Protecting BRA Members Data (GDPR)
John Howarth - BRA Company Secretary
Updated 2nd March 2021
The Data Protection (Charges and Information) Regulations 2018 require every organisation that processes personal information to pay a data protection fee unless it is exempt.
The BRA comes under these Regulations since it keeps personal information about individuals. It is the intention of the Association to comply with the requirements of the Regulations. It is a legal requirement to do so and the ICO (Information Commissioner’s Office) has powers to levy fines on organisations that do not do so.
2) Data Collected
The Association will collect and keep the following data in respect of each individual Member: (NB: This is in compliance with The Companies Act Section 113)Name, Postal Address, email Address, Telephone Number, Date of joining BRA, date of leaving BRA.
The Association uses Members’ personal information for internal record keeping and administration.
The BRA uses the data to administer the organisation and to inform Members of matters of legitimate interest in it and about it.
The Association will not provide an individual member’s personal information to any other party without the individual’s written consent.
3) Rights and Responsibilities
The responsibilities of the Association are:
(a) to inform those individuals about whom personal details are kept (i.e. the “Data Subjects”) about the Regulations,(b) to indicate to them of its intention to comply, and(c) to give a brief outline to them as to what their rights are under the Regulations.
The Data Subjects have the following rights under the Regulations:
The right to be informed about the data held about them
The right to have confirmation that the Association is holding the data and is processing it lawfully
The right to have the data corrected if it is inaccurate or incomplete
The right to have the data erased from the Association’s files
The right to restrict how the Association processes the data
The right to object to how the Association processes the data
4) Lawful Processing
There are six bases for lawful processing:
1. Consent e.g. the Association has asked for and has received permission (with evidence) to hold information about the Data Subject
2. Performance of a contract e.g. an individual has signed up to membership, paid a membership fee, and has expectations that a service will be delivered
3. Legal Obligation e.g. the Association has a legal requirement to keep the data
4. Vital Interest e.g. disclosure of personal information in an A&E Department when it could save someone’s life
5. Public Task (This applies mostly to public authorities)
6. Legitimate Interest e.g. informing Data Subjects about activities that the BRA is carrying out.
No single basis is more important than any other when it comes to defining lawful processing, and only ONE basis is needed to define lawful processing.
Because the Association is a Company Limited by Guarantee the Companies Act specifies what information it needs to keep about its Membership (i.e. a Legal Obligation), and because Members pay a subscription there is a Contract with the implied assumption that by joining and paying the subscription Members are giving their Consent.
5) Sharing of Data
BRA does not share data with any other organisation. The list of Members is available to the Committee (who themselves must be Members) and the Company Secretary, but not to other individual Members.
6) Data Accuracy
It is the responsibility of individual members to inform the Association of any changes to any of the data that the Association holds about them. The Association will, as part of the membership renewal process, undertake a full check of postal and email addresses and telephone numbers of all Members.