Register of SystemsA register of all systems or contexts in which personal data is processed by the RWC.
1. Data protection principles
The RWC is committed to processing data in accordance with its responsibilities under the GDPR.
Article 5 of the GDPR requires that personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to individuals;
b. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
c. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
d. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
e. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
2. General provisions
a. This policy applies to all personal data processed by the RWC.
b. The Responsible Person shall take responsibility for the RWC’s ongoing compliance with this policy.
c. This policy shall be reviewed at least annually.
3. Lawful, fair and transparent processing
a. To ensure its processing of data is lawful, fair and transparent, the RWC shall maintain a Register of Systems.
b. The Register of Systems shall be reviewed at least annually.
c. Individuals have the right to access their personal data and any such requests made to the RWC shall be dealt with in a timely manner.
4. Lawful purposes
a. All data processed by the RWC must be done on one of the following lawful bases: consent, contract, legal obligation, or legitimate interests. The RWC shall note the appropriate lawful basis in the Register of Systems.
b. Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
c. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems shall be in place to ensure such revocation is reflected accurately in the RWC’s systems.
5. Data minimisation
a. The RWC shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
a. The RWC shall take reasonable steps to ensure personal data is accurate.
b. Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
7. Archiving /removal
a. To ensure that personal data is kept for no longer than necessary, the RWC shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
b. The archiving policy shall consider what data should/must be retained, for how long, and why.
a. The RWC shall ensure that personal data is stored securely either using GDPR compliant software that is kept-up-to-date or, if paper-based, under lock and key.
b. Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
c. When personal data is deleted this shall be done safely such that the data is irrecoverable.
d. Appropriate back-up and disaster recovery solutions shall be in place.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the RWC shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the Information Commissioner’s Office (ICO) and the individuals affected.
END OF POLICY
Rottingdean Whiteway Centre (RWC)
Register of Systems
1. Those enrolling on courses are required to complete and submit an enrolment form giving name, address, telephone number(s) and email address. This can be on paper or by completing an on line enrolment form. This information goes to the Education Officer – Enrolments, who enters it into a database. Class registers giving names, phone numbers and email addresses are produced for the tutor which is sent to them so that they can contact the students if necessary. A different version with just the student’s name is produced for the use of the tutor in class. Personal information given when students enrol is only used to manage their enrolment – it is not used for marketing or fundraising, and it is not shared with third parties. Enrolment details will be retained for 2 years and then destroyed. Lawful basis: legitimate interests.
2. Once a year, students are asked to complete a questionnaire in which they are invited to give their email address if they would like to receive updates about RWC events. Their name, if given, and email address is then added to a mailing list which is maintained by the Course Organiser in the Cloud at Yahoo. All those on the list receive a bi-monthly newsletter with details of courses and upcoming events at RWC. The newsletter includes the opportunity to unsubscribe. Questionnaires giving email addresses will be retained for two years and then destroyed. Lawful basis: Legitimate interests.
3. The Course Organiser produces a contact list of tutors each term, with names, addresses, phone numbers and email addresses. The list is provided to the member of the Management Committee with responsibility for tutors’ pay and to the caretakers, who keep their copy in the always-locked Boiler Room. Lawful basis: legitimate interests.
4. Tutors are asked to submit a CV before they are employed. This is retained by the Course Organiser as a hard copy. Lawful basis: legitimate interests.
5. Those hiring rooms at the RWC are required to give their name, address, telephone number and email address. They sign a hire contract: Lawful basis: legitimate interests: Contract
6. Paid employees are required to submit personal details including NI number and bank account details for pay and tax purposes. These details will be retained for seven years after the end of their employment by RWC. Lawful basis: legitimate interests.
7. Trustees are required to complete anapplication form giving personal details, name, address, telephone number and email address and references are taken up. Lawful basis: legitimate interests.