Privacy and Data Protection Policy [Version 5 22/05/2018]

Statement

Sennen Churchtown Hall Committee/Trustees respects personal privacy and realises how important it is
that personal information remains secure.
This policy sets out the rules on privacy and data protection and the legal conditions that must be satisfied
in relation to the obtaining, handling, processing, storage, transportation and destruction of personal
information.
The Committee are collectively responsible for ensuring compliance with the General Data Protection
Regulation 2018 (GDPR).
Under the GDPR’s accountability principle, Sennen Churchtown Hall Committee/trustees (SCTH Committee)
has to be able to show how it complies with the data protection principles, e.g. by having effective policies
and procedures in place.
Please note:
• There is no significant charity exemption to data protection or marketing law.
• Volunteers are classed as no different to employees; they must be trained and equipped to protect
data. There is no volunteer exemption.
If you have any questions or concerns about the operation of this policy, for example if you consider that
the policy has not been followed in respect of personal data about yourself or others, the matter should
initially be raised with the Sennen Churchtown Hall Committee/Trustees Data Protection Officer (see below).
Under GDPR, the Data Protection Principles are condensed into six key areas, which are referred to as the
Privacy Principles. These are:-
1. The Key Areas of Compliance
i. There must be a lawful reason for collecting personal data and it must be collected in a fair and
transparent way.
ii. Data must only be used for the reason it is initially obtained. (e.g. processing personal data only in
order to meet our operational needs or to fulfil legal requirements)
iii. Only collecting data that is absolutely necessary
iv. Steps must be taken to ensure that personal data is up to date and accurate (it has to be
accurate and there must be mechanisms in place to keep it up to date).
v. Establishing appropriate retention periods for personal data and not keeping it longer than needed
vi. Providing adequate security measures to protect personal data.


These privacy principles are supported by a further principle – accountability. This means that we
must not only do the right thing with data but must also show that all the correct measures are in
place to demonstrate how compliance is achieved so that data is collected and used fairly, lawfully
and in a transparent way. In this way, we will ensure that data subjects’ rights are appropriately
exercised.
In addition, there is also an expectation that Committee members will be trained on data protection.
Documentation on policies, procedures and training is going to be a key part of any effective
compliance programme.
2. The Data Controller and the Data Protection Officer
We, The Sennen Churchtown Hall Committee/Trustees, are the ‘Data Controller’.
By law we are required to designate someone to take responsibility for data protection compliance.
Therefore, Jane Atkinson is the named person together with the support of the full Committee. Any
enquiries can be initially dealt with by the appointed Data Protection Officer.
3. Communicating Privacy Information: Privacy Notices
When personal data is collected it is necessary to give people certain information, such as how the Trustees
intend to use their information. This will be done through a privacy notice. Under the GDPR, when any data
is collected people must be told exactly how their data is to be used, who it might be shared with and how
long data is to be kept.
There is a lawful basis for processing personal data under the GDPR. People have a stronger right to have
their data deleted where SCTH use consent as the lawful basis for processing it. We will seek consent on
the initial registration as a committee member or as a Friend of Sennen Churchtown Hall.
If any admin work is ever contracted out to an agency or contractor, SCTH are wholly responsible for what
they do, unless the personal data has been stolen or they otherwise use it for their own purposes.
Personal data available in the public domain is still personal data and Data Protection still applies to it. -
https://www.civilsociety.co.uk/news/free-guide-to-gdpr-and-data-protection-for-charities-published-today.html#sthash.OxckJRFD.dpuf
4. Individuals’ Rights
Under GDPR individuals have new and enhanced rights on the collection, access and deletion of their data. In
our setting this means that you have the following rights:


• the right to be informed about what is held and why;
• the right of access to your data;
• the right to rectification;
• the right to erasure;
• the right to restrict processing;
• the right to object;
• the right not to be subject to automated decision-making including profiling;
• the right to data portability. This applies:
o to personal data an individual has provided to a controller;
o where processing is based on the individual’s consent or for the performance
of a contract;
o when processing is carried out by automated means.
NB: The Trustees have a duty to provide personal data in a structured, commonly used and machine
readable form.
The Data Controller and the Committee will make the necessary decisions about deletion.
5. Consent
Although consent is not needed for every use of personal data, SCTH trustees agree that with consent, any
data held is legitimate. (Other reasons are specifically set out in the Data Protection Act and the GDPR).
However, SCTH will not assume consent. They acknowledge that failure to opt out, silence and previous
support are not consent.
Consent must be freely given, specific, informed and unambiguous and the reasons for gaining consent must
be made clear. At all times there will be a positive opt-in as consent cannot be inferred.
Consent will also be sought separately from other terms and conditions.
Consent can be withdrawn by emailing SCTH.
For all bookings, for Committee member records and for the Friends of the Hall, there will be a separate
opt-in box/option on forms with details on how to withdraw.
Consent can be withdrawn by talking to the Data Protection Officer.
6. Data Agreements
We are now obliged to have written arrangements with anybody processing data for us. We will not
automatically send or sell personal information to third party organisations. Written data arrangements will
be sought with anybody processing data for SCTH trustees, and anyone processing such data must be GDPR
compliant in their own right. If inaccurate personal data is held and has been shared with another organisation,
the Committee will have to tell the other organisation about the inaccuracy so it can correct its own records.
Anonymous statistical data which includes footfall and hall usage can be shared with third parties.
7. Subject Access Requests
There will be no charge for complying with a request.
The Trustees can refuse or charge for requests that are manifestly unfounded or excessive. However, if a
request is refused, the Trustees will tell the individual why and that they have the right to complain to the
supervisory authority and to a judicial remedy. This must be done without undue delay and, at the latest,
within one month.
8. New Projects
Data protection must be incorporated into new initiatives and projects and services at the development stage
– not as an afterthought.
9. Data Breaches
Procedures must be in place to detect, report and investigate a personal data breach. Failure to report a
breach when required to do so could result in a fine, as well as a fine for the breach itself.
There is a duty on SCTH to report and investigate certain types of data breach to the Information
Commissioner’s Office (ICO), and in some cases, to individuals. The ICO will be notified of a breach where
it is likely to result in a risk to the rights and freedoms of individuals (e.g. where it could result in
discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic
or social disadvantage). SCTH trustees will notify the ICO within 72 hours of becoming aware of a breach.
Individuals can complain to the Information Commissioner’s Office (ICO) if they think there is a problem
with the way the Trustees have handled or are handling personal data. There is a requirement for information to be
provided in concise, easy to understand and clear language.
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, those concerned
must be notified directly in most cases.
10. Data Protection by Design. Data Protection Impact Assessments (DPIA)
The GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design
and by default’. It also makes Protection Impact Assessments (PIAs) – referred to as ‘Data Protection
Impact Assessments’ or DPIAs – mandatory in certain circumstances.
A DPIA is required in situations where data processing is likely to result in high risk to individuals, for
example:
– where a new technology is being deployed;
– where a profiling operation is likely to significantly affect individuals;
– where there is processing on a large scale of the special categories of data.
11. Fines
SCTH trustees are aware that they can be fined for non-compliance with GDPR.
12. Information Held
Under the GDPR’s accountability principle, SCTH committee has to be able to show how it complies with the
data protection principles, e.g. by having effective policies and procedures in place.
All data held is treated as highly confidential and is never passed to anyone outside of those authorised to
handle it.
The data we hold falls into the following categories:
a) The Booking Database
The data we have to obtain for people hiring the Village Hall:
• The only personal data required is the contact information necessary to complete the booking (name,
address, telephone and email address).
• The information provided by anyone looking to hire the Hall, i.e. the Hirer (or someone acting on their
behalf), is required in order to complete the booking. Therefore processing of the personal data is
necessary for the performance of the Contract to Hire SCTH. We consider the lawful grounds for
processing this data under the Data Protection Regulations to be that SCTH is entering a Contract
with the individual (in this case the Hirer).
• Other notes placed on the Booking may include price confirmation or specific instructions.
• When a booking is made, an entry will be made in the Bookings Diary held by the Booking Officer.
The details will be the text information entered as a necessary part of the booking and timing
information (both the time being booked and the date and time the booking is made). This information
is not currently able to be entered electronically and is therefore unavailable online.
• Access to the Booking information is restricted to:
– The Booking Officer, who is permitted to book, amend or cancel for any Hirer.
– Authorised Users representing specific Groups that are permitted to book, amend and cancel
bookings for their own Group.
– The Trustees (Management Committee Members), who are able to view all of the data,
whereas those representing specific Groups can only see their own data.
• Booking Data is retained for 5 years from the date of the actual hiring (not the date the
booking was made). This is for statistical analysis and grant applications as part of the
development project. At no time is any personal information used, only the nature of the
booking.
b) Regular User and Committee Database
This refers to data which we retain for the Users, Groups and Members of the Management Committee
who are authorised to handle bookings, contact Committee members etc.
Currently the committee is hoping to keep this centrally on the admin tab of the SCTH website. Committee
members only will be able to access this via a secure password.
The Friends of Sennen Churchtown Hall Email List
A list of personal emails of interested people is kept, together with any services they may offer voluntarily
to support the Hall or Committee on an ad hoc basis. It is hoped that this information will be held securely
on the admin section of the website. Access will be password protected. On each email sent we provide an
opportunity for the recipient to reply with the text REMOVE ME as the Subject Header and we
guarantee to remove any person from the Email distribution list that makes this request. We accept
that with some email addresses there could be sufficient information to identify a natural person.
Therefore when the email address is used for the purposes of forthcoming event notification, it is only
used in the ‘bcc’ line, thereby ensuring that no other recipient is aware of any other email addresses.
We are confident that our original ‘opt-in’ methodology of meeting interested “friends” face to face,
meets with the requirements of the e-Privacy Directive and that the REMOVE ME option described above,
meets with the latest Data Protection Regulations. New email addresses will only be added if an individual
makes a direct request to a member of the committee. Unless requested to remove or erase an email
address, it will remain on the list indefinitely.
c) SCTH Web Site
Currently, the Village Hall website is primarily a source of download information for Hall Users (containing
Policies, booking forms). An “admin” tab will enable all SCTH committee data to be accessed centrally and
securely, i.e. password protected.
Currently, there is no on-line Village Hall booking system. However, the site can be used by anyone to view
the availability of the Hall, but the only information shown depicts the date and the Hall’s availability; there
is no other detail displayed.
The site is produced, run and maintained by: http://tastywebdesign.com/ Tastywebdesign has its own privacy
policy as stated:
“This site respects your privacy and does not collect personal information from your visit to us, but like other sites we
do collect general statistical information about browser types, operating systems, and the number and length of pages
visited. This helps us understand and improve the user experience”
Cookies: The site does not currently use cookies. However, UK and EU law now requires sites to get your consent to
cookies being sent by a site.
d) SCTH Facebook page
Sennen Churchtown Hall can also share news and publicise events on our own Facebook page which can be
found at: https://www.facebook.com/Sennen-Churchtown-Hall-787670111255174/
It should be noted that the Village Hall cannot guarantee that the browser or social media route taken to
get to our site (i.e. via Google, Facebook) was not using Cookies or other analytics. If any data is being
obtained because of the route taken to visit our site, please be assured that we do not get any data from
them.
From May 2018 all users of Facebook can access the Facebook Privacy Policy by going to:
https://www.facebook.com/about/privacy
e) Information concerning Persons making donations
Details on Gift aid declarations are to be kept for 6 years for HMRC purposes.
13. Children
Under GDPR, there is special protection for children’s personal data, particularly in the context of
commercial internet services such as social networking.
Children and young adults under the age of 18 are not permitted to make a booking or become a friend of
the hall.
Should SCTH offer online services in the future, consent from a parent or guardian will be required in order
to process their personal data lawfully and for children to access this. The GDPR sets the age when a child
can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the
UK). Consent has to be verifiable, and when collecting children’s data the privacy notice must be written
in language that children will understand.

Date Adopted: May 14/15th 2018. Updated 22nd May 2018
Policy originally written by J Atkinson, Oct 2016. Updated in compliance with GDPR, May 2018
Checked by Chris Mawer, Oct 2016 and May 15th 2018
Agreed by the Trustees
Signed:
Date