Data Protection Policy
Scope of the policy
This policy applies to the work of The Arthur Bliss Society. The policy sets out the requirements that The Arthur Bliss Society has to gather information for membership purposes.
The policy details how personal information will be gathered, stored and managed in line with data protection principles and the Data Protection Act (2018).
The policy is reviewed on an ongoing basis by The Arthur Bliss Society trustees to ensure that we are compliant.
This policy should be read in tandem with The Arthur Bliss Society’s Privacy Policy.
Why this policy exists
This data protection policy ensures that The Arthur Bliss Society:
complies with data protection law and follows good practice
protects the rights of members
is open about how it stores and processes members data
protects itself from the risks of a data breach
General guidelines for trustees and group leaders
The only people able to access data covered by this policy should be those who need to communicate with or provide a service to the The Arthur Bliss Society members. The Arthur Bliss Society will ensure that trustees understand their responsibilities when handling data.
Trustees should keep all data secure, by taking sensible precautions and following the guidelines below.
Strong passwords must be used and they should never be shared.
Data protection principles
The General Data Protection Regulation identifies key data protection principles:
Principle 1 – Personal data shall be processed lawfully, fairly and in a transparent manner
Principle 2 – Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
Principle 3 – The collection of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Principle 4 – Personal data held should be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate,
having regard to the purposes for which they are processed, are erased or rectified without delay
Principle 5 – Personal data must kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for the which the personal data are processed
Principle 6 – Personal data must be processed in accordance a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Data processing must be transparent. lawful and fair.
The Arthur Bliss Society requests personal information from potential members and members for membership applications and for sending communications. The forms used to request personal information will contain a privacy statement informing potential members and members as to why the information is being requested and what the information will be used for.
The lawful basis for obtaining member information is due to the contractual relationship that the Arthur Bliss Society has with individual members.
Members will be informed as to how their information will be used and the Committee of The Arthur Bliss Society will seek to ensure that member information is not used inappropriately. Appropriate use of information provided by members will include:
Communicating with The Arthur Bliss Society members about The Arthur Bliss Society events and activities
Communicating with The Arthur Bliss Society members about their membership and/or renewal of their membership
The Arthur Bliss Society will ensure that The Arthur Bliss Society members’ information is managed in such a way as to not infringe an individual Arthur Bliss Society members’ rights which include:
the right to be informed
the right of access
the right to rectification
the right to erasure
the right to restrict processing
the right to data portability
the right to object
Adequate, relevant and limited data processing
Members of The Arthur Bliss Society will only be asked to provide information that is relevant for membership purposes. This will include:
Name
Postal address
Email address
Telephone number
Accuracy of data and keeping data up-to-date
The Arthur Bliss Society has a responsibility to ensure The Arthur Bliss Society members’ information is kept up to date. The Arthur Bliss Society Members will be informed that they should let the Membership Secretary know if any of their personal information changes. In addition, on an annual basis, the membership renewal process will provide an opportunity for The Arthur Bliss Society members to inform The Arthur Bliss Society about any changes to their personal information.
Accountability and governance
The The Arthur Bliss Society Committee is responsible for ensuring that it remains compliant with data protection requirements and can evidence that it has.
The Arthur Bliss Society Committee will ensure that new members joining the Committee receive information about the requirements of the DPA and the implications for their role.
Secure Processing
The Arthur Bliss Society trustees have a responsibility to ensure that data is both securely held and processed. This will include:
trustees using strong passwords
trustees not sharing passwords
restricting access of sharing member information to those on the Committee who need to communicate with members on a regular basis
using password protection on laptops and PCs that contain personal information
using password protection or secure cloud systems when sharing data between trustees
paying for firewall security to be put onto trustees’ laptops or other devices
Subject Access Request
The Arthur Bliss Society members are entitled to request access to the information that is held by The Arthur Bliss Society.
The request needs to be received in the form of a written request to the Membership Secretary of The Arthur Bliss Society. On receipt of the request, the request will be formally acknowledged and dealt with expediently (the legislation requires that information should generally be provided within one month) unless there are exceptional circumstances as to why the request cannot be granted.
The Arthur Bliss Society will provide a written response detailing all information held on the The Arthur Bliss Society member.
A record shall be kept of the date of the request and the date of the response.
Data Breach Notification
Were a data breach to occur, action shall be taken to minimise the harm. This will include ensuring that all The Arthur Bliss Society trustees are made aware that a breach has taken place and how the breach occurred. The Committee shall then seek to rectify the cause of the breach as soon as possible to prevent any further breaches and where necessary, the Information Commissioner’s Office would be notified. The Committee shall also contact the relevant members to inform them of the data breach and actions taken to resolve the breach.
Where a The Arthur Bliss Society member feels that there has been a breach by The Arthur Bliss Society, a committee member will ask the The Arthur Bliss Society member to provide an outline of the breach. If the initial contact is by telephone, the committee member will ask the The Arthur Bliss Society member to follow this up with an email or a letter detailing their concern. The alleged breach will then be investigated by members of the committee who are not in any way implicated in the breach.
Breach matters will be subject to a full investigation, records will be kept and all those involved notified of the outcome.