Data Protection Policy (GDPR 2018)

Data Protection Policy

         Street & Walton Men’s Shed

Data Protection Statement
Street & Walton Men’s Shed is classified as a Data Controller under the General Data Protection Regulation (the GDPR). This policy outlines our commitment to protecting the personal data of people in relation to our organisation’s work in accordance with the GDPR – as regulated by The Information Commissioner’s Office (ICO), the UK authority on data protection - and carrying out any data processing with transparency, accountability and good governance. 

​

Main Contacts

• Below are the Shed's main contacts for data protection in line with this policy. They should be your primary contact should you wish to discuss something related to data protection, or need further information. 

• Data Protection Officer (DPO): Brian Bastable      

• Tel: 01458443940           
  Email: brianbastable123@hotmail.co.uk

• The DPOs’ are volunteers of the Data Controller, the Street & Walton Men’s Shed and have responsibility for ensuring personal data is collected and processed lawfully in line with this policy and the GDPR, and is kept secure.

​

Definitions
This policy uses the GDPR’s definitions for the following key terms.

• Personal data – any information relating to an identified or identifiable natural person, both ‘direct’ and ‘indirect’ identification.

• Natural Person - an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

• Data Controller - a ‘person’ who determines the purposes for information processing and the manner in which it is done. A data controller will be a ‘person’ recognised by law i.e. individuals, organisation and corporate bodies.

• Data Processor - any ‘person’ (again, a person as recognised by law), other than an employee of a data controller, who processes the data on behalf of the data controller.

• Other key terms are defined within their sections.

​

Data Collection

• From time to time, we will need to process the following examples of personal data from volunteers, service users and other natural persons related to our work. We may also, at times, need to collect and process personal data not listed here. The following are some examples of the types of personal data we may collect and process. 

• Name

• Contact information e.g. address, telephone numbers, email addresses

• Information about your age, ethnicity, gender, nationality, disability status

• Information about your skills, qualifications and expertise

•  Information relevant to our human resources procedures

• We may use this information to:

• Manage memberships 

• Understand the views and opinions of Shedders and other related persons

• Handle complaints

• Monitor the impact of our work e.g. through case studies or consultation

• Improve our services

• Carry out administration functions

• Get help if somebody is in danger e.g. contact next of kin if an accident or emergency occurs

• Send information we think might be of interest to you

• Comply with legal obligations

• In line with the GDPR, Street & Walton Men’s Shed will ask for and record individuals’ consent prior to collecting and processing data for certain purposes and provide clear and concise privacy notices to provide information on how and why we are collecting and processing particular data.  Street & Walton Men’s Shed will ensure it provides ongoing opportunities to give or revoke consent where appropriate and necessary in line with the GDPR. Street & Walton Men’s Shed’s privacy notices will also clearly state our lawful basis or bases for collecting the data in each instance that we collect and process it. This will be in line with the six documented legal bases of the GDPR; consent, contract, legal obligation, vital interests, public tasks or legitimate interest. 

• Street & Walton Men’s Shed will maintain a live log of the exact types of data, reasons and lawful basis for collection and processing which allows us to demonstrate our compliance with the GDPR with the ICO, if ever necessary.

• Street & Walton Men’s Shed will never, under any circumstances, use personal data to discriminate against a person for any reason.

• Street & Walton Men’s Shed will audit personal data on file on an annual basis to ensure it is still relevant, needed and lawfully held. If ever we need to use data for another purpose, we will make sure we inform and/or request consent from the relevant persons, in line with the GDPR.

• Street & Walton Men’s Shed will carry out a Data Protection Impact Assessment (DPIA) prior to implementing new data handling technology and/or where processing personal data is likely to significantly affect individuals. 

​

Data Handling

• Street & Walton Men’s Shed understands its obligations under the GDPR, when collecting, controlling, and managing personal data. We will ensure that we:

• Process data lawfully, fairly and in a transparent manner.

• Collect data only for specified, explicit and legitimate purposes and not further processing in a manner that is incompatible with those purposes.

• Process data adequately, relevant and limited to only what is necessary.

•  Ensure personal data is accurate and kept up to date, rectifying and erasing any errors or inaccuracies without delay.

•  Will keep personal data in a form that permits identification of individuals for no longer than is necessary for the purpose.

• Process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and against loss, destruction or damage.

• As a data controller and in line with the GDPR, we will keep a record of our processes, consistent with the above and be able to demonstrate our compliance at any given time.

​

Data Storage and Security

• Street & Walton Men’s Shed takes the matter of safety of personal data very seriously and will always ensure we put in place robust safety measures, appropriate to the type of information we hold and process.

• In order to secure personal data kept by Street Men’s Shed we will use a mixture of the following methods, appropriate to the data held. 

•  Physical security including: not held on Shed premises.

• Computer security including passwords and restricted access

• We will check our storage and security practices regularly to ensure they are in line with regulation and appropriate for the personal data held. We will build a culture of awareness and security within the Shed ensuring good communication with key people, and we will only ever provide access to personal data for people that need it for lawful processing.

• The exact way we store personal data for each purpose will be documented in our Data Protection Log.

• Individual Rights
   

• Street & Walton Men’s Shed is aware of the rights for individuals whose personal data we hold. In line with those rights we will ensure we process data in accordance with these rights. We will:

• Be transparent and inform them of how and why we will process their personal data, as well as the lawful basis for doing so.

• Respond within 30 days if people ask to access their personal data, allowing them to verify its lawful collection and processing.
   

• Rectify any inaccurate or incomplete personal data without delay.

• Erase any personal data when it is no longer needed or there is no lawful reason for it being held.

• Take immediate action if an individual requests that we suppress the processing of their data or objects to its collection, retaining just enough to respect their wishes in future.

• Never process personal data for more than it’s lawful, documented purpose(s).

•  Obtain clear, active consent from each individual where we are lawfully obliged to do so.

Data Breaches

• Street & Walton Men’s Shed recognises the GDPR’s guidelines to record, rectify and report, where necessary, data breaches, where a breach of security leads to the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data. 

• Street & Walton Men’s Sheds DPOs are allocated the responsibility for minimising the likelihood of breaches and taking prompt action if ever they happen. Street Men’s Shed will ensure it notifies the individuals whose data is involved if there is any adverse risk to them as a result of the breach, and where necessary notify the Information Commissioner’s Office (ICO).

​

Accessing Information

• Under the GDPR, individuals have the right to access the information held about them. If you would like to request information held, or be reminded of the reasons, lawful basis and methods of keeping your personal data, please send a request in writing to:

Brian Bastable

Street & Walton Men’s Shed 
5 Barnard Avenue
Street,
Somerset,

BA16 0RW.

• We will respond to all requests within 30 days.

• The Information Commissioner’s Office (ICO)

• The ICO is “the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals” (ICO website). It is responsible for administering the provisions of the GDPR.

• Under the GDPR, organisations must register with the ICO unless exempt.

• Street & Walton Men’s Shed is exempt from registering with the ICO because it only makes a profit only for its own purposes.

• Street & Walton Men’s Shed only:

• Processes information necessary to establish or maintain membership or support.

• Processes information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it.

• Shares the information with people and organisations necessary to carry out the organisation’s activities unless given permission otherwise.

• Keeps the information while the individual is a member or supporter or as long as necessary for member/supporter administration.

Signed:
Name: Brian E  Bastable
Review Date: 15th June 2022
Position: Chairman