Privacy and Data Protection Policies

PRIVACY POLICY

The Dever Society treats your privacy rights seriously. This privacy policy sets out how we will deal with your ‘personal information’ and applies to all stakeholders (members, employees and volunteers).

When you join you are asked to provide certain information when you complete the Application Form. This includes:

• Name
• Address
• Email address
• Telephone number

We will also request that you provide consent for us to communicate with you by email and telephone. Your consent is required in order to ensure our compliance with data protection legislation. 

We use your data:

• To provide activities and services to you.
• For administration, planning and management of the Society.
• To monitor, develop and improve the provision of Society activities.

We will post you our quarterly newsletter and our Annual Report and Accounts. We will also contact you by email and/or telephone, according to how you wish to be contacted, to advise you of our own activities and other activities which Trustees and committee members feel would be of interest to our stakeholders. 

We may disclose data about you:

• Internally to Trustees and members of our committees as required to run our activities.

• To HMRC to process Gift Aid claims.

Where we need to share your information with anyone outside the Society, we will inform you as to who the data will be shared with and for what purpose and seek your permission.

We hold your data so that we can provide our services to you. Your data will not be stored for longer than is required to meet your needs as a stakeholder.

To ensure the data we hold is accurate and up to date, stakeholders need to inform us about any changes to their data. You can do this by contacting The Dever Society Administrator by email or telephone at any time. Contact details are in every issue of our quarterly newsletter and on our website.

Should you wish to view the data that we hold on you, you can make a request by contacting the Society Administrator. We will usually respond within 14 days of the request being made.

We have in place security safeguards to protect your data against loss or theft, as well as unauthorised access. Your membership data is held on a database which is only accessed by the Society Administrator and authorised Trustees.

If you have any queries about this policy, or have any complaints about our privacy practices, please contact the Society Administrator by email, telephone or in writing.

DATA PROTECTION POLICY

This policy applies to the running of The Dever Society. The policy sets out the requirements that we have for gathering data from stakeholders (members, employees and volunteers). The policy details how data will be gathered, stored and managed in line with the General Data Protection Regulation (GDPR). The policy is reviewed on a regular basis to ensure that we are compliant. This policy should be read in tandem with our Privacy Policy.

This data protection policy ensures that we:

• Comply with data protection law and follow good practice.
• Protect the rights of members and partners.
• Are open about how we store and process stakeholders’ data.
• Protect ourselves from the risks of a data breach.

General guidelines

• Access to data covered by this policy will be limited to those who need to contact or provide a service to our stakeholders.
• We will provide training to employees, Trustees and committee members to help them understand their responsibilities when handling personal data.
• We will keep all data secure, by taking sensible precautions and following the guidelines below.
• Strong passwords will be used for computerised data records and they will never be shared outside authorised employees and Trustees. Paper records are kept under lock and key.
• Data will not be shared outside the Trust unless with prior consent and/or for specific and agreed reasons.
• We will request help from the Information Commissioner’s Office if we are unsure about any aspect of data protection.

Data protection principles

The General Data Protection Regulation identifies 8 data protection principles.

Principle 1 - Personal data shall be processed lawfully, fairly and in a transparent manner.

Principle 2 - Personal data can only be collected for specified, explicit and legitimate purposes and will not be further processed in a manner that is incompatible with those purposes. 

Principle 3 - The collection of personal data must be adequate, relevant and limited to what is necessary. 

Principle 4 - Personal data held should be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data is correct, and any inaccurate data is erased or rectified without delay.

Principle 5 - Personal data which is kept in a form which permits identification of individuals shall not be kept for longer than is necessary.

Principle 6 - Personal data must be processed in accordance with the individuals’ rights. 

Principle 7 - Personal data must be processed in a manner that ensures appropriate security of the personal data against accidental loss, destruction or damage, using appropriate technical or organisational measures. 

Principle 8 - Personal data cannot be transferred to a country unless that country ensures an adequate level of protection for the rights of individuals in relation to the processing of personal data.

We request data from stakeholders so we can contact them about their involvement with the Society. The forms used to request data contain a privacy statement as to why information is being requested and what it will be used for. Stakeholders are asked to provide consent for their contact details to be used to contact them by email and telephone, and a record of this consent and their data is held securely. Our newsletter and Annual Report and Accounts are posted to stakeholders based on our legitimate interest to communicate with them. Stakeholders can, at any time, remove their consent by contacting the Society Administrator. Once a stakeholder requests not to be contacted using a particular method, this will be acted upon promptly and confirmed with them.

Processes for specified, explicit and legitimate purposes

Stakeholders will be told what we use their data for. Appropriate use of stakeholder data includes:

• Contacting stakeholders about Society events and activities.
• Contacting stakeholders about their membership/employment/volunteering and/or their Consent.
• Contacting stakeholders about specific issues that may have arisen during the course of their membership/employment/volunteering.
• Occasionally we will send stakeholders details of activities of other organisations that the Society thinks will be of interest.

We will ensure that use of stakeholders' data does not infringe their rights, which include:

• The right to be informed.
• The right of access.
• The right to rectification. 
• The right to erasure. 
• The right to restrict processing.
• The right to data portability.
• The right to object. 

We will only keep data that is relevant for membership/employment/volunteering purposes. This includes:

• Name
• Postal address
• Email address
• Telephone number
• Method of payment and donations
• Consent methods
• Personal information such as National Insurance numbers and tax codes (for employees only)

Where a stakeholder's data needs to be shared with a statutory authority then consent does not have to be sought from the stakeholder.

We have a responsibility to ensure stakeholders' data is kept up to date. Stakeholders will be asked to let the Society Administrator know if any of their data changes. 

We will ensure that we are compliant with data protection requirements and can prove it. Stakeholders are asked to provide consent for contact from us via email and telephone and this will be securely held as evidence of compliance. We will also stay up to date with guidance and the practice of the GDPR and will seek additional input from the Information Commissioner’s Office should any uncertainties arise. We will review data protection and what data is held and who has access to it on a regular basis.

The Council of Trustees has contracted for services from the following external service providers:

• The printer of our newsletter and our Annual Report & Accounts
• Mailchimp (a bulk email service) 

The Council of Trustees has scrutinised their Terms and Conditions and judges that they are GDPR compliant. No stakeholder data is provided to our printer. Mailchimp receives a list of email addresses only.

Stakeholders can request access to the data we hold on them by contacting the Society Administrator and we will normally deal with a request within 14 days. A record will be kept of the date of the request and the date of the response.

Where a data breach has occurred, action will be taken to minimise the harm. We will seek to rectify the cause of the breach as soon as possible. We will contact the Information Commissioner’s Office within 72 hours of the breach being reported. We will contact the relevant stakeholders to inform them of the data breach and the actions taken to resolve it.

If a stakeholder contacts us feeling that there has been a breach, he/she will be asked to produce an email or a letter detailing their concern. We will then investigate the breach. The stakeholder will also be informed that he/she can report their concerns to the Information Commissioner’s Office. Breach matters will be subject to a full investigation, records will be kept and all those involved notified of the outcome.

DATA MANAGEMENT POLICY

The Society collects data from new Members when they join, using either an application form, which includes a Consent section for email and telephone communication, a Gift Aid form and a Standing Order mandate, or an online form.

The data is recorded from the forms into a database of Members held by the Society Administrator. This consists of:

Title, first name, surname, address, post code, telephone number, email address, joining date, Gift Aid date, method of payment, amount paid and consent for the Society to communicate with the Member via telephone or email.

This data is held until a Member leaves the Society, when it is deleted from the database. At any time, a Member can change their data or consents by contacting the Administrator and can also ask for a copy of their data.

Paper Application and Consent forms are held securely as proof of the original Application/Consent meeting GDPR requirements. The data is only used for the following activities:

• To store it securely for membership purposes.
• To communicate with Society Members. 

Bank account details are not retained. Gift Aid forms are held securely by the Administrator and the data is used to reclaim Gift Aid from HMRC.

Some of the data held in the database is extracted and used for the following purposes:

1. To mail hard copies of The Dever Society newsletter, AGM minutes and the Trust’s Annual Report and Accounts. This mailing is done by the Administrator and does not involve data passing to third parties.
2. To email Members using Mailchimp, a bulk email service.

Existing members, as of November 2018, were asked to confirm their membership data and provide the required consents. This data has been used to update the Membership database and the data has been archived as proof of the consent meeting GDPR requirements. For new members, consent is requested in the membership application form and online joining form and then added to the Membership database and archived as proof of appropriate consent.

Society volunteers are currently all members of the Society.

More information is available in The Dever Society’s Privacy and Data Protection Policies.