Data Protection Policy

BRLSI Data Protection Policy v.02 (2018)

Bath Royal Literary and Scientific Institution (BRLSI) is committed to ensuring that all personal and sensitive organisational information, however received, is treated as confidential. The procedures the BRLSI adopts are fully compliant with the Data Protection Act and guidance from the Information Commissioners Office.

Policy statement:

This policy applies to all staff, including Directors, employees and volunteers. All must comply with this policy during, and at all times after, their period of involvement, employment or volunteering with the Institution.

BRLSI treats all personal and sensitive organisational information, however received, as confidential with regard to the terms of the Data Protection Act 1998 and the Human Rights Act 1998.

This includes:
a) Anything of a personal nature that is not a matter of public record about a member, member of staff, volunteer, trustee or donor (individual and organisation)
b) Sensitive organisational information

BRLSI will comply with the law in obtaining, processing and using personal information and in the protection and disclosure of that information, as defined in the Data Protection Act 1998.

The nine Data Protection Principles from the Data Protection Act 1998 (as amended from May 2018) are that data is:
1. processed fairly and lawfully
2. obtained and processed for one or more specific and stated purpose(s)
3. adequate, relevant and not excessive
4. accurate and up to date
5. held for no longer than necessary
6. processed in accordance with the rights of the data subjects
7. kept secure from unauthorised processing or disclosure
8. the right to be “forgotten”
9. not transferred outside the European Economic Area unless the same safeguards apply

Data Protection Policy:

1. At BRLSI, personal data is only collected when it is needed for a specific and legal reason, for instance to keep a record of paid up members of BRLSI, their membership numbers, forenames and surnames, their home and/or email addresses and their joining and renewal dates.
1.1. The BRLSI Board is, for the purposes of the current legislation, the Data Controller. BRLSI has appointed a Data Manager / Data Protection Officer (currently Rob Randall).  The only people allowed to collect and process personal data act under the Data Manager’s direction; these Approved Persons have to be formally approved by BRLSI Management Committee and the Board, and are subject to annual review.
1.2. A list of Approved Persons will be drawn up and signed off by Chair of Management Committee (MC); this list would normally include BRLSI paid office staff, the Election Manager, the Chair of Membership Committee, Newsletter Editor and any ad hoc persons who are asked by Management Committee to generate distribution lists for post and/or e-mail communication.
1.3. The Approved Persons will receive recorded Data Protection Act training.
1.4. Access to Member information on the website is restricted to a few named individuals who must also be Approved Persons.
1.5. Access to the Members Database on the BRLSI server is restricted to BRLSI office staff, the Database Controller, the Election Manager, the Chair of Membership Committee, Newsletter Editor and any ad hoc persons who are asked by Management Committee to generate distribution lists for post and/or e-mail communication.  Downloads of the database in whole or in part are subject to prior approval from the Data Manager and must be recorded.

2. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. For instance, BRLSI Membership details should include Fore and Surnames, email address, home address, date of receipt of Membership payment and renewal date.

3. Personal data shall not be further processed in any manner incompatible with that purpose or those purposes. No Membership data will be shared with bodies outside BRLSI.

4. BRLSI will ensure that data is kept secure and private from unauthorised eyes, taking appropriate technical and organisational measures against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data.

5. Personal data shall be accurate and, where necessary, kept up to date.  Depending upon its nature it will be subject to routine destruction after a prescribed period of time as indicated below.

6. Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.

7. BRLSI has established retention periods in place which allow that personal data will be kept as long as necessary; these periods are listed below:
7.1. Valid Memberships shall be retained whilst the Membership remains valid  (up to 6 months after subscription payment is due).
7.2. Expired Memberships until one year after the Membership has expired, a maximum of 2 years overall.
7.3. Employed staff during their employment and for a period of 3 years after staff have left BRLSI employment, for reference purposes.
7.4. Volunteers during their work for BRLSI and for 3 years afterwards, for reference purposes.
7.5. Directors during their term of office, and for 3 years afterwards, for reference purposes.
7.6. Information gathered in relation to courses for a maximum period of 2 years.
7.7. CCTV recordings are wiped and reused after variable periods of time.

At the end of these periods, those responsible for staff, members, volunteers and trustees will, as appropriate delete the personal information data from all the relevant databases.

8. Any paper records with names, addresses and other personal information will be destroyed after use (e.g. Young BRLSI Consent Forms will normally be destroyed within six months after the event for which they were created).

9. No copies of the Members database, either its original or organised form must be retained by Approved Persons on their personal computing devices for longer than is necessary to undertake agreed processing; any files held for a short period must be password protected.

10. BRLSI will comply with the Data Protection Act 1998 and any amending legislation in responding to subject access requests for personal data. Requests from individuals for a copy of their data held by BRLSI will normally be met within 10 working days of of the request. Any subsequent request for amendment or erasure will be met within further 10 working days of notification.

11. BRLSI shall ensure its staff are adequately trained and the training recorded. New employees will receive Data Protection training to explain how they should store and handle personal information. Refresher training will be provided at regular intervals for existing staff.

12. Those BRLSI Approved Persons will use strong passwords. All passwords will contain upper and lower case letters, a number and ideally a symbol. This will help to keep the information secure and follows established good practice.

13. Similarly BRLSI Approved Persons should ensure that all portable devices carrying such personal data are encrypted.  All portable devices – such as memory sticks and laptops – used to store personal information are to be encrypted and password protected.