Data Protection Policy
Privacy and Data Protection Policy [Version 5 22/05/2018]
Sennen Churchtown Hall Committee/Trustees respect personal privacy and realise the importance of personal information security.
This policy sets out the rules on privacy and data protection and the legal conditions that must be satisfied in relation to the obtaining, handling, processing, storage, transportation and destruction of personal information.
The Committee are collectively responsible for ensuring compliance with the General Data Protection Regulation 2018 (GDPR).
Under the GDPR’s accountability principle, Sennen Churchtown Hall Committee (SCTH Committee) has to be able to show how it complies with the data protection principles, i.e. by having effective policies and procedures in place.
- There is no significant charity exemption to data protection or marketing law.
- Volunteers are classed in the same way as employees; they must be trained and equipped to protect data. There is no volunteer exemption.
Any questions or concerns about the operation of this policy (for example, if you consider that the policy has not been followed in respect of personal data held about yourself or others) should initially be raised with the Sennen Churchtown Hall Committee’s Data Protection Officer (see below).
Under GDPR, the Data Protection Principles are condensed into six key areas, which are referred to as the Privacy Principles. These are:
- The Key Areas of Compliance
- There must be a lawful reason for collecting personal data and it must be processed and used in a fair and transparent way.
- Data must only be used for the reason it is initially obtained. (e.g. processing personal data only in order to meet our operational needs or to fulfil legal requirements).
- Only data that is absolutely necessary should be collected.
- Steps must be taken to ensure that personal data is up-to-date and accurate (with procedures in place to ensure it is kept up-to-date at all times).
- Establishing appropriate retention periods for personal data and not keeping it longer than needed.
- Providing adequate security measures to protect personal data.
- These privacy principles are supported by a further principle – accountability. This means that we must not only do the right thing with data but must also show that all the correct measures are in place to demonstrate how compliance is achieved, so that data is collected and used fairly, lawfully and in a transparent way. In this way, we will ensure that data subjects’ rights are appropriately exercised.
In addition, there is also an expectation that Committee members will be trained on data protection.
- The Data Controller and the Data Protection Officer
We, the Sennen Churchtown Hall Committee, are the ‘Data Controller’.
By law we are required to designate someone to take responsibility for data protection compliance.
Therefore, Jane Atkinson is the named person, with the support of the full Committee. Any enquiries can initially be dealt with by the appointed Data Protection Officer.
- Communicating Privacy Information: Privacy Notices
When personal data is collected it is necessary to give people certain information, such as how the Trustees intend to use their information. This is done through a privacy notice. Under the GDPR, when any data is collected, people must be told exactly how their data is to be used, who it might be shared with and how long data is to be kept.
A lawful basis is required for processing personal data under the GDPR. People have a stronger right to have their data deleted where SCTH uses consent as the lawful basis for processing it. We will seek consent on the initial registration as a committee member or as a Friend of Sennen Churchtown Hall.
If any admin work is ever contracted out to an agency or contractor, SCTH are wholly responsible for what they do, unless the personal data has been stolen or otherwise used for their own purposes.
Personal data available in the public domain is still personal data and Data Protection still applies to it.
Under GDPR individuals have new and enhanced rights on the collection, access and deletion of their data. In our setting this means that you have the following rights:
- the right to be informed about what is held and why;
- the right of access to your data;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to object;
- the right not to be subject to automated decision-making, including profiling;
- the right to data portability, which applies:
  - to personal data an individual has provided to a controller;
  - where processing is based on the individual’s consent or for the performance of a contract;
  - when processing is carried out by automated means.
NB: The Trustees have a duty to provide personal data in a structured, commonly used and machine-readable form.
The Data Controller and the Committee will make the necessary decisions about deletion.
Although consent is not needed for every use of personal data, SCTH trustees agree that with consent, any data held is legitimate. (Other reasons are specifically set out in the Data Protection Act and the GDPR.) However, SCTH will not assume consent. They acknowledge that failure to opt out, silence and previous support are not consent.
Consent must be freely given, specific, informed and unambiguous and the reasons for gaining consent must be made clear. At all times there will be a positive opt-in as consent cannot be inferred.
Consent will also be sought separately from other terms and conditions.
For all bookings, for Committee member records and for the Friends of the Hall, there will be a separate opt-in box/option on forms with details on how to withdraw.
Consent can be withdrawn by emailing SCTH or by talking to the Data Protection Officer.
We are obliged to have written arrangements with anybody processing data for us. We will not automatically send or sell personal information to third party organisations. Written data arrangements will be sought with anybody processing data for SCTH trustees, and anyone processing such data must meet their own GDPR compliance obligations. If inaccurate personal data is held and has been shared with another organisation, the Committee must tell the other organisation about the inaccuracy so it can correct its own records.
Anonymous statistical data which includes footfall and hall usage can be shared with third parties.
- Subject Access Requests
There will be no charge for complying with a request.
The Trustees can refuse or charge for requests that are manifestly unfounded or excessive. However, if a request is refused, the Trustees will tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy. This must be done without undue delay and, at the latest, within one month.
Data protection must be incorporated into new initiatives, projects and services at the development stage – not as an afterthought.
- Data Breaches
Procedures must be in place to detect, report and investigate a personal data breach. Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
There is a duty on SCTH to report and investigate certain types of data breach to the Information Commissioner’s Office (ICO), and in some cases, to individuals. The ICO will be notified of a breach where it is likely to result in a risk to the rights and freedoms of individuals (e.g., where it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage). SCTH trustees will notify the ICO within 72 hours of becoming aware of a breach.
Individuals can complain to the Information Commissioner’s Office (ICO) if they think there is a problem with the way the Trustees have handled or are handling personal data. There is a requirement for information to be provided in concise, easy to understand and clear language.
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, those concerned must, in most cases, be notified directly.
- Data Protection by Design and Data Protection Impact Assessments (DPIAs)
The GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. It also makes Privacy Impact Assessments (PIAs) – referred to as ‘Data Protection Impact Assessments’ or DPIAs – mandatory in certain circumstances.
A DPIA is required in situations where data processing is likely to result in high risk to individuals, for example:
– where a new technology is being deployed;
– where a profiling operation is likely to significantly affect individuals;
– where there is processing on a large scale of the special categories of data.
The Trustees can refer to guidance the ICO has produced on PIAs as well as guidance from the Article 29 Working Party; this guidance shows how PIAs can link to other organisational processes such as risk management and project management.
SCTH trustees are aware that they can be fined for non-compliance with GDPR.
Under the GDPR’s accountability principle, the SCTH Committee has to be able to show how it complies with the data protection principles, i.e. by having effective policies and procedures in place.
All data held is treated as highly confidential and is never passed to anyone other than those authorised to handle it.
The data held falls into the following categories:
- The Booking Database
The data required for people hiring the Village Hall
The only personal data needed is the contact information necessary to complete the booking (name, address, telephone and email address).
The information provided by anyone looking to hire the Hall, i.e. the Hirer (or someone acting on their behalf) is required in order to complete the booking. Therefore processing of the personal data is necessary for the performance of the Contract to hire SCTH. We consider the lawful grounds for processing this data under the Data Protection Regulations to be that SCTH is entering a Contract with the individual (in this case the Hirer).
Other notes placed on the Booking may include price confirmation or specific instructions.
When a booking is made, an entry will be made in the Bookings Diary held by the Booking Officer. The details will be the text information entered as a necessary part of the booking and timing information (both the time being booked and the date and time the booking is made). The only information entered in the on-line calendar is the annotation “booked” for the booking date (i.e. anonymous)* – see section c below (Friends of the Hall).
Access to the Booking information is restricted to:
- The Booking Officer, who is permitted to book, amend or cancel for any Hirer;
- Authorised Users representing specific Groups, who are permitted to book, amend and cancel bookings for their own Group;
- The Trustees (Management Committee Members), who are able to view all the data, whereas those representing specific Groups can only see their own data.
Booking Data is retained for 5 years from the date of the actual hiring (not the date the booking was made). This is for statistical analysis and grant applications as part of the development project. At no time is any personal information used, only the nature of the booking.
- Regular User and Committee Database
This refers to data retained for the Users, Groups and Members of the Management Committee, who are authorised to handle bookings, contact Committee members etc.
The Committee aims to keep this centrally on the admin tab of the SCTH website, with access restricted to Committee members only, via a secure password.
- The Friends of Sennen Churchtown Hall Email List
A list of personal emails of interested people is kept, together with any services they may offer voluntarily to support the Hall or Committee on an ad hoc basis. This information is held securely on Sennen Churchtown Hall MailChimp Account, which is password-protected.
On each email sent we provide an opportunity for the recipient to unsubscribe.
We are confident that our original ‘opt-in’ methodology of meeting interested “friends” face to face meets the requirements of the e-Privacy Directive, and that the unsubscribe option described above meets the latest Data Protection Regulations. New email addresses will only be added if an individual makes a direct request to a member of the committee. Unless requested to remove or erase an email address, it will remain on the “Friends of the Hall” list indefinitely.
- SCTH Web Site
The SCTH website was originally a source of download information for Hall Users (containing Policies, booking forms).
*Currently, there is no on-line Village Hall booking system. The online calendar on the website can be viewed by anyone to find out the booking availability of the Hall, but the only information shown is the date and the Hall’s availability; no other details are displayed.
“This site respects your privacy and does not collect personal information from your visit to us, but like other sites we do collect general statistical information about browser types, operating systems, and the number and length of pages visited. This helps us understand and improve the user experience”
- SCTH Facebook page
Sennen Churchtown Hall may also share news and publicise events on the Hall’s Facebook page which can be found at: https://www.facebook.com/Sennen-Churchtown-Hall-787670111255174/
- Information concerning Persons making donations
Details on Gift aid declarations are to be kept for 6 years for HMRC purposes.
Under GDPR, there is special protection for children’s personal data, particularly in the context of commercial internet services such as social networking.
Children and young adults under the age of 18 are not permitted to make a booking or become a friend of the hall.
Should SCTH offer online services in the future, consent from a parent or guardian will be required in order to process their personal data lawfully and for children to access this. The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK). Consent has to be verifiable and, when collecting children’s data, the privacy notice must be written in language that children will understand.
Date Adopted: May 14/15th 2018. Updated 31st May 2018
Edited by Chris Mawer Oct 2016 and May 31st 2018