ISSUE 1, REVISION 1 (dated 15th May 2018)
One of the biggest changes to UK data privacy law comes into effect on 25th May 2018.
The General Data Protection Regulation (or GDPR for short) is a positive step towards you having more control over how your data are used and how you are contacted. The changes will also help to better protect your personal data.
To make sure you’re ready to make your choices, Choices Aberdeen has created this handy guide that will help explain the changes and what they mean for you within our organisation.
5 General things you need to know about GDPR
You may have seen GDPR hitting the headlines, or perhaps organisations have already contacted you about it? Let’s take a closer look at what GDPR is and what it means for you
- It’s the biggest change to UK data privacy law in 20 years
Thanks to technological advances the amount of personal data being generated is rapidly increasing – every time you shop online, use your favourite app or ‘like’ a photo on Facebook you generate data – which is why the law needs updating to better protect people. As part of the General Data Protection Regulation (GDPR) all companies, organisations & charities must review how they manage all personal data – from email addresses to employee/contractor/volunteer bank details – and ensure they are GDPR-ready by 25th May 2018.
- It will give you more control over your personal data
GDPR is all about giving you more control on how your personal data are used. You’ll have greater visibility and control over the personal data organisations hold about you – whether it’s something as simple as your name, or as complex and sensitive as bank information. This means you can have greater confidence that information about you is accurate, up-to-date and properly managed.
- You can choose who contacts you, and how
Over the coming months you’ll probably notice a lot of organisations asking for your consent so they can contact you about offers, products or services they think you’ll find useful or interesting. To comply with GDPR, these requests need to be clear and straightforward. You get to choose who contacts you and how, for example, by e-mail, post, social media or phone.
- You can also change your mind at any time
If you give an organisation permission to contact you, it doesn’t mean you can’t change your mind in the future. Under the new rules, it should be easier to update your preferences on what you want to receive and how.
- Your data will be better protected
GDPR also aims to make sure that all organisations holding personal data have the right processes in place to protect the data. Organisations who put personal data at risk will face hefty penalties.
Article 5 of the GDPR requires that personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes, further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
How does this affect you?
- working for Choices Aberdeen
- volunteering with Choices Aberdeen
- receiving counselling or therapeutic listening support Choices Aberdeen
- receiving newsletter updates Choices Aberdeen
a) We are the Trustees of Choices Aberdeen (the data controller). You can contact our Data Protection Officer (DPO), Nelly Jaka, on 07794667898 or 01224624900 or, in her absence, Andrew Martin on 01224 624900 during office hours. Choices’s Data Processor is the office administrator, Andrew Martin.
b) Subject to applicable data protection law we may share your personal data with our legal and other professional advisors, including our auditors, courts to comply with legal requirements & for the administration of justice and in an emergency or to otherwise protect your vital interests.
c) To comply with our legal obligation and legitimate activities, we will monitor e-mails, calls, other communications, reports and activities as part of your agreement/contract with Choices Aberdeen to protect the legitimate security or integrity of our charity operations.
d) We will use your personal data for the reasons set out below and we will use it to manage your activity as a volunteer/employee/contractor/funder.
e) The information we hold consists of: –
- the Choices Aberdeen application process,
- the Volunteer’s Agreement and employment/contractor contracts,
- PVG paperwork (on a temporary basis),
- team rota/timetable
- the Volunteers’ Register (details of all volunteers) and other registers required for legal purposes,
- Gift Aid signature list,
- expense claims,
- GDPR consent,
- photographs & videos taken when on duty for legitimate Choices Aberdeen purposes.
- appropriate details of those people who sponsor legitimate Choices Aberdeen events.
- Photographs for ID cards and Team Sheets,
- Contact details relating to Partners, Donors, Churches and Funders
- Liaison with partners and organisations seeking to or already working with Choices Aberdeen,
- bank details for employees, consultants & those volunteers seeking to have any expense claim paid by the bank transfer method, and
- all training records.
- telephone, emails and names of users seeking to book an appointment with the Counsellor. These information will be stored temporarily and once appointment is confirmed, these information will be removed and destroyed securely. The counsellor do not record full names on client files. Only initials are used and all files relating to counselling are kept in a secure cabinet which is locked at all times. Only the counsellor will have access to these files.
f) All the above information is held on either hard copy which is kept under lock and key in the Choices Credo office, electronic copies which are on devices which are password protected or mass storage devices which are kept in fireproof boxes, again under lock and key at Credo.
g) We will process your personal data for our own legitimate purposes for good governance and managing & auditing our operations.
h) One of the new rights you have is “the right to move, copy or transfer your personal data” (data portability). Please contact our Office Manager if you are considering this.
i) You are free at any time (with reasonable notice) to inspect your personal records and/or ask for a copy of the said records (at a nominal cost).
j) You are personally responsible for forwarding to Choices Aberdeen any amendments or updates to the details we keep of you in a suitable format, except for training records which we will update as and when training is completed.
k) You are at liberty to have removed any personal record of yourself unless required by UK law. This is to be requested in writing to the Office Administrator at Choices Aberdeen, Credo Centre, 14-20 John Street, Aberdeen, AB25 1BT. If this request adversely affects your ability either to volunteer or be employed by Choices Aberdeen we will discuss the matter with you to try and find a mutually agreed solution for you to continue with Choices Aberdeen and for the agreement to be in accordance with Choices Aberdeen rules and regulations applicable at that time.
l) If you so wish, Choices Aberdeen will do its upmost not to include your personal details in e-mails that are circulated to all volunteers. This is normally achieved by all copied addressees having their e-mail address placed in the “bcc address box” of an e-mail. If you do not find this acceptable again please contact the Office Administrator who will try to make alternate arrangements.
m) All trustees, directors, management committee members and team leaders (or nominated deputies) will assume that it is acceptable to communicate with a volunteer or staff member by e-mail, text, telephone, facebook messenger and WhatsApp or for counselling clients through Hushmail unless that person communicates to the Office Administrator, in writing, their unwillingness to agree to this.
n) Choices Aberdeen works on the principle that if a volunteer or staff member signs an official Choices Aberdeen form then the person who signed the form has given permission for that information to be stored, either in hard copy or electronically, as prescribed in f) above and the information can be viewed and used by any trustee, director, member of the management committee and/or team leaders (or nominated deputies).