GENERAL DATA PROTECTION REGULATION
GENERAL PRIVACY NOTICE
Background
1. The General Data Protection Regulation (GDPR) came into force in May 2018 and builds upon existing legislation such as the Data Protection Act 1998. GDPR places even more onerous responsibilities on any organisation that holds personal data. As a membership organisation, the River Yealm & District Association (RYDA) acquires, stores and uses personal data provided by its members. In addition, the RYDA publishes the Newton Ferrers and Noss Mayo Village Directory (also known as “The Blue Book”). The Village Directory contains personal data of both members and non-members and so is also subject to GDPR.
2. Personal data broadly means any piece of information that can allow an individual to be directly or indirectly identified (for example names, addresses, email addresses). This includes data which on its own may not precisely identify an individual, but which if combined with other information – even from another source – might allow that individual to be identified. GDPR also includes a category of ‘sensitive personal data’ which imposes even stricter regulation; however, the RYDA holds no such data.
3. This Privacy Notice is provided by the RYDA Committee which is the Data Controller for the purposes of GDPR.
Aim
4. The aim of this Privacy Notice is to explain why the RYDA needs the personal data it holds and how it will acquire, store, use and, most importantly, secure that data in order to be compliant with GDPR.
Format
5. This Privacy Notice is in 2 parts as it sets out the policy and procedures for 2 distinct cases:
Part A. The application of GDPR to RYDA Members.
Part B. The application of GDPR to entries in the Village Directory.
PART A - THE APPLICATION OF GDPR TO RYDA MEMBERS
The Legal Basis for Holding Personal Data of RYDA Members
6. The basic premise of GDPR is that there has to be a legal basis for an organisation to hold and process personal data. GDPR recognises 6 bases. The lawful basis that applies to RYDA Members is Contract. This means that the processing of data is necessary because of a contract an organisation has with an individual. In the case of the RYDA, the contract is the provision of defined membership services in return for members paying a membership fee. In these circumstances, the sole purpose of holding and storing personal data is so that the RYDA can provide these membership services.
7. To comply with GDPR, the personal data we hold about you must be:
* Used lawfully, fairly and in a transparent way.
* Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
* Relevant to the purposes we have told you about and limited only to those purposes.
* Accurate and kept up to date.
* Kept only as long as is necessary for the purposes we have told you about.
* Kept and destroyed securely including ensuring that appropriate technical and security measures are in place to protect your personal data from loss, misuse, unauthorised access and disclosure.
8. What are your rights regarding your personal data? GDPR establishes the following rights for you:
* Right to be informed. You have the right to be informed why we need your personal data and how we will use and protect it. This is the principal purpose of this Privacy Notice.
* Right to access. You have the right to request the personal data we hold on you. We are required to provide that information at the latest within one month.
* Right to rectification. If the data we hold on you is incorrect, out of date or incomplete, you can request a rectification. We must respond to such a request within one month.
* Right to erasure. If you believe that we should no longer be holding your personal data or we are unlawfully using it, you can request that we erase the data we do hold, the so-called ‘right to be forgotten’. We have to complete the erasure within one month.
* Right to restrict processing. You have the right to restrict how we use your data and we must act within one month. A simple example would be if you no longer wanted us to communicate with you by email but by paper instead.
* Right to data portability. Although this is highly unlikely in the circumstances of the RYDA, you have the right to request that we electronically move, copy or transfer your personal data to another organisation.
* Right to object. You have the right to object if we use your data for any purpose other than that to which you have consented.
Acquiring Personal Data
9. Why does the RYDA need personal data? As a membership organisation, the RYDA requires personal data for some or all of the following purposes:
* To maintain a record of its current members.
* To process relevant financial information relating to membership, e.g. payment of the membership fee by standing order.
* To confirm your identity to provide some or all of these services.
* To contact you by post, email, telephone or social media to facilitate the provision of membership services. The following list is not exhaustive but includes:
o To notify you of any changes to our services, events or staff.
o To confirm your membership status when membership renewal is due.
o To advertise any events that are allied to our charitable objectives.
o To provide articles that might be of interest to you.
o To provide the RYDA Newsletter.
o To distribute the papers relevant to an Annual General Meeting. This will be done either electronically, by post or hand delivered.
o To promote the interests of the RYDA.
o To seek your views, opinions and comments, e.g. concerning planning applications.
10. What personal data is required? The principle is that we only need the minimum personal data to efficiently and effectively run a membership organisation. In practice this means:
* Names
* Addresses
* Email addresses (for those who wish to be contacted by email)
* Telephone number(s)
* In addition for those who pay their subscription by standing order:
o Name of bank
o Branch name
o Address of bank
o Bank sort code
o Account No
o Account Name
11. How is the data acquired? The principal and preferred method of acquiring your personal data is by completion of a signed membership application form. However, other methods of application such as by email may be accepted. In these circumstances, the personal data may be transferred to a membership application form by a member of the RYDA Committee.
Storing Personal Data
12. Your personal data will be stored in 2 ways:
* By retention of your original or updated membership application form in a paper file. Your bank details will only be stored in this way.
* By transferring your details – names, addresses, email addresses and telephone numbers only – to an electronic spreadsheet. This is currently Microsoft Excel, but a similar spreadsheet may be used at some point in the future.
13. The accuracy of your personal data will be checked with you whenever you attend an RYDA AGM in April each year. If you do not attend an AGM, we rely on you to inform us of any changes to your data.
14. How long do we keep your personal data for? We will keep your personal data for as long as you are a member of the RYDA. Once your membership lapses or you tell us that you no longer wish to be a member, your personal data will be securely deleted or destroyed.
Securing Personal Data
15. Protecting your personal data is of paramount importance to us. The Membership Secretary will be the main custodian of your personal data; however, access may be given to other Committee members for the normal execution of their duties; for example, access to the list of members to confirm if someone is an RYDA member.
16. Do we share your personal data? No. We will not under any circumstances share your personal data with any other body or organisation unless you have given your explicit permission for us to do so.
17. What action is taken if there is a breach of data? Should the RYDA suspect or confirm that there has been a breach of personal data, the matter will be investigated as soon as possible. The individual(s) concerned will be informed of the details of the breach. If the breach falls into a category of severity that requires the Information Commissioner’s Office to be informed, this will be done as soon as is practicable. RYDA rules and procedures will then be reviewed and amended as necessary to prevent a re-occurrence.
Summary
18. GDPR places a considerable legal responsibility on the RYDA in order to ensure that any personal data it holds on you is secure and only used for purposes which you have been made aware of as a member of the RYDA. Because we are a membership organisation, the legal basis for holding your personal data is termed Contract, i.e. the RYDA is contracted to provide some or all of the membership services outlined in this Privacy Notice because you have voluntarily become a member of the RYDA. This Notice also describes: what personal data we require; why we need it; how we store it; and how we secure it. Any further clarification can be obtained by contacting one of the RYDA Committee members.
PART B - THE APPLICATION OF GDPR TO THE VILLAGE DIRECTORY
The Legal Basis for Holding Personal Data for use in the Village Directory
19. The Village Directory, which is also known as “The Blue Book”, is the Newton & Noss local telephone directory. It contains the names, addresses and telephone numbers of individuals, local businesses and organisations and other useful information such as emergency service numbers. Inclusion in the Directory is entirely voluntary. The Directory is published and managed by the RYDA and so it is incumbent on the RYDA to ensure that all the requisite permissions to hold and use personal data are maintained.
20. The basic premise of GDPR is that there has to be a legal basis for an organisation to hold and process personal data. GDPR recognises 6 bases. The lawful basis that applies to the Village Directory is Consent. This means that all individuals whose personal data is held and processed by the RYDA for the purposes of publishing the Village Directory must have given their explicit consent for their data to be held and processed. Therefore the sole purpose of holding and storing personal data in this circumstance is so that the RYDA can include an individual’s personal data in the local telephone directory.
21. To comply with GDPR, the personal data which the RYDA holds about you must be:
* Used lawfully, fairly and in a transparent way.
* Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
* Relevant to the purposes we have told you about and limited only to those purposes.
* Accurate and kept up to date.
* Kept only as long as is necessary for the purposes we have told you about.
* Kept and destroyed securely including ensuring that appropriate technical and security measures are in place to protect your personal data from loss, misuse, unauthorised access and disclosure.
22. What are your rights regarding your personal data? GDPR establishes the following rights for you:
* Right to be informed. You have the right to be informed why we need your personal data and how we will use and protect it. This is the principal purpose of this Privacy Notice.
* Right to access. You have the right to request the personal data we hold on you. We are required to provide that information at the latest within one month.
* Right to rectification. If the data we hold on you is incorrect, out of date or incomplete, you can request a rectification. We must respond to such a request within one month.
* Right to erasure. If you believe that we should no longer be holding your personal data or we are unlawfully using it, you can request that we erase the data we do hold, the so-called ‘right to be forgotten’. We have to complete the erasure within one month. We will erase your data from the electronic and paper files which we hold; however, we will obviously not be able to do this from printed copies of that edition of the Directory which have already been distributed.
* Right to restrict processing. You have the right to restrict how we use your data and we must act within one month. A simple example would be if you no longer wanted us to communicate with you by email but by paper instead.
* Right to data portability. Although this is highly unlikely in the circumstances of the RYDA, you have the right to request that we electronically move, copy or transfer your personal data to another organisation.
* Right to object. You have the right to object if we use your data for any purpose other than that to which you have consented.
Acquiring Personal Data
23. Why does the RYDA need personal data? In order to include an individual’s details in the Village Directory, the RYDA clearly needs to be given that information for the specific purpose of maintaining an accurate telephone directory.
24. What personal data is required? The principle is that we only need the minimum personal data to include in a telephone directory. In practice this is restricted to:
* Names (First name(s) and surname(s))
* Addresses
* Telephone number(s)
25. How is the data acquired? The sole method of acquiring your personal data is by an individual completing a signed consent form. Each person to be named in the Directory has to give his/her individual consent. For example, a spouse or partner cannot give consent for their spouse or partner.
26. Updating Personal Data. It may be necessary for an individual to amend their personal details after publication of the Directory. These changes will only be made if the individual updates their consent form. Changes obviously cannot be made to Directories already distributed, but the changes will be made on the Directory database and by a notice in the Parish Magazine so that everyone can be made aware that changes have been made.
Using your Personal Data
27. The Directory is provided free to all RYDA members and is also available to purchase locally. It is self-evident that the personal data you provide for the Directory will be available to anyone who acquires or buys a copy. This is made clear on the consent form.
Storing Personal Data
28. Your personal data may be stored in 3 ways:
* By retention of your original or updated consent form in a paper file.
* By transferring your details – names, addresses and telephone numbers only – to an electronic spreadsheet. This is currently Microsoft Excel, but a similar spreadsheet may be used at some point in the future.
* Once the Directory is ready for printing, a proof copy will be passed to the printer.
29. How long do we keep your personal data for? We will keep your personal data for as long as you wish your entry to remain in the Directory. Once you tell us in writing that you no longer wish to be included in the Directory, your personal data which is held in our electronic or paper files will be securely deleted or destroyed. However, it will obviously not be possible to delete your data from copies of the Directory that are either already in circulation or will be distributed before the next edition, except by manuscript amendments notified in the Parish Magazine.
Securing Personal Data
30. Protecting your personal data is of paramount importance to us; however, it must be understood that the telephone directory will be available locally. The RYDA Committee member with responsibility for the Directory will be the main custodian of your personal data; however, access may be given to other Committee members for the normal execution of their duties.
31. Do we share your personal data? Because the Directory is a telephone directory, the personal data you consent to being included will obviously be available to anyone with access to the Directory. That apart, the only organisation we authorise to have your data temporarily is the company that prints the Directory. That company will also be subject to GDPR and will be prohibited from passing your data to any third party. Furthermore, as an added precaution, the company will delete all personal data once printing is complete.
32. What action is taken if there is a breach of data? Should the RYDA suspect or confirm that there has been a breach of personal data, the matter will be investigated as soon as possible. The individual(s) concerned will be informed of the details of the breach. If the breach falls into a category of severity that requires the Information Commissioner’s Office to be informed, this will be done as soon as is practicable. RYDA rules and procedures will then be reviewed and amended as necessary to prevent a re-occurrence.
Summary
33. This part of the General Privacy Notice deals exclusively with the Village Directory. All personal details contained within the Directory have been freely provided by each individual or organisation and so the legal basis under GDPR is Consent. Because in simple terms the Directory is a telephone directory, the personal data it contains is available to anyone who acquires the Directory. The personal data it contains is restricted to name, address and telephone number. This Notice also describes: why we need the personal data; how we store it; and how we secure it. Any further clarification can be obtained by contacting one of the RYDA Committee members.