Data Protection
Data Protection Acts 1998 and 2018 (including EU General Data Protection Regulations 2016/679)
~ Policy: Aims, Coverage and Designated Responsibilities
This policy is to provide compliance with the Data Protection Acts 1998 and 2018 (including EU General Data Protection Regulations 2016/679) It will also provide details on how personal data will be processed, how it is accessed and used, the length of records retention and the decision making process for transferring records to the Aviation Heritage Foundation (AHF) archive.
The AHF is responsible for maintaining compliance with the Policy regardless of role or location. Contractors who process or hold personal data on behalf of the AHF will also have to comply with this Policy.
Managing Director/Chairman of the Board of Trustees:
Within AHF the Managing Director/Chairman of the Board of Trustees (referred to as MD/Chair.BoT) holds the responsibilities for the roles of:
Data Controller and Senior Information Risk Owner:
These roles include Data Protection Management, Records Management (Archiving) and Data Processing.
Legal Justification for Processing and Retaining Personal Data
Consent
-
Volunteers of the AHF actively consent to their personal data being processed on joining.
Contract
-
The AHF will process personal data with regard to contracts and other legal agreements as required in pursuant of our charitable objectives.
Legal Obligation
-
As a charity the AHF has to comply with the Charities Act 2011 which requires it to account for the sources of income and destination of expenditure, thus the processing of personal data complies with this requirement.
Legitimate Interests
-
The AHF will process and retain personal data in accordance with its objectives: (a) To advance the education of the public and conduct research into matters relating to aviation history including the Supermarine Spitfire (and its variants) and also its designer, R J Mitchell, and to publish the useful results of such research. In furtherance of the above the AHF will have the following powers: (i) To collect and disseminate information in all matters affecting such research, and (ii) To hold or arrange for the holding of exhibitions, meetings, lectures, classes, seminars or training courses.
Processing of Data
Volunteers
-
Data processing consists of Volunteers sending their personal data via the AHF website, email or through the post to the MD/Chair.BoT. Personal data via the website will be retained within the content management system and, if applicable, the AHF PayPal account. All application forms are kept in hard copy by the MD/Chair.BoT and details entered into a spreadsheet saved within the AHF IT system.
Contract
-
The MD/Chair.BoT, will process and retain contracts and other legal agreements between the AHF and third parties. Where possible electronic copies will be kept within the AHF IT system.
Legal Obligation
-
Donations and merchandise payments received are all processed electronically and are kept in the AHF PayPal account, cash flows spreadsheet and copies of relevant records are kept within the AHF IT system. Expenditure is the same as donations apart from where cheques are issued, and these are held by the MD/Chair.BoT.
Automated Decision Making
-
The AHF employs no automated decision making with regards to the processing or retention of personal data.
Retention of Records
Volunteer Application forms
-
Volunteer application forms and associated personal data will be reviewed for retention two years after the person leaves. Decisions for further retention will be based primarily on historical interest, secondary consideration will be governed by legal or governance issues.
Contract, Legal Agreement & Financial Records
-
The AHF is legally required to retain records for a minimum of six financial years after the financial year they relate to.
Archive Records
-
Permanent retention of records selected for the Archive. This is justified by AHF’s legitimate interests in processing this data and its charitable objectives.
Legal Rights of Data Subjects
Subject Access Requests
-
A Data Subject has the right to make a Subject Access Request in writing to the AHF with regard to records held by the AHF. The AHF will require two means of identity, one of which must be photographic, and one other. The AHF is required to respond within thirty days of the request. The AHF reserves the right to redact information concerning third party information and to reject requests that would be cost excessive. The AHF will not charge for materials or time involved in responding to Subject Access Requests.
Amendment or Erasure
-
Requests for amendment of data will normally be carried out within 30 days of receiving a written request. Requests for erasure will be reviewed on a case by case basis. Record erasure may not take place however a note may placed within it to reflect any objection(s) received.
Data Protection Act Complaints
Process
-
In the first instance the MD/Chair.BoT should be contacted and the complaint will be reviewed and responded to within 30 days.
-
If the AHF appears to fail to address a complaint satisfactorily then the Information Commission’s Office may be contacted to investigate. Their contact number is: 0303 123 1113
Privacy Impact Assessments
The AHF will undertake a privacy impact assessment before making any changes to the processing, use or disclosure of personal data within the AHF or to third parties.
Disclosure of Personal Data
Subject Access Requests by Authorised Bodies
-
The AHF may receive requests for the disclosure of personal data from the Police or other authorised bodies. The requests will be reviewed on a case by case.
-
Contact details for Volunteers may be made available to other AHF Volunteers for the purposes of AHF administration. This will be undertaken using the minimum of personal data and only using AHF email addresses for sending and receiving. No personal data will leave the UK or the European Union Area.
Sale or transfer of personal data to third parties for commercial purposes
-
The AHF will not disclose personal data to third parties unconnected with the administration of the AHF.
Breaches of the Data Protection Act
Definition
-
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data. A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.
Actions to be Taken
-
On becoming aware of a personal data breach the MD/Chair.BoT should be informed as soon as possible.
-
The MD/Chair.BoT will conduct an investigation and determine if the Information Commissioner’s Office (ICO) needs to be informed within 72 hours of being made aware of a breach.
-
The requirements to notify the ICO will depend if the breach involves the following circumstances:
~ “A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
-
The MD/Chair.BoT will need to undertake actions to mitigate as far as possible the effects on the individuals concerned. The MD/Chair.BoT is also required to inform the individuals concerned of the incident and the actions taken to remedy the matter.
-
Even if the breach doesn’t require ICO notification, the MD/Chair.BoT will need to document the incident and provide justification for not reporting the breach.
Communications by AHF representatives
-
The AHF email account should be used to communicate with Volunteers and those externally. The emails form part of the records created by the AHF and belong to it in order to provide legal and historical evidence of actions taken and decisions made. Emails sent and received are included within the scope of Subject Access Requests. Therefore it will be easier to process these requests and not infringe on any personal business if emails have to be disclosed from private email accounts. By using the AHF account a professional approach to others is presented. When sending emails to a large number of recipients the Blind carbon copy (Bcc) option is to be used for the email addresses so they are not to disclosed to others.
Record Keeping
Financial
-
The AHF is required to submit bank statements, invoices/receipts and a spreadsheet detailing how income was obtained and how money was expended during its’ Financial Year (Jan-Dec) to the AHF accountants so that an annual report and set of accounts accounts may be produced. Approval at the AGM and submission to the Charity Commission is then required. The AHF is legally required to retain records for a minimum of six financial years after the financial year they relate to.
Administration
-
It is important to retain administration records as both legal evidence of governance and for potential future retention within the AHF Archive. A full list of records and their retention periods are noted in Appendix A.
Disposal of Records
-
Records containing personal information which are selected for disposal will be disposed of in a confidential manner. The methods may include shredding for paper/compact discs, destruction of digital drives or through a confidential waste company. The MD/Chair.BoT will provide advice on this subject. A record will be kept of disposals together with dates of destruction and justification.
Appendix A: Retention Schedule
Types of Records:
1) Agendas & Minutes of Executive Meetings:
~ Retention Period: 10 years.
~ Retention Action: Transfer to the AHF Archive.
2) Contracts & Legal Agreements & Records.
~ Retention Period: 10 years.
~ Retention Action: Transfer to the AHF Archive.
3) Financial Records including bank statements, invoices & receipts.
~ Retention Period: Minimum of six financial years after the financial year they relate.
~ Retention Action: Destroy confidentially.
4) Complaints.
~ Retention Period: 10 years.
~ Retention Action: Review & retain if litigation may occur or relates to child
safeguarding issues.
5) Volunteer Records.
~ Retention Period: 2 years after the Volunteer leaves the AHF.
~ Retention Action: Review & retain if continuing legal or historical interest exists.
Otherwise the records should be destroyed in a confidential manner.
6) Disposal Register.
~ Retention Period: Permanent.
~ Retention Action: Transfer to the AHF Archive.
7) Publications & Newsletters.
~ Retention Period: Permanent.
~ Retention Action: Transfer to the AHF Archive.
8) Photographs & Film footage.
~ Retention Period: Permanent.
~ Retention Action: Transfer to the AHF Archive.
9) Websites & Social Media content.
~ Retention Period: Annually.
~ Retention Action: Copies of content should be transferred to the AHF Archive.