Last Updated: 7 November 2019
Definitions
Charity | The Society of Friends of St Helena, referred to as FoSH
GDPR | Means the General Data Protection Regulation
Responsible Person | Ian Mathieson - Make Contact
Register of Systems | Means a register of all systems or contexts in which personal data is processed by the Charity
1. Data protection principles
FoSH is committed to processing data in accordance with its responsibilities under the GDPR. Article 5 of the GDPR requires that personal data shall be:
a. used fairly, lawfully and transparently;
b. used for specified, explicit purposes;
c. used in a way that is adequate, relevant and limited to only what is necessary;
d. accurate and, where necessary, kept up to date;
e. kept for no longer than is necessary;
f. handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.
2. General provisions
a. This policy applies to all personal data processed by FoSH.
b. The Responsible Person is responsible for FoSH's ongoing compliance with this policy.
c. This policy is reviewed at least annually.
d. FoSH is registered with the Information Commissioner’s Office as an organisation that processes personal data.
3. Lawful, fair and transparent processing
a. To ensure its processing of data is lawful, fair and transparent, FoSH maintains a Register of Systems.
b. The Register of Systems is reviewed at least annually.
c. FoSH members have the right to access their personal data and any such requests made to FoSH shall be dealt with in a timely manner.
4. Lawful purposes
a. All data processed by FoSH is processed on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information).
b. FoSH notes the appropriate lawful basis in the Register of Systems.
c. As consent is relied upon as a lawful basis for processing data, evidence of opt-in consent will be kept with the personal data.
d. As communications are sent to Members based on their consent, the option for the Member to revoke their consent is clearly available and systems are in place to ensure such revocation is reflected accurately in FoSH’s system.
5. Data minimisation
a. FoSH takes reasonable steps to ensure that personal data will not be held or further used except for reasons of monitoring membership renewals, communications or distribution of magazines.
6. Accuracy
a. FoSH will take reasonable steps to ensure personal data is accurate.
b. Where necessary for the lawful basis on which data is processed, steps have been put in place to ensure that personal data is kept up to date.
7. Archiving / removal
a. To ensure that personal data is kept for no longer than necessary, FoSH has put in place an archiving policy for each area in which personal data is processed and reviews this process annually.
b. The archiving policy considers what data should/must be retained, for how long, and why.
8. Security
a. FoSH ensures that personal data is stored securely using modern software that is kept up to date.
b. Access to personal data will be limited to FoSH Committee Members who need access and appropriate security is in place to avoid unauthorised sharing of information.
c. When personal data is deleted this is done safely such that the data is irrecoverable.
d. Appropriate back-up and disaster recovery solutions are in place.
9. Breach
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, FoSH will promptly assess the risk to Members’ rights and freedoms and if appropriate report this breach to the ICO (more information on the ICO website).
10. Membership Database
FoSH will hold the relevant personal data, i.e. contact details of all Members, in a membership database to which only nominated members of the Committee have access. This data is needed for FoSH to communicate with Members and post magazines to them. It is assumed that by paying their subscription, new and existing Members agree that to fulfil its obligations FoSH must necessarily keep their contact details. Members can request the removal of their contact details from FoSH’s database by contacting the Membership Secretary - Make Contact. Such a request is effectively an application to leave FoSH. In the event of late payments of the subscription fee, the Membership Secretary will initially mark the member as Inactive (meaning they will not have access to member-only sections of the website) and will subsequently permanently delete the Member and their personal data from the database.
11. St Helena Ancestors
a. FoSH has applied a 100-year rule to the release of most of its genealogical data, with additional century-old data being released on the first day of each New Year. The exceptions are Burials, Monument Inscriptions, Clerics and Governors where all the data has been made available.
b. It is believed that FoSH's 100-year rule ensures no privacy issues exist in its genealogical data. However, where users believe the confidentiality of private information has indeed been breached, they should make this known to Dr Chris Hillman providing full details of their concerns - make contact. A judgement will then be made whether specific data should be hidden or entirely removed.