Protecting BRA Members Data (GDPR)
John Howarth: Company Secretary
Some of you will be aware that new data protection rules come into effect in the UK on May 25th this year. They are called the General Data Protection Regulation (GDPR). The GDPR replaces the existing Data Protection Act and gives greater protection and rights to individuals in respect of organisations that hold personal information about them. The Bookhams Residents’ Association falls under the Regulation because it keeps information about its membership. It is the intention of the BRA to comply with the requirements of the GDPR. Compliance is a legal requirement, and the ICO (Information Commissioner’s Office) has powers to levy fines on organisations that do not comply. The initial responsibilities of the BRA are:
- to inform its membership about the Regulation,
- to indicate to the membership its intention to comply, and
- to give a brief outline to its members of their rights under the Regulation.
As members of the BRA you will have the following rights under the Regulation:
- The right to be informed about the data held about you
- The right to have confirmation that the BRA is holding your data and that the BRA is processing your data lawfully
- The right to have the data corrected if it is inaccurate or incomplete
- The right to have your data erased from the BRA files
- The right to restrict how the BRA processes your data
- The right to object to how the BRA processes your data.
There are six bases for lawful processing:
1. Consent of the individual (the “data subject”), e.g. the organisation has asked for and has received permission (with evidence) to hold information about the data subject.
2. Performance of a contract, e.g. someone has signed up to membership, paid a membership fee, and has expectations that a service will be delivered.
3. Legal obligation, e.g. the organisation has a legal requirement to keep the data.
4. Vital interests, e.g. disclosure of personal information in an A&E Department when it could save someone’s life.
5. Public task (this applies mostly to public authorities).
6. Legitimate interest, e.g. informing the membership about new activities that the organisation is carrying out.
No single basis is more important than any other when it comes to defining lawful processing, and only ONE basis is needed to make processing lawful. For the BRA the two most relevant bases are No. 3 – Legal Obligation and No. 2 – Performance of a Contract. Because the BRA is a Company Limited by Guarantee, the Companies Act defines the information it must keep about its membership – hence the Legal Obligation; and because the members pay a subscription there is a Contract. There is an implied assumption that by joining and paying the subscription individuals are giving their consent.