On 25th May, the new General Data Protection Regulations (GDPR) will replace the Data Protection Act of 1998. This places a new emphasis on an individual’s rights regarding data, and will change the way that Sidings Community Centre handles and manages the data which we collect, store and process. Sidings Community Centre is committed to ensuring that any data which we collect and hold for an individual is handled in accordance with the new GDPR rules; that we demonstrate clarity and transparency regarding the reasons why we request personal data; and that data is kept securely and in accordance with our legitimate interests as a provider of services and a voluntary sector community centre, within our status as a Registered Charity and Company Ltd by Guarantee. In certain cases there may also be overriding legislative requirements or obligations which determine the legitimate processing of data and the amount of time data is kept.
DATA PROTECTION PRINCIPLES
Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
Individuals have the following rights in relation to the personal data Sidings Community Centre may hold:
The Data Controller (the person who is responsible for storing, and determining any processing of, the information which is held): organisationally this is Sidings Community Centre, which will appoint a nominated person responsible for Data Processing. This will be the Centre Manager or CEO, who is responsible for ensuring that the handling, management and processing of data is carried out in a manner which is fair, lawful, and transparent.
The kind of Data which Sidings Community Centre may request to collect and hold would fall into the following categories:
This is data which would identify you as a person, and includes such data as:
Date of Birth
In the case of parents whose children use our children’s services, this will also include the personal details of their children which, as well as the above, could also include additional information which is essential to enable staff to ensure the well-being of children being left in our care at all times.
Sensitive Data or Special Category Data (can also become anonymised data) such as:
Possible health related data (determined by service area specific requirement)
This Anonymised Data, when separated from any “identifiable or personalised data”, may be used for purposes of reporting to funders or organisational analysis to help monitor how the organisation is meeting its aims and objectives.
Additionally, as an employer, Sidings Community Centre may collect further specific information to enable us to carry out our duties as an employer. Specifically, we hold the following types of data:
More information regarding data held by Sidings Community Centre as employer is included in our Privacy HR Policy for Employees, and will also include details of what we do with information submitted in unsuccessful job applications.
Purposes for which we will request and handle data:
Sensitive Data (can be referred to as Special Category or anonymised data):
Under GDPR, the emphasis will be on gaining individuals’ consent (often referred to as “Opt-in”). At all points where data is requested (e.g. service area registration forms, application forms), individuals will be given clear information as to the reason why we are requesting their personal and sensitive data, and whether we will “share” any of this information with a third party. Consent will also be requested from those whose personal contact details are to be held on our mailing lists, for marketing and information purposes within the legitimate interests of our status and purpose as a community centre. The length of time for which we intend to keep this information, the basis on which we will retain it, and how we will store it, will also be made clear. This may differ according to the reason the data is requested, and whether there may be overriding legislative requirements (see Retention of Records statement displayed in Early Years and Main office) which determine the length of time we retain data or the reason why we may have to share information.
Sharing your data:
Individual consent will be requested if Sidings Community Centre is lawfully requested to share data or wishes to share your data with a Third Party for any other legitimate reason. As with the above, the purpose and legal basis for requesting this will be made clear before consent is sought, or in the event where there is an overriding legal requirement for us to do so. When sharing with a third party, Sidings Community Centre will take steps to ensure that the Third Party demonstrates that it meets GDPR regulations as to the usage and storage of such information. Some information may be available publicly, such as Trustees’ and Directors’ details on the Charity Commission and Companies House websites, and some personal data may appear in newspaper articles, Sidings Community Centre’s newsletters, marketing material or on our website. In such a situation, clear information will have been provided to the individuals concerned as to the nature of this public information sharing, and consent requested and obtained beforehand. This may also apply to photos taken for promotional or evidencing purposes.
Website and Social Media: we operate strictly controlled privacy settings, with a display-only setting for public viewing. Messaging via Facebook, Twitter and Instagram is via Private Messaging, responding to queries only.
Collection of Data: Method of collection of personal information (as of May 18) includes:
Paper copies of forms will be kept in locked files and/or in lockable cabinets in lockable rooms, with limited access by senior personnel. Electronic data will be held on our secure systems, which will be suitably password-protected and accessed by specifically named personnel only, including co-ordinating staff for specific activity areas.
Access to data:
Under the key principles of GDPR, individuals have the right to have access to any of the data we store on them. Sidings Community Centre will continually review its data holding systems to ensure that all data will be stored within an organisationally agreed set of systems, stored both manually and electronically, to facilitate data access by individuals when requested.
The following Manual (paper) documentation will be held securely in the following locations:
Electronic Storage of Data:
In the event of a breach of any data, Sidings Community Centre will comply with GDPR guidelines as to informing the ICO and individuals as soon as it is realised that this has occurred.
The above information is shared through secured systems which will be reviewed and updated on a regular basis.
Right to Correct and Delete Data:
Individuals will be reminded from time to time to update and correct/change any personal data we hold, or have access to view their Data and change it by request. Individuals can also request that their details are deleted (erased) at any time, although if the provision of data is necessary for a service or other matters such as compliance with Health & Safety, they will be informed that they may no longer be able to have a particular service available to them.
Retention and Disposal of Data:
Data will only be stored for a reasonable or proportionate amount of time, to fulfil the purpose for which it is given. Service Area specific registration forms will give specific information as to Sidings Community Centre’s recommended time span for retention of data and for which purpose this will be used. This must be transparent when consent is given. However, in certain circumstances there may be overriding legislation requirements for the retention of data (see Retention of Records statement displayed in Early Years and Main office).
Paper held documentation will be destroyed using secure systems and any commercial company hired to dispose of information will have to demonstrate secure and GDPR compliant disposal means (mainly shredding).
Electronically held data will be deleted at specific times of the year, in compliance with GDPR and within recommended time frames as indicated at the time consent was granted, by request of the individual, or within legal obligatory time limits (see Retention of Records statement displayed in Early Years and Main office).
Complaints: Details of the ICO will be given in the event of anyone wishing to register a complaint.