Data Protection (GDPR) Policy

We will consider the following points about Personal Data we process:

• Should we be collecting this? 
• Is this useful and accurate? 
• Have we got clear permission or valid justification to use this? 
• Should we still be holding this? 
• Is our Personal Data held securely and safely? Is this request from the individual concerned?
• Are the businesses we work with also compliant?

Data processing

What we do with Personal Data is referred to as “processing”.  This means any activity that involves the use of Personal Data. It includes collecting, obtaining, recording or holding it, or carrying out any operation or set of operations on it including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.

Audit

We will undertake a full audit of the Personal Data we hold; this includes paper and digital records.  Once we’ve gathered and assessed all the Personal Data we hold, we will decide whether it is still needed; if not, it will be deleted. For the Personal Data we would like to retain, we will need to be able to demonstrate valid reasons or express consent from the individuals to do so. 

Most management tasks, such as administering membership or other activities people would reasonably expect, could be classed as ‘legitimate interests’ but other communications, outside our core activities may rely on ‘consent’ as our condition.

Under GDPR, consent from individuals must be affirmative, freely given, specific, informed and unambiguous. This means that they must actively give consent for their Personal Data to be processed. Silence, inaction and pre-ticked boxes are not valid as consent. A record of how and when consent was granted should be kept on file.

Privacy statement

A clear, simple privacy statement will be available on our website. This will include the information we are required to provide: 

• The identity of Crick Woodlands as the data “controller” together with appropriate contact details 
• The purpose of collection 
• The legal basis for processing, including any legitimate interests relied upon
• Whether any sharing with third parties or international transfers will take place
• How long the data will be held
• Details of the individual’s rights regarding the data

Reference to this statement should be included in any communications with individuals, along with the option to opt-out or withdraw consent.

Retention policy

Any data we hold will only be kept for as long as it is necessary and useful. We will review all our Personal Data every two years to refresh the data and keep only what is relevant and current. Personal Data will always be deleted if an individual has withdrawn consent, or if the Personal Data is no longer up to date. Certain elements of the data can be held indefinitely if these are anonymised (removing personally identifiable data).

Rights and requests

• Right to be informed
  Individuals will be informed of how their Personal Data is collected, stored and processed in a clear, accessible way. This will be provided in our Privacy Statement and by request.
• Right of access
  Individuals can request access to a copy of their Personal Data in electronic form and details of how it is processed.  
• Right to rectification
  Individuals are entitled to have their Personal Data corrected if it is inaccurate or incomplete. 
• Right to erasure
  This permits individuals to request, in certain cases, the deletion of their Personal Data .
• Right to restrict processing
  Individuals can, in certain cases, request a halt on processing if they object to accuracy or purpose.  We can still hold the Personal Data until the request is resolved, but there will be an immediate pause in the processing in the meantime.
• Right to data portability
  Individuals can request the Personal Data that they have provided to us in a suitable digital format, sent directly to them or to a third party. 
• Right to object
  Individuals can, in certain cases, object to the processing of their data, e.g. in direct marketing. 

All requests must be passed to the Committee Secretary (if not originally addressed to them) so that there is a central point of contact responsible for receiving, recording and responding to requests (although actioning requests may ultimately be carried out by a committee member assigned to a particular request).

Before responding to or otherwise actioning a request, we must ensure that we are dealing with the data subject (or their authorised representative) and in doing we will verify the identity of the person making the request and (if applicable) their authority.  

We will deal with data subject requests to exercise the above rights, within one month of receipt of the request (or of confirmation of the requester’s identity if not provided with the request).  This period may be extended by a further two months if it is a particularly complex task or we have a strong, valid reason.

In certain cases, we may legitimately object to a request and we will inform the requester of the reasons for doing so in writing.

We will not charge a fee for complying with a data subject requests unless the request is manifestly unfounded or excessive, or (in the event of a request for copies of Personal Data) the requester asks for further copies of their Personal Data in which case we may charge an administration fee.

Data Breaches

If a data breach occurs, we are required to notify the Information Commissioners’ Office (and in certain instances the affected data subject).  Any breach (whether known or suspected) must be reported immediately to the Chairman and Committee Secretary.  All evidence relating to an actual or suspected data breach must be preserved.