DATA PROTECTION AND PRIVACY POLICY
Purpose
This policy explains the method that Mashamshire Community Office (MCO) follows in regard to data protection as regulated by The General Data Protection Regulation Act 2018 (GDPR) in relation to employees, volunteers, funders, customers, clients and other third parties (Data Subjects).
Principles
MCO regards the lawful and correct treatment of personal information as important to successful working and to maintaining the confidence of those with whom it deals.
MCO complies with the principles of good information handling enforced by the Act:
a) Data must be processed fairly and lawfully
b) Data must only be used for specific purposes
c) Data must be adequate, relevant and not excessive
d) Data must be accurate and kept up-to-date
e) Data must not be kept for longer than necessary
f) The rights of Data Subjects must be respected
g) Organisations must take appropriate steps to maintain security
Policy
MCO needs to collect and use certain types of information about the Data Subjects with whom it comes into contact. The personal information will be collected and dealt with appropriately, whether on paper, on computer or in another form (eg photographs).
MCO ensures that:
a) Everyone processing personal information is appropriately trained and supervised
b) Anybody wanting to make enquiries about handling personal information knows what to do
c) Any enquiries about handling personal information are dealt with promptly and courteously
d) The handling of personal information is clearly described
e) The management and use of personal information is regularly reviewed
Personal Data
If you act as a volunteer, trustee, member or recipient of our services you will give us information. Information may include your name, date of birth, postal address, email address and telephone number. We may also hold additional personal information to enable us to provide a more focused service.
Data Collection
MCO may collect the following information:
a) Email addresses when signing up to MCO’s mailing list. This is not linked to any other personal information and is used only for occasional emails about MCO activities and news related to Mashamshire.
This information is kept on a password-protected third party website as part of a single mailing list, and is neither used for individual contact nor held on MCO’s own computer or email server.
b) Contact information from individuals and companies who contact MCO by email. This is kept on a password-protected email server and deleted after six months unless it is part of an ongoing business relationship.
c) Booking forms for businesses and local community groups that advertise on the MCO website and annual Directory. Email addresses are used for information and promoting business events.
d) Booking forms and invoicing details for Masham Town Hall (MTH). Hard copies of Booking Forms are kept for 12 months. Invoice information is kept on a password-protected third party website and neither used for individual contact nor held on MCO’s own computer or email server.
Responsibilities
MCO is the Data Controller under the Act, which means it determines for what purposes personal information will be used. The Manager is the central point of contact at MCO for all data compliance issues.
Disclosure
MCO may share information with third parties, for example North Yorkshire County Council, Charity Commission, HM Revenue & Customs or funding bodies. The Data Subject will be made aware in most circumstances how and with whom their information will be shared.
There are circumstances where the law allows organisations to disclose data (including sensitive data) without the Data Subject’s consent. These are:
a) Carrying out a legal duty or as authorised by the Secretary of State
b) Protecting vital interests of a Data Subject or other person
c) Where the Data Subject has already made the information public
d) While conducting legal proceedings or obtaining legal advice
e) Monitoring for equal opportunities purposes
f) Where the Data Subject’s consent cannot be obtained or where it is reasonable to proceed without consent, eg where providing consent would cause stress to a vulnerable person.
Information held by MCO
Information held by MCO relates to organisations and individuals with whom it works or comes into contact. No details of individuals will be passed to other organisations for marketing, fundraising or circulating information without a minuted resolution at a Trustees’ meeting indicating the specific terms and conditions of such circulation, which will then be added as an appendix to this policy. We rely on the legitimate interest basis to use your personal information, which includes explicit consent.
Storage
a) Manual files containing sensitive information will be kept in locked filing cabinets, accessible only to relevant staff.
b) Computer records and files containing sensitive information will be password protected, accessible only to relevant staff.
c) Information held about employees and volunteers will only be collected and recorded with good reason, and will be stored securely and for only as long as required. This information is held for management and administrative use only.
Website
MCO runs its own website for general information and promotion. The website is hosted securely, with access only to relevant MCO staff on a password-protected basis.
Personal Identification Information
MCO may collect personal identification from website users only if they fill out a form, fill in a survey with identifying information, or place an order for tickets or services. The website is anonymous to users, with no requirement to register or log in.
Non-personal Identification Information
MCO may collect non-personal information about website users, including the browser name, type of computer and technical information about users’ means of connection to the site. The website may use “cookies” to enhance user experience. These are small data files placed on the user’s hard drive for record-keeping purposes and sometimes to track information. Users may choose to set their web browser to refuse cookies, or to alert the user when cookies are being sent. In some cases, parts of the website may not function properly for users who have disabled cookies.
Data Access Requests
A Data Subject may make a subject access request (SAR) to see the information which the Organisation holds about them.
User Acceptance
By using MCO’s website, users signify their acceptance of this Data Protection Policy. Continued use of the website following the posting of changes to this policy will be deemed acceptance of those changes.
Electronic Newsletters
If a Data Subject joins the MCO e-mailing list, they will receive emails with information about MCO including news, forthcoming events and organisational updates. Detailed unsubscribe instructions are included at the bottom of each email, or users may contact MCO by any means and at any time to opt out.
Changes to this Privacy Policy
MCO will review this policy at least biennially, although it may update it at any time. If and when this happens, MCO will post a notification on our website and include the information in the next email sent.
Enquiries and Contact Details
Should you have any queries about personal data we hold, or if you wish to receive a hard copy of this Notice, please contact The Manager, Mashamshire Community Office, 7 Little Market Place, Masham, Ripon, North Yorkshire HG4 4DY.
You can also contact the Information Commissioner’s Office (ICO) at: https://ico.org.uk/
May 2018
Mashamshire Community Office, 7 Little Market Place, Masham, HG4 4DY.
Charity No 1098666. Limited Company No 4481253 (Governed by Trust)