Data Protection Policy
Data Protection Policy for Halstead Community Shed
Data Protection Statement
Halstead Community Shed is classified as a Data Controller under the General Data Protection Regulation (the GDPR). This policy outlines our commitment to protecting the personal data of people in relation to our organisation’s work in accordance with the GDPR – as regulated by The Information Commissioner’s Office (ICO), the UK authority on data protection – and carrying out any data processing with transparency, accountability and good governance.
If your Shed also handles data on behalf of another organisation, you may be a Data Processor in addition to being a Data Controller. You should check you understand the definitions of both and add/delete accordingly.
Main Contacts
Below are the Shed’s main contacts for data protection in line with this policy. They should be your primary contact should you wish to discuss something related to data protection, or need further information.
Data Protection Officer (DPO): Kevin Pryke
DPO Tel: 07889 255269
DPO Email: halsteadShed@gmail.com
The DPOs are volunteers of the Data Controller, the Halstead Community Shed, and have responsibility for ensuring personal data is collected and processed lawfully in line with this policy and the GDPR, and is kept secure.
As it stands, the GDPR doesn’t require small voluntary organisations like Sheds to have a Data Protection Officer, but it is always good practice to ensure there are named contacts for something so important, and ensure those people – at the very least – know your policy and procedures thoroughly.
Definitions
This policy uses the GDPR’s definitions for the following key terms.
Personal data – any information relating to an identified or identifiable natural person, both ‘direct’ and ‘indirect’ identification.
Natural Person – an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
Data Controller – a ‘person’ who determines the purposes for information processing and the manner in which it is done. A data controller will be a ‘person’ recognised by law i.e. individuals, organisations and corporate bodies.
Data Processor – any ‘person’ (again, a person as recognised by law), other than an employee of a data controller, who processes the data on behalf of the data controller.
Other key terms are defined within their sections.
Data Collection
From time to time, we will need to process the following examples of personal data from volunteers, service users and other natural persons related to our work. We may also, at times, need to collect and process personal data not listed here. The following are some examples of the types of personal data we may collect and process.
- Name
- Contact information e.g. address, telephone numbers, email addresses
- Information about your age, ethnicity, gender, nationality, disability status
- Your occupation and job title
- Information about your skills, qualifications and expertise
- Information relevant to our human resources procedures
We may use this information to:
- Manage memberships
- Understand the views and opinions of Shedders and other related persons
- Handle complaints
- Monitor the impact of our work e.g. through case studies or consultation
- Improve our services
- Carry out administration functions
- Get help if somebody is in danger e.g. contact next of kin if an accident or emergency occurs
- Send information we think might be of interest to you
- Comply with legal obligations
Delete and amend the above in line with your data processing procedures and reasons.
In line with the GDPR, Halstead Community Shed will ask for and record individuals’ consent prior to collecting and processing data for certain purposes and provide clear and concise privacy notices to provide information on how and why we are collecting and processing particular data. Halstead Community Shed will ensure it provides ongoing opportunities to give or revoke consent where appropriate and necessary in line with the GDPR. Halstead Community Shed’s privacy notices will also state clearly our lawful basis or bases for collecting the data in each instance that we collect and process it. This will be in line with the six documented legal bases of the GDPR: consent, contract, legal obligation, vital interests, public tasks or legitimate interest.
Halstead Community Shed will maintain a live log of the exact types of data, reasons and lawful basis for collection and processing, which allows us to demonstrate our compliance with the GDPR to the ICO, if ever necessary.
Halstead Community Shed will never, under any circumstances, use personal data to discriminate against a person for any reason.
Halstead Community Shed will audit personal data on file on an annual basis to ensure it is still relevant, needed and lawfully held. If ever we need to use data for another purpose, we will make sure we inform and/or request consent from the relevant persons, in line with the GDPR.
Halstead Community Shed will carry out a Data Protection Impact Assessment (DPIA) prior to implementing new data handling technology and/or where processing personal data is likely to significantly affect individuals.
Data Handling
Halstead Community Shed understands its obligations under the GDPR when collecting, controlling and managing personal data. We will ensure that we:
- process data lawfully, fairly and in a transparent manner.
- collect data only for specified, explicit and legitimate purposes and do not further process it in a manner that is incompatible with those purposes.
- process data that is adequate, relevant and limited to only what is necessary.
- ensure personal data is accurate and kept up to date, rectifying and erasing any errors or inaccuracies without delay.
- keep personal data in a form that permits identification of individuals for no longer than is necessary for the purpose.
- process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and against loss, destruction or damage.
As a data controller and in line with the GDPR, we will keep a record of our processes, consistent with the above and be able to demonstrate our compliance at any given time.
Data Storage and Security
Halstead Community Shed takes the matter of safety of personal data very seriously and will always ensure we put in place robust safety measures, appropriate to the type of information we hold and process.
In order to secure personal data kept by Halstead Community Shed we will use a mixture of the following methods, appropriate to the data held.
- Physical security including .
- Computer security including <passwords, encryption or two-factor authentication>.
We will check our storage and security practices regularly to ensure they are in line with regulation and appropriate for the personal data held. We will build a culture of awareness and security within the Shed ensuring good communication with key people, and we will only ever provide access to personal data for people that need it for lawful processing.
The exact way we store personal data for each purpose will be documented in our Data Protection Log.
Individual Rights
Halstead Community Shed is aware of the rights of individuals whose personal data we hold and will ensure we process data in accordance with those rights. We will:
- Be transparent and inform them of how and why we will process their personal data, as well as the lawful basis for doing so.
- Respond within 30 days if people ask to access their personal data, allowing them to verify its lawful collection and processing.
- Rectify any inaccurate or incomplete personal data without delay.
- Erase any personal data when it is no longer needed or there is no lawful reason for it being held.
- Take immediate action if an individual requests that we suppress the processing of their data or objects to its collection, retaining just enough to respect their wishes in future.
- Never process personal data for more than its lawful, documented purpose(s).
- Obtain clear, active consent from each individual where we are lawfully obliged to do so.
Data Breaches
Halstead Community Shed recognises the GDPR’s guidelines to record, rectify and report, where necessary, data breaches; where a breach of security leads to the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data.
Halstead Community Shed’s DPOs are allocated the responsibility for minimising the likelihood of breaches and taking prompt action if ever they happen. Halstead Community Shed will ensure it notifies the individuals whose data is involved if there is any adverse risk to them as a result of the breach, and where necessary notify the Information Commissioner’s Office (ICO).
Accessing Information
Under the GDPR, individuals have the right to access the information held about them. If you would like to request information held, or be reminded of the reasons, lawful basis and methods of keeping your personal data, please send a request in writing to:
FAO Kevin Pryke
Halstead Community Shed, Unit 16 Fifth Avenue, Halstead, CO9 1NH
We will respond to all requests within 30 days.
The Information Commissioner’s Office (ICO)
The ICO is “the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals” (ICO website). It is responsible for administering the provisions of the GDPR. Under the GDPR, organisations must register with the ICO unless exempt.
Halstead Community Shed is exempt from registering with the ICO because .
Halstead Community Shed only:
- processes information necessary to establish or maintain membership or support.
- processes information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it.
- shares the information with people and organisations necessary to carry out the organisation’s activities unless given permission otherwise.
- keeps the information while the individual is a member or supporter or as long as necessary for member/supporter administration.