Data Protection Policy

Bristol Fashion Ladies’ Barbershop Club (BFLBC) needs to gather and use certain information about individuals in order to operate.

These can include members, suppliers, volunteers, audiences and potential audiences, business contacts and other people the group has a relationship with or regularly needs to contact.

This policy describes how this data must be collected, handled and stored to comply with the General Data Protection Regulation (GDPR).

This data protection policy ensures that BFLBC:

  • Protects the rights of its members and supporters
  • Complies with data protection law and follows good practice
  • Is open about how it stores and processes individuals’ data
  • Protects itself from a data breach

Data Protection Law

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals in the European Union and describes how organisations must collect, handle and store personal information. These rules apply whether data is stored electronically, on paper or on other material. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

BFLBC recognises and understands that the consequences of failure to comply with the requirements of GDPR may result in:

  • Criminal and civil action
  • Fines and damages
  • Personal accountability and liability
  • Loss of confidence in the integrity of BFLBC’s systems and procedures
  • Irreparable damage to BFLBC’s reputation

BFLBC may also consider taking action where members do not comply with GDPR.

Roles and Responsibilities 

This policy applies to all members or anyone involved in the activities of BFLBC.

This policy applies to all personal and sensitive data processed on computers, stored in paper files and on other material.  This can include:

  • Names of individuals
  • Postal addresses
  • Email addresses
  • Telephone numbers
  • Any other personal information relating to individuals

BFLBC is the Data Controller and will determine what data is collected and how it is used. The Data Protection Officer for BFLBC is the Membership Manager. She, together with the Management Committee, is responsible for the secure, fair and transparent collection and use of data by BFLBC. Any questions relating to the collection or use of data should be directed to the Data Protection Officer.

Everyone who has access to data as part of BFLBC has a responsibility to ensure that they adhere to this policy.

Data Protection Principles

a) We fairly and lawfully process personal data in a transparent way.

BFLBC will only collect data where lawful and where it is necessary for the legitimate purposes of the group.

  • A member’s name, contact details and date of birth will be collected when they first join the group and will be used to contact the member regarding group membership, administration and activities.  Other data may subsequently be collected in relation to their membership, including their payment history for subscriptions.

Lawful basis for processing this data: Contract (the collection and use of data is fair and reasonable in relation to BFLBC completing tasks expected as part of the individual’s membership).

  • An individual’s name and contact details will be collected when they make a booking for an event.  This will be used to contact them about their booking and to allow entry to the event.

Lawful basis for processing this data: Contract (the collection of data is fair and reasonable in relation to BFLBC completing tasks expected as part of the booking).

  • An individual’s name, contact details and other details may be collected at any time (including when booking tickets or at an event), with their consent, in order for BFLBC to communicate with them about and promote group activities.

Lawful basis for processing this data: Consent (see ‘How we get consent’)

b) We only collect and use personal data for specific, explicit and legitimate purposes and will only use the data for those specified purposes.

When collecting data, BFLBC will always provide a clear and specific privacy statement explaining to the subject why the data is required and what it will be used for.

c) We ensure any data collected is relevant and not excessive.

BFLBC will not collect and store more data than the minimum information required for its intended purpose.

BFLBC needs to collect telephone numbers and email addresses from members in order to be able to contact them about group administration and activities.

d)  We ensure data is accurate and up-to-date

BFLBC will ask members to check and update their data on an annual basis.  Any individual will be able to update their data at any point by contacting the Membership Manager.

e)   We ensure data is not kept longer than necessary

BFLBC will keep records for no longer than is necessary in order to meet the intended use for which they were gathered (unless there is a legal requirement to keep records for a longer period).

The storage and intended use of data will be reviewed in line with BFLBC’s Data Protection and Retention Policy.  When the intended use is no longer applicable (e.g. contact details for a member who has left the group) the data will be deleted within a reasonable period unless the member has consented to her contact details being retained for the purpose of informing her of future Club activities and events.

f)  We keep personal data secure

  • BFLBC will ensure that data it holds is kept secure
  • Electronically held data will be held within a password-protected and secure environment.  Passwords for electronic data files will be re-set each time an individual with data access leaves their role/position
  • Physically-held data (e.g. membership forms) will be stored securely
  • Access to data will only be given to relevant committee members where it is clearly necessary for the running of the group.  The Data Protection Officer will decide in what situations this is applicable.

Individuals’ Rights

Where BFLBC collects, holds and uses an individual’s personal data, that individual has the following rights over that data.  BFLBC will ensure its data processes comply with those rights and will make all reasonable efforts to fulfil requests from an individual in relation to those rights.

Right to be informed:  whenever BFLBC collects data it will provide a clear and specific privacy statement explaining why it is being collected and how it will be used.

Right of access:   individuals can request to see the data BFLBC holds on them and confirmation of how it is being used.  Requests should be made in writing to the Data Protection Officer and will be complied with within one month.  Where requests are complex or numerous this may be extended to two months.

Right of rectification:   individuals can request that their data be updated where it is inaccurate or incomplete.  BFLBC will request that members check and update their data with the Membership Secretary on an annual basis.  Any requests for data to be updated will be processed within one month.

Right to object:  individuals can object to their data being used for a particular purpose.  BFLBC will always provide a way for an individual to withdraw consent in all marketing communications.  Where BFLBC receives a request to stop using data, BFLBC will comply unless it has a lawful reason to use the data for legitimate interests or contractual obligation.

Right to erasure: individuals can request that all data held on them be deleted. The BFLBC Data Retention Policy will ensure data is not held for longer than is reasonably necessary in relation to the purpose for which it was originally collected. If a request for deletion is made, BFLBC will comply with the request unless there is a lawful reason to keep and use the data for legitimate interests or there is a legal requirement to keep the data.

Right to restrict processing:  individuals can request that their personal data be ‘restricted’ – that is, retained and stored but not processed further (e.g. if they have contested the accuracy of any of their data, BFLBC will restrict their data while it is verified).

Member to Member Contact

BFLBC only shares members’ data with other members with the subject’s prior consent.  However, BFLBC encourages communication between members.

To facilitate this, members can access the personal contact data of other members via the Members’ pages of the Club’s website. Personal data on these pages must not be shared with anyone outside the Club. Anyone doing this will be in breach of GDPR.

How we get consent

BFLBC may collect data from consenting supporters for marketing purposes (e.g. to promote Club activities and events).

Any time data is collected for this purpose, BFLBC will provide:

  • A method for users to show their positive and active consent to receive these communications (e.g. a ‘tick box’)
  • A clear and specific explanation of what the data will be used for (e.g. ‘Tick this box if you would like BFLBC to send you email updates with details of Club activities and events’).

Data collected will only ever be used in the way described and consented to (e.g. BFLBC will not give out email data to third parties).

Every communication will contain a method through which the recipient can withdraw their consent (e.g. an ‘unsubscribe’ link in an email).  Opt-out requests such as this will be processed in 14 days.

 

*   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *

Data Retention Policy

Introduction

This policy sets out how BFLBC will approach data retention and establishes processes to ensure BFLBC does not hold data for longer than is necessary. It forms part of BFLBC’s Data Protection Policy.

Roles and Responsibilities

BFLBC is the Data Controller and will determine what data is collected and how it is used. The Data Protection Officer for BFLBC is the Membership Manager. She, together with the Management Committee, is responsible for the secure, fair and transparent collection of data by BFLBC. Any questions relating to the collection or use of data should be directed to the Data Protection Officer.

Regular Data Review

A regular review of all data will take place to establish if BFLBC still has good reason to keep and use the data held at the time of the review.  As a general rule a data review will be held every 2 years.

Data to be reviewed

  • Data on digital documents (e.g. spreadsheets, databases) stored on personal devices held by committee members
  • Data stored on third-party online services (e.g. Dropbox, Facebook groups)
  • Physical data stored at the homes of committee members

Who the review will be conducted by

The review will be conducted by the Data Protection Officer with other committee members to be decided upon at the time of the review.

How data will be deleted

  • Physical data will be destroyed safely and securely, including shredding.
  • All reasonable and practical efforts will be made to remove data stored digitally.
    • Priority will be given to any instances where data is stored in active lists (e.g. where it could be used) and to sensitive data.
    • Where deleting the data would mean deleting other data that BFLBC has a valid lawful reason to keep (e.g. on old emails) then the data may be retained safely and securely but not used.

Statutory requirements

Data stored by BFLBC may be retained based on statutory requirements for storing data other than data protection regulations. This might include but is not limited to:

  • Records of Gift Aid Declarations
  • Details of payments made and received (e.g. in bank statements and accounting records)
  • Committee meeting minutes
  • Contracts and agreements with suppliers

Other Data Retention Procedures

Member data

  • When a member leaves BFLBC and all administrative tasks relating to their membership have been completed, any potentially sensitive data held on them will be deleted – this might include bank details.
  • Unless consent has been given, data will be removed from all email mailing lists
  • All other data will be stored safely and securely and reviewed as part of the next two-year review.

Mailing list data

  • If an individual opts out of a mailing list their data will be removed as soon as is practically possible.
  • All other data will be stored safely and securely and reviewed as part of the next two-year review.