GDPR is the EU General Data Protection Regulation. It replaces the old UK Data Protection Act, applies across the EU and is also being implemented as UK law. It covers personal data in electronic form and as hard copy. Those who control data need to set out much more detail on what/why/how etc. Data subjects’ (people’s) rights are clearer and much more information must be provided. Implementation date 25 May 2018.
There are six GDPR principles relating to the processing of personal data, i.e. that it should be:
- processed lawfully, fairly and in a transparent manner
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary
- accurate and, where necessary, kept up to date
- retained only for as long as necessary
- processed in an appropriate manner to maintain security.
What do you as a Group HAVE to do?
- Be AWARE that action and change may be necessary – same old, same old will not do
- KNOW what personal information the Group holds, where it came from, and who has access to it. You may wish to appoint a single person to look after that task
- RECORDS: keep a record of what data you hold and what the reason is for having it
- DELETE OLD DATA e.g. the addresses of Scouts who left the Group five years ago
- CHECK YOUR SECURITY – password protection, encryption for information in the cloud. Ask yourself, do you need paper copies or memory sticks?
- UNDERSTAND the rights of people whose information you hold – see below
- ASK FOR CONSENT before collecting data
- HAVE A PLAN ready if someone comes up with some difficult questions
The rights of individuals under GDPR: We all have:
- The right to be informed about what data you are collecting, how you will use it and how long you will store it for
- The right to access any personal data you hold, and relevant supplementary information, so that they can verify whether or not it is lawful
- The right to rectification – making sure that the data you hold is accurate and as complete as necessary for the purposes you hold it
- The right to erasure – people can ask us to erase any personal data that is held about them. This is not an absolute right, applying only in certain circumstances.
- The right to restrict processing – people can permit you to store their data but ask you not to use it further (e.g. for a mailing list)
- The right to data portability – people can request any data that they have provided, for their own purposes across different services
- The right to object – people can object to processing of their personal data and you must comply unless there are compelling legitimate grounds to the contrary.
In the real world, holding addresses and phone numbers of parents is unlikely to be a problem so long as this data is properly looked after, not shared or passed on, and deleted after use.
Brief DO’s and DON’Ts
- DO ensure your data is password protected, restricted and carefully controlled
- DO ensure you know what data is being held
- DO use OSM
- DON’T PANIC – it’s not the end of the world. There are people out there making more of GDPR than is necessary.
- DON’T allow contact details to fall into the wrong hands
- DON’T use pieces of paper, notebooks or unprotected spreadsheets for storing parental data
- DON’T send email to parents using “To:” or “Cc:” – always use Blind copies