This is what the Association must comply with going forward and why we have produced a Data Protection Policy and a Privacy Notice for you to sign.
The General Data Protection Regulation 2018 (“GDPR”) comes into force in the UK on 25th May 2018. It replaces the Data Protection Act 1998 and will harmonise data protection law throughout Europe.
The GDPR seeks to uphold 6 principles when an individual’s personal data is ‘processed’ by the NADCAA, (the term ‘processing’ is a wide term which covers most things which can be done with personal data, including collecting it, storing it and using it):
- Personal data must be processed fairly and lawfully and in a transparent manner.
- Personal information must be collected for specified, explicit and legitimate purposes.
- Personal data must be adequate, relevant and limited to what is necessary for the purpose
- Personal data must be accurate and up to date.
- Personal data must not be kept longer than is necessary.
- Personal information must be processed in a manner which ensures security of the personal data against unlawful processing accidental loss, destruction or damage.
Sensitive personal data is information concerning:
Racial or ethnic origin
Religious belief or similar including philosophical belief
Trade union membership
Physical/mental health or condition
Sexual life or sexual orientation
Commission or allegation of an offence
Proceedings of any offence, disposal of proceedings, sentences
The Newton Abbot & District Co-operative Allotment Association does not store any of the above personal data pertaining to its members.
The GDPR sets out the following legal grounds under which the NADCAA may process (non-sensitive) personal data:
Necessity to protect the vital interests of the individual– e.g. disclosing an employee’s heart condition to a paramedic
Necessity for the performance of a task carried out in the public interest
Necessity for the performance of a contract with the data subject
Necessity for compliance with a legal obligation
Necessity for the legitimate interests of the data controller
If you have consent
The GDPR requires that The Newton Abbot & District Co-operative Allotment Association is able to demonstrate that it is complying with the law so that each member has documentation which explains what data it holds, how it collects it and what the Association does with it. The key documents that enable the NADCAA to do this are:
A Data Protection Policy
Privacy notices (also known as a Fair Processing Notices)
Data Protection Policy
The Data Protection Policy informs members and others acting on behalf of the NADCAA how to handle personal data in compliance with the law.
The Privacy Notice clearly describes how the NADCAA handles and uses your personal data. New Members will receive a Privacy Notice when they join the Association and current members will be sent one by email or by post.
The Privacy Notice includes the following, among other information:
The identity and contact details of the NADCAA and the Colony Administrator responsible for Data Protection
The purposes and legal ground for processing data
The recipients of the personal data
If the NADCAA transferred data to any organisations situated outside the EU the notice should also include the legitimate interests pursued by that organisation and the safeguards in place to protect the data
The expected length of time that the NADCAA will store the data
The individual’s rights to access to, erasure or restriction of their personal data
The right to complain to the ICO
Data subjects (those whose data the NADCAA hold) have the right to access their information. They have a right to request that the NADCAA inform them of:
The purposes of processing
The categories of personal data held
The recipients of the personal data
How long the organisation expects to hold their data before destruction
The right to lodge a complaint with a supervisory authority
If the data was not collected directly from the data subject, the source of the information
The envisaged consequences of such processing for the data subject
In addition to being given the above information by the NADCAA, if an individual exercises this right they must be given a copy of the personal data that the NADCAA processes.