Processing of personal data for the maintenance of the musical instrument loan system.
After completing the Information Commissioner’s Office online self-assessment questionnaire, it has been determined that, as we do not process personal data on a computer, there is no requirement to notify the ICO that we are processing personal data.
We would also be exempt as a not-for-profit organisation. ‘Organisations which are established for not-for-profit making purposes can be exempt from notifying. The exemption may therefore be appropriate for small clubs, voluntary organisations and some charities. A not-for-profit organisation can make a profit for its own purposes, which are usually charitable or social, but the profit should not be used to enrich others. Any money that is raised should be used for the organisation’s own activities.’
We are however still required to comply with the other provisions of the Act.
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Addressing each provision:
1. This is the first data protection principle. In practice, it means that you must:
- have legitimate grounds for collecting and using the personal data;
- not use the data in ways that have unjustified adverse effects on the individuals concerned;
- be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
- handle people’s personal data only in ways they would reasonably expect; and
- make sure you do not do anything unlawful with the data.
We have legitimate grounds for collecting the data in order to maintain contact with the students who have borrowed instruments or their parents in the event of future need to recover the instrument. The information is only used for the purpose described and this is clearly explained on the loan form.
2. In practice, the second data protection principle means that you must:
- be clear from the outset about why you are collecting personal data and what you intend to do with it;
- comply with the Act’s fair processing requirements – including the duty to give privacy notices to individuals when collecting their personal data;
- comply with what the Act says about notifying the Information Commissioner; and
- ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.
The loan form makes it clear why we are collecting personal data, which covers the intended use and privacy notices. As determined earlier, we do not need to notify the Information Commissioner. If there were cause to disclose the personal data for additional or different purposes, the new use would have to be reviewed and agreed before the disclosure could occur.
3. This is the third data protection principle. In practice, it means you should ensure that:
- you hold personal data about an individual that is sufficient for the purpose you are holding it for in relation to that individual; and
- you do not hold more information than you need for that purpose.
We only hold contact details (name, address, telephone number and email address), which is the minimum we need to maintain contact with the instrument borrower.
4. To comply with these provisions you should:
- take reasonable steps to ensure the accuracy of any personal data you obtain;
- ensure that the source of any personal data is clear;
- carefully consider any challenges to the accuracy of information; and
- consider whether it is necessary to update the information.
The information is checked when it is added to the form. The form requests the borrower to update the Friends of Dunstable Music Centre if they change their address or telephone number. The form should be reviewed annually with the borrower.
5. This is the fifth data protection principle. In practice, it means that you will need to:
- review the length of time you keep personal data;
- consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
- securely delete information that is no longer needed for this purpose or these purposes; and
- update, archive or securely delete information if it goes out of date.
Following return of the instrument and resolution of any outstanding issues relating to its condition, the completed form should be shredded.
6. This is the sixth data protection principle, and the rights of individuals that it refers to are:
- a right of access to a copy of the information comprised in their personal data;
- a right to object to processing that is likely to cause or is causing damage or distress;
- a right to prevent processing for direct marketing;
- a right to object to decisions being taken by automated means;
- a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
- a right to claim compensation for damages caused by a breach of the Act.
We do not use the data for direct marketing, and there would be no issue with an individual seeing the data we hold about them; the data would be reviewed annually with them to confirm the instrument loan is still required.
7. This is the seventh data protection principle. In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:
- design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
- be clear about who in your organisation is responsible for ensuring information security;
- make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
- be ready to respond to any breach of security swiftly and effectively.
The records when not in use should be secured in a locked metal file box located in [ removed for security ].
Only Ian Hedges, Joanne Hedges and Chris Carey will be authorised to access the records for the purpose of managing instrument loans.
Ian Hedges will be responsible for shredding completed loan forms when required.
8. This is the eighth data protection principle, but other principles of the Act will also usually be relevant to sending personal data overseas. For example, the first principle (relating to fair and lawful processing) will in most cases require you to inform individuals about disclosures of their personal data to third parties overseas. The seventh principle (concerning information security) will also be relevant to how the information is sent and the necessity to have contracts in place when using subcontractors abroad.
We do not send data abroad and would not have cause to.