As an update from the DPA 1998 (Data Protection Act) the new EU GDPR (General Data Protection Regulations) are coming into force on the 25 May 2018. Therefore, Breast Friends York Board of Trustees (the Data Controller) has created a Data Protection Policy and relevant systems which ensure that we comply with the new regulations whilst providing the best possible service for our members, supporters and volunteers. The Secretary shall be the Data Processor and the Chair shall be the Data Officer.
Purpose of the Policy
This policy will set out the actions and processes that Breast Friends York Board of Trustees will follow to ensure the GDPR regulations are fully met. It will specify what members, supporters and volunteers can expect from the Board regarding data protection. Additionally, our processes will be explicitly detailed to ensure transparency with regard to our data processing and use of private data.
Breast Friends York is a breast cancer peer support network which is a registered charity and is committed to protecting and respecting the privacy of its members, supporters and volunteers. We provide practical and emotional support to those with a breast cancer diagnosis in York and the surrounding areas. The lawful basis on which Breast Friends York holds personal data is that of consent, i.e. explicit consent is given by its members, volunteers and supporters in order to store their personal data. Breast Friends York uses personal data to provide the services and information that its members sign up to when joining and also to communicate with supporters and volunteers about events and activities. Personal data is not shared with any other third party unless: (a) it is anonymised as general data for statistical purposes as detailed in our Data Protection Policy under the heading ‘Who we Share your Personal Data With’; (b) the information gives us concern for the safety and welfare of our members, the individual the information is about or their families, in which case the information will be passed on to the relevant authority.
What Personal Data we Hold
Members will be required to give us information via our Membership Form in order to join Breast Friends York. There are two types of information that we may hold. Compulsory information that we require is name, date of birth, next of kin, address, contact details and communication preferences.
Optional information such as breast cancer related medical details can be provided in order to assist us in tailoring support towards the individual, i.e. passing on research and information that may be relevant.
This data is processed according to the conditions under Article 9(2a) of the GDPR:
“The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject”.
Personal data of members, supporters and volunteers may also be obtained by corresponding with us by telephone, e-mail or via social media.
Why we Need your Personal Data
The reason we need personal data is to be able to process and administer the membership of Breast Friends York, provide the support services that members sign up to when joining and communicate with our supporters and volunteers regarding events and activities.
Reasons we need to process your data include:
To administer the membership of Breast Friends York including:
- The processing of membership forms.
- Sharing data within the Board of Trustees in order to organise events and activities and provide specific, requested support.
- Breast Friends York Newsletter distribution.
- Communication regarding Breast Friends York events with members, supporters and volunteers.
Breast Friends York has the following social media pages: Facebook, Twitter and Instagram. All members are free to join these pages. If you join one of the social media pages, please note that the providers of the social media platform(s) have their own privacy policies and that Breast Friends York does not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data on social media pages.
Breast Friends York also has a closed group on Facebook (Breast Friends York Secret Group) which members have the option to join. Members should be aware that by joining this group all other members of that closed group will have access to the information that they post within it. Before joining the group, members should ensure that their own Facebook privacy settings are in place to meet their individual needs. Should an individual member choose to become Facebook friends with another member of the closed group, therefore allowing that friend access to the information contained within their Facebook account, they should be aware that they do so at their own risk and Breast Friends York takes no responsibility for an individual’s privacy settings outside of the closed group.
Breast Friends York also uses organisations to help with fundraising such as Localgiving and EasyFundraising. Before signing up to either of these organisations, members, supporters and volunteers should ensure that they are aware of the relevant data protection policies. Please note that these organisations have their own privacy policies and that Breast Friends York does not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data on these websites.
Accountability and Governance
Where we Store Personal Data:
Personal data will be stored in locked, fireproof cabinets (for paper records) at the Breast Friends York registered address and that of the Secretary (the Data Processor). Electronic copies of membership forms and spreadsheets will be securely kept using Google cloud hosting, protected by password security which is accessed only by the Breast Friends York Officers (Chair, Treasurer and Secretary). The Data Processor will ensure that spreadsheets and databases are updated as soon as consent is received. Telephone numbers of members, supporters and volunteers will be stored on the Breast Friends York mobile telephone for the purposes of communication only. This mobile telephone will be kept stored securely at the Breast Friends York registered address and is password protected.
Who we Share your Personal Data With:
Breast Friends York does not share any personal data it holds with any other third party. Occasionally Breast Friends York may share anonymised group statistics (e.g. how many members have a specific breast cancer type) in the interests of breast cancer research and living with and beyond breast cancer service development or Breast Friends York funding applications.
Breast Friends York data processing requires personal data to be transferred outside of the UK for the purpose of Google cloud hosting. Where Breast Friends York does transfer personal data overseas it is with the appropriate safeguards in place to ensure the security of that personal data.
How Long we Hold your Personal Data:
Breast Friends York will hold personal data on its members for the duration of their membership. Any personal data we hold on members will be securely destroyed upon request to cease membership at any time, in accordance with the GDPR ‘right to be forgotten’. In the case of supporters and volunteers, communication in writing is required in order for Breast Friends York to delete the personal data held. Personal data is not processed for any further purposes other than those detailed in this policy.
Your Rights Regarding your Personal Data:
As data subjects, members, supporters and volunteers have the right at any time to submit a subject access request in order to access a copy of the personal data that Breast Friends York holds about that individual. This request should be made in writing via post or email and Breast Friends York will comply with any such requests within 1 month of receipt.
Complaints can be made to the UK’s data protection supervisory authority, the Information Commissioner’s Office, about the processing of your personal data.
As a data subject you are not obliged to share your personal data with Breast Friends York; however, if you choose not to share your personal data with us we may not be able to register or administer your membership. In the case of supporters and volunteers we may be unable to communicate regarding events and activities.
A data breach is a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Should any member, volunteer or supporter detect a data breach, they are obliged to inform the Data Officer in the first instance. Additionally, they have the right to complain to the ICO.
Breast Friends York will regularly update and change all passwords relating to personal data protection in order to avoid potential data breaches.
Data Breach Procedure: The Data Officer will undertake an investigation which will include making arrangements to gather all necessary information from the reporting individual or organisation. An emergency meeting of the Board of Trustees will be called and the complaint will be investigated within 1 month. The Data Officer will inform the ICO and any individual that may be affected of any breaches they are aware of. The Board of Trustees may choose to review the policy as an outcome of the investigation.