General Data Protection Regulation (GDPR) Policy

Introduction

The EU General Data Protection Regulation (“GDPR”) comes into force across the European Union on 25th May 2018 and brings with it the most significant changes to data protection law in two decades. Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age.

The General Data Protection Regulation supersedes the Data Protection Act 1998. The 21st Century brings with it broader use of technology, new definitions of what constitutes personal data, and a vast increase in cross-border processing. The new Regulation aims to standardise data protection laws and processing across the EU, affording individuals stronger, more consistent rights to access and control their personal information.

Our Commitment

Motivated Minds (‘we’ or ‘us’ or ‘our’) are committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have always had a robust and effective data protection programme in place which complies with existing law and abides by the data protection principles. However, we recognise our obligations in updating and expanding this programme to meet the demands of the GDPR.

Motivated Minds are dedicated to safeguarding the personal information under our remit and to developing a data protection regime that is effective, fit for purpose and demonstrates an understanding of, and appreciation for, the new Regulation. Our preparation and objectives for GDPR compliance have been summarised in this statement and include the development and implementation of new data protection roles, policies, procedures, controls and measures to ensure maximum and ongoing compliance.

Motivated Minds has updated its policies and procedures to reflect the new rights of individuals under GDPR, namely:

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object; and
  • the right not to be subject to automated decision-making including profiling.

Motivated Minds keeps information on its staff, members and users, in order to meet our legal obligations and keep individuals safe when they are participating in our activities. Our reasons for keeping this information are covered by the lawful bases allowed in GDPR, namely:

(a) Consent: The individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: The processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: The processing is necessary to protect someone’s life.

(e) Public task: The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Audit of Data Held

Motivated Minds has conducted an audit of the personal and sensitive data that we hold in the organisation and we will complete a data audit each year.

Designated person responsible for GDPR compliance

The designated person responsible for GDPR compliance at Motivated Minds is Carla Andrews, Managing Director.

Procedures

Data Collection

  • Motivated Minds explains to people whose personal data we store how we intend to use that data through our privacy statement which is clearly accessible on our website / registration forms.
  • Motivated Minds gains active consent from individuals for holding their personal information by:
    • Requiring the person (or their parent/carer for those under the age of 13) to sign to say they consent at the point at which data is collected.
    • Verifying that a person giving consent on behalf of a young person under the age of 13 has the right to do so.
    • Seeking consent on an annual basis from those on mailing lists, and removing people from databases if they do not respond.
    • Keeping records that demonstrate that individuals have given active consent for us to store and use their personal data.
  • Our forms and templates include a standard form of wording to ensure that individuals understand what the purpose of the collection of the data is and what will happen to that data. Importantly, our forms ensure that all individuals give their explicit consent when they supply information regarding medical conditions or are consenting to the use of their data for commercial purposes. Good evidence of explicit consent is a box ticked on a form.
  • For people under the age of 18 we ensure that the child’s parent or carer gives their consent by completing a paper form. We have a similar process for the carers of vulnerable adults who cannot give an agreement themselves.
  • Our privacy statement is written in terms which can be easily understood by our members/users and their families/carers.
  • Our staff and volunteers have been trained to use the personal data we collect only for the purposes that we state we use it for.
  • We store personal information securely, on password-protected devices and/or in locked cabinets in secure premises. Only approved individuals have access to this data.
  • If someone withdraws consent for us to store and use their personal data, we immediately remove their data from our management information systems and shred any paper documents we hold concerning their personal information.
  • We review our data collection and storage systems every 2 years, to ensure that they remain fit for purpose.

Personal and Sensitive Data

Motivated Minds ensures that any confidential information is handled sensitively, stored appropriately and destroyed when no longer used.

  • We ensure that sensitive information, whether on computer file or paper copies, is kept securely with access strictly controlled and limited to persons who need to have access to this information in the course of their work.
  • Sensitive data which could be a risk to individuals if in the public domain (e.g. health records, employment history) is held on fully secured, password-encrypted devices.
  • Confidential information will only be used for the specific purpose for which it was requested and with the person’s full consent (although see below for information relating to welfare).
  • Once the information is no longer needed, confidential information will be destroyed by secure means (e.g. shredding, pulping or burning).

Information relating to the welfare of children, young people or vulnerable adults

Motivated Minds works with children, young people or vulnerable adults with respect to their welfare, and we inform people that:

  • Information will only be forwarded on a ‘need to know’ basis in order to safeguard the child/young person/vulnerable adult.
  • Giving such information to others for the protection of the child/young person/vulnerable adult is not a breach of confidentiality if it follows the agreed processes of local safeguarding authorities.
  • We cannot guarantee total confidentiality where the best interests of the child/young person/vulnerable adult are at risk.
  • Primary carers, children, young people and vulnerable adults have a right to know if a report is being made to the Health Services or police, unless informing them could put the child/young person/vulnerable adult at further risk. If a decision is taken not to inform primary carers of such a report, the reasons for that decision will be recorded.
  • Images of a child/young person under the age of 18, or of a vulnerable adult, will not be used for any reason without the consent of their parent/carer.
  • Images of members over 18 will not be used without their consent. We cannot, however, guarantee that cameras/videos will not be used at public events.

Procedures are in place for recording and storing data in line with our privacy statement.

Information on Employees and Volunteers

Motivated Minds holds information on its employees as required by government departments. We also hold data about our volunteers to enable us to respond to their needs and meet the requirements of our funders (where appropriate). We hold information on employees and volunteers for the duration of their employment/volunteering with us, and for 5 years after they have left our organisation.

Employees and volunteers can ask to see any information that we hold about them. Motivated Minds will respond to such requests in a timely manner, within 30 days of receiving the request.

Dealing with a Data Protection Request

  • Under GDPR, anyone can ask if an organisation holds personal information about them, through a Subject Access Request (SAR). Motivated Minds will respond to their request within 30 days. This includes written records as well as data held on computer systems.
  • The person has the right to know:
    • What information is being used
    • Why it’s being used
    • Where it came from
    • Who can see the information
  • Motivated Minds will send them a hard copy, if possible, such as a letter or print out, unless both parties agree otherwise.
  • Motivated Minds will make sure the recipient can understand the information, i.e. explain what any codes mean.
  • Motivated Minds follows the advice of the Information Commissioner on what type of personal data must be disclosed if an organisation receives a subject access request. When deciding whether to disclose personal data, the key test is that data should be disclosed if:
    • A living individual can be identified from the data.
    • The data relates to the identifiable living individual, whether in personal or family life, business or profession.
    • That data is obviously about a particular individual.
    • The data linked to the individual provides particular information about that individual.
    • The data is used to inform or influence actions or decisions affecting an identifiable individual.
    • The data has biographical significance in relation to the individual.
    • The data focuses or concentrates on the individual as its central theme rather than some other person.
    • The data impacts or has the potential to impact on an individual, whether in a personal, family, business or professional capacity.
  • Particular care will be taken when disclosing information if a third party can be identified from the data. Special provisions apply in such circumstances.

Transferring Information to Third Parties

We carry out strict due diligence checks with all recipients of personal data to assess and verify that they have appropriate safeguards in place to protect the information, ensure enforceable data subject rights and have effective legal remedies for data subjects where applicable.

Motivated Minds only shares information on our customers and users with third parties when a suitable contract is in place with any ‘data processors’ processing personal data on behalf of the organisation. This includes funders and sport governing bodies.

Motivated Minds does not transfer data to third parties unless we have authorisation (usually that the individual has given consent, or the recipient is an authorised ‘data processor’).

Motivated Minds does not put personal data on the Internet without the individual’s consent.

Significant Data Breach

In the event of a significant data breach, such as lost or misplaced personal files, computers or memory sticks holding such information, we will inform the relevant authorities and the individuals involved within 72 hours. Authorities will be given full details of the breach and the actions to be taken to mitigate the impact.

Training

Our staff/volunteers will attend training on their induction to ensure compliance.

Date of last data audit: 28 May 2018

Date of next data audit: 28 May 2019

Signed: Managing Director - C Andrews

Date: 28 May 2018