PWMCT DATA PROTECTION
We keep the personal information that you have given us only for as long as required for us to operate the service in accordance with legal requirements and tax and accounting rules. Where your personal information is no longer required, we will ensure it is disposed of in a secure manner. We will never share, sell or swap your details with any third parties.
Where you have provided your consent for our use of your personal information, you always have a right to withdraw your consent at any time. Under the Data Protection Act 1998 you have a right to request a copy of the personal information we hold about you and to have any inaccuracies corrected. You also have the right to request us to erase your personal information, request us to restrict our processing of your personal information or to object to our processing of your personal information.
Pickering War Memorial Charitable Trust
General data protection policy and practices 2018
Pickering War Memorial Charitable Trust, herein after referred to as PWMCT, is registered with the Information Commissioner’s Office. (I.C.O.) (Certificate held with this document). It recognises its obligations under the General Data protection Act 2018, to have clear and dynamic policies and practices relating to the rights of individuals to be informed about the collection and use of their personal data. Bearing in mind that PWMCT is an organisation which serves the general public, we design all processes by which a person can exercise their data protection rights making them accessible and easy to understand.
At all times PWMCT will only only collect personal information needed for its specific purposes. This will include information collected on CCTV which will be processed in accordance with the I.C.O’s Code of Practice and used in accordance with I.C.O. registration entry details. (Held with this document)
It will keep this data secure, ensuring that it is relevant and up to date. It will only hold as much information as is needed and only for as long it is needed. It will allow the subject of the information to see it on request.
PWMCT will collect only such data as is needed to carry out its function as a Community Hall. This will generally mean the collection and retention of names, addresses, telephone numbers, emails etc.for the purposes of: Hall Lets, Hall Tenancies, Contractual arrangements, staffing arrangements, Trustee membership, Friends’ Membership, CCTV recording and Volunteer information. This information will not be shared with other users or third parties and will only be available to authorised Trustees and managers or officers of the law, if and when they have a legitimate and specific reason for needing this information.
PWMCT undertakes to carry out regular information audits in order to be fully aware of what current personal data we hold and what we do with it and to ensure that any data that is no longer current is completely destroyed or erased.
Because PWMCT is an organisation for the benefit of the people of Pickering including, on occasions, young people under the age of eighteen, it is incumbent upon us to put ourselves in the position of the people about whom we are collecting and holding information and to ensure that this information is not shared in any way that may endanger privacy or safeguarding.
In order to comply with the key transparency requirement under the GDP Regulations, PWMCT will:
• provide individuals with information including: our purposes for processing users’ personal data, our retention periods for that personal data, and who it will be shared with. This data is regarded as ‘privacy information’.
• provide privacy information to individuals at the time we collect their personal data from them;
• no personal data will be sought from other sources, if any personal data is accidentally obtained from other sources, or obtained as part of PWMCT’s legitimate links with other organisations, PWMCT will provide users with that privacy information within a reasonable period of obtaining the data this period will be no later than one month.
• All information that PWMCT provides to its users will be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
• PWMCT will obtain ongoing feedback from users on the effectiveness of its delivery of its privacy information and will amend its practices appropriately.
• PWMCT will regularly review, and where necessary, update privacy information and will bring any proposed new uses of an individual’s personal data to their attention before starting that processing.
All staff, Trustees, Friends of PWMCT and Hall users (All hereinafter referred to as users) of PWMCT and all individuals for whom PWMCT may hold any personal data in the future will be provided with the following privacy information:
• the name and contact details of our organisation;
• the contact details of our data protection controller;
• the purposes of the processing;
• the lawful basis for the processing;
• the legitimate interests for the processing;
• the categories of personal data obtained;
• the recipients or categories of recipients of the personal data;
• the retention periods for the personal data;
• the rights available to individuals in respect of the processing;
• the right to withdraw consent;
• the right to lodge a complaint with a supervisory person.
Methods of providing privacy and other information to individuals
• When providing our privacy information to users, PWMCT may use a combination of appropriate techniques, such as:
• printed information, e.g. enhanced booking and membership forms, contracts and other appropriate documents;
• face to face explanations;
• email (taking care, where appropriate, to ensure that emails are sent to individuals and not to groups unless permission is given)
• mobile and smart device functionalities.
The timing of the provision of privacy information
PWMCT provides users with privacy information at the time we collect their personal data from them e.g. when users book the hall, take up employment or commence tenancy
If we accidentally, or in the process of dealing with legitimate partners, obtain personal data from a source other than the individual it relates to, we provide them with privacy information within a reasonable of period of obtaining the personal data and no later than one month:
• if we plan to communicate with the individual, at the latest, when the first communication takes place;
• if we plan to disclose the data to someone else, e.g. an officer of the law with a legitimate reason for demanding the data, at the latest, when the data is disclosed.
The method of providing privacy information
We provide the information in a way that is:
• easily accessible;
• in clear and plain language.
Changes to the privacy information
PWMCT regularly reviews and, where necessary, updates our privacy information.
In the unlikely event that PWMCT plans to use personal data for a new purpose, we update our privacy information and communicate the planned changes to individuals before starting any new processing.
The appropriate lawful bases for processing data for PWMCT are CONSENT, CONTRACTUAL AND LEGAL OBLIGATIONS
Basis for processing: Consent
When obtaining consent PWMCT will include:
• the names and contact details of our organisation;
• why we need the data; and what we will do with it;
• a clear explanation of how individuals can withdraw consent at any time.
We use the personal data of Hall users, staff and users for:
• Registering Trustees;
• Recording membership of Friends’ Association;
• Obtaining personal permissions to contact individuals by post, by telephone or electronically
• Contacting individuals with necessary information specific to PWMCT e.g. The cancellation of a meeting, minutes of a meeting, forthcoming events of PWMCT, newsletters etc.
• Details of Hall bookings, Hall Lets, Tenancies etc.
• Obligatory details of staff for legitimate and required processing
• Contracts of employment, tenancies and service agreements
We never share users personal details with other users or organisations, unless separate consents are obtained. Separate consents will not be obtained without the expressed and specific consent of users.
The only exception to this would be if an officer of the law had a proven legitimate reason to obtain the details and in the prevention of crime and trespass.
• We name our organisation and give appropriate contact details.
• We ask users to positively opt in to consent on the booking form, contract or relevant documentation.
• We do not use default pre-ticked boxes or any other type of default consent.
• We use clear, plain language that is easy to understand.
• We specify why we want the data and what we are going to do with it.
• We give users options to consent separately for different purposes and types of processing when requiring additional consents. These consents are only ever required for legitimate activities.
• We tell individuals they can withdraw their consent.
• We ensure that individuals can refuse to consent without detriment.
We keep a record of when and how we obtained consent from the individual.
We keep a record of exactly what they were told at the time.
We review consents annually or, if appropriate, more regularly to check that the relationship, the processing and the purposes have not changed.
We have processes in place to refresh consent at appropriate intervals.
We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
We act on withdrawals of consent in a prompt manner.
We do not penalise individuals who wish to withdraw consent.
We ensure that all records of consent are completely destroyed and erased immediately they are no longer necessary
The right of an individual member to rectification
PWMCT recognises that a member has the right to have inaccurate personal data rectified, or completed if it is incomplete. Its policy on rectification is as follows:
• An individual can make a request for rectification verbally or in writing.
• PWMCT will respond as soon as possible and, at the latest, within one month.
• In certain extreme circumstances, where PWMCT considers that a request is manifestly unfounded or excessive, PWMCT reserves the right, within the law, to refuse a request for rectification.
• This right is closely linked to the controller’s obligations under the accuracy principle of the GDPR (Article (5)(1)(d)).
Process for rectification and complying with requests for such
Those responsible for processing PWMCT policy, i.e. data processors and controllers, understand how to recognise a request for rectification and understand when this right applies. All processors will be trained accordingly.
PWMCT will record all requests for rectification that are received verbally or in writing and will maintain these records until the matter is resolved to the satisfaction of all parties.
PWMCT understands when, in the very unlikely event, we can refuse a request and, should this arise, data processors will refer to the data controller and the detailed advice issued by the Information Commissioner’s Office.
PWMCT will ensure that we respond to a request for rectification without undue delay and, at the latest, within one month of receipt.
Data controllers and processors will follow the guidelines issued by the Information Commissioner’s Office relating to the extension of the time limit to respond to a request should this be necessary in extreme circumstances.
PWMCT has appropriate systems to rectify or complete information, or provide a supplementary statement should this prove necessary.
PWMCT will inform any recipients if we rectify any data we have shared with them.
Contracts between Controllers and Processors
PWMCT recognises that data processors should :
• only act on the written instructions of the controller;
• ensure that people processing the data are subject to a duty of confidence;
• take appropriate measures to ensure the security of processing;
• only engage sub-processors with the prior consent of the controller and under a written contract;
• assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
• assist the controller in meeting its GDPR obligations in relation to the security of processing the notification of personal data breaches and data protection impact assessments;
• delete or return all personal data to the controller as requested at the end of the contract; and
• submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
The Right to Request Erasure and Complying with Requests
PWMCT recognises that, under the provisions of the GDPR, its users have the right to have their personal data erased. This right is also known as ‘the right to be forgotten’.
• inform users, when they supply personal data that they have a right to make a request for erasure, either verbally or in writing ;
• keep a record of all such requests until the matter has been satisfactorily dealt with;
• respond to a request immediately, if possible, but within one month at the latest;
• comply with any legitimate request and, in the extremely unlikely event that there is a question of legitimacy where we might need to refuse a request, we will consult the ICO ‘s advice;
• ensure that any data processors and controllers are aware of the circumstances when we can extend the time limit to respond to a request
• ensure that all data processors and controllers are aware of the emphasis on the right to erasure if the request relates to data collected from children;
ensure that we have appropriate and up to date methods in place to erase information.
The Right to Restrict processing
PWMCT acknowledges that users have the right to request the restriction or suppression of their personal data. This will be made clear to all users when they share their data. Consideration will be given to any such request and, in the extremely unlikely event that any such request is made, PWMCT will respond within one calendar month.
Data portability, Automatic decision making, marketing and profiling
PWMCT will not take part in any of the above activities without obtaining the expressed and specific consent of users.
Accountability and Governance
PWMCT’s internal data protection policies include:
• provision for training of data processors;
• internal audits of processing activities;
• maintenance and reviews of internal documentation and processing activities to ensure compliance;
• appointment , where appropriate, of data controllers and processors;
• implementation measures that meet the principles of data protection including data minimisation, transparency, regular monitoring and continuous improvement.
Documentation of processing activities
PWMCT maintains the following documentation in printed and electronic form in order to add, remove and amend information easily.:
• an up to date information audit showing what personal data our organisation holds;
• a record of the documentation process
• clear privacy notices;
• records of consent ;
• records of the location of personal data;
• records of any requests, complaints and subsequent actions relating to users rights in terms of data protection.
PWMCT’s security measures will seek to ensure that:
• the data can only be accessed, altered, disclosed or deleted only by those authorised to do so (and that those people only act within the scope of the authority given to them by PWMCT);
• the data held is accurate and complete in relation to it is being processed;
• the data remains accessible and usable, i.e., if personal data is accidentally lost, altered or destroyed, it is able to be recovered
This policy will be reviewed by users at the Annual General Meeting of PWMCT and amended where appropriate
GDPR 2018 Mal Danks for Pickering War Memorial Charitable Trusst