New data protection regulations (GDPR) came into force in May 2018 and affect all organisations that hold ‘Personal Data’.
What constitutes personal data?
Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
The new regulations are designed to improve matters relating to consent to use, rights to view, and security of Personal Data.
The Lyme Regis Sea School Trust (LRSS) is a Data Controller under these regulations and we have to comply with the requirements of these regulations when they come into force in May 2018.
What data does LRSS hold?
LRSS holds the following ‘Personal Data’ for each member:
- Full name
- Postal address
- Telephone number (landline, mobile or both)
- Email address
- Date of birth
- Health and disability information.
LRSS acquires and holds members’ personal data for the following purposes:
- Electronic communication with members via e-mail.
- Within the booking system for administration and notification of member duties.
- To assist with internal administration of Sea School courses.
- Telephone & text communication with Sea School members.
- To facilitate internal volunteer and trustee communications where appropriate.
LRSS holds this data in a secure manner with appropriate encryption to minimise the risk of theft, loss or wider dispersal. ‘Bookings’ maintains a master list which includes all information relating to LRSS students and the Principal holds a master list including personal information relating to all of the working volunteers.
As a requirement of GDPR, LRSS will undertake a regular audit to ensure Personal Data is only held for as long as required for purposes (1) – (6) above and all copies of old membership lists – electronic or hard copy – held by the Trust are deleted or destroyed as appropriate.
LRSS does not control any Personal Data on social media such as Facebook. Therefore a member’s use of the LRSS Facebook page/group is subject to Facebook terms and conditions and is entirely at the member’s own choice and discretion.
If you ask us to, verbally, by text or via written instruction, we may pass your details on to the Lyme Regis Sailing Club. This is only to facilitate further learning or enjoyment in the sport of sailing and is not of financial benefit to The Lyme Regis Sea School Trust.
GDPR also introduces the following rights:
Right to Access
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in Article 17, include the data no longer being relevant to original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests.
GDPR introduces data portability: the right for a data subject to receive the personal data concerning them, which they have previously provided, in a ‘commonly used and machine readable format’, and to transmit that data to another controller.
LRSS Ltd requires the positive confirmation of each individual member that we can continue to hold and process their Personal Data for the purposes outlined above. For members under the age of 18 parental consent is required.
If we do not have your consent, we will not be able to communicate with you via the usual methods.