Data Protection

Introduction

Every diocese will hold information about members, volunteers, donors, supporters and beneficiaries:

·  To know who our members and volunteers are.

·  To keep our members, donors and supporters informed about what Mothers’ Union is doing.

·  To ensure that all subscriptions are received and to administer Gift Aid.

·  To inform members about any changes.

All personal information, such as names and contact details, whether held on a computer or in a relevant filing system, needs to be held in accordance with the UK’s Data Protection Act 1998.

The requirements of the Data Protection legislation in the Republic of Ireland (Data Protection Acts 1998 and 2003) are very similar. More detailed information can be found on the website of the Office of the Data Protection Commissioner for Ireland (https://www.dataprotection.ie/docs/Home/4.htm).

Important Note

The General Data Protection Regulation (GDPR) will come into effect in the UK on 25th May 2018. This is the new legal framework in the EU for data protection and the UK government has confirmed that the decision to leave the EU will not affect the commencement of the GDPR. A revised document on Data Protection will therefore be made available before the GDPR comes into effect.

Do we need to register with the Information Commissioner’s Office?

Not for profit organisations and some charities are exempted from the requirement to register with the Information Commissioner’s Office (ICO) under the Data Protection Act 1998 – providing they meet the conditions of the exemption. So if the information you hold is purely for Mothers’ Union use and not divulged to any third parties, you will probably meet the requirements of the exemption.

Look at the ICO’s Information document to make sure your diocese meets the exemption conditions:

https://ico.org.uk/media/for-organisations/documents/1567/exemption-from-registration-for-not-for-profit-organisations.pdf

Remember that if you give the information to someone else within the Mothers’ Union organisation, they also have to respect the member’s right to privacy and cannot use the data for any other purposes.

Even if you are exempted from registering with the ICO, you still have to:

·  comply with the eight Data Protection Principles of Good Practice (see below)

·  respond within 21 days to a written request to provide the information that would have been included in the public register if the organisation were registered.

Eight Data Protection Principles of Good Practice

Data must be fairly and lawfully processed

Make sure you are dealing with the right person. Only the owner of the information can give you permission as to what you can and cannot do with the information. With data protection, vulnerable adults and children also have rights. Depending on the data that is being collected, consent may be needed from the parent/guardian and also from the vulnerable adult or child. In Scotland children over the age of 12 have to give consent, but this is not the case at present in other parts of the UK. However, it is good practice to ensure that children are aware of what their parents are consenting to, as a safeguard and to give children a voice in deciding what personal data can be accessed by whom.

Data must be collected for specific lawful purposes only

Use data only for the purpose for which you collected it. The individual has a right to know what that purpose is. Data collected to update a membership database can only be used for membership related purposes. Disclosing the information to the local WI is incompatible as it is not the purpose for which it was collected. However using it to send Mothers’ Union newsletters to members is a related purpose. Please note that a member has a right to decline such use.

Only collect the data you need – adequate and relevant

There is no need to collect personal information, unless it is necessary for your use. So be clear about what data you need and why you need it. A good example is bank details – there is no need to collect this unless you have a financial relationship with the individual and need to administer transactions such as Direct Debit, payroll or BACS.

Data must be accurate and where necessary up to date

Always keep data up to date. Have a clear policy on when data will be updated, say within 28 days, and state this when you collect data.

Never keep data longer than necessary

For example:

·  Details about Gift Aid need to be kept for a minimum of six years after the end of the Gift Aid donation. Please note that you will need to keep the information for as long as the donor is actively Gift Aiding his/her donations.

·  Criminal data and security-related data will need to be kept longer, but keep only the data relevant to the purpose.

·  Bank details for Direct Debit purposes should not be kept after the member has stopped the mandate.

However, data can be kept for statistical purposes without information of a personal nature, including names and addresses. You can keep membership profiles from the past, but always ask whether you need to keep data in the format you are keeping it. For example, keep an individual’s initials and date of joining as a ‘membership number’, then date of birth, positions held, etc, but not bank details or their name and address, since once the member has left you do not need this information.

All dioceses should have a copy of the Retention of Records document which gives the minimum period for which data should be kept.

Personal data will be kept and used in accordance with the Data Protection Act.

The Data Protection Act gives rights to individuals about whom information is held. These include the right to:

·  Ask to see the information held about them.

·  Object to an organisation holding or processing information about them if it causes unwarranted damage or distress.

·  Prevent their data being used without their consent for marketing purposes (further information on obtaining consent for marketing can be found under Opt In, Opt Out below).

Always safeguard data against unauthorised or unlawful processing, accidental loss or damage

Data kept on a personal home computer which can be accessed by others is not a safe way of storing data. If the computer is accessible to others then you must password protect the sections that hold information relating to members, using strong passwords. Make sure all portable devices – such as memory sticks and laptops – used to store personal information are encrypted.

Data must not be transferred outside the European Economic Area unless that country has adequate protection

This also applies to overseas offices of Mothers’ Union.

More detailed information about the Data Protection Principles of Good Practice can be found at: https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/

Opt In, Opt Out

What is direct marketing?

Individuals have the right to prevent their personal data being used for direct marketing and can, at any time, give you written notice to stop (or not begin) doing so.

Direct marketing includes all the means by which you might contact individuals, such as mailshots, telephone calls, emails and text messages.

Direct marketing doesn’t just relate to selling products or services: it includes promoting particular views or campaigns. So even if you are using personal data to elicit support for Mothers’ Union (or a particular area of Mothers’ Union activity or a Mothers’ Union campaign) you are still carrying out direct marketing and would have to comply with a written notice to stop.

If you receive a notice to stop, you must comply within a reasonable period.

Gaining Consent

There are two ways of gaining consent to using personal data for marketing purposes:

Opt In

The recipient of a first communication (mailshot, email, text message) is asked to tick a box (or boxes) allowing you to continue to send them information.

Opt Out

The recipient is asked to tick a box (or boxes) if they do not want to receive any more communications.

It is good practice to give an individual the opportunity to opt out at the time you collect personal information from them, such as during a phone call or on a website, or when they sign an application form. You can also use this opportunity to find out how they want to be contacted.

An Opt Out can be for anything such as:

·  Not receiving acknowledgements/thank you letters.

·  No further communication.

·  Not passing on personal information to third parties.

You need to be clear about what you are asking the individual to agree to. Do not combine two different clauses, for example ‘occasionally we may contact you regarding fundraising events we are holding and also inform you about our partner organisations’. Test Opt Out clauses to ensure that they are clear and free from confusing messages.

Electronic communication

All email and text messages of a marketing or fundraising nature should have an Opt Out clause which an individual can use to unsubscribe from future messages.

There are additional guidelines relating to electronic mail marketing that can be found at:

https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/

Recording of consent

You should keep clear records of what a person has consented to, and when and how you got this consent, so that you can demonstrate compliance in the event of a complaint.

Top five tips from the Information Commissioner’s Office for small and medium-sized charities and third sector organisations

Tell people what you are doing with their data

People should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.

Make sure those dealing with personal information are adequately trained

Those involved must receive data protection training to explain how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff and volunteers.

Use strong passwords

There is no point protecting the personal information you hold with a password if that password is easy to guess. All passwords should contain upper and lower case letters, a number and ideally a symbol. This will help to keep your information secure from would-be thieves.

Encrypt all portable devices

Make sure all portable devices – such as memory sticks and laptops – used to store personal information are encrypted.

Only keep people’s information for as long as necessary

Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required.

Letter of Assurance Guidance Document

Data Protection Page 1 of 4

September 2017