Our Data Protection Officer (DPO) contact details
Name: Ron Spurs
Purpose of the policy and background to the General Data Protection Regulation
This policy explains GDPR to volunteers and the public. Personal data must be processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purposes; be adequate, relevant and limited to what is necessary for processing; be accurate and kept up to date; be kept only for as long as is necessary for processing and be processed in a manner that ensures its security. This policy updates any previous data protection policy and procedures to include the additional requirements of GDPR which apply in the UK from May 2018. The Government have confirmed that despite the UK leaving the EU, GDPR will still be a legal requirement.
This policy explains the duties and responsibilities of the Witney Carnival Committee (henceforth known as the committee) and it identifies the means by which the committee will meet its obligations.
Identifying the roles and minimising risk
GDPR requires that everyone within the committee must understand the implications of GDPR and that roles and duties must be assigned. The committee chairman is the data controller and the Data Protection Officer (DPO).
It is the DPO’s duty to undertake an information audit and to manage the information collected by the committee, the issuing of privacy statements, dealing with requests and complaints raised and also the safe disposal of information.
A breach of the regulations could result in the committee facing a fine from the Information Commissioner’s Office (ICO) for the breach itself and also having to compensate the individual(s) who could be adversely affected. Therefore, the handling of information is seen as high/medium risk to the committee (both financially and reputationally) and one which must be included in the Risk Management Policy of the committee.
Such risk can be minimised by undertaking an information audit, issuing privacy statements, maintaining privacy impact assessments (an audit of potential data protection risks with new projects), minimising who holds data protected information,
One of the duties assigned to the DPO is the investigation of any breaches. Personal data breaches should be reported to the DPO for investigation. The DPO will conduct this with the support of the committee. Investigations must be undertaken within one month of the report of a breach. Procedures are in place to detect, report and investigate a personal data breach. The ICO will be advised of a breach (within 3 days) where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the DPO will also have to notify those concerned directly.
It is unacceptable for volunteers to use IT in any way that may cause problems for the committee. For example, the discussion of internal committee matters on social media sites could result in reputational damage for the committee and to individuals.
Being transparent and providing accessible information to individuals about how the Committee uses personal data is a key element of the Data Protection Act 1998 (DPA) and the EU General Data Protection Regulation (GDPR). The most common way to provide this information is in a privacy notice. This is a notice to inform individuals about what the Committee does with their personal information. A privacy notice will contain the name and contact details of the data controller and Data Protection Officer, the purpose for which the information is to be used and the length of time for its use. It should be written clearly and should advise the individual that they can, at any time, withdraw their agreement for the use of this information.
Issuing of a privacy notice must be detailed on the Information Audit kept by the committee. The committee will adopt a privacy notice to use, although some changes could be needed depending on the situation, for example where children are involved. All privacy notices must be verifiable.
The DPO must undertake an information audit that details the personal data held, where it came from, the purpose for holding that information and with whom the committee will share that information. This will include information held electronically or as a hard copy. Information held could change from year to year with different activities, and so the information audit will be reviewed at least annually or when the committee undertakes a new activity. The information audit review should be conducted ahead of the review of this policy and the reviews should be minuted.
There is special protection for the personal data of a child. The age when a child can give their own consent is 13. If the committee requires consent from young people under 13, the committee must obtain a parent or guardian’s consent in order to process the personal data lawfully. Consent forms for children aged 13 and over must be written in language that they will understand.
This policy document is written with current information and advice. It will be reviewed at least annually or when further advice is issued by the ICO. All volunteers are expected to comply with this policy at all times to protect privacy and confidentiality.
The type of personal information we collect
We currently collect and process the following information:
- Using our webform, we only collect the following personal data: Full Name and Email Address.
- If booking a stall, joining the procession or offering to sponsor us, we will also collect phone numbers, physical addresses and insurance details.
How we get the personal information and why we have it
We collect data either when you complete our contact webform on this website, or when you email the committee directly.
Most of the personal information we process is provided to us directly by you and we will only use your name and email address to contact you regarding your enquiry or request. We do not operate any newsletters or email lists.
Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:
- Your consent. You are able to remove your consent at any time. You can do this by contacting our Chairman named at the top of this page at email@example.com.
- We have a legal obligation.
- We need it to perform a public task.
How we store your personal information
Your data is stored on secure servers by Eco Hosting and no data is shared with anyone outside the carnival committee.
Your data protection rights
Under data protection law, you have rights including:
- Your right of access – You have the right to ask us for copies of your personal information.
- Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
- Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
- Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.
- Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please contact us at firstname.lastname@example.org if you wish to make a request.
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at email@example.com.
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office