Members Login

RCCE General Privacy Notice - August 2018

 

Introduction

 

The Rural Community Council of Essex (“RCCE”) is a not-for-profit organisation providing services to communities and people in need. Because these services are wide-ranging and varied, it is the precise nature of a particular RCCE service that determines what personal data we hold about whom, the rationale for holding that data, the length of time that data is held for, and the rights that an individual (or ‘data subject’) has to access and/or restrict the personal data that we hold.

 

In some instances, RCCE will be the ‘Data Controller’, determining the means by which personal data is processed; in others, RCCE will be a ‘Data Processor’, processing personal data on behalf of a third-party Data Controller. In all instances, RCCE is committed to complying with relevant legislation pertaining to the protection of personal data, including the General Data Protection Regulation (EU 2016/679) (GDPR) and the Data Protection Act 2018. This includes ensuring (i) that robust security controls are in place to protect the personal data we hold and (ii) that personal data will be safely destroyed once the designated retention period has elapsed. This commitment extends to all third party Data Processors that process personal data on our behalf.

 

Lawful bases for processing personal data

 

The types of service that RCCE provides, and the lawful basis upon which we rely to process personal data in relation to the provision of each service are summarised below. ‘Basic personal data’ refers to an individual’s name, address, telephone and email address. ‘Sensitive personal data’ may include information about an individual’s physical or mental health and/or their racial or ethnic origin. Unless otherwise specified below, all data subjects have the right to access the personal data we hold for them, to erase or update their personal data and to restrict the ways in which we use their personal data to communicate with them.  Other than with a third party Data Processor operating under our instruction, we will never share an individual’s personal data with a third party unless we have their express permission or a legal obligation to do so.

 

1. Paying members (individuals, parish/town councils, village halls, oil-buying scheme)

 

  • All our paying members are contractually entitled to receive a basic level of advice and support from our staff as part of their membership package.  In order to meet our contractual obligations, we need to keep basic personal data pertaining to our members and their representative officers so that we can communicate with them. In GDPR language, we have a ‘legitimate interest’ in holding this personal data.

 

  • We will only keep this personal data for as long as the individual or organisation is a member of RCCE.  In the case of representative officers (for example, parish clerks and chairmen), we will only keep their personal data for as long as they remain a representative officer of the organisation concerned. 

 

2. Competitions (incl. ‘Village of the Year’, parish magazine, ‘Growing Communities’)

 

  • In order to organise and administer competitions we need to keep basic personal data pertaining to individual applicants, representative officers of schools, community groups, parishes and sponsoring organisations, and volunteers who assist us in administering the competitions. As such, we have a ‘legitimate interest’ in holding this personal data.

 

  • In the case of individual applicants, we will retain their personal data for a period of six months after the results of the competition have been announced. This is so that we can provide feedback if requested. After six months we will securely delete their personal data.

 

  • For representative officers and volunteers, we will keep their personal data for a minimum period of one year after the competition’s closure, at which point, we will invite them to participate in the following year’s competition. If they do not wish to participate, we will invite them to be added to the list of individuals who have expressed an interest in our work (see 4 below). If they do not wish to be added, we will securely delete their personal data.

 

3. Bespoke services to councils, other statutory bodies, village halls and community groups

 

  • Sometimes, we provide bespoke services to councils, other statutory bodies, village halls and community groups. This includes services to organisations that are not members as well as services to paying members that fall outside those included in the basic membership contract (see 1 above). As a minimum, in order to meet our contractual obligations (whether explicit or implied), we need to keep basic personal data pertaining to the representative officers of these organisations. As such, we have a legitimate interest in holding this personal data.

 

  • Once the contract has been completed, we will invite the representative officer to be added to the list of individuals who have expressed an interest in our work (see 4 below). If they do not wish to be added, we will securely delete their personal data.

 

4. Generic communications (incl. AGM notifications, on-line bulletins & hard-copy documents)

 

  • In addition to our paying members, we hold basic personal data for, and send communications to, individuals who have expressed an interest in our work or who are non-paying members of partnerships/groups we administer (including the Essex Rural Partnership, the Essex Rivers Local Action Group and ‘Big Local’ Partnerships) or who are representatives of public sector bodies with whom we interact in the course of our business. We hold this personal data on the basis that we have a legitimate interest in order that we can provide these individuals with the highest level of service.

 

  • Because data processing is low risk and has minimal impact on the data subject, the personal data will be held for as long as the data subject wishes to be involved in our work and/or the work of the partnerships/groups that we administer.

 

5. Programmes funded by Governmentbodies including the EU, DWP, DEFRA, Big Lottery and Big Local

 

  • In delivering these government-funded programmes, the government body will ordinarily be the Data Controller and RCCE will be the Data Processor, processing personal data on behalf of the government body.

 

  • For corporate and community beneficiaries of such programmes, we will need to keep some personal data pertaining to their representative officers. To enable grant payments to be made, this may include National Insurance numbers, bank and business details.

 

  • In the case of individual beneficiaries, we may need to keep some sensitive personal data in order (i) to meet our safeguarding obligations and (ii) to evidence successful outcomes to the relevant government body. In all cases, the specific consent of the data subject is obtained before they enrol on the programme and/or receive any funding.

 

  • If, following enrolment, the beneficiary decides not to stay on the programme, and they have not achieved any outcomes, their personal data will be retained for 30 days after they have left the programme. It will then be securely destroyed.

 

  • Once the beneficiary is enrolled on the programme and has contributed one or more outcomes, we have a ‘legal obligation’ to retain the personal data for the length of time specified in the government body’s funding contract. Beneficiaries have the right to access the personal data we hold for them and to restrict the ways in which we use their personal data to communicate with them. However, because of our legal obligation (see above), they will not ordinarily have the right to require us to update or erase their personal data during the retention period. We will, however, wherever possible, anonymise their data.

 

6. ‘Community Agents Essex’ and affiliated contracts funded by Essex County Council

 

  • In partnership with other not-for-profit organisations in Essex, RCCE provides support for vulnerable older people and their informal carers. As the funder of these services, Essex County Council is the Data Controller, and RCCE and its partners are Data Processors, processing personal data on behalf of the Council.

 

  • In order to deliver these services, we need to process sensitive personal data pertaining to individual clients. This sensitive personal data helps us (i) to identify the best solution for the client, (ii) to meet our safeguarding obligations and (iii) to evidence successful outcomes to Essex County Council and other public sector bodies. In all cases, the specific consent of the data subject is obtained before we are able to support them.

 

  • Subject to the consent of the client, we may also share their sensitive personal data, via a secure portal (the ‘CA Hub’), with one or more accredited referral partners which we believe are best placed to provide the specific support that the client needs.

 

  • Sensitive personal data is ordinarily maintained on the CA Hub for a minimum period of three years after the last contact with the client. This is because clients often present themselves again with the same or similar needs, and historical knowledge improves the potential outcomes for the client. All data subjects have the right to access the personal data we hold for them, to erase or update their personal data and to restrict the ways in which we use their personal data to communicate with them.

 

7. Housing Needs Surveys

 

  • On occasion we survey entire communities and invite residents to express their views on local housing needs. Generally, the data we collect from these surveys does not enable an individual resident to be identified. However, sometimes we may invite respondents to express an interest in a specific development and to provide personal data which we can share with one or more developers that are interested in developing the site. In such cases, the specific consent of the data subject .

 

  • We destroy all personal data within five years of the survey deadline or within one month of the related housing scheme opening, whichever is the soonest. All other survey data is destroyed within one month of the completion of the final Housing Needs report. Aggregated non-identifiable data is kept indefinitely.

 

  • All data subjects have the right to access the personal data we hold for them, and to erase or update their personal data.

 

8. Suppliers

 

  • As a minimum, in order to meet our contractual obligations, we need to keep basic personal data pertaining to our suppliers and their representative officers so that we can pay and otherwise communicate with them.  We have a legal obligation to hold this personal data.

 

  • We will keep this personal data for a period of six years after the financial year in which the last payment to the supplier is made (in compliance with financial/tax regulations).

 

9. Trustees

 

  • We need to keep a Trustee’s personal data (including information on related parties and potential conflicts of interest) in order to meet our obligations under both Company and Charity Law. We have a legal obligation to hold this personal data.

 

  • We will keep this personal data for as long as the data subject is a Trustee of RCCE. Personal information pertaining to unsuccessful applicants will be destroyed within 6 months of the decision being made not to appoint.

 

10. Employees

 

  • We need to keep employees’ personal data (including application forms, references, passport details, work permits, DBS checks, bank details and leave & sickness records) in order (i) to fulfil the requirements of the employment contract with the individual and (ii) to comply with financial/tax regulations. We have both a third party legal obligation and a contract with the data subject.

 

  • We will keep this personal data for the duration of the employment, plus a period of six years after the financial year in which the employee leaves RCCE’s employ (in compliance with financial/tax regulations). Personal information pertaining to unsuccessful applicants will be destroyed within six months of the decision being made not to appoint.

 

 

Exercising your Rights under this Privacy Notice

 

In order for an individual to exercise their rights under this Privacy Notice, they should make a Subject Access Request (SAR) to RCCE’s Finance & Administration Manager who is the charity’s nominated Data Protection Officer.  The charity will respond to all SRAs within one month of receipt.

 

A copy of the RCCE General Privacy Notice can be downloaded here

 

NAME & REGISTERED OFFICE

Rural Community Council of Essex

RCCE House

Threshelfords Business Park

Inworth Road

Feering

Essex

CO5 9SE

Registered Charity No. 1097009.

Company registered in England and Wales No. 4609624