Memorial Scrolls Trust, Data Protection Policy
Date Policy Agreed: July 2017
Date to be reviewed: July 2018
Memorial Scrolls Trust (MST) is committed to a policy of protecting the rights and privacy of its members, volunteers, staff and others in accordance with The Data Protection Act 1998. This policy applies to all volunteers, members and staff. Any breach of The Data Protection Act 1998 or the MST Data Protection Policy may be considered an offence and in that event, disciplinary procedures apply.
Other organisations and individuals working with the Memorial Scrolls Trust, and who have access to personal information, will be required to comply with this policy. Any staff who deal with external organisations and volunteers will take responsibility for ensuring that such organisations sign a contract agreeing to abide by this policy.
Organisations and people about which we hold information are referred to in this policy as Data Subjects.
Information we hold
- We hold three types of information which are covered by this policy:
- Personal information – information about individuals, such as names, addresses, job titles, payment and donation logs
- Sensitive personal information – in general this kind of information is only held about employees. There are, however, instances where sensitive information is held about other people (for example information about dietary requirements).
- Organisational information – publicly available information about organisations and some confidential information. Information about organisations is not covered by the Data Protection Act; however, there is sometimes ambiguity about whether certain information is personal or organisational.
- We will not hold information about individuals without their knowledge and consent. It is a legal requirement that people know what we are doing with their information and who it will be shared with.
- We will only hold information for specific purposes. We will inform data subjects what those purposes are. We will also inform them if those purposes change.
Access to Information
- We will seek to maintain accurate information by creating ways in which data subjects can update the information held.
- Information about Data Subjects will not be disclosed to other organisations or to individuals who are not staff or trustees except in circumstances where this is a legal requirement, where there is explicit or implied consent, or where information is publicly available elsewhere.
- Data Subjects have the option not to receive marketing mailings from us.
- Data Subjects will be entitled to access the information we hold about them, and to be told the purpose for which it is held, within 40 days of submitting a request.
- At the beginning of any new project or type of activity requiring data collection, the member of staff managing it will consult the Data Controller about any data protection implications.
- There may be situations where we work in partnership with other organisations on projects which require data sharing. We will clarify which organisation is to be the Data Controller and will ensure that the Data Controller deals correctly with any data which we have collected.
4.0 Data Security
- We have procedures for ensuring the security of all electronic personal data.
- Paper records containing confidential personnel data are all kept in locked filing cabinets and disposed of in a secure way when no longer required.
5.0 Our Commitment
- We take regular back-ups of computer data files which are stored securely on the Cloud.
- All new staff will be given training on the data protection policy and procedures. They will be told how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff.
- We will carry out a regular review of our data protection policy and procedures.
6.0 New Regulations
- As of May 2018 the Data Protection Act 1998 will no longer be valid and will be replaced with the General Data Protection Regulations. MST will be preparing for these new regulations and will update its policy in line with them.
Appendix - The Data Protection Principles defined by the Information Commissioner’s Office (ICO)
Whenever collecting information about people you agree to apply the eight Data Protection Principles:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.