
GDPR

This page explains how we are affected by the introduction of the European General Data Protection Regulation and what the association is doing to ensure we comply with this.

Please contact communications@surreybellringers.org.uk if you have any questions or comments on the information provided here.


What is GDPR?

The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK. It is part of the wider package of reform to the data protection landscape that includes the Data Protection Bill. The GDPR sets out requirements for how organisations will need to handle personal data from 25 May 2018.

The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. The GDPR brings in a much broader definition of personal data than previous legislation, raises the standard of consent needed and increases the obligations to protect and secure information under our control.


How this affects the Surrey Association

All organisations are required to have a legal basis for processing personal information and to adhere to the requirements for processing this data. Where necessary we will need to ensure we have valid consent from the individuals whose data we hold, and that we have appropriate systems and controls in place to ensure that data is maintained and secured and individuals' legal rights are protected.

During February we conducted a review of our readiness for GDPR. Following the review an action plan was proposed with both short- and longer-term changes to ensure the association complies with the new regulation.

A summary of this was delivered to the General Committee at its meeting in March. A copy of this document is attached below.

As part of our preparations for GDPR a new privacy policy is being developed.  This provides information on our data processing and our lawful basis for this as well as your rights.  The latest draft of this document is attached below.


Why do we need to do this?

It is not only big companies that get fined for data protection offences: the ICO has prosecuted and fined numerous charities and voluntary organisations under the existing data protection legislation.

This link makes for sobering reading:


These are just a few of many charities fined in 2017:

Battersea Dogs and Cats Home (fined £9,000)
Great Ormond Street Hospital Children's Charity (fined £11,000)
Macmillan Cancer Support (fined £14,000)
The Royal British Legion (fined £12,000)

GDPR increases the level of fines the ICO can levy, raises the standards that organisations need to adhere to and gives individuals more rights to ensure their data is protected.


GDPR resources

The full text of the regulation: https://gdpr-info.eu/

A copy of the CCCBR interim guidance (January 2018) is attached below.





Use of emails and email groups

The effect of GDPR on emailing groups of ringers attracts a lot of questions and concerns. It is probably our most common use of personal data, as so much of our administration and communication is done via email.

The principal concern is the potential to inadvertently expose someone's address to the other members in a group when you send emails to a list. This could be considered a breach of privacy. We do have an obligation under GDPR to consider this, and seeking consent to share when we capture someone's email address would be one way of addressing it. However, we could also address it by using the blind copy (BCC) option when sending group emails, something that is widely considered good emailing etiquette anyway.

This is only a problem if you are acting in an official capacity on behalf of an organisation using data that belongs to the organisation. If you are emailing groups as a natural person in the course of your personal activity then the data protection laws don't apply to you.




GDPR for tower bands

Individual towers will need to adhere to the policy of their local parish, and this will be based on diocesan policy. You can find more information on this here:

http://southwark.anglican.org/information/gdpr

Tower Captains and Secretaries should familiarise themselves with their own church's GDPR preparations and data privacy policies. In most cases the data processing carried out relates to the maintenance and use of a contact list for band members.

Most PCCs will have a complex and diverse set of data protection issues to address, and the tower contact list is probably the least of their worries, but you need to check that it is included in the scope of the policy.


Lawful basis

One of the most important changes for GDPR is a requirement to establish a lawful basis for any data processing. In many cases this requires consent from the data subject, but there are other ways to establish a lawful basis; the most commonly used one is likely to be 'legitimate interest'.


Provided your data is limited to reasonable information necessary to administer the band (name, address, phone number and email address, for example) you are entitled to claim a legitimate interest as a lawful basis for data processing, in which case there is no need to seek consent. You would only need consent if you did anything with the data that would compromise an individual's rights (such as the right to privacy).

Your PCC's privacy policy is required to state the lawful basis on which data is processed so you should check and confirm your policy allows you to claim a legitimate interest.

If your church insists on consent for all data uses, please query this. It is an unnecessary burden for the kind of common data processing performed by bell ringers administering their own groups.

The Southwark Diocese publishes a comprehensive toolkit with advice and templates for parishes. This explains the difference between legitimate interest and consent as a lawful basis for data processing, and both are included in their template privacy policies. The advice also acknowledges that there are circumstances where consent is not appropriate and that there are other lawful bases for processing personal data, particularly where data is only shared among members of the church group (Page 15 para 4).

There is a good explanation of 'legitimate interest' on the 'GDPR for churches' website: http://www.gdprforchurches.org.uk/key-elements/lawful-basis/legitimate-interests/


Care of personal data

It is important that you protect any personal information you hold and take care that it is held securely and used only for the purpose for which it was collected. You should take care to delete data when it is no longer needed.

You need to be particularly careful to clearly distinguish between data you hold as an officer of a church, which is controlled under the church's privacy policies, and data you hold as a private individual. Data held by natural persons in the course of their personal activity is excluded from GDPR, so your personal records and contacts are not affected.
