As a voluntary organisation, we take our responsibilities very seriously. For this reason, we have become fully compliant with data protection under the new General Data Protection Regulation that came into effect on 25th May 2018. Here is how we collect, use and store all personal information.
Aim: To help our committee members, street representatives and members confirm what counts as personal information.
“Personal information” is anything that either identifies someone on its own or would identify someone when it’s combined with other information. This includes:
- Email addresses
- Postal addresses
- Phone numbers
- Social media accounts
If someone deliberately misuses personal data, they can be personally prosecuted and fined by the Information Commissioner’s Office.
When will I encounter personal information?
As a community association that brings people together to take action, we come into contact with people’s information in lots of different ways, such as:
- Collecting email addresses at meetings
- Taking photos at events
Information is a very valuable asset – without it, we wouldn’t be able to build our association.
But we will make sure it’s protected. If we collect, hold or use someone’s information, we must do it safely and securely. We are trusted with their information, so we need to treat it right!
Definition of the General Data Protection Regulation (GDPR)
The GDPR came into effect on 25th May 2018, replacing the Data Protection Act 1998. It enhances people’s right to have their data protected.
It contains six key principles about how their data should be used. It should be:
(a) Processed lawfully, fairly and transparently
(b) Collected for specified, explicit and legitimate purposes and not further processed in an incompatible way
(c) Adequate, relevant and limited to what is necessary for the purpose for which it is processed
(d) Accurate and where necessary kept up-to-date
(e) Kept in a form which permits identification of data subjects for no longer than is necessary
(f) Kept in a manner which ensures the security of information
As well as following the principles, the GDPR also requires organisations to demonstrate how they are complying with them.
- Before doing anything, give thought to what data is needed and why, and avoid collecting more than is required.
- Make it clear who is collecting and managing the data.
- Explain why the information is being collected, how it is intended to be used, and anything else someone would need to know in order to decide whether to give you their data.
- If someone doesn’t consent to giving you their data, you must not use it.
Moving and storing information
- If we collect information on paper, we make sure it is safely stored.
- Access to any information is only for those who need to know it. For example, on a shared computer, it would be password-protected.
- There is only one file, with a protected backup.
- Information is only used for the purpose for which it was given. For example, if someone gave you their email address to receive flyers etc., it will not be used to send out a different e-newsletter.
- If we want to use someone’s information for another purpose, we will get their consent first.
- When sending an email to a large number of people at once, we may use blind copy (“BCC”) to keep email addresses private. Remember, recipients may not have consented to their address being shared with others.
- We will only keep someone’s information for as long as we need to. If they move on or stop being involved, we will delete it.
- If someone asks you to delete their information (for example, they no longer want to receive an e-newsletter), do so immediately and inform the Committee.
- When using email, don’t forget about “sent” items. Sent folders will be regularly reviewed, and emails that include someone’s data will be deleted.
Denice Gately, Chair of Goffs Oak Community Association/17th June 2018