Data Protection Policy

Adopted – Jan 2018

TRESA needs to keep certain information on its members to carry out its day to day operations, to meet its objectives and to comply with legal obligations.

The organisation is committed to ensuring any personal data will be dealt with in line with the Data Protection Act 1998. To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.

The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within the organisation.

This policy covers all TRESA directors and anyone who may handle TRESA membership information.

Definitions

In line with the Data Protection Act 1998 principles, TRESA will ensure that personal data will:

  • Be processed fairly and lawfully, and not processed unless certain conditions are met
  • Be obtained for a specific and lawful purpose
  • Be adequate, relevant but not excessive
  • Be accurate and kept up to date
  • Not be held longer than necessary
  • Be processed in accordance with the rights of data subjects
  • Be subject to appropriate security measures
  • Not be transferred outside the European Economic Area (EEA)

‘Processing’ means obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper-based personal data as well as data kept on computer.

The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. The organisation will seek to abide by this code in relation to all the personal data it processes, i.e.

  1. Accountability: those handling personal data follow publicised data principles to help gain public trust and safeguard personal data.
  2. Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.
  3. Consent: The collection and use of personal data must be fair and lawful and in accordance with the DPA’s eight data protection principles. Personal data should only be used for the purposes agreed by the data subject. If personal data is to be shared with a third party or used for another purpose, the data subject’s consent should be explicitly obtained.
  4. Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data.
  5. Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span.

Type of information processed

TRESA processes the following personal information:

  • Names of members
  • Addresses of members
  • Email address of members
  • Date membership fee was paid (and therefore a derived expiry/renewal date)

Personal information is kept in the following forms:

  • Saved on a spreadsheet
  • Saved as a contact within Gmail

Groups of people within the organisation who will process personal information are:

  • TRESA Membership Secretary
  • TRESA Web Editor

Responsibilities

Under the Personal Data Guardianship Code, overall responsibility for personal data in a voluntary organisation rests with the governing body. In the case of TRESA, this is the Board of Directors.

The governing body delegates tasks to the Chair as Data Controller. The Chair is responsible for:

  • understanding and communicating obligations under the Act
  • identifying potential problem areas or risks
  • producing clear and effective procedures

All directors who process personal information must ensure they not only understand but also act in line with this policy and the data protection principles.

Breach of this policy will result in an investigation that may lead to the director(s) concerned being expelled from the organisation.

Policy Implementation

To meet our responsibilities, Directors will:

  • Ensure any personal data is collected in a fair and lawful way;
  • Explain why it is needed at the start;
  • Ensure that only the minimum amount of information needed is collected and used;
  • Ensure the information used is up to date and accurate;
  • Review the length of time information is held;
  • Ensure it is kept safely;
  • Ensure the rights people have in relation to their personal data can be exercised.

We will ensure that:

  • Everyone managing and handling personal information is trained to do so;
  • Anyone wanting to make enquiries about handling personal information, whether a director, volunteer or service user, knows what to do;
  • Any disclosure of personal data will be in line with our procedures;
  • Queries about handling personal information will be dealt with swiftly and politely.

Gathering and checking information

Before personal information is collected, we will consider what the bare minimum of information is that we need in order to function and to keep people notified. We also consider it reasonable to give members a three-month grace period after their membership has lapsed, which provides time to pay membership fees. After this period all of their details will be erased.

We will inform people whose information is gathered what information we capture and why we hold it. We also notify members when their membership has lapsed, and that all of their data will be erased after three months if membership is not renewed.

We will take the following measures to ensure that personal information kept is accurate:

  • We remove records three months after lapse of membership.
  • Any changes requested will be actioned promptly.
  • Annual reminders will be issued stating how we use personal information and encouraging members to notify us if they wish to have their details removed.

Retention periods

TRESA will ensure that information is kept according to the following retention period guidelines:

For the duration of paid membership plus an additional three months during which we remind members to renew. After this three-month period all information held on a person is erased.

Data Security

The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful access or disclosure and against accidental loss. The following measures will be taken:

  • Restricting access to the online contact list to only the relevant people (i.e. the Membership Secretary and the Web Editor).
  • Changing the passwords to the online contact lists, in particular whenever a person who had access ceases to hold one of these roles.

Any unauthorised disclosure of personal data to a third party by a director may result in that director being expelled from the organisation.

Procedure in case of a breach

When a breach of data protection occurs, TRESA will consider reviewing its practices and will consider whether the breach should be reported to the Information Commissioner.

Subject Access Requests

Anyone whose personal information we process has the right to know:

  • What information we hold and process on them
  • How to gain access to this information
  • How to keep it up to date
  • What we are doing to comply with the Act.

They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.

Individuals have a right under the Act to access certain personal data being kept about them on computer and in certain files. Any person wishing to exercise this right should apply in writing to TRESA, c/o Hillcrest School, or they may approach any director or attend any public meeting to request this.

We may also require proof of identity before access is granted. The following forms of identification will be accepted:

  • Driving Licence
  • Passport
  • Confirmation of identity by another TRESA Director.

Queries about handling personal information will be dealt with swiftly and politely.

We will aim to comply with requests for access to personal information as soon as possible, and will ensure the information is provided within the 40 days required by the Act, counted from receipt of the written request and of any proof of identity we have asked for.

Review

This policy will be reviewed at intervals of 3 years to ensure it remains up to date and compliant with the law.