Deeside Naturalists’ Society
Data Protection and Retention Policy
Click on the ‣ to display individual headings. Or on the button to show/hide all details
Data Protection Policy
1. Introduction Deeside Naturalists’ Society (DNS) needs to collect and use certain types of information about individuals in order to provide a membership service.
“Personal Data” means any information relating to an identifiable living person (Data Subject) who can be directly or indirectly identified from that information. It also applies to sensitive Personal Data, (‘Special Category Data’). Those categories are subject to additional protections, and include data that relates to an individual’s race or ethnic origin, religion, trade union membership, politics, health, sex life, sexual orientation, biometrics and genetics.
This Personal Data must be collected and dealt with appropriately whether it is collected on paper, stored in a computer database, or recorded on other material and there are safeguards to ensure this under the Data Protection Act 2018 (DPA) and/or General Data Protection Regulations (GDPR) ((together, "Data Protection Legislation").
2. Data Controller and Processor DNS is the Data Controller, which means that it determines what purposes Personal Data held, will be used for. It is also responsible for notifying the Information Commissioner of the data it holds or is likely to hold, and the general purposes that this data will be used for.
In addition, DNS is a Data Processor, when it is responsible for processing Personal Data on behalf of another data controller.
3. Data Protection Principles
DNS regards the lawful and correct treatment of Personal Data as very important to successful working, and to maintaining the confidence of those with whom we deal.
To this end, DNS will adhere to the Principles of Data Protection, as detailed in the relevant DPA and/or GDPR.
Specifically, the Principles require that Personal Data:
1. Shall be processed fairly, lawfully and in a transparent manner in relation to the Data Subject on one of the following lawful bases of consent, contract, legal obligation, vital interests, public task or legitimate interests;
2. Shall be collected for specified, explicit and legitimate purposes and shall not be processed in any manner incompatible with that purpose or those purposes;
3. Shall be adequate, relevant and limited to what is necessary in relation to those purpose(s);
4. Shall be accurate and, where necessary, kept up to date;
5. Kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed;
6. Shall be processed in a manner that ensures appropriate security of the Personal Data using appropriate technical or organisational measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, Personal Data.
DNS will, through appropriate management and strict application of criteria and controls:
• Identify a valid lawful basis for being able to process Personal Data;
• Meet it’s legal obligations to specify the purposes for which information is used;
• Collect and process appropriate information, and only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements;
• Ensure the quality of information used;
• Ensure that the rights of Data Subjects about whom information is held, can be fully exercised. These include:
The right to be informed that processing is being undertaken,
The right of access to one’s Personal Data
The right to restrict processing in certain circumstances
The right to rectification if data is wrong or not complete,
The right to erasure of information unless there are important reasons for us to keep it
The right to data portability of a copy of the information we hold about them;
The right to object to the way we use their information;
The right not to be subject to automated decision-making including profiling;
• Take appropriate technical and organisational security measures to safeguard Personal Data;
• Ensure that Personal Data is not transferred outside of the EEA without suitable safeguards;
• Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information;
• Set out clear procedures for responding to requests for information.
4. Data Disclosure DNS may share data with other agencies such as HMRC in order to perform its membership services.
The Data Subject will be made aware in most circumstances how and with whom their information will be shared. Where this includes Special Category Data, we will normally obtain the Data Subject’s explicit consent, although there are circumstances that we may not
These are:
a) Carrying out a legal duty or as authorised by the Secretary of State
b) Protecting vital interests of an Individual or other person
c) The Individual has already made the information public or they have been manifestly made public
d) Conducting any legal proceedings, obtaining legal advice or defending any legal rights
e) Carrying out the obligations and exercising specific rights of the controller or of the Data Subject in the field of employment and social security and social protection law
f) Is necessary for reasons of substantial public interest
g) Archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
h) Monitoring for equal opportunities purposes – i.e. race, disability or religion
i) Providing a confidential service where the individual/service user’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g. where we would wish to avoid forcing stressed or ill Data Subjects to provide consent signatures.
5. Data Collection DNS will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, or by other means.
Any documentation which gathers personal and/or special categories of Personal Data should contain the following Privacy Statement information:
• An explanation of who we are
• What we will do with their data
• Who we will share it with
• How long we will keep it for
• That their data will be treated securely
• How to opt out
• Where they can find a copy of the full notice
A fuller Privacy Statement will also be published on our website.
When collecting data, DNS will provide details so that the Data Subject can:
a) Understand why the information is needed
b) Understand the Lawful basis
c) Understand what it will be used for and what the consequences are should the Data Subject decide not to give consent to processing
d) If required, grant explicit consent, either written or verbal for data to be processed. DNS will ensure that as far as reasonably practicable, the Data Subject is competent enough to give consent and has given so freely without any duress
6. Data Storage
Information and records will be stored securely and will only be accessible to authorised trustees and volunteers.
Information will be stored for only as long as it is needed or required and will be disposed of appropriately.
It is DNS responsibility to ensure all personal and company data is non-recoverable from any computer system previously used within the organisation, which has been passed on/sold to a third party.
7. Data Access and Accuracy
All individuals/service users have the right to access the information DNS holds about them. DNS will also take reasonable steps to ensure that this information is kept up to date by asking Data Subjects whether there have been any changes.
8. Data breach notification
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, the DNS shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO.
In addition, DNS will ensure that:
• Everyone processing Personal Data understands that they are contractually responsible for following good data protection practice
• Everyone processing Personal Data is appropriately trained to do so
• Everyone processing Personal Data is appropriately supervised
• Anybody wanting to make enquiries about handling Personal Data knows what to do
• It deals promptly and courteously with any enquiries about handling Personal Data
• It describes clearly how it handles Personal Data
• It will regularly review and audit the ways it holds, manages and uses Personal Data
• It regularly assesses and evaluates its methods and performance in relation to handling Personal Data
This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act.
In case of any queries or questions in relation to this policy please contact the DNS Membership Secretary.
Approved by the DNS Trustees on 1st Feb. 2022
The guidelines are intended to ensure that DNS processes personal data in accordance with the personal data protection principles, in particular that when personal data is no longer needed for specified purposes, it is deleted or anonymised as provided by these guidelines.
The Membership Secretary is responsible for overseeing these guidelines. Any questions about the operation of the guidelines should be submitted to him/her.
General Principles on Retention and Erasure DNS’s approach to retaining personal data is to ensure that it complies with the data protection principles referred to in these guidelines and, in particular, to ensure that:
• Records containing personal data are regularly reviewed to ensure that they remain adequate, relevant and limited to what is necessary for legitimate purposes
• Records containing personal data are kept secure and are protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. Where appropriate DNS uses anonymisation to prevent identification of individuals.
• When records are destroyed, whether held as paper records or in electronic format, DNS will ensure that they are safely and permanently erased.
Records
Membership Names, Contact Details and Gift Aid Declarations:-
These will be retained for 7 years after the end of the year in which the last membership payment or donation was made.
Payment Records
These will be retained for 7 Years after the end of the year in which they were made