This Policy sets out the obligations of The League of St Bartholomew’s Nurses regarding data protection and the rights of its members (data subjects) in respect of their personal data under EU Regulation 2016/679 General Data Protection Regulation (GDPR). GDPR defines “personal data” as any information relating to an identified or identifiable person (a data subject).
This Policy sets out the League’s obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must be followed at all times by the League, its officers, agents, or other parties working on behalf of the League. The League places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.
2. The Data Protection Principles
This Policy is designed to ensure compliance with GDPR and The Charities Commission. GDPR sets out the following principles with which any organisation handling personal data must comply.
All personal data must be:
- Processed lawfully, fairly, and in a transparent manner in relation to the data subject.
- Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is obtained.
- Accurate and, where necessary, kept up to date. Every reasonable step will be taken to ensure that personal data that is inaccurate is erased or rectified in a timely fashion.
- Kept in a form that permits identification of data subjects for no longer than is necessary. Personal data may be stored for longer periods solely for archiving purposes, subject to implementation of the appropriate technical and organisational measures required by GDPR.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
3. The Rights of Data Subjects (Members)
GDPR sets out the following rights applicable to data subjects:
3.1 The right to be informed
Where personal data is collected directly from members they will be informed of its purpose at the time of collection.
Where personal data is obtained from a third party (e.g. gift membership), the relevant data subjects will be informed of its purpose as soon as reasonably possible and in any event not more than 8 weeks after the personal data is obtained. The following information shall be provided to all members:
- Details of the League Data Compliance Manager
- The purpose(s) for which the personal data is being collected and will be processed
- Where the personal data is to be transferred to a third party, details of that third party.
- Details of how data will be retained; the data subject’s rights under GDPR; their right to withdraw their consent to the League’s processing of their personal data at any time; and their right to complain to the Information Commissioner’s Office (the “supervisory authority” under GDPR).
3.2 The right to Data Subject Access
- Members may make subject access requests (SARs) at any time to ask about the personal data which the League holds about them, what it is doing with that personal data, and why.
- Members wishing to make a SAR must do so in writing. The SAR should be addressed to the League’s Data Compliance Manager. Responses to SARs will be made as soon as reasonably practicable and where possible within 2 months. If additional time is required, the data subject shall be informed.
- The League does not charge a fee for the handling of normal SARs. The League reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.
3.3 The right to Rectification of Personal Data
- Data subjects have the right to require the League to rectify any of their personal data that is inaccurate or incomplete.
- The League shall rectify the personal data in question, as soon as reasonably practicable and where possible within 2 months. If additional time is required the data subject shall be informed.
3.4 The right to deletion of personal data
Members have the right to request that the League erases the personal data it holds about them in the following circumstances:
- When it is no longer necessary for the League to hold that personal data with respect to the purpose(s) for which it was originally collected or processed
- If the member wishes to withdraw their consent to the League holding and processing their personal data. All requests for erasure will be complied with.
- If the personal data has been processed unlawfully
- If the personal data needs to be erased in order for the League to comply with a legal obligation
4. Lawful, Fair, and Transparent Data Processing
GDPR seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. GDPR states that processing of personal data shall be deemed lawful if the data subject (member) has given consent to the processing of their personal data for one or more specific purposes. The League obtains consent from all members to allow use of their personal data for the purposes stated in paragraph 9.4 below.
5. Specified, Explicit, and Legitimate Purposes
League members are kept informed at all times of the purpose or purposes for which the League uses their personal data. Paragraph 3.1 details ways in which members are informed.
6. Adequate, Relevant, and Limited Data Processing
The League only collects and processes personal data for the specific purpose or purposes of which data subjects have been informed.
7. Accuracy of Data and Keeping Data Up-to-Date
- The League takes all reasonable steps to ensure that personal data collected, processed, and held is accurate and up-to-date.
- The accuracy of personal data is checked when it is first collected and through reminders in the League News thereafter. If any personal data is found to be inaccurate or out-of-date, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.
8. Data Retention
The League does not retain personal data for any longer than is necessary for the purpose for which it was originally collected, held, and processed. When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay. Details of the League’s approach to data retention, including retention periods for specific personal data types, are set out in section 9 below.
9. Secure Processing
The League uses the following procedures to ensure that all personal data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
9.1 Transferring Personal Data and Communications
All communications containing personal data are transmitted using a secure service such as McLean Reid’s Client Zone, or an encrypted service (Dropbox™), and are marked ‘confidential’.
The following measures are taken to ensure safe and secure storage of personal data:
- Electronic copies of personal data are stored securely and password-protected
- All hard copies of personal data, along with any electronic copies stored on physical, removable media, are stored securely in a locked drawer, cabinet, or similar
- All personal data stored electronically is backed up and stored on the EU-based Cloud, which is password protected.
- Where mobile devices are used to store personal data both the device and the appropriate files will be password protected
When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed) it will be securely disposed of and deleted.
9.4 Use of Personal Data
9.4.1 Personal data will only be used to carry out the aims and functions of the League, including but not exclusively the following:
- To send the annual copy of the League News
- To compile a list of current members and monitor payment of subscriptions
- To contact new members to welcome them and provide further information about the League
- To send Christmas cards to members who qualified as a nurse 60 years or more ago
- To correspond with members who qualified as a nurse 60 years ago to make them aware of the Benevolent Fund
- To invite members to participate in League events
- To respond to members’ requests to attend League events
- To compile a list of names of deceased members for inclusion in the League News (NB no addresses will be included) and to correspond with the relatives of deceased members
- To compile a list of new members for inclusion in the League News (NB no addresses will be included)
- To invite members to serve on the League committees and working groups
9.4.2 The League shall ensure that the following measures are taken with respect to the use of personal data:
- No personal data will be shared informally; if a member or other party working on behalf of the League requires access to any personal data, such access should be formally requested from the Data Compliance Manager
- Personal data will be handled with care at all times and will not be left unattended or on view to unauthorised parties at any time
- Personal data will never be shared with third parties without the consent of members. As agreed annually by members attending the AGM, personal data is shared with McLean Reid Chartered Accountants, for the purpose of maintaining the membership database, and L and T Press, for printing and distributing the League News.
9.5 IT Security
The League will take the following measures to ensure IT and information security:
- All files containing personal data will be password-protected and transferred using a secure, encrypted service (see 9.1 above)
- Personal data transferred to the publisher for inclusion in the League News will be transferred from the data processors (McLean Reid) using their password-protected service (Client Zone)
- The publisher (L and T Press) keeps all personal data secure during the publication process.
10. Accountability and Record-Keeping
- The League’s Data Compliance Manager is the League President.
- The League shall keep written internal records of all personal data collection, holding, and processing, which shall incorporate the following: The name and details of the League, its Data Compliance Manager; an up-to-date Data Information Audit; details of personal data retention by the League (see para 8 above); descriptions of the technical and organisational measures taken by the League to ensure the security of personal data (see section 9 above).
11. Data Information Audit
The League shall carry out a Data Information Audit for any new projects or new uses of personal data.
12. Organisational Measures
The League shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:
- All members or other parties working on behalf of the League shall be appropriately trained/supervised, made fully aware of both their individual responsibilities and the League’s responsibilities under GDPR and under this Policy, and shall be provided with a copy of this Policy;
- Access to personal data held by the League will only be given to members or other parties working on behalf of the League that require access in order to carry out their assigned duties
- All members or other parties working on behalf of the League handling personal data shall be required and encouraged to exercise care, caution, and discretion when discussing work-related matters that concern personal data
- Methods of collecting, holding, and processing personal data shall be reviewed annually
- All personal data held by the League shall be reviewed annually
- Other parties working on behalf of the League handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant members of the League arising out of this Policy and GDPR; and
- Where any agent, contractor or other party working on behalf of the League handling personal data fails in their obligations under this Policy, that party shall indemnify and hold harmless the League against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
13. Data Breach Notification
- Any personal data breach must be reported immediately to the League’s Data Compliance Manager.
- If the personal data breach is likely to result in a high risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality or other significant social or economic damage) the Data Compliance Manager will inform affected data subjects and the Information Commissioner’s Office of the breach as soon as reasonably practicable, where possible within 72 hours of having become aware of it.
- Data breach reporting will include: details of the measures taken, or proposed to be taken, by the League to address the breach including, where appropriate, measures to mitigate its possible adverse effects.
14. Implementation of Policy
This Policy is effective as of 25th May 2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.
This Policy has been approved and authorised by:
Name: Prof Maggie Nicol and the League Executive Committee
Position: President and Data Compliance Manager
Due for Review by: May 2019