The Rural Community Council of Essex (“RCCE”) is a not-for-profit organisation providing services to communities and people in need. Because these services are wide-ranging and varied, it is the precise nature of a particular RCCE service that determines what personal data we hold about whom, the rationale for holding that data, the length of time that data is held for, and the rights that an individual (or ‘data subject’) has to access and/or restrict the personal data that we hold.
In some instances, RCCE will be the ‘Data Controller’, determining the means by which personal data is processed; in others, RCCE will be a ‘Data Processor’, processing personal data on behalf of a third-party Data Controller. In all instances, RCCE is committed to complying with relevant legislation pertaining to the protection of personal data, including the General Data Protection Regulation (EU 2016/679) (GDPR) and the Data Protection Act 2018. This includes ensuring (i) that robust security controls are in place to protect the personal data we hold and (ii) that personal data will be safely destroyed once the designated retention period has elapsed. This commitment extends to all third party Data Processors that process personal data on our behalf.
Lawful bases for processing personal data
The types of service that RCCE provides, and the lawful basis upon which we rely to process personal data in relation to the provision of each service are summarised below. ‘Basic personal data’ refers to an individual’s name, address, telephone and email address. ‘Sensitive personal data’ may include information about an individual’s physical or mental health and/or their racial or ethnic origin. Unless otherwise specified below, all data subjects have the right to access the personal data we hold for them, to erase or update their personal data and to restrict the ways in which we use their personal data to communicate with them. Other than with a third party Data Processor operating under our instruction, we will never share an individual’s personal data with a third party unless we have their express permission or a legal obligation to do so.
1. Paying members (individuals, parish/town councils, village halls, oil-buying scheme)
- All our paying members are contractually entitled to receive a basic level of advice and support from our staff as part of their membership package. This entitlement lasts for a standard 12-month period at the end of which members are invited to renew their membership. In order to meet our contractual obligations, we need to keep basic personal data pertaining to our members and their representative officers so that we can communicate with them. In GDPR language, we have a ‘legitimate interest’ in holding this personal data.
- We will ordinarily keep this personal data for a period of 12 months after the individual or organisation’s membership lapses. This is so that we can readily re-install the member when / if they renew their membership. In the case of representative officers (for example, parish clerks and chairmen), we will only keep their personal data for as long as they remain a representative officer of the organisation concerned.
- All members have the right to access the personal data we hold for them, to erase or update their personal data and to restrict the ways in which we use their personal data to communicate with them.
2. Competitions (incl. ‘Village of the Year’, parish magazine, ‘Growing Communities’)
- In order to organise and administer competitions we need to keep basic personal data pertaining to individual applicants, representative officers of schools, community groups, parishes and sponsoring organisations, and volunteers who assist us in administering the competitions. As such, we have a ‘legitimate interest’ in holding this personal data.
- In the case of individual applicants, we will retain their personal data for a period of six months after the results of the competition have been announced. This is so that we can provide feedback if requested. After six months we will securely delete their personal data.
- For representative officers and volunteers, we will keep their personal data for a minimum period of one year after the competition’s closure, at which point, we will invite them to participate in the following year’s competition. If they do not wish to participate, we will invite them to be added to the list of individuals who have expressed an interest in our work (see 5 below). If they do not wish to be added, we will securely delete their personal data.
3. Bespoke services to councils, other statutory bodies, village halls and community groups
- Sometimes, we provide bespoke services to district/town/parish councils, other statutory bodies, village hall charities and community groups. This includes services to organisations that are not members as well as services to paying members that fall outside those included in the basic membership contract (see 1 above). As a minimum, in order to meet our contractual obligations (whether explicit or implied), we need to keep basic personal data pertaining to the representative officers and trustees of these organisations. As such, we have a legitimate interest in holding this personal data.
- In the case of our Village Hall & Community Buildings service, we may retain personal data pertaining to trustees, representative officers, advisers and employees for an indefinite period if we believe it to be of intrinsic value in delivering a continuous service to our clients or, in the case of hard-copy documentation, we believe it to be of inherent historic interest.
- In all other cases, once a contract has been completed, we will invite the representative officer and/or trustee to be added to the list of individuals who have expressed an interest in our work (see 5 below). If they do not wish to be added, we will securely delete their personal data.
4. Community Consultations (including Housing Needs Surveys)
- On occasion, we contract with parish councils and/or village hall charities to survey entire communities and to invite local residents to express their views on prospective changes to their community, for example the development of affordable local housing schemes. Generally, the data we collect from these surveys does not enable an individual resident to be identified. However, sometimes we may invite respondents to become involved in a consultation process or, in the case of housing needs surveys, to express an interest in a specific development. Before we share any personal data with a parish council, village hall charity or property developer, the specific consent of the data subject .
- In the case of housing needs surveys, we destroy all personal data in our possession within five years of the survey deadline or within one month of the related housing scheme opening, whichever is the soonest. Personal data pertaining to other community consultations is destroyed within six months of the completion of the consultation.
- All data subjects have the right to access the personal data we hold for them, and to erase or update their personal data.
5. Generic communications (incl. AGM notifications, on-line bulletins & hard-copy documents)
- In addition to our paying members, we hold basic personal data for, and send communications to, individuals who have expressed an interest in our work or who are non-paying members of partnerships/groups we administer (including the Essex Rural Partnership, the Essex Rivers Local Action Group and ‘Big Local’ Partnerships) or who are representatives of public sector bodies with whom we interact in the course of our business. We hold this personal data on the basis that we have a legitimate interest in order that we can provide these individuals with the highest level of service.
- Because data processing is low risk and has minimal impact on the data subject, the personal data will be held for as long as the data subject wishes to be involved in our work and/or the work of the partnerships/groups that we administer.
6. Programmes funded by Government bodies including the EU, DWP, DEFRA, Big Lottery and Big Local
- In delivering these government-funded programmes, the government body will ordinarily be the Data Controller and RCCE will be the Data Processor, processing personal data on behalf of the government body.
- For corporate and community beneficiaries of such programmes, we will need to keep some personal data pertaining to their representative officers. To enable grant payments to be made, this may include National Insurance numbers, bank and business details.
- In the case of individual beneficiaries, we may need to keep some sensitive personal data in order (i) to meet our safeguarding obligations and (ii) to evidence successful outcomes to the relevant government body. In all cases, the specific consent of the data subject is obtained before they enrol on the programme and/or receive any funding.
- If, following enrolment, the beneficiary decides not to stay on the programme, and they have not achieved any outcomes, their personal data will be retained for 30 days after they have left the programme. It will then be securely destroyed.
- Once the beneficiary is enrolled on the programme and has contributed one or more outcomes, we have a ‘legal obligation’ to retain the personal data for the length of time specified in the government body’s funding contract. Beneficiaries have the right to access the personal data we hold for them and to restrict the ways in which we use their personal data to communicate with them. However, because of our legal obligation (see above), they will not ordinarily have the right to require us to update or erase their personal data during the retention period. We will, however, wherever possible, anonymise their data.
7. ‘Community Agents Essex’ and affiliated contracts funded by Essex County Council
- In partnership with other not-for-profit organisations in Essex, RCCE provides support for vulnerable people and their informal carers. As the funder of these services, Essex County Council is the Data Controller, and RCCE and its partners are Data Processors, processing personal data on behalf of the Council.
- In order to deliver these services, we need to process sensitive personal data pertaining to individual clients. This sensitive personal data helps us (i) to identify the best solution for the client, (ii) to meet our safeguarding obligations and (iii) to evidence successful outcomes to Essex County Council and other public sector bodies. In all cases, the specific consent of the data subject is obtained before we are able to support them.
- Confidential hard-copy Client Record Forms are stored safely until such time as a case is closed and the client details have been entered onto the charity’s secure portal (the ‘CA Hub’). The forms are then destroyed.
- Subject to the consent of the client, we may also share their sensitive personal data, via the ‘CA Hub’, with one or more accredited referral partners which we believe are best placed to provide the specific support that the client needs. All our referral partners are required to comply with RCCE’s own conditions for data processing and data security.
- Sensitive personal data is ordinarily maintained on the CA Hub for a minimum period of three years after the last contact with the client. This is because clients often present themselves again with the same or similar needs, and historical knowledge improves the potential outcomes for the client.
- All data subjects have the right to access the personal data we hold for them, to erase or update their personal data and to restrict the ways in which we use their personal data to communicate with them.
- As a minimum, in order to meet our contractual obligations, we need to keep basic personal data pertaining to our suppliers and their representative officers so that we can pay and otherwise communicate with them. We have a legal obligation to hold this personal data.
- We will keep this personal data for a period of six years after the financial year in which the last payment to the supplier is made (in compliance with financial/tax regulations).
- We need to keep a Trustee’s personal data (including information on related parties and potential conflicts of interest) in order to meet our obligations under both Company and Charity Law. We have a legal obligation to hold this personal data.
- We will keep this personal data for as long as the data subject is a Trustee of RCCE. Personal information pertaining to unsuccessful applicants will be destroyed within 6 months of the decision being made not to appoint.
- We need to keep employees’ personal data (including application forms, references, passport details, work permits, DBS checks, bank details and leave & sickness records) in order (i) to fulfil the requirements of the employment contract with the individual and (ii) to comply with financial/tax regulations. We have both a third party legal obligation and a contract with the data subject.
- We will keep this personal data for the duration of the employment, plus a period of six years after the financial year in which the employee leaves RCCE’s employ (in compliance with financial/tax regulations). Personal information pertaining to unsuccessful applicants will be destroyed within six months of the decision being made not to appoint.
Exercising your Rights under this Privacy Notice
In order for an individual to exercise their rights under this Privacy Notice, they should make a Subject Access Request (SAR) to RCCE’s Finance & Administration Manager who is the charity’s nominated Data Protection Officer. The charity will respond to all SRAs within one month of receipt.
A copy of the RCCE General Privacy Notice can be downloaded here
Name & Registered Office
Rural Community Council of Essex,
Threshelfords Business Park,
Registered Charity No. 1097009.
Company registered in England and Wales No. 4609624