Last Updated 18.02.2019
The Friends – means The Friends of Putney School of Art and Design, registered charity number 1131144
GDPR – means General Data Protection Regulation
Responsible person – means the Friends Membership Secretary
Register of Systems – means a register of all systems or contexts in which personal data is processed by the Friends
1. Data Protection Principles
The Friends is committed to processing data in accordance with its responsibilities under the legal and regulatory requirements, including the GDPR. This policy explains the Friends’ requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal.
Article 5 of the GDPR requires that personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to individuals;
b. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
2. General Provisions
2.1 This policy applies to all personal data processed by the Friends, that is, any information identifying a living individual or information relating to a living individual that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed (this is the principle of storage limitation).
2.2 The Responsible Person shall take responsibility for the Friends’ ongoing compliance with this policy.
2.3 All trustees and volunteers must comply with this policy. Failure to do so may subject the Friends to fines and penalties, adverse publicity, difficulties in providing evidence when the Friends needs it and in continuing its work. It is the responsibility of everyone to understand and comply with this policy.
2.4 This policy shall be periodically reviewed, at least annually, and updated as required.
2.5 The Friends shall register with the Information Commissioner’s Office as an organisation that processes personal data.
3. Lawful, Fair and Transparent Processing
3.1 To ensure the processing of data is lawful, fair and transparent, the Friends shall maintain a Register of Systems.
3.2 The Register of Systems shall be reviewed at least annually.
3.3 Individuals have the right to access their personal data and any such requests made to the Friends shall be dealt with in a timely manner.
4. Lawful Purposes
4.1 All data processed by the Friends must be processed on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information).
4.2 The Friends shall note the appropriate lawful basis in the Register of Systems.
4.3 Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
4.4 Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the Friends’ systems.
5. Data Minimisation
5.1 The Friends shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
5.2 The Friends generally deletes personal data six years after consent was given for it to be held. The following exceptions apply:
a) Volunteers. Data will be held for volunteers for six years following their last day of service.
b) Friends Members. Data will be held for one year following cessation of membership.
c) Where bequests or donations have been made by individuals who wish to be named on such bequests or donations.
e) Where a valid business reason, or notice to preserve documents for litigation, or other special situation calls for its continued retention by the Friends.
6.1 The Friends shall take reasonable steps to ensure personal data is accurate.
6.2 Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
7. Data Retention
7.1 To ensure personal data is kept for no longer than necessary, the Friends shall review its Register of Systems annually.
7.2 The Friends will rationalise the data it holds annually and destroy any data older than six years which it holds (unless specified at clause 5.2 above).
8.1 The Friends shall ensure that personal data is stored securely using modern software that is kept up to date or that hard copies are kept in a secure location in a locked and alarmed building.
8.2 Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
8.3 When personal data is deleted this should be done safely such that the data is irrecoverable.
8.4 Appropriate back up and disaster recovery solutions shall be in place.
In the event of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Friends shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO (more information on the ICO website).
Register of Systems – Last Updated 18.02.2019
DATA CONTROLLER CONTACT DETAILS
Mark Hayman, Membership Secretary, Friends of PSAD, Putney School of Art and Design, Oxford Road, London, SW15 2LQ. email@example.com
OVERVIEW OF DATA
What data do we collect?
Names, email addresses, addresses, telephone numbers, bank details for direct debits (not stored).
Where do we store the data?
Hard copy application forms – stored securely at the Treasurer’s home and digital membership database held encrypted on personal computers of Treasurer and Membership Secretary.
Membership database backed up on Apple iCloud.
How do we protect and document the data we have?
Password protected digital documents with access limited to the following Friends Trustees – Chair, Treasurer, Secretary, Newsletter and Social Media Editor and Membership Secretary. Hard copy paper records are kept in a secure room in the Treasurer’s home.
How long do we keep the data for?
Six years, in line with our data protection policy.
Do we have a function/reason for every piece of data we collect?
Name: customer service, volunteers, archival purposes.
Telephone: contact, emergency contact
Email: contact, mail shots FPSAD & PSAD marketing only, subscription renewals
Address: contact, hard copy newsletter, FPSAD and PSAD marketing only, subscription renewals.
What is the process if somebody asks to be removed from our records?
The Treasurer and Membership Secretary check the digital database and hard copy records and delete the relevant data.
Data System and Review of Data Process Detail – Friends Database
Type of data: Friends’ Database
Description of data: Name, email address, telephone information, direct debit information (not stored)
Date of consent to hold data: Renewed annually
Where the data is stored: Digital spreadsheet. Hard copy membership forms including gift aid details.
Source of the data: Given directly to the Friends for the purpose of joining the Friends’ scheme.
Purpose of the data: To send information about the Friends’ news, events, exhibitions and activities.
How the data is protected in its storage: Digital records are kept on the Treasurer and Membership Secretary’s personal computers. Data is password protected and encrypted and backed up to Apple iCloud. The passwords are known only to Trustees including the Chair, Treasurer, Secretary, Newsletter and Social Media Editor, and Membership Secretary. Paper records are kept in a secure room in the Treasurer’s home.
Usage restrictions: Data is used only by the Friends for the purposes of contacting Friends with the aforementioned information which they have requested to receive. Data is never shared with third parties. Friends are notified that their name and email address will be used in this way and are able to opt out and have their information removed at any time.
Usage rights: Permission given by individuals when they join the Friends
Usage frequency: Three newsletters are sent out, one each term. Renewals are annual. Workshop, lecture, social and exhibition/fair information is sent out each term.
Retention period: Six years
Lawful basis for processing: Consent
Comments:
Data System and Review of Data Process Detail – Student/Class Representatives
Type of data: Student/Class Representatives Database
Description of data: Name and email address
Date of consent to hold data: Renewed annually
Where the data is stored: Digital spreadsheet
Source of the data: Given to the Friends via PSAD class tutors
Purpose of the data: To send information about the Friends’ news, events, exhibitions and activities.
How the data is protected in its storage: Digital records are kept on the Membership Secretary’s personal computer. Data is password protected and encrypted and backed up to
Usage restrictions: Data is used only by the Friends for the purposes of contacting Student/Class Representatives with the aforementioned information which they have requested to receive. Data is never shared with third parties. Student/Class Representatives are notified that their name and email address will be used in this way and are able to opt out and have their information removed at any time.
Usage rights: Permission given by individuals when they agree to be Student/Class Representative.
Usage frequency: Emails are sent out each term detailing Friends/School activities.
Retention period: Six years
Lawful basis for processing: Consent