Registered Charity No: 512906
Liverpool & South West Lancashire Family History Society
DATA PROTECTION POLICY
|Policy prepared by:||Liverpool & South West Lancashire FHS|
|Approved by the Committee:|
|Policy operational from:|
|Next review date:||25th May 2019|
|Data Controller:||The Liverpool & SW Lancashire Trustees|
|Members’ Interests Secretary:||firstname.lastname@example.org|
This Policy should be read in conjunction with the Policy Statement which outlines some of the ways in which some aspects of the policy can be implemented.
Liverpool & South West Lancashire Family History Society collects and processes and uses information about individuals.
The Society may also hold details about business partners, such as the printers of the Society journal.
Why this policy exists
This policy describes how personal data must be collected, handled and stored to meet the society’s data protection standards and it ensures that the Liverpool & SW Lancashire Family History Society:
- Complies with data protection law and follows good practice
- Protects the rights of post holders, members, suppliers and other contacts
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
Society GDPR Documents
The society has produced the following documents
- Liverpool & SW Lancs FHS GDPR Data Protection Policy. (This current document)
- Liverpool & SW Lancs FHS GDPR Consent Agreement (All members)
- Liverpool & SW Lancs FHS Consent Agreement (Committee)
- Liverpool & SW Lancs FHS GDPR Privacy Statement
Data protection law
- The General Data Protection Regulation (GDPR), describes how organisations - including Liverpool & SW Lancs FHS - must collect, handle and store personal information.
- These rules apply regardless of whether data is stored electronically, on paper or on other materials.
- To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The GDPR is underpinned by eight important principles. These say that personal data must:
- Be processed fairly and lawfully
- Be obtained only for specific, lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for any longer than necessary
- Processed in accordance with the rights of data subjects
- Be protected in appropriate ways
- Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection
PEOPLE, RISKS & RESPONSIBILITIES Policy scope
This policy applies to:
- The committee of the Liverpool & SW Lancs. FHS
- All post holders and volunteers Liverpool & SW Lancs. FHS
- All contractors, suppliers and other people working on behalf Liverpool & SW Lancs FHS as described in the introduction
- It applies to all data that the society holds relating to identifiable individuals, even if that information technically falls outside of the GDPR. This can include:
- Names of individuals (Members, Speakers, Non-members who buy items from our online bookshop, Names written in the meeting attendance book) and their:
- Postal address
- E-mail address
- Telephone no. (if held)
- Any other information relating to identifiable individuals
- Gift Aid information
Data protection risks
This policy helps to protect the Liverpool & SW Lancs. FHS from data security risks, including:
- Breach of confidentiality. For instance, information being given out inappropriately
- Failing to offer choice. For instance, all individuals should be free to choose how the society uses data relating to them.
- Reputational Damage. For instance, the Society could suffer if hackers successfully gained access to sensitive data.
- The committee is ultimately responsible for ensuring that the Liverpool & SW Lancs FHS meets its legal obligations
- Everyone who volunteers for or works with Liverpool & SW Lancs. FHS has some responsibility for ensuring data is collected, stored and handled appropriately.
- Everyone who processes personal data must ensure that it is handled and processed in line with this policy and data protection principles.
- The following people have key areas of responsibility:
The Data Protection Officer has responsibility for:
- Keeping the committee updated about data protection responsibilities, risks and issues.
- Reviewing all data protection procedures and related policies, in line with an agreed schedule.
- Arranging data protection training and advice for the people covered by this policy.
- Handling data protection questions from the committee and anyone else covered by this policy.
- Dealing with requests from individuals concerning the data Liverpool & SW Lancs FHS holds about them
- Checking and approving any contracts or agreements with third parties ie the printers of the journal.
Other Data Processors (as listed on page 1) have these responsibilities:
- To ensure that the personal IT and paper-based systems, services and equipment used for storing data meet acceptable security standards.
- To perform regular checks and scans to ensure security hardware and software is functioning properly. (Mainly using Anti-Virus Software and utilities)
- To evaluate any third-party services the society may consider using to store or process data; for instance, cloud computing services or web hosting services.
- Using data protection statements – approved by the committee – to attach to communications such as emails and letters.
- Addressing any data protection queries from journalists or media outlets like newspapers.
- Where necessary, working with other post-holders or committee members to ensure marketing initiatives abide by data protection principles
GUIDELINES General Guidelines
- The Liverpool & SW Lancashire Family History Society will provide guidance to all committee members to help them understand their responsibilities when handling data.
- The only people able to access data covered by this policy should be those who need it to fulfil their duties on behalf of the society. These will normally be Membership Secretary, Journal Editor, Treasurer, Members’ Interests Secretary, Webmaster and Forum Administrator.
- The Journal Editor will liaise with the General Committee to ensure that the data concerning committee members, when published in printed form, is only that for which consent has been given.
- Data Processors should request help from the Data Protection Officer if they are unsure about any aspect of data protection. They should keep all data secure, by taking the sensible precautions contained in this document.
- Personal data should not be disclosed to unauthorised people, either within the society or externally.
- Data should be regularly reviewed and updated if it is found to be out of date. Members should know how to advise Processors of any changes which need to be made.
These guidelines describe how and where data should be safely stored. It should be remembered that although membership data will usually only need to be held and accessed by the Membership Secretary and Treasurer, there may be other data relating to identifiable living people in the archives and thus the following points apply to those INDIVIDUAL records as well.
The Data Protection Officer will ensure that the Data Processors store data safely and report back to the Data Controller (the General Committee) at regular intervals. All guidelines also apply to data which was originally supplied on paper or that which is usually stored electronically but has been printed out for a specific reason.
When data is stored electronically:
- It must be protected from unauthorised access, accidental deletion and malicious hacking attempts.
- Strong passwords should be used by Data Processors and they should never be shared and they should be changed regularly.
- If data is stored on removable media (External HDD, CD, DVD or memory stick), these should be kept locked away securely when not being used.
- Data should only be stored on designated drives and servers, and should only be uploaded to approved cloud computing services and/or website hosting services.
- Data should be backed up frequently by Processors.
- Numerous copies of data sets should not be retained unless they are being archived for genuine reasons.
- Data will be held in as few places as necessary.
- Data Processors should not create any unnecessary additional data sets.
- All servers and computers containing data should be protected by approved security software and a firewall.
When data is sent electronically from one Processor to another:
- It should be both encrypted and password protected and the means to access it be known to the receiver.
- Clearly, passwords should not be sent at the same time as the actual data.
- Once the data has been received, the password used for delivery should ideally be changed to another by the recipient.
When data is stored on paper:
- It should be kept in a secure place where unauthorised people cannot see it.
- Data Processors should make sure paper and printouts are not left where unauthorised people could see them.
Personal data is of no value to the Liverpool & SW Lancs FHS unless the society can make use of it.
When working with personal data Data Processors should ensure:
- The screens of their computers are always locked when left unattended.
- Personal data should not be shared informally.
- Bulk emails to members should be sent BCC (Blind copied). They will not normally need to be encrypted.
- Personal data should never be transferred outside of the European Economic Area but Society journals sent to members outside the EEA will contain information which has been shared with the UK members’ consent given as part of their signed consent form.
- The law requires the society to take reasonable steps to ensure data is kept accurate and up to date.
- The Membership Secretary will have the most up to date data which will be checked by the Officer on a quarterly basis at each Journal posting.
- All Data Processors should take reasonable steps to ensure that the Membership Secretary has data which are accurate and as up to date as possible by informing the Officer of any changes they discover.
- The society will make it easy for data subjects to update the information which the society holds about them. The method is outlined on the Privacy Statement.
- Data should be updated as soon as inaccuracies are discovered
- Members will be regularly reminded to help the society keep their details up to date.
Data retention and deletion
- An individual’s data is kept if that individual is a current society member.
- Details have – with consent – already been included in paper copies of the Journal. Electronic (pdf) versions of the publication also form part of the society’s historical archive and are stored in ‘members only’ area of the website but with the back cover removed.
- Backups exist in case information is accidentally destroyed. Backups should cover all information, but each one only needs to be kept for a short time: essentially however long it will take the organisation to discover the destruction. Since they are only needed when something goes wrong, access to them can be tightly limited.
- Archives, involve long-term storage of an organisation’s history and other information pertinent to the Constitutional Aims and Objectives. They should only contain the selected subset of information which constitutes the society’s history and which meets those Constitutional Aims and Objectives satisfactorily. Organisations intend that their archives will be used, so should store them with indexes and structures that make that easy to locate.
- Memberships are due for renewal on January 1st each year. If a member has not renewed by March of the current subscription year they will be sent an email (or letter for non email users) informing them that they have been deemed to be non-members. They will have 10 days to contact the society if they wish to revive and retain their member status. If a member has not renewed his/her membership after a period of 2 years all details of that member will be destroyed except for Gift Aid declarations which must be kept for 6 years for HMRC audit purposes.
- Members who rejoin the society once their membership has lapsed will be given new membership numbers. This removes the need to retain any data pertaining to previous periods of membership (such as old membership numbers).
- Even if a current member requests that data should no longer be processed, some of their personal data may need to be retained to meet statutory requirements such as Gift Aid information which is retained for 6 years. The Treasurer and Membership Secretary should liaise closely in these circumstances and advise the data subject of the information retained and why.
Data should be deleted if:
- A member leaves the society.
- An individual may allow their membership to expire or request that it ceases immediately.
- A member dies.
- A member specifically requests that their data is not retained. (At any time, a member may request that their data is not processed but it may be retained for the duration of their membership).
- If a member requests that their data is not retained the portion of it required to comply with Statutory Requirements will be stored and the member informed.
- The society is wound up.
SUBJECT ACCESS REQUESTS
This section deals with the entitlements of individuals who are the subject of personal data held by Liverpool & SW Lancs FHS
Requests from data subjects
- Individuals may ask what information the society holds about them and why. If an individual contacts the society requesting this information, this is called a subject access request.
- They should know how to gain access to their information.
- They should know how to keep it up to date.
- Individuals are entitled to be informed how the society is meeting its data protection obligations.
- They should know that they may receive a copy of the information free of charge. However, a ‘reasonable fee’ may be charged when a request is manifestly unfounded or excessive, particularly if it is repetitive.
- Subject access requests from individuals should preferably be made by email, addressed to the Membership Secretary.
- The Membership Secretary on behalf of the Data Controller will aim to provide the relevant data within 14 days.
- The Membership Secretary on behalf of the Data Controller will always verify the identity of anyone making a subject access request before handing over any information.
Disclosing data for other reasons
- In certain circumstances, the Data Protection Regulations allow personal data to be disclosed to law enforcement agencies or other statutory bodies (e.g. HMRC) without the consent of the data subject.
- Under these circumstances, Liverpool & SW Lancs FHS will disclose requested data. However, the Membership Secretary will ensure the request is legitimate, seeking assistance from the General Committee, FFHS and ICO where necessary.
The Liverpool & SW Lancs FHS aims to ensure that individuals are aware that their data is being processed, and that they understand:
- How the data is being used
- How to exercise their rights
The Liverpool & SW Lancs FHS has a Privacy Statement which sets out how data belonging to individuals is used. Both the Privacy Statement and this Data Protection Policy is available on the Society’s website at lswlfhs.org.uk