Data Protection Policy
As at 11 March 2022
Our strong commitment to Data Protection is manifested in our annually renewed voluntary membership of the Information Commission’s Office (the ICO) and our desire to follow closely ICO guidance.
The provisions of this policy are drawn up in accordance with the UK Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). This is designed to:
- strengthen the rights and privacy of individuals
- make organisations like Gafcon more accountable externally & internally
- inspire us to review and amend our processes, policy and procedures when necessary
Data Protection Principles:
Gafcon will always be the “data controller” (the people who determine the purpose and manner in which any personal information is processed) but may not always be the “data processor” (the people who process the data for the data controller). There are likely to be occasions where Gafcon will need to sub-contract data processing (e.g. engage a mailing house) but in every instance Gafcon will ensure that any third party acting as data processor is required to follow the six Data Protection principles:
1. Fair, lawful and consented to.
We will be transparent about our use of personal data; access to a full copy of this policy, giving reasons for collecting data, will be available on any form (digital or hard copy)on which we request personal data. Data will not be processed without the knowledge and consent of the ‘data subjects’. Data subjects include:
- Subscribers – those who consent to receive Gafcon communications
- Supporters – those who identify as being in support of the aims and beliefs of the Gafcon movement by assenting to the Jerusalem Declaration (see here)
- Donors – those who have made a donation to Gafcon in the past
- Volunteers – those who offer their services free; most likely, but not necessarily, supporters
- Staff – those employed by Gafcon; full or part time; temporary or permanent
We recognise that data subjects have the right to obtain copies of their own data.
We understand consent to be the freely given, specific, informed and unambiguous indication of the data subject’s wishes by a statement or a clear affirmative action – as defined by the GDPR. Consent will be sought for all communications and no personal data will be transferred to a third party without consent. (A third party is any organisation or person outside of Gafcon other than approved data processors). We will ensure that consent is indicated positively and will not assume that an empty ‘box’ denotes consent.
2. Specific in purpose We will only use data for purposes given in this policy, clearly and openly informing the data subject about how their data will be used.
3. Adequate and clearly limited.
Gafcon will ensure we hold neither too much nor too little data in respect to our data subjects. Excessive data will immediately be destroyed or deleted.
4. Accurate and up to date.
To ensure data subjects are receiving appropriate communications, we will conduct an annual data audit. Where there is doubt as to whether data is accurate we will provide subjects with a copy of their data for information and updating. All amendments will be made as soon as possible and redundant data will be eliminated. It is our responsibility to respond to any notification of changes and amend them when relevant.
5. Retained no longer than is necessary.
We keep what we regard as minimal data and do not hold it longer than it is required. All personal data will be deleted or destroyed one month after a request to remove it.
All data will be kept on secure servers, or if paper copy under lock and key.
Gafcon recognises that Individuals have the right to:
a) know the identity of the data processor, why their data is being processed and their right to have their data deleted or to halt information being sent to them
b) know all the information held about them
c) to be compensated if they have been caused damage (both material and non-material) by any misuse or mishandling of data
d) to have removed and corrected any inaccurate data held about them.
The Type and Purpose of Data Collected by Gafcon:
We gather data principally to enable communication between the Gafcon movement and our data subjects. Data may be held for the following purposes:
3) Arranging meetings and conferences including travel
4) Staff Administration
5) Accounts & Records
6) Strategic Planning
Accountability within Gafcon:
The Data Protection Officer will be responsible for all data protection issues. The DPO reports to the Operations Manager, is involved in senior management decision-making, and oversees the implementation of the data protection policy- particularly on issues of the Data Subject’s consent and rights. The DPO ensures that due regard is given to ICO guidance and is responsible for notifying the ICO of ‘breach notification’, particularly when there has been a serious and high-risk data management incident.
Regular reviews of practices and processes are supervised by the DPO. We are accountable to the ICO. Impact assessments are made of current and proposed processes and initiatives.
Record keeping is an essential part of Gafcon Data Protection. Data capture, although mundane and repetitive, is essential and is to be performed meticulously. Summative but specific notes of Data Protection discussions should be taken at Trustees’ and Senior Management meetings.
Transfer of Data:
Gafcon only transfers data to our sister organisations (e.g. Gafcon Provinces and Branches) or to trusted agencies (e.g. our travel agent). No data will be transferred outside the UK and EU unless Gafcon receives written assent by the appointed recipient that he/she/they will comply with this data protection policy. We will not publish personal information about data subjects without their consent.
Data protection reviews:
This Data Protection Policy is to be annually reviewed, and if necessary amended, and signed off by the Operations Manager.
The current Data Protection Officer (DPO) is Mr Michael Tolmie