Major changes are about to take place to UK law relating to data privacy and protection which includes personal information (“data”) which the The European Knowledge Tree Group for eHealth (the Group) keeps about you. This cannot be a short communication because of the scale of the changes taking place (with effect from 25th May 2018) but it is vital that you take the time to carefully and thoroughly read the Privacy Notice which follows.
To assist your understanding the Notice deals with the following points :
- What is Lawful Processing
- What data does the Group acquire and keep about you
- Where does the Group get the data from and how is the data stored
- Does the Group transfer your data elsewhere
- How long does the Group retain your data
- Your rights
On 25th May 2018 new legislation on Data Protection enters into force (The General Data Protection Regulation - “GDPR”). GDPR replaces previous legislation and contains lots of obligations which the Group must fulfil and lots of rights which you as Members have vis-à-vis the Group. Many of the Rules are the same as under previous legislation but there is plenty of new material.
GDPR is an EU Directive directly applicable in all Member states without the need for local legislation and with effect from 25th May 2018. However, the UK has decided that it wants the content of GDPR to apply after the UK leaves the EU and has tabled a Bill in the House of Lords which will achieve this objective. At first sight the Bill looks the same as GDPR (with adjustments which the Group believes are mainly not relevant to the Group’s position) but things change and the Group will need to review its position once the Bill becomes law.
GDPR, including its preamble, contains some 54,000 words so the Group hopes you will be understanding if we attempt to reduce that to some succinct explanations. GDPR allows the Group (“Controller” in GDPR-speak) to introduce operational rules and policies compliant with the new Directive.
GDPR profoundly changes the way the relationship between the Group and its Members works in relation to the information (data) which the Group collects from you and then processes and stores. Some data is necessarily provided to or accessed by a third party such as an event venue or a caterer. Most of the law is mandatory but where there are options this notice will identify and explain the option the Group is using. Many of the terms are rather technical but we need to use specific terms in order to say exactly what GDPR stipulates. The Group’s first task is to be a lawful processor of your data.
2. Lawful Processing
Membership of the Group is a form of contract where Members agree to participate, in return for which Members receive benefits and services provided by the Group. The Group asserts that it is a lawful processor by virtue of this relationship and does not need to obtain specific consent to process data. The Group also considers it is exempted from any obligation to appoint a Data Protection Officer (DPO) but it does accept the obligation to carry out processing in ways which are lawful, fair and transparent. The Group may be required to appoint a designated DPO by the UK legislation.
3. Types of Data Collected and Stored
The Group is committed to recording accurate personal data which primarily consists of your name and email address.
The Group does not collect sensitive personal data such as genetic, biometric or health data. Nor does it collect information on race, ethnicity, religion, political persuasion, or sexual orientation. Such sensitive data is known in GDPR as special category data.
The Group may use your data to enhance your experience of Group Membership by recording your personal preferences, interests and geographical location.
If information is published (i.e. in the public domain) about a Member, e.g. personal, professional or civic honour, award, achievement, etc the Group is likely to add such information to your Member record.
The Group keeps a central store of Members’ personal data in its membership database.
In the event of there being a data breach the Group undertakes to inform you (as well as any relevant authority) not later than 1 month of the Group becoming aware of the breach. The Group does not believe that the data it holds give rise to any need to report a breach to the Information Commissioner within 72 hours but it is conscious of the possible need to do so. Paper records are also held securely.
4. Transfer and Sharing of Data
The Webmaster is the principal processor of your data. The Group’s Officers may also wish to look at Member data from time to time.
The Group will not be able to release to a member personal data about another member, even a telephone number or email address, without your permission.
When you attend functions or events organised by the Group the venue will normally, for security and practical reasons, want a list of names and the caterer will want a list of any special dietary requirements.
The Group does not knowingly transfer your data outside the EU and requires all its suppliers not to make such transfers. The ultimate location of computer servers can make this apparently simple commitment difficult to enforce.
5. Retention of Data
Names and contact details are maintained in the database as a historical record of the Group’s members.
6. Your Rights
- To complain
Ideally the Group would wish to try to deal with complaints itself before recourse to any external authority and asks Members to submit complaints via email or post, but it is open to Members to submit a complaint at any time to the Office of the Information Commissioner.
- To have correct data recorded by the Group
The Group will be happy to correct errors and to update its records when circumstances change.
- To require the Group to erase data which it holds about a Member
The Group will fully respect the new legislation but reminds Members that the low-level information gathered by the Group is perceived by the Group as the minimum needed to provide Members with the benefits of Group Membership.
7. The Group Website
This policy applies when members use the Group website. The Policy Notice is published on the website.
Whenever this policy is updated a notice will be sent to Members.