Data Protection Policy
Northern Ireland Region of U3As (NIREC) Data Protection Policy
Scope of the policy
This policy applies to the work of NIREC . It sets out NIREC’s requirements to gather information and how personal information will be gathered, stored and managed in line with data protection principles and the General Data Protection Regulation (GDPR). The policy is reviewed on an ongoing basis by NIREC members to ensure that we are compliant. This policy should be read in tandem with NIREC’s Privacy Policy
Why this policy exists
This data protection policy ensures that NIREC:
- complies with data protection law and follows good practice;
- protects the rights of members;
- is open about how it stores and processes members’ data;
- protects itself from the risks of a data breach.
General guidelines for Committee members
- The only people able to access data covered by this policy should be those who need to communicate with or provide a service to the Northern Ireland Region of U3As.
- NIREC officers will ensure that members understand their responsibilities when handling data.
- NIREC will keep all data secure, by taking sensible precautions and following the guidelines below.
- Strong passwords must be used.
- Data should not be shared outside of NIREC unless with prior consent and/or for specific and agreed reasons.
- Member information should be refreshed periodically to ensure accuracy
- Additional support will be available from the Third Age Trust where uncertainties or incidents regarding data protection arise.
Data protection principles
The GDPR identifies key data protection principles:
Principle 1 – Personal data shall be processed lawfully, fairly and in a transparent manner.
Principle 2 – Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
Principle 3 – The collection of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Principle 4 – Personal data held should be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Principle 5 – Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
Principle 6 – Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Lawful, fair and transparent data processing
NIREC requests personal information as detailed in its Privacy Policy.
Processed for specified, explicit and legitimate purposes
Members will be informed as to how their information will be used and NIREC will seek to ensure that member information is not used inappropriately.
NIREC officers will ensure that its members are made aware of what would be considered appropriate and inappropriate communication
NIREC officers will ensure that members’ information is managed in such a way as to not infringe an individual member’s rights which include the right:
- to be informed;
- to access;
- to rectification;
- to erasure;
- to restrict processing;
- to object.
Adequate, relevant and limited data processing
Member U3As of U3A in Northern Ireland will only be asked to provide information that is relevant for membership purposes. This may include:
- name;
- postal address;
- email address;
- telephone number
Where additional information may be required such as health related information this will be obtained with the consent of the member who will be informed as to why this information is required and the purpose for which it will be used.
Photographs
Photographs are classified as personal data. Where group photographs are being taken individuals will be asked to step out of shot if they don’t wish to be in the photograph. Otherwise consent will be obtained from individuals in order for photographs to be taken and individuals will be informed as to where photographs will be displayed. Should an individual wish at any time to remove their consent and to have their photograph removed then they should contact the Secretary on nithirdage@gmail.com to advise that they no longer wish their photograph to be displayed.
Accuracy of data and keeping data up-to-date
NIREC has a responsibility to ensure members’ information is kept up to date. Member U3As will be asked to let the Secretary know if any of their personal information changes
Accountability and governance
NIREC officers are responsible for ensuring that NIREC remains compliant with data protection requirements and can evidence that it has done so. Where consent is required for specific purposes then evidence of this consent (either electronic or paper) will be obtained and retained securely. The officers of NIREC will ensure that its new members receive an induction into the requirements of GDPR and the implications for their role. They shall also stay up to date with guidance and practice within the U3A movement and shall seek additional input from the Third Age Trust National Office should any uncertainties arise. The Committee will review data protection and who has access to information on a regular basis as well as reviewing what data is held. When Committee Members relinquish their roles, they will be asked to either pass on data to those who need it and/or delete data.
Secure Processing
NIREC officers have a responsibility to ensure that data is both securely held and processed. This will include:
- use of strong passwords;
- not sharing passwords outside NIREC;
- restricting access of sharing member information to those NIREC members who need to communicate with U3A members on a regular basis;
- using password protection on laptops and PCs that contain personal information;
- using password protection or secure cloud systems when sharing data between NIREC members;
- paying for firewall security to be put onto NIREC Members’ laptops or other devices if required.
Subject Access Request
U3A members are entitled to request access to the information that is held by NIREC. The request needs to be received in the form of a written request to the NIREC Secretary. On receipt, the request will be formally acknowledged and dealt with expediently (the legislation requires that information should generally be provided within one month) unless there are exceptional circumstances as to why the request cannot be granted.
NIREC will provide a written response detailing all information held on the member. A record shall be kept of the date of the request and the date of the response.
Data Breach Notification
Were a data breach to occur, action will be taken to minimise the harm. This will include ensuring that all NIREC members are made aware that a breach has taken place and how the breach occurred. The NIREC officers shall then seek to rectify the cause of the breach as soon as possible to prevent any further breaches. The Chair of NIREC shall contact National Office within 24 hours of the breach occurring to notify of the breach. A discussion will take place between the Chair and National Office as to the seriousness of the breach, action to be taken and, where necessary, the Information Commissioner’s Office would be notified. The Committee shall also contact the relevant U3A members to inform them of the data breach and actions taken to resolve the breach.
Where a U3A member feels that there has been a breach by NIREC, a NIREC officer will ask the member to provide an outline of the breach. If the initial contact is by telephone, the NIREC officer will ask the U3A member to follow this up with an email or a letter detailing their concern. The alleged breach will then be investigated by NIREC officers who are not in any way implicated in the breach. Where the officers needs support or if the breach is serious they should notify National Office. The U3A member should also be informed that they can report their concerns to National Office if they do not feel satisfied with the response from the U3A. Breach matters will be subject to a full investigation, records will be kept and all those involved notified of the outcome.
Policy date agreed: March 2019
