Purpose
The
Association of Ringing Teachers (ART) has legal obligations under data
protection laws and these regulate what personal data we collect, how we
process and store it, who has access to it and with whom we share it. ART will
strive to meet these obligations at all times and to ensure that data subjects
are able to exercise their rights in respect of how their data is treated.
Introduction
The law currently applicable to our data processing is the U.K.’s Data Protection Act 2018 which incorporates the General Data Protection Regulation (GDPR) introduced by the European Union. There are seven principles underpinning this law:
- Lawfulness, fairness and transparency
- Purpose limitation – data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Data minimisation – data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accuracy – data is accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- Storage limitation – data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- Integrity
and confidentiality (security) – data is processed in a
manner that ensures appropriate security of the personal data, including
protection against unauthorised or unlawful processing and against accidental
loss, destruction or damage, using appropriate technical or organisational
measures
- Accountability - the controller shall be responsible for, and be able to demonstrate compliance with the above
The nature of the processing currently carried out by ART, as a registered charity, exempts the Association from any need to register with the Information Commissioner’s Office, the body responsible for upholding information rights in the U.K.. We will, however, keep the need for registration under review.
Scope
This Policy applies equally to the Association’s:
- Trustees and Members of the Management Committee
- Employees
- Voluntary Workers, including Tutors, Workshop Leaders and Assessors
- Members and Course Delegates
- Any partner bodies, advisors or contractors working with the Association
Definitions
Personal data
Personal data only includes information relating to natural persons who:
- can be identified or who are identifiable, directly from the information in question; or
- who can be indirectly identified from that information in combination with other information.
Data subject
The data subject is the individual about whom personal data is held or processed.
Data controller
ART is the data controller and determines the purposes and means of processing personal data. “We”, “our”, “ART” and “the Association” all refer to The Association of Ringing Teachers”.
Data processor
A data processor is responsible for processing personal data on behalf of ART. In most cases processors will be members or employees of the Association.
Processing
Processing covers any action carried out on any piece of data including collection, storage, updating, sharing or deleting that data.
The Policy – How ART meets the Data Protection Principles
ART collects and keeps personal data about its committee, members, volunteers and service users in order to carry out functions in connection with the training and support of ringing teachers and new ringers. In processing that data we will:
- Collect, store, use, amend, share, destroy or delete personal data only in ways which protect people’s privacy and comply with the General Data Protection Regulation (GDPR) and other relevant legislation.
- Only collect, store and use the minimum amount of data that we need for clear purposes, and will not collect, store or use data we do not need.
- Only collect, store and use data for:
- purposes for which the individual has given explicit consent, or
- purposes that are in ART’s legitimate interests, or
- contracts with the individual whose data it is, or
- to comply with legal obligations, or
- Provide individuals with details of the data we have about them when requested by the relevant data subject.
- Delete data if requested by the data subject, unless we need to keep it for legal reasons.
- Strive to keep people’s data up-to-date and accurate.
- Store people’s data securely.
- Keep clear and accurate records of the purposes for which we collect and hold specific data, to ensure it is only used for these purposes.
- Not share personal data with third parties without the explicit consent of the data subject, unless legally required to do so.
- Strive to avoid data breaches. In the event of a data breach, we will endeavour to rectify the breach by getting any lost or shared data back. We will evaluate our processes and understand how to avoid it happening again. Serious data breaches which may risk someone’s personal rights or freedoms will be reported to the Information Commissioner’s Office within 72 hours, and to the data subjects concerned.
- Maintain a set of procedures and guidelines for all those categories of members, employees and associates listed above to follow.
More information about what data we keep, how we use it and who has access to it, as well as the lawful basis on which these activities are carried out, is contained in ART’s Privacy Policy. ART has recruited a Data Protection Adviser to the Management Committee, but does not currently deem it necessary to appoint a Data Protection Officer. We will, however, review this decision whenever this policy is reviewed.
Supporting Procedures and Guidelines
Related ART Policies