The General Data Protection Regulations (GDPR) came into force on 25 May 2018 and most processing of personal data by organisations will have to comply with the GDPR. Here are details on how the BEFT Centre is complying.
Complying with the GDPR includes giving you clear and detailed information about the data we keep about you, how we use this data, and your rights.
If you have any questions about this please contact the BEFT Centre Coordinator,
Sandra Taylor: firstname.lastname@example.org you can also find more information about GDPR here: https://ico.org.uk/
Personal data includes information such as: name, address, photos, email addresses, bank details, posts on social networking sites. Personal data is: ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.
Processing personal data is: obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data.
Data subject: The person whom the personal data is about.
Data Controller: A controller determines the purposes and means of processing personal data.
Data Processor: A processor is responsible for processing personal data on behalf of a controller.
Lawful Basis: There are 6 lawful bases for keeping and processing personal data and the one that applies to the BEFT Community is ‘Legitimate interests’: ‘Legitimate interests is most likely to be an appropriate basis where you use data in ways that people would reasonably expect and that have a minimal privacy impact.’
What data do we have about you?
The data we have about you will come from some, or all, of the following.
The information that we have from you will include personal data such as: name, address, email address, emails, phone number. We may also have video and photos of you, particularly if you have attended a conference and given permission for us to take and use these.
Who is working with your data and why?
Sandra Taylor, Coordinator, is the Data Controller. She will make decisions about how data is used, in liaison with the other members of the Decision Making Team (DMT) and the wider volunteer team.
Sandra will also retain the signed GDPR Agreements, that all of our Data Processors must agree to comply with before being provided with any personal data.
The ‘data processors’ are members of the team that need to make use of some of your data, where you have given permission, to fulfil their role e.g. sending out updates, confirming membership, putting information on the directory, putting you in touch with other members living close to you. This includes the Coordinator, Events team, Membership team, Website team and Groups team.
How are we working with your data?
We use your data so that we can process your applications for membership, change of membership category, entry on the directory and any changes to this, application for the annual conference, to put you in touch with others living near you, and to keep in contact with you about relevant information. You have the right to limit this information as much as you want to, though some personal data is needed to carry out each task.
We keep your data for as long as it is needed and then delete it, there is no fixed time frame for this.
The data that we hold is for the specific use of the BEFT Centre and the only circumstance where we would disclose it to a third party is if there was a legal requirement, e.g. terrorism, drug money laundering; or via court order for disclosure. Of course the therapist directory is a bit different as it is available to anyone.
We meet the criteria for legitimate lawful basis as we are only using your data in ways you would expect us to and we have little data about you that would have an impact re. your privacy.
There will be periodic audits by the Coordinator with all Data Processors of their working in accordance with the BEFT Centre GDPR Agreement. Any breaches will be dealt with in a professional way in accordance with current procedure – if you want to know more about this please contact the Coordinator.
Where do we keep your information?
Some information is kept on the cloud e.g. google forms; and the rest may be kept on password protected personal computers/laptop/tablet, encrypted/password protected memory sticks and external drives. There are occasions when some information will be printed out e.g. signing in sheet for conference, and information will sometimes be shared with other members where there is explicit consent e.g. attendees at conference and with others living local to you.
Members of the volunteer team have access to this information for their specific roles e.g. Membership, Events, Website. These people have all signed agreements on appropriate use of this data before they have been given access to it.
All information – in print form, in emails and as attachments, – will be destroyed / deleted when it is no longer needed. This will be periodically audited by the Coordinator of the BEFT Centre.
As a not-for-profit organisation the BEFT Centre does not have to pay a fee to the ICO but must still comply with the GDPR.
Your rights under data protection law are: