Tarland Development Group Data Protection Policy
1. Since 2018 UK data protection law has been governed by the General Data Protection Regulation (GDPR). This created a harmonised legal framework regulating the collection, use and sharing of personal data throughout the EU.
As of 1 January 2021, the GDPR ceased to have effect in the UK and instead (under the European Union (Withdrawal) Act 2018) a UK version of the GDPR now applies (UK GDPR). This carries across much of the existing EU GDPR legislation, but applies as an independent law. The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“Exit Regulations”) apply a number of necessary changes to the GDPR to make it relevant to the UK following departure from the EU.
The Data Protection Act 2018 remains in place, effectively subordinate to the UK GDPR and amended by the Exit Regulations. The Privacy and Electronic Communications (EC Directive) Regulations 2003 will remain in place, but will now refer to the UK GDPR.
2. The UK GDPR requires Tarland Development Group (TDG) to safely and responsibly manage all the personal data that it holds. TDG holds a very limited amount of personal data on its Members and on people who have contacted or have worked with the Group. This allows the Group to:
a. Operate according to its charitable aims as set out in its Constitution;
b. Provide Members with updates as required (e.g. dates of meetings and copies of the Annual Report etc.); and
c. React efficiently to any requests made to it.
All the data processing is carried out as part of one of the following lawful actions:
• Legal obligation;
• Public task; or
• Legitimate interests.
The Group will never contact any individuals on an unsolicited basis.
3. TDG is committed to protecting all personal data it holds in line with its responsibilities under GDPR and, in particular, to ensuring that any processing of data by the Group is lawful, fair and transparent. The Secretary is the Group’s nominated person responsible for ensuring TDG’s compliance with GDPR.
4. TDG, as a Charity, is exempt from registering as an organisation that processes personal data with the Information Commissioner’s Office (ICO).
Data and Data Processing
5. All the Members’ information held by the Group has already been, and will continue to be in future, acquired with their permission. The Group will ensure that personal data is adequate, relevant and limited to only what is necessary in relation to the purposes for which the data is processed or retained. TDG will take reasonable steps to ensure that personal data is accurate and is kept up to date. TDG will also ensure that personal data is not kept for any longer than necessary.
6. Anyone has the right to access their personal data or to ask for their data to be removed from TDG records. Anyone wishing to do this should contact TDG as soon as possible (firstname.lastname@example.org) and the Group will comply with their request as quickly as possible.
7. The Group will ensure that any personal data is stored securely and will have appropriate back-up systems in place. Access to personal data will be limited to personnel who require access, who will not share the data without a justified reason.
8. When personal data is deleted this will be done such that the data is irrecoverable. TDG will destroy any obsolete computer equipment securely to ensure that any historic data is not accessible.
Breaches and Investigations
9. The Trustees will investigate any breach of data security (accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data held by TDG). The resulting report and the actions identified will be reviewed at the next Trustees meeting. The Chair will be responsible for ensuring that any actions are completed (including, if necessary, reporting the incident to the ICO).
10. This policy will be reviewed annually and updated as required.
KD – 15 February 2021