Data Protection Policy
Date created: 6 July 2022
The purpose of this Data Protection Policy (DPP) is to demonstrate that the Society, a ‘small company’ as defined by the UK GDPR, are compliant with the ‘data protection principles’ set out in the UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018.
This DPP is applicable to all data processing undertaken by the Society.
Customer – A person, not a member of the Society, who has bought goods or services from the Society
Society – Hampshire Genealogical Society
DPP – Data Protection Policy
ICO – Information Commissioner’s Office (UK)
Member – A person who has joined the Society on payment of their annual subscription
Lawfulness, fairness and transparency
Information held by the Society
The Society will carry out an information audit every five years. The audit will incorporate a review of the management of member and customer personal data held by the Society and will identify any potential risks to the security of such personal data.
Lawful basis for processing member and customer personal data
The Society have elected to use ‘Consent of the data subject’ as the basis for collecting Society member and customer personal data.
Society members will be requested to give their ‘Consent’ for the storage of their personal data at the time they submit their membership application to the Society. Society customers will be requested to give their ‘Consent’ when they purchase goods and services from the Society.
Consent to process children’s data for online services
Membership of the Society will be restricted to persons 18 yrs. of age or older and therefore ‘Consent to process children’s data for online services’ will not be applicable to the Society.
Registration with the ICO
The Society is registered with the ICO.
Right to be informed including privacy information
The Society Privacy Notice will be displayed on the Society website public area and in the Society Quarterly Journal; it will also be transmitted by the Society Membership Secretary to those new Society members who elect to submit hard copy (paper) membership application forms to the Society. A copy of the Society Privacy Notice will also be included with all goods and services delivered by the Society.
Communicating the processing of children’s personal data
Membership of the Society is restricted to persons 18 yrs. of age or older and therefore the requirements for ‘Communicating the processing of children’s personal data’ will not be applicable to the Society.
Right of access
Society members and customers will have the right to:
- Confirm that their personal data is being processed
- Receive a copy of their personal data recorded by the Society
This ‘Right of access’ will be stated in the Society Privacy Notice. Society members and customers can request access to their personal data by writing (email is acceptable) to the Society Membership Secretary.
Right of rectification and data quality
Society members and customers will be responsible for advising the Membership Secretary, in writing (email is acceptable), of any changes to their personal data that may occur after their application to join is accepted by the Society or after their receipt of goods and services from the Society.
Right of erasure including retention and disposal
Society members will be responsible for instructing the Society Membership Secretary, in writing (email is acceptable), if they require their personal data to be erased from the Society records. The Society Membership Secretary shall then advise the member, in writing, when this erasure has been completed.
From this time the person requesting the erasure shall no longer be a member of the Society and will receive no further communications from the Society including the Society Quarterly Journal; they will no longer have access to the Society website members section; membership fees will not be refunded.
Society customers can also write to the Society Sales Office Manager instructing that their personal data be erased from the Society files. The Society sales office shall confirm to the customer, in writing, when this erasure is completed.
Unless requested by members or customers to erase their personal data from the Society electronic or hard copy paper files, the Society shall retain such personal data for seven years after lapse of a Society membership or the most recent date of a purchase of goods or services from the Society by a customer.
Right to restrict processing
Personal data retained by the Society will consist of the contact details and payment processes used to manage annual subscriptions paid by Society members and payments from customers for goods and services received from the Society. Members and customers have the right to block or restrict the processing of their personal data by notifying the Society Membership Secretary in writing (email is acceptable).
Right of data portability
The portability of data, as defined by the UK GDPR, is not applicable to the Society.
Right to object
The personal data provided by members and customers to the Society will be for the purpose of becoming a member of, or purchasing goods or services from, the Society.
Therefore, if members or customers object to the Society processing their personal data, the Society will refer them to their ‘Right of erasure including retention and disposal’ as stated elsewhere in this document.
Rights related to automated decision making including profiling
The Society will not use member and customer personal data for automated decision making and profiling.
Accountability and governance
The Society monitors its compliance with this Data Protection Policy and carries out an audit, every five years, of the effectiveness of its data handling and security controls. This includes data protection awareness training for all Society volunteers involved in the processing of Society members’ and customers’ personal data.
Data Processor Contract
There will be ‘Data Processor Contracts’ in place between the Society and all Society Data Processors.
The Society will carry out information management risk assessments every five years and put in place measures required to mitigate risks to member and customer personal data.
Data Protection by Design
The Society will put in place the policies and procedures necessary to demonstrate their obligation to implement the appropriate technical and organisational personal data protection measures.
Data Protection Impact Assessments (DPIA)
The Society consider the personal data processing they undertake to be low risk as defined by the UK GDPR and therefore DPIAs are not required.
Data Protection Lead
The Society will appoint a ‘Data Protection Lead’ as the focal point for all UK GDPR issues within the Society.
Data security, international transfers and breaches
The Society will issue a Security Policy demonstrating their commitment to maintaining the security of their member and customer personal data.
Personal data held by the Society will only be transferred outside of the jurisdiction of the UK GDPR if conditions of transfer set out in Chapter V of the UK GDPR are met.
The Society will issue a Data Breach Policy demonstrating their commitment to managing any breach of their personal data management systems including the timely notification of the affected Society members and customers.