Data Protection


DATA PROTECTION POLICY

 The National Allotment Society takes its members' privacy very seriously. 

GDPR
  • The act applies to ‘personal data’, which is information that can identify a living individual.
  • The act applies to personal data that is or is going to be stored on a computer or storage device.
  • Organisations or individuals who collect or hold personal data are referred to as ‘data controllers’.
  • Any other organisations or individuals who use the information on behalf of the data controller are ‘data processors’.
  • A person whose personal data is processed is called a ‘data subject’.
  • Doing virtually anything with data is known as ‘processing’.
 
Any data held or collected by the society must follow the data protection principles. Personal data must be:

  • Used in a fair and lawful way – This is for membership purposes only and not for any other reason.
  • Collected for the correct purpose – The right type of data is collected for the purpose of membership management, and it is adequate, relevant and not excessive for the reason for which it was collected.
  • Accurate and kept up to date – It is essential that the MAIS (Management Administration Information System) database is the most up to date version of the data the Society has; saved or stored lists are not recommended. Should you receive information that differs from that stored on MAIS, it is essential that you update head office.
  • Not kept longer than needed – Data will be stored while in membership, and personal information will be maintained on the database and deleted 2 years after cancellation of membership. Hard copy files are destroyed after six years.
  • Kept with appropriate security measures – Passwords should never be shared. If it is felt necessary to store data, that list must be encrypted with a password.

There are eight data protection principles that are central to the Data Protection Act. The Company and all its employees must comply with these principles at all times in its information-handling practices. In brief, the principles say that personal data must be:
 
1. Processed fairly and lawfully and must not be processed unless certain conditions are met in relation to personal data and additional conditions are met in relation to sensitive personal data. The conditions are either that the employee has given consent to the processing, or the processing is necessary for the various purposes set out in the Act. Sensitive personal data may only be processed with the explicit consent of the employee and consists of information relating to: 

  • race or ethnic origin 
  • political opinions and trade union membership
  • religious or other beliefs
  • physical or mental health or condition
  • sexual life
  • criminal offences both committed and alleged.

2. Obtained only for one or more specified and lawful purposes, and not processed in a manner incompatible with those purposes.

3. Adequate, relevant and not excessive. The Company will review personnel files on an annual basis to ensure they do not contain a backlog of out-of-date information and to check there is a sound business reason requiring information to continue to be held.

4. Accurate and kept up-to-date. If your personal information changes, for example you change address, you must inform your line manager as soon as practicable so that the Company’s records can be updated. The Company cannot be held responsible for any errors unless you have notified the Company of the relevant change.

5. Not kept for longer than is necessary. The Company will keep personnel files for no longer than six years after termination of employment. Different categories of data will be retained for different time periods, depending on legal, operational and financial requirements. Any data which the Company decides it does not need to hold for a period of time will be destroyed after one year. Data relating to unsuccessful job applicants will only be retained for a period of one year.

6. Processed in accordance with the rights of employees under the Act.

7. Secure. Technical and organisational measures will be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, data. Personnel files are confidential and are stored in locked filing cabinets. Only authorised staff have access to these files. Files will not be removed from their normal place of storage without good reason. Data stored on diskettes or other removable media will be kept in locked filing cabinets. Data held on computer will be stored confidentially by means of password protection, encryption or coding, and again only authorised employees have access to that data. The Company has network backup procedures to ensure that data on computer cannot be accidentally lost or destroyed.

8. Not transferred to a country or territory outside the European Economic Area unless that country ensures an adequate level of protection for the processing of personal data.


YOUR RIGHT TO ACCESS TO PERSONAL INFORMATION
You have the right, on request, to receive a copy of the personal information that the Company holds about you, including your personnel file, and to demand that any inaccurate data be corrected or removed. You have the right on request:

  • To be told by the Company whether and for what purpose personal data about you is being processed.
  • To be given a description of the data and the recipients to whom it may be disclosed.
  • To have communicated in an intelligible form the personal data concerned, and any information available as to the source of the data.
  • To be informed of the logic involved in computerised decision-making.

Upon request, the Company will provide you with a statement regarding the personal data held about you. This will state all the types of personal data the Company holds and processes about you and the reasons for which they are processed. If you wish to access a copy of any personal data being held about you, you must make a written request for this and the Company reserves the right to charge you a fee of up to £10. To make a request, please complete a Personal Data Subject Access Request Form, which can be obtained from the Data Protection Officer.

If you wish to make a complaint that these rules are not being followed in respect of personal data the Company holds about you, you should raise the matter with the Data Protection Officer. If the matter is not resolved to your satisfaction, it should be raised as a formal grievance under the Company’s grievance procedure.

