clients will need to grant consent to the society for issues of communication or the sending of information, and the society will inform them of how they can read the full policy of the society. COM will regularly review data protection and who has access to information, as well as what information is held. When COM members relinquish their roles, they will be asked either to pass on the data to those who need it and/or delete data.
Trustees of Shrewsbury Civic Society Trust Limited have a responsibility to ensure that data is both securely held and processed. This will include:
- Relevant COM members using strong passwords.
- Relevant COM members not sharing passwords.
- Restricting access to data to those trustees or non-trustee officers who need it to communicate with members or clients.
- Using password protection on devices that contain personal information.
- Using password protection or secure cloud systems when data needs to be shared.
- Ensuring firewall protection is active and up-to-date on society devices or on relevant trustee devices.
Subject Access Request
Members and clients of Shrewsbury Civic Society Trust Limited are entitled to request access to the information it holds that relates to them. The request needs to be in the form of a written request to the society. On receipt of the request, it will be formally acknowledged and dealt with expeditiously, normally within a month, unless there are exceptional circumstances as to why the request cannot be granted. Shrewsbury Civic Society Trust Limited will provide a written response detailing all information held on the member. A record shall be kept of the date of the request and the date of the response.
Data Breach Notification
Were a data breach to occur, action shall be taken to minimise the harm. This will include ensuring that all members and clients are made aware that a breach has taken place and how the breach occurred. COM shall then seek to rectify the cause of the breach as soon as possible to prevent any further breaches.
Where a member or client feels that a data breach has occurred, they should notify a trustee and provide an outline of the breach. If the initial contact is by telephone, the trustee will then ask the member or client to follow this up with an email or letter detailing their concern. The alleged breach will then be investigated by a trustee who is not in any way implicated in the alleged breach.
Availability and Changes to this Policy
This policy is available for download from the website of Shrewsbury Civic Society Trust Limited (www.shrewsburycivicsociety.co.uk) or can be sent to a member or client individually upon request. This policy may be amended periodically, and if this occurs, we will make members and clients aware via our website, the society magazine or the monthly newsletter.
If you have any queries about this policy, need it in an alternative format or have any issue with or concern about our data protection policies, please contact us at email@example.com or write to us.