Llangollen Maelor Angling
Privacy Policy



1.   Purpose of report

The aim of this report is to review the Llangollen Maelor Angling (LMA) position regarding the gathering, storage and usage of personal information and to make recommendations to ensure compliance with the requirements of the new General Data Protection Regulation (GDPR) which comes into force on the 25 May 2018. 

It should be noted that the current Data Protection Act of 1998 will be replaced by the GDPR which will be supplemented by a new Data Protection Bill (once it receives Royal Assent).

As would be expected with the introduction of any new regulation, there is much information available, and this summary draws heavily on that available through the websites of the National Council for Voluntary Organisations (NCVO) [1] and the Information Commissioner’s Office (ICO) [2].  Whilst every effort has been made to appraise and evaluate all the available information, this report and its recommendations have been limited to a level that is proportionate to the extent of information kept by WDT and the manner in which it is used.

2.   The new legislation

The EU General Data Protection Regulation (GDPR) is based around the notions of principles, rights and accountability obligations and the legislation is regulated in the UK by the Information Commissioner's Office (ICO) as well as the courts.

The law applies to organisations in all sectors, both public and private.  It applies to all electronic records as well as many paper records.

The purpose of the Regulation is to protect individuals (and their personal data), not organisations. Important changes to the existing data protection legislation include a legal requirement to obtain positive consent (which must be given freely, be specific and unambiguous) from every individual whose personal data are held on membership databases and other databases in order to continue to hold that information.  There will also be a requirement to provide a privacy statement.

Whilst LMA is a small organisation and keeps relatively basic information about its volunteers and members nonetheless as a keeper of ‘personal data’ it is necessary to be compliant with the requirements of GDPR and appropriate procedures should be adopted to ensure this takes place.  

3.   Main principles of the General Data Protection Regulation

The GDPR legislation:

i.      requires organisations to register if they keep records (unless they are exempt, and this includes many charities and clubs);

ii.     governs the processing of personal data, including 'personal sensitive data';

iii.   requires organisations to comply with eight principles for data protection (the eight principles and what they mean in practice are reproduced at Appendix 1 at the end of this report); and

iv.    allows employees, service users and other contacts to request to see the personal data held on them.

Additionally NCVO also recommends that every organisation should have a written policy and procedure that is specific to their context about how they handle personal data and enact privacy principles.

4.   LMA Compliance with the requirements of GDPR legislation, as set out in 3 above

i.      Registration with the ICO.  The Registration self-assessment exercise on the ICO website has been carried out and confirms that LMA does not need to register with the ICO.

ii.     Processing of personal data including 'personal sensitive data'.  Whilst LMA does not hold information that is regarded as personal sensitive data, there is a need to ensure that the personal data it does hold is handled appropriately.  Although adherence to the requirements of the Service Level Agreement will ensure that information held meets the current requirements of the DPA (1998), in order to meet the requirements of the GDPR, and in line with the guidance of the NCVO, it is recommended that a suitable Data Protection Policy and Confidentiality Policy be drawn up for WWRT.

Please see Appendix 2 for a DRAFT Data Protection and Confidentiality Policy.

iii.   Compliance with the eight principles for data protection.  The 8th principle, relating to sending personal data outside the European Economic Area, is not applicable to LMA activities.  The requirements of the other seven principles can be met through the production of the previously mentioned Data Protection and Confidentiality Policy.

iv.    Requests to see personal data.  Again, this can be dealt with through the production of a Data Protection and Confidentiality Policy.


5.   Suggested action to meet the requirements of the legislation:

To bring together the requirements of the Service Level Agreement, the General Data Protection Regulation and the Data Protection Act it is suggested that the following actions be taken:

a)     A Data Protection and Confidentiality Policy, as mentioned in the preceding section, be agreed and adopted for use by LMA.

b)    A basic audit of the information held on LMA databases should be carried out.  It is anticipated that this information will principally be contact information (consisting of email addresses and telephone numbers) held by LMA officers.  However all officers and others who may hold and use personal data in order to enable the functioning of LMA should be contacted to determine the extent of personal information held.

c)     Positive consent (“opt-in”) should be obtained from LMA members, and from any others whose personal data is held by LMA (this could be obtained via a simple “electronic” or paper letter of consent), preferably before 25th May 2018.  The consent request will explain why information is kept and for how long.  See Appendix 3 for a DRAFT template.

Whilst it is anticipated that there will be no major issues concerning the acquisition, storage and use of personal information, in addition to the recommendations already made the following measures, based on the guidance available from the NCVO and the ICO, are also suggested to ensure best practice and compliance with the GDPR.

i.      Steps should be taken to obtain consent to hold personal data relating to members who are under the age of 18 from their parents or legal guardians;

ii.     Consent should be sought from volunteers and members to share information such as email addresses and telephone numbers for the purposes of coordinating volunteer activities and circulating information relating to LMA activities. 

iii.   As a matter of good practice and to minimise the amount of information openly circulated such measures as distributing information using the BCC function rather than the open CC option should be used.

iv.    The security of personal data held on behalf of LMA should be reviewed. All the available guidance indicates that electronically held data must be stored on computers that are password-protected (as well as being protected by standard anti-virus and malware software) and that data stored in paper files should be kept in a locked filing cabinet, box-file or drawer.

v.     Any data that are not accurate, or are no longer relevant or required for the purpose for which they were originally acquired, should be removed from databases and destroyed immediately, either by deleting them from electronic files or by shredding if stored on paper. For example: personal data relating to individuals who are no longer volunteers of WDT.

vi.    Careful consideration should be given to the taking, use and storage of photographic material (under the GDPR, photos in which individuals can be recognised are classed as personal data and are therefore subject to the same regulation as other personal data). Consideration should be given to removing old/out-of-date photos from databases; any new photos that are taken for e.g. publicity purposes will require the positive consent (“opt-in”) of all individuals appearing in those photos.

vii.  The LMA website (which was not the subject of this report) should be subject to scrutiny to ensure that it will be compliant with the GDPR.


6.   Summary

It is recommended that LMA should now adopt the measures suggested in this report to ensure that data held on behalf of the organisation meets the required standards of the General Data Protection Regulation and the relevant Data Protection Act.  If the suggested measures are not adopted then alternative suitable procedures should be devised and put in place.

Appendix 1

The eight principles for data protection with additional information as extracted from the Information Commissioner’s Office website[3]:

(Principle 1).  Processing personal data fairly and lawfully

The Data Protection Act requires you to process personal data fairly and lawfully.  In practice, it means that you must:

have legitimate grounds for collecting and using the personal data;

not use the data in ways that have unjustified adverse effects on the individuals concerned;

be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;

handle people’s personal data only in ways they would reasonably expect; and

make sure you do not do anything unlawful with the data.

(Principle 2).  Processing personal data for specified purposes

This requirement (the second data protection principle) aims to ensure that organisations are open about their reasons for obtaining personal data, and that what they do with the information is in line with the reasonable expectations of the individuals concerned.

In practice, the second data protection principle means that you must:

be clear from the outset about why you are collecting personal data and what you intend to do with it;

comply with the Act’s fair processing requirements – including the duty to give privacy notices to individuals when collecting their personal data;

comply with what the Act says about notifying the Information Commissioner; and

ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.

(Principle 3)  The amount of personal data you may hold.

The Data Protection Act requires you to ensure you only collect the personal data you need for the purposes you have specified. You are also required to ensure that the personal data you collect is sufficient for the purpose for which it was collected.

In practice, it means you should ensure that:

you hold personal data about an individual that is sufficient for the purpose you are holding it for in relation to that individual; and

you do not hold more information than you need for that purpose.

So you should identify the minimum amount of personal data you need to properly fulfil your purpose. You should hold that much information, but no more. This is part of the practice known as “data minimisation”.

(Principle 4)  Keeping personal data accurate and up to date.

The Data Protection Act imposes obligations on you to ensure the accuracy of the personal data you process. It must also be kept up to date where necessary.

To comply with these provisions you should:

take reasonable steps to ensure the accuracy of any personal data you obtain;

ensure that the source of any personal data is clear;

carefully consider any challenges to the accuracy of information; and

consider whether it is necessary to update the information.

(Principle 5)  Retaining personal data.

Principle 5 requires you to retain personal data no longer than is necessary for the purpose you obtained it for. This principle has close links with both principles 3 and 4. Ensuring personal data is disposed of when no longer needed will reduce the risk that it will become inaccurate, out of date or irrelevant.

In practice, it means that you will need to:

review the length of time you keep personal data;

consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;

securely delete information that is no longer needed for this purpose or these purposes; and

update, archive or securely delete information if it goes out of date.

(Principle 6)  The rights of individuals.

The rights of individuals that Principle 6 refers to are:

a right of access to a copy of the information comprised in their personal data;

a right to object to processing that is likely to cause or is causing damage or distress;

a right to prevent processing for direct marketing;

a right to object to decisions being taken by automated means;

a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and

a right to claim compensation for damages caused by a breach of the Act.

(Principle 7)  Information security.

This part of the guide offers an overview of what the Data Protection Act requires in terms of security, and aims to help you decide how to manage the security of the personal data you hold.  There is no “one size fits all” solution to information security. The security measures that are appropriate for an organisation will depend on its circumstances, so you should adopt a risk-based approach to deciding what level of security you need.

In particular, you will need to:

design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;

be clear about who in your organisation is responsible for ensuring information security;

make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and

be ready to respond to any breach of security swiftly and effectively.

(Principle 8)  Sending personal data outside the European Economic Area.

This section provides practical advice to companies or other organisations who want to send personal data outside the European Economic Area (EEA) and is therefore not applicable to LMA.


Appendix 2

DRAFT LMA Data Protection and Confidentiality Policy

In order to deliver the aims of the organisation LMA needs to gather, store and use certain forms of information about individuals.  To ensure compliance with the provisions of the General Data Protection Regulation and the Data Protection Act, LMA will adopt the following measures:

Data protection principles

LMA will only collect data where lawful and where it is necessary for the legitimate purposes of the Trust. When collecting data, LMA will always provide a clear and specific privacy statement explaining to the subject why the data is required and what it will be used for.

LMA will not collect or store more data than the minimum information required for its intended purpose. LMA will ask members to check and update their data on a regular basis.  Any individual will be able to update their data at any point by contacting the LMA membership secretary.

LMA will keep records for no longer than is necessary in order to meet the intended use for which it was gathered (unless there is a legal requirement to keep records).

Information will not be shared with third parties other than with the specific consent of the person for whom the information is held.

Data will not be used for any purpose other than the administration, operation and promotion of LMA.

Security

LMA will ensure that data held by us is kept secure.

Electronically-held data will be held within a password-protected and secure environment.

Physically-held data will be stored securely.  Access to data will only be given to relevant officers/staff members where it is clearly necessary for the running of LMA.

Individuals’ rights

When LMA collects, holds and uses an individual’s personal data that individual has the following rights over that data. LMA will ensure its data processes comply with those rights and will make all reasonable efforts to fulfil requests from an individual in relation to those rights.

·       Right to be informed: whenever LMA collects data it will provide a clear and specific privacy statement explaining why it is being collected and how it will be used.

·       Right of access: individuals can request to see the data LMA holds on them and confirmation of how it is being used. Requests should be made in writing to the membership secretary and will be complied with free of charge and within one month. Where requests are complex or numerous this may be extended to two months.

·       Right to rectification: individuals can request that their data be updated where it is inaccurate or incomplete. LMA will request that members, staff and contractors check and update their data on an annual basis. Any requests for data to be updated will be processed within one month.

·       Right to object: individuals can object to their data being used for a particular purpose. LMA will always provide a way for an individual to withdraw consent in all marketing communications. Where we receive a request to stop using data we will comply unless we have a lawful reason to use the data for legitimate interests or contractual obligation.

·       Right to erasure: individuals can request for all data held on them to be deleted. LMA’s data retention policy will ensure data is not held for longer than is reasonably necessary in relation to the purpose for which it was originally collected. If a request for deletion is made we will comply with the request unless:

i.       There is a lawful reason to keep and use the data for legitimate interests or contractual obligation.

ii.     There is a legal requirement to keep the data.

Obligations to partner organisations

Where not specifically mentioned above LMA will ensure compliance with the requirements and conditions stipulated in the Agreements with its partner organisations. 

Appendix 3

DRAFT volunteer consent letter

To: All volunteers of the Welsh Dee Trust (WDT)

Dear volunteer/member,

I am writing to advise you that existing data protection laws will be replaced by the new General Data Protection Regulation which comes into force on 25th May 2018. Important changes that the new regulation will make to data protection include a legal requirement for WDT to obtain your consent (sometimes referred to as a positive “opt-in”) to collect and retain personal data such as your name and contact details and any photographs which are/have been taken for publicity purposes, in which you appear.

We therefore need your consent to collect and retain your name and contact details (postal address, email address and telephone number(s)) so that we can contact you about volunteering opportunities, events and other items of information that are necessary to the aims and running of WDT. WDT would also like to share email addresses and telephone numbers with other WDT volunteers/members for the previously stated reasons. 

Privacy: Your privacy is important. WDT will always keep your personal data secure and it will not be used for marketing communications. WDT will never share it with 3rd parties and your personal data will only be used for the purposes set out in this letter.  Personal data will be held only for as long as you are a volunteer or member of WDT and you can of course request the removal of your personal data from the WDT database or to view it at any time by emailing me. 

I would be very grateful if you could confirm that you are happy for WDT to retain and use your personal information for the purposes that are set out in this letter by replying to me by email no later than 28th May 2018. If we do not hear from you by this date, it will be assumed that you have withdrawn your consent for WDT to retain your personal data which will be deleted from its volunteer/membership database.

Yours sincerely 

References used:

General Data Protection Regulation: A guide for Charities.  Viewed at http://www.cfg.org.uk/resources/Publications/~/media/Files/Resources/CFDG%20Publications/CFG266_Data_protection_v2.pdf

Information Commissioner’s Office: Guidance for not-for-profit organisations, charities and voluntary organisations.  Viewed at https://ico.org.uk/for-organisations/charity/

National Council for Voluntary Organisations: Data Protection; Information and Guidance.  Viewed at https://www.ncvo.org.uk/practical-support/information/data-protection

Voluntary Arts Briefing 173: GDPR: Data Protection.  Viewed at https://www.voluntaryarts.org/Handlers/Download.ashx?IDMF=fd0ae645-dcbc-4776-86f9-886a0fe249e0



[1] https://www.ncvo.org.uk/practical-support/information/data-protection

[2] https://ico.org.uk/for-organisations/charity/

[3] https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/