On 25th May, the new General Data Protection Regulations (GDPR) will replace the Data Protection Act of 1998. This places a new emphasis on an individual’s rights with regard to data, and will change the way that Sidings Community Centre handles and manages the data which we collect, store and process. Sidings Community Centre is committed to ensuring that any data which we collect and hold for an individual is handled in accordance with the new GDPR rules; that we demonstrate clarity and transparency about the reasons why we request personal data; and that data is kept securely and in accordance with our legitimate interests as a provider of services and a voluntary sector community centre, within our status as a Registered Charity and Company Ltd by Guarantee. In certain cases there may also be overriding legislative requirements or obligations which determine the legitimate processing of data and the amount of time data is kept.
Data Protection Principles
Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
- processing will be fair, lawful and transparent
- data will be collected for specific, explicit, and legitimate purposes
- data collected will be adequate, relevant, and proportionate to what is necessary for the purposes of processing
- data will be kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
- data is not kept for longer than is necessary for its given purpose.
- data will be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage, by using appropriate technical or organisational measures
- we will comply with the relevant GDPR procedures for international transferring of personal data, if and when this applies
Individuals have the following rights in relation to the personal data Sidings Community Centre may hold:
- the right to be informed about the data we hold on you and what we do with it.
- the right of access to the data we hold on you.
- the right for any inaccuracies in the data we hold on you, however they come to light, to be corrected. This is also known as ‘rectification’;
- the right to have data deleted in certain circumstances. This is also known as ‘erasure’;
- the right to restrict the processing of the data;
- the right to transfer the data we hold on you to another party. This is also known as ‘portability’;
- the right to object to the inclusion of any information.
- the right to regulate any automated decision-making and profiling of personal data
The Data Controller (the person who is responsible for storing, and determining any processing of, the information which is held) is, organisationally, Sidings Community Centre, which will appoint a nominated person responsible for Data Processing. This will be the Centre Manager or CEO, who is responsible for ensuring that the handling, management and processing of data is carried out in a manner which is fair, lawful, and transparent.
The kind of Data which Sidings Community Centre may request to collect and hold would fall into the following categories:
This is data which would identify you as a person and includes such data as:
- Contact Details
- Date of Birth
In the case of parents whose children use our children’s services, this will also include the personal details of their children which, as well as the above, could also include additional information which is essential to enable staff to ensure the well-being of children being left in our care at all times.
Sensitive Data or Special Category Data (can also become anonymised data) such as:
- Age Category
- Employment Status
- Ability/Disability status
Possible health related data (determined by service area specific requirement)
This Anonymised Data, when separated from any “identifiable or personalised data” may be used for purposes of reporting to funders or organisational analysis to help monitor how the organisation is meeting its aims and objectives.
Additionally, as an employer, Sidings Community Centre may collect further specific information to enable us to carry out our duties as an employer. Specifically, we hold the following types of data:
- personal details such as name, address, phone numbers
- information gathered via the recruitment process such as that entered into a CV or included in a CV cover letter, references from former employers, details on your education and employment history etc
- details relating to pay administration such as National Insurance numbers, bank account details and tax codes
- medical or health information
- possible divulgence of criminal records
- information relating to your employment with us, including: job title and job descriptions, your salary, your wider terms and conditions of employment, details of formal and informal proceedings involving you such as letters of concern, disciplinary and grievance proceedings, your annual leave records, appraisal and performance information, internal and external training modules undertaken
More information regarding data held by Sidings Community Centre as employer is included in our Privacy HR Policy for Employees, and will also include details of what we do with information submitted in unsuccessful job applications.
Purposes for which we will request and handle data:
- as a service provider to ensure we comply with service requirements (e.g. parents registering their children using our Childcare Services)
- as an employer
- as a Registered Charity & Co Ltd (e.g. Trustees and Director details)
- membership details (in accordance with constitutional requirements)
- for marketing, promotional, consultation and information purposes
Sensitive Data (can be referred to as Special Category or anonymised data):
- for reporting to funders as a condition of grant funding
- to monitor organisational performance and response to need
- to present profile of use to funders and public
Under GDPR, the emphasis will be on gaining individuals’ consent (often referred to as “Opt-in”). At all points where data is requested (e.g. service area registration forms, application forms) individuals will be given clear information as to the reason why we are requesting their personal and sensitive data, and whether we will “share” any of this information with a third party. Consent will also be requested from those whose personal contact details are to be held on our mailing lists, for marketing and information purposes within the legitimate interests of our status and purpose as a community centre. The length of time for which we intend to keep this information, the basis on which we will retain it, and how we will store it, will also be made clear. This may differ according to the reason the data is requested, and whether there may be overriding legislative requirements (see Retention of Records statement displayed in Early Years and Main office) which determine the length of time we retain data or the reason why we may have to share information.
Sharing your data:
Individual consent will be requested if Sidings Community Centre is lawfully requested to share data or wishes to share your data with a Third Party for any other legitimate reason. As with the above, the purpose and legal basis for requesting this will be made clear before consent is sought, or in the event where there is an overriding legal requirement for us to do so. When sharing with a Third Party, Sidings Community Centre will take steps to ensure that the Third Party demonstrates that it meets GDPR regulations as to the usage and storage of such information. Some information may be available publicly, such as Trustees’ and Directors’ details on the Charity Commission and Companies House websites, and some personal data may appear in newspaper articles, Sidings Community Centre’s newsletters, marketing material or on our website. In such a situation, clear information will have been provided to the individuals concerned as to the nature of this public information sharing, and consent requested and obtained beforehand. This may also apply to photos taken for promotional or evidencing purposes.
Website and Social Media: we operate strictly controlled privacy settings with display-only setting for public viewing. Messaging via Facebook, Twitter and Instagram is via Private Messaging responding to queries only.
Collection of Data: Method of collection of personal information (as of May 18) includes:
- Service/Activity Specific Registration Forms
- Mailing List sign ups and email communications (name and email addresses)
- Membership forms
- Attendance sheets
Paper copies of forms will be kept in locked files and/or in lockable cabinets in lockable rooms, with limited access by senior personnel. Electronic data will be held on our secure systems, which will be suitably password-protected and accessed by specifically named personnel only, including co-ordinating staff for specific activity areas.
Access to data:
Under the key principles of GDPR, individuals have the right to have access to any of the data we store on them. Sidings Community Centre will continually review its data holding systems to ensure that all data will be stored within an organisationally agreed set of systems, stored both manually and electronically, to facilitate data access by individuals when requested.
The following Manual (paper) documentation will be held securely in the following locations:
- Service Area folders – registration forms, incident and other personal data to be stored in lockable storage cabinets within lockable offices/rooms with restricted and defined access according to nature of data stored
- Trustee/Director Details and all signed Consent Forms – stored in centre safe
- Membership forms to be held in locked cabinet in centre office
- HR related Data to be kept in personal folders in locked cabinet in lockable storeroom
- Minutes and other records of essential business conduct – stored in files in lockable cabinet and/or archived for agreed retention period (see Retention of Records statement displayed in Early Years and Main office).
Electronic Storage of Data:
- Data taken from paper registration and other forms is transferred to electronically held spreadsheets. Personal data is retained in the service area specific files, which are securely password-protected. Non-personal anonymised data is shared and transferred to central monitoring systems for funder and monitoring purposes
- Personal Contact Data is retained separately for transfer to a Mailchimp-based communications system.
- HR information is stored and shared with a payroll company who operate outside the EU within clear agreements to demonstrate GDPR compliance, and Sidings Community Centre’s Auto-enrolment Pension Provider, Creative Pension Trust. PAYE data will be shared with HMRC according to legislative requirements as part of Sidings Community Centre’s legitimate business contractual and legal obligations
- In the case of our Early Years registered childcare services, parents also consent to give their details in order to gain government funding entitlements. Such information is held on secure portals which are deemed to be as secure as possible and GDPR compliant
- Online Banking: information on bank authorised signatories for online banking will only be provided with Trustees/Directors consent and using secure banking portals.
In the event of a breach of any data, Sidings Community Centre will comply with GDPR guidelines as to informing ICO and individuals as soon as it is realised that this has occurred.
The above information is shared through secured systems which will be reviewed and updated on a regular basis.
Right to Correct and Delete Data:
Individuals will be reminded from time to time to update and correct/change any personal data we hold, or to have access to view their Data and change it by request. Individuals can also request that their details are deleted (erased) at any time, although if the provision of data is necessary for a service or other matters such as compliance with Health & Safety, they will be informed that they may no longer be able to have a particular service available to them.
Retention and Disposal of Data:
Data will only be stored for a reasonable or proportionate amount of time, to fulfil the purpose for which it is given. Service Area specific registration forms will give specific information as to Sidings Community Centre’s recommended time span for retention of data and for which purpose this will be used. This must be transparent when consent is given. However, in certain circumstances there may be overriding legislation requirements for the retention of data (see Retention of Records statement displayed in Early Years and Main office).
Paper held documentation will be destroyed using secure systems and any commercial company hired to dispose of information will have to demonstrate secure and GDPR compliant disposal means (mainly shredding).
Electronically held data will be deleted at specific times of the year, in compliance with GDPR and within recommended time frames as indicated at the time consent was granted, by request of the individual, or within legal obligatory time limits (see Retention of Records statement displayed in Early Years and Main office).
Complaints: Details of the ICO will be given in the event of anyone wishing to register a complaint