Purpose of this policy
The purpose of this policy is to communicate to staff, volunteers and to donors, supporters and clients of MRDFthe approach that MRDFintends to take when handling the personal data of any person.
This document applies to the operation of MRDF in England and Wales.
MRDFmust comply with data protection law. The law prior to 25.05.18 is derived from the Data Protection Act 1998 (“the ‘98 Act”) and from 25.05.18 will be derived from the General Data Protection Regulation (Regulation 2016/679/EU) (“GDPR”) which came into force on 25.05.16 and which becomes applicable on 25.05.18.
Compliance with this policy will be the responsibility of the MRDF Admin Manager.
Every person who is employed by, works with or volunteers for MRDFis required to adhere to this policy to the best of their ability. If there are any concerns regarding the application of this policy it is the responsibility of the person with the concern to contact the MRDFdata protection manager at the first opportunity either directly or in writing.
This document uses definitions applicable to GDPR as these supersede any existing law from 25.05.18.
“Data Subject” The “data subject” is any natural person about whom information is obtained, stored and/or processed by MRDF or any person or organisation acting on MRDF’s behalf for any reason associated with MRDF.
Data subjects include officers, employees, servants and agents of MRDF, volunteers, donors and any other person whose personal data (see below) is collected and processed by or on behalf of MRDFfor any reason.
“Natural Person” A living person. A human being. The term “natural person” does not include any “legal person” such as a company, partnership or corporation.
“Personal Data” Any information relating to an identified or identifiable natural person is “personal data”. This includes, but is not limited to, name, identification number, location, online identifier or any physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.
“Special Category Data” Certain data is considered to be sensitive in nature and is referred to as “special category” data. Special category data is any data which reveals the racial or ethnic origin, the political opinions, the religious or philosophical beliefs, any trade-union memberships or any natural person. Any data such as genetic or biometric data which can uniquely identify a natural person or data concerning the sex life or sexual orientation of a natural person is also special category data.
“Controller” The “controller” for the purposes of this policy is MRDF. The controller is the natural or legal person who either alone or jointly with others determines the purposes and means of processing of personal data.
“Processor” A “processor” is a natural or legal person who processes personal data under the direct and express instructions of a controller.
“Processing” Any operation which is performed on personal data such as but not limited to collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction amounts to processing of that personal data.
Data Protection Principles
Every person working for, with or on behalf ofMRDF must adhere to the following principles when dealing with personal data. Personal data must only be:
- Processed lawfully, fairly and in a transparent manner in relation to the subject (‘lawfulness, fairness and transparency’)
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’)
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which personal data are processed (‘storage limitation’)
- Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures (‘integrity and confidentiality’)
Data Subject Rights
Every data subject has the following rights which must be upheld in a timely manner in order to comply with the law:
Right of access – the right to obtain a copy of personal data of the data subject and the details of processing carried out by or on behalf of MRDF;
Right of rectification – the right to ensure that errors in data held by MRDFare corrected;
Right to erasure – the right, under certain circumstances, to ensure that personal
data held byMRDF on that natural person is erased;
Right to restriction – the right to restrict the processing of personal data under
Right to portability – the right to obtain a copy of personal data obtained by the controller from the data subject in a portable machine readable form and also to have it transferred to another controller if so desired; and
Right to objection – the right to object to the processing of their personal data under
Each of these data subject rights is, in effect, a controller obligation. It is incumbent on the controller to facilitate the exercise of these rights. From 25.05.18 the controller can only charge a fee following a request to exercise the right of access under very limited circumstances.
The controller must respond to a request to access a copy of personal data within one calendar month.
Any employee, servant or agent of MRDFwho receives or becomes aware of any request from a data subject must forward that request to the data processing manager immediately.
Data subjects seeking to exercise any of the above data subject rights are requested to make their request to the data processing manager at MRDFto ensure a prompt and effective response.
In addition to the data subject rights, which themselves amount to controller obligations, the controller must comply with other obligations when processing the personal data of natural persons.
MRDFwill only collect such personal data as is required to do the required processing. This will differ depending upon whether the data subject is an employee, a volunteer or a donor.
MRDFwill only retain personal data for as long as is reasonably required by law or good practice following the last contact with the data subject. This retention period differs depending upon whether the data subject is an employee, a volunteer or a donor.
MRDFhas a policy of carrying out a data cleansing exercise annually and as a result data will be retained for no longer than one year in excess of the required retention period. Otherwise it would be excessively cumbersome for MRDFto manage the data cleansing process effectively.
Privacy by Design:
MRDFhas a responsibility to design and engineer its systems so that personal data is not misused and so that it is stored and processed in a manner which is consistent with minimising the opportunity for data loss and data being processed in a manner which has no lawful basis.
Article 13 and Article 14 notifications:
Where personal data has been obtained from the data subject directly, it is MRDF’s responsibility to provide the data subject with the following information if the data subject does not already have it:
- The identity and the contact details of the controller;
- The contact details of the data protection officer if such a person has been appointed;
- The purposes of the processing and the legal basis for that processing;
- What, if any, legitimate interest of MRDF or of a third party is relied on as the legal basis of the processing;
- The recipients of categories of recipients of the personal data, if any;
- If transfer of the data to a third country or to an international organisation is intended, whether or not there is an adequacy decision of the European Commission in force in respect of that country or any appropriate or suitable safeguards which are relied upon and how the data subject can obtain a copy of those safeguards;
- For how long the personal data will be stored or the criteria used to determine that period;
- The existence of the right of the data subject to request from MRDFaccess to and rectification of or erasure of the personal data or restriction of processing concerning the data subject or to object to the processing as well as the right to data portability;
- Where the processing is based on the data subject’s consent the fact that the data subject may withdraw that consent at any time unless prevented from doing so by law;
- The right of the data subject to lodge a complaint with a supervisory authority (regulator);
- Where the provision of the personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract, the data subject must be informed of this and whether he or she is required to provide the personal data and of the consequences of non-compliance with this requirement;
- If any automated decision making or profiling is carried out using the personal data then the data subject must be informed about this and provided with a meaningful explanation as to the logic involved and the envisaged consequences of this processing for the data subject;
- Where MRDFintends to process the data for a purpose other than that for which the data were collected, MRDFmust provide the data subject with a further notification including reminding him or her of his or her statutory rights in respect of that processing.
- Where MRDFobtained personal data of a data subject other than directly from the data subject MRDFmust provide the data subject with the information outlined above together with:
- The name and contact details of the source of the personal data and, if applicable, whether it came from publicly accessible sources.
In this second case, MRDFmust provide this information to the data subject no later than one month after obtaining it or when it is first used to communicate with the data subject (if that is its purpose) whichever is the sooner.
MRDFis also required to communicate the above information to a data subject no later than when it is disclosed to another recipient.
As a matter of policy, MRDF does not disclose personal data to third parties for any other purpose than for the processing of that data in relation to payment of wages, salaries, expenses or the processing of donations and for that purpose alone.
Where the data subject is attending an MRDF function,MRDFmay need, in order to facilitate the operation of that function and the attendance of the data subject,
MRDFdoes not sell or transfer personal data to any organisation for the purpose of direct marketing or for any other purpose other than for processing of payments or booking of accommodation or travel as outlined above.
MRDF as controller has a responsibility to keep written records (which may be stored in electronic form) in accordance with Article 30. These records are (as applicable to MRDF):
- name, contact details of MRDFas controller;
- the purposes of the processing;
- description of the categories of data subjects and of the categories of personal data;
- categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country (outside of the EEA) or an international organisation, including the identification of that third country or international organisation and, in the case of transfers carried out in relation to performance of a contract between MRDF and the data subject, a description of suitable safeguards in place to protect the rights and freedoms of the data subject;
- where possible the envisaged time limits for retention of the different categories of data;
- a general description of the technical and organisational security measures in place
- to safeguard the rights and freedoms of the data subject.
- These records may be made available to the regulator on request.
Information Security Measures
MRDF has put in place and will continue to monitor and maintain a number of systems, processes and procedures to ensure and assure that the personal data of data subjects, be they employees, volunteers, donors or clients, is kept securely and safely at all times.
These measures include but are not limited to: encryption of all data sets at rest, control of all backup datasets which are in any event encrypted; and maintaining physical and logical security in relation to access to any personal data.
The person responsible for information security at MRDF is the ICT manager.
Data Protection Breaches
A data protection breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Any employee, servant, agent of MRDFor any volunteer working with MRDFwho becomes aware of a data protection breach or a possible data protection breach is required to inform the data protection manager as soon as possible.
On becoming aware of a breach, MRDFas controller is obliged to inform the regulator within 72 hours.
Data subjects must be informed of any breach affecting their personal data within 30 days unless MRDFis able to demonstrate that the data breach is unlikely to result in a risk to the rights and freedoms of the data subjects.
Everyone working for and with MRDFis reminded that data protection is taken very seriously both by MRDFand by the community as a whole. From 25.05.18 very serious financial penalties may be applied by a competent data protection supervisor (regulator) for breaches of the law and failure to keep personal data safely and securely. These penalties could be sufficiently large to close down MRDF. The maximum fine that can be levied is €20m or 4% of worldwide revenue.