Data Protection policy 

Data Protection policy  

Purpose

The purpose of this policy is to set out the CVH commitment and procedures for protecting personal data. Trustees regard the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal with. We recognise the risks to individuals of identity theft and financial loss if personal data is lost or stolen.

We are committed to a policy of protecting the rights and privacy of individuals. We need to collect and use certain types of Data in order to carry on our work of managing Campsall Village Hall (CVH). This personal information must be collected and handled securely.

Introduction to regulation

The Data Protection Act 1998 (DPA) and General Data Protection Regulations (GDPR) govern the use of information about people (personal data). Personal data can be held on computers, laptops and mobile devices, or in a manual file, and includes email, minutes of meetings, and photographs.

The following are definitions of the terms used:

Data Controller - the trustees who collectively decide what personal information CVH will hold and how it will be held or used.

Act means the Data Protection Act 1998 and General Data Protection Regulations - the legislation that requires responsible behaviour by those using personal information.

Data Subject – the individual whose personal information is being held or processed by Campsall Village Hall for example a hirer

‘Explicit’ consent – is a freely given, specific agreement by a Data Subject to the processing of personal information about her/him.

Explicit consent is needed for processing “sensitive data”, which includes:

(a) Racial or ethnic origin of the data subject

(b) Political opinions

(c) Religious beliefs or other beliefs of a similar nature

(d) Trade union membership

(e) Physical or mental health or condition

(f) Sexual orientation

(g) Criminal record

(h) Proceedings for any offence committed or alleged to have been committed.

Information Commissioner’s Office (ICO) - the ICO is responsible for implementing and overseeing the Data Protection Act 1998.

Processing – means collecting, amending, handling, storing or disclosing personal information.

Personal Information – information about living individuals that enables them to be identified – e.g. names, addresses, telephone numbers and email addresses. It does not apply to information about organisations, companies and agencies but applies to named persons, such as individuals who book the hall.

The Data Protection Act

This contains 8 principles for processing personal data with which we must comply. Personal data: -

1. Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met.

2. Shall be obtained only for one or more of the purposes specified in the Act and shall not be processed in any manner incompatible with that purpose or those purposes.

3. Shall be adequate, relevant and not excessive in relation to those purpose(s).

4. Shall be accurate and, where necessary, kept up to date.

5. Shall not be kept for longer than is necessary.

6. Shall be processed in accordance with the rights of data subjects under the Act.

7. Shall be kept secure by the Data Controller who takes appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal information.

8. Shall not be transferred to a country or territory outside the UK.European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal information.

Applying the Data Protection Act within the charity

The charity will remain the data controller for the information held. The trustees and volunteers are personally responsible for processing and using personal information in accordance with the Data Protection Act and GDPR. Trustees, and volunteers who have access to personal information will therefore be expected to read and comply with this policy.

We will let people know why we are collecting their data, which is for the lawful purpose of managing the hall, its hiring, marketing, publicity for events, fundraising and finances.

It is our responsibility to ensure personal data is only used for this purpose unless specific consent is given or the personal data is already in the public domain. Access to personal information will be limited to Trustees and volunteers.

Where individuals need to be identified in public documents e.g., minutes and harm may result, initials rather than full names will normally be used.