Carlisle Diocese Mothers’ Union Data Protection Policy - June 2020
1. Introduction
1.1 This Policy sets out the obligations of Carlisle Diocese Mothers’ Union (CDMU) regarding data protection and the rights of donors, members, beneficiaries and suppliers (“data subjects”) in respect of their personal data under the General Data Protection Regulation (GDPR). GDPR changes how individuals and organisations may handle the personal information of the public. GDPR also strengthens the rights of individuals and gives them more control over their information.
1.2 This Policy sets out the procedures that are to be followed when dealing with personal data. The procedures and principles set out herein must be followed at all times by the charity, its employees, volunteers, agents, contractors, or other parties working on behalf of the charity.
1.3 Definitions
- Personal Data: any information relating to an identified or identifiable person
- Data Subject: The individual (member, donor, beneficiary or supplier) whose personal data is being processed
- Identifiable Person: Someone who can be identified, directly or indirectly
- Responsible person: Takes responsibility for Carlisle Diocese Mothers’ Union ongoing compliance with this policy
- Data Manager: Manages the data on behalf of CDMU and MSH.
1.4 The CDMU is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.
2. The Data Protection Principles
This Policy aims to ensure compliance with GDPR. GDPR sets out the following principles, with which any party handling personal data must comply:
Principle 1: Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
Principle 2: Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
Principle 3: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
Principle 4: Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay.
Principle 5: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
Principle 6: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Principle 7 (accountability): The controller shall be responsible for, and be able to demonstrate compliance with, the principles above.
3. Data Processing by External Suppliers
4. Consent (download pdf copy from our resources page for consent forms)
4.1 Consent is not required for members’ data to be held by the CDMU, or for the CDMU to communicate with members about its own activities; the lawful basis for this is ‘legitimate interests’. The CDMU will not communicate with any individual where the marketing of appeals or products is the primary purpose of the communication unless consent has been obtained first.
4.2 Explicit consent is required when collecting images, video and other material for external marketing purposes. Consent will also be sought when non-members ask for information or to be added to mailing lists.
4.3 Consent means any indication by the data subject that he or she agrees to their personal data being processed. Consent must be given freely, without duress; it must be specific, informed and unambiguous; and it must be given by the data subject either by way of a statement or through clear, affirmative action on his or her part. Silence, pre-ticked boxes or inactivity do not constitute consent.
4.4 For the processing of personal data of children under the age of 16, CDMU requires additional consent from the person who has parental responsibility for the child, recorded on the Parental Consent Form (see Appendix 1b). CDMU must be able to demonstrate that this additional consent has been given and that it has made reasonable efforts, including the use of available technology, to verify that the claim of parental responsibility is genuine.
5. Retention Procedure
Role | Responsibility
---|---
Data Owner | To ensure that the collection, retention and destruction of all personal data by each branch is carried out according to the requirements of the GDPR, including Permission to Share Details (Appendix 5).
Treasurer | 1: To ensure that all financial records, including accounting and tax records, are retained for no longer than 7 years. 2: To ensure that all other relevant statutory and regulatory records are retained for their statutory limitation periods. 3: To ensure that the data of lapsed donors is not kept beyond the 7-year tax audit period.
Health and Safety Officer | To ensure that all Health and Safety records are retained in accordance with MU’s Public Liability Insurance policy (normally 40 years).
Diocesan President | To ensure that all HR records are retained for no longer than 6 years in total.
Communications Coordinator: Diocesan Secretary | Consent to receive communications should be refreshed every 2 years, other than consent already obtained to use photographs and video footage.
6. Data Breach
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Carlisle Diocese Mothers’ Union shall promptly assess the risk to people’s rights and freedoms and, where the breach is likely to result in a risk to those rights and freedoms, report it to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to individuals, the affected data subjects shall also be informed without undue delay. A record of every breach shall be kept whether or not it is reported to the ICO. CDMU is required to provide the following to the supervisory authority in the case of a data breach:
- A description of the nature of the personal data breach.
- The categories of personal data that have been affected by the breach.
- The number, which may be approximated if necessary, of data subjects affected by the breach.
- The number, which may be approximated if necessary, of personal data records affected by the breach.
- The name and contact details of the Data Owner.
- The likely outcomes of the personal data breach.
- Any measures taken by MU to address and/or mitigate the breach.
- All other relevant information regarding the data breach.
7. General Training
8. Privacy Impact Assessment
A further PIA should be carried out whenever any of the following applies:
- When setting up a new IT system.
- When new legislation, policies or related matters affecting privacy, are developed.
- When launching a data sharing initiative; and/or
- When personal data is used for new purposes.
(Download a pdf copy from our resources page and see Appendix 2 for the PIA form and an example of a completed PIA.)
9. Fair Processing Procedure and the Data Subjects Rights
The Fair Processing Notice must set out the rights of data subjects in respect of their personal data, including but not limited to:
- The right to access personal information
- The right to withdraw consent
- The right to amend personal data
- The right to request that personal data be permanently deleted.
- The right to restrict processing; and
- The right to raise an official complaint with the relevant authority.
(Download a pdf copy from our resources page and see Appendix 4 for the Subject Access Request form and procedure.)
10. Keeping Data Subjects Informed
MU shall ensure that the following information is provided – by reference to this Data Protection Policy – to every data subject when personal data is collected:
10.1 The information comprises:
- The identity and contact details of CDMU.
- The purpose(s) for which the personal data is being collected and will be processed and the legal basis justifying that collection and processing.
- Details of the length of time the personal data will be held by CDMU (or, where there is no predetermined period, details of how that length of time will be determined);
- Details of the data subject’s rights under GDPR.
- Details of the data subject’s right to withdraw their consent to the CDMU’s processing of their personal data at any time.
10.2 The information set out above shall be provided to the data subject at the following applicable times:
- Where the personal data is obtained from the data subject directly, at the time of collection.
- Where the personal data is not obtained from the data subject directly (i.e. from another party), at the earliest of:
  - the time of the first communication with the data subject;
  - the time the personal data is first disclosed to another recipient; or
  - in any event, within a reasonable period and not more than one month after the MU obtains the personal data.
11. Data Protection Measures
11.1 Carlisle Diocese Mothers’ Union shall ensure that personal data is stored securely using modern software that is kept up to date. Any paper records shall be kept locked away. (Download a pdf copy from our resources page and see Appendix 6 for data protection measures.)
11.2 Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
11.3 When personal data is deleted this shall be done securely so that the data is irrecoverable: paper records should be shredded rather than simply discarded, and electronic records should be securely erased rather than only moved to a recycle bin, with any copies held in backups also removed or allowed to expire.
11.4 Appropriate back-up and disaster recovery solutions shall be in place.
11.5 A summary of these measures is provided in the CDMU’s “GDPR at a glance for Deanery and Branch leaders”. (Download a pdf copy from our resources page and see Appendix 6.)
12. Organisational Measures
CDMU shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:
- All employees, volunteers, agents, contractors, or other parties working on behalf of CDMU shall be made fully aware of both their individual responsibilities and the Charity’s responsibilities under the Regulation and under this Policy, and shall be provided with a copy of this Policy;
- Only employees, volunteers, agents, sub-contractors, or other parties working on behalf of CDMU that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by CDMU;
- All employees, volunteers, agents, contractors, or other parties working on behalf of CDMU handling personal data will be appropriately trained to do so.
- All employees, volunteers, agents, contractors, or other parties working on behalf of CDMU handling personal data will be appropriately supervised.
- Methods of collecting, holding and processing personal data shall be regularly evaluated and reviewed.
- The performance of those employees, volunteers, agents, contractors, or other parties working on behalf of CDMU handling personal data shall be regularly evaluated and reviewed.
- All employees, volunteers, agents, contractors, or other parties working on behalf of CDMU handling personal data will be bound by contract to do so in accordance with the principles of GDPR and this Policy.
- All volunteers, agents, contractors, or other parties working on behalf of CDMU handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those applying to the relevant employees and volunteers of CDMU under this Policy and GDPR;
- Where any volunteer, agent, contractor or other party working on behalf of CDMU handling personal data fails in their obligations under this Policy, that party shall indemnify and hold harmless CDMU against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
13. Implementation of Policy
This Policy shall be deemed effective as of 3rd June 2020. It has no retroactive effect and applies only to matters occurring on or after that date.
This GDPR Policy should be reviewed annually by CDMU at the October Diocesan Council Meeting.