GDPR Statement

Background / context

 

This year (2018) the European Commission is taking a major step to standardise online privacy protections for its citizens. The General Data Protection Regulation (GDPR) requires businesses to comply with new rules for collecting, sharing, and protecting personal data within the borders of the European Union (EU).

 

By the end of May this year (2018), citizens living under the umbrella of GDPR will have a set of brand new rights. Businesses need to be able to adequately accommodate these citizens’ rights should they choose to exercise them:

 

  1. The right to be forgotten: the removal of inaccurate, inadequate, irrelevant or excessive information about them from online search engines
  2. The right to data portability: the ability to obtain and reuse their personal data for their own purposes across different services
  3. The right to be informed in the event of a data breach

 

The Scottish Recovery Consortium supports the rights of individuals to exercise these rights.

 

The SRC does not seek to gather information on individuals or hold information unnecessarily. We only gather the minimum we require to operate as a legal entity, to account properly for the money we are given and to report on the work we have carried out with those funds. As soon as it is no longer needed we destroy any information we hold on individuals.

 

What data is held by the SRC and for what purpose

 

The Scottish Recovery Consortium is a registered charity and company limited by guarantee. With this legal status we are required by law to keep clear financial records and to maintain an up to date list of members of the charity. This means keeping records that ensure staff salaries, expenses of staff and volunteers, and suppliers get paid. We hold records of all application forms received for posts within the SRC for six months after recruitment. This is to ensure accountability for the equality of opportunity in the recruitment process.

 

The Scottish Recovery Consortium undertakes the event management and financial support for Recovery Walk Scotland and applying for licences for this event means that we supply the court with a list of our board members criminal offences.  We are required by law to do this.

 

We register people to attend courses or events / networks through the SRC and hold their name, email, phone number, area of Scotland and organisation they are coming from.  In key events we also ask for the status details in relation to recovery. This information is primarily collected to keep event participants informed about the event/ course they have registered for.

 

 

We hold all this information for a year for the purpose of ensuring we are connecting with the right groups of people and accounting for the work we carry out, No personally identifying details taken from registrations (e.g. names and status) are used in reports, it is the accumulated statistics we use. We do this with the explicit consent of those registering.

 

We hold a publicly available database for community groups in Scotland. The details of the group, its activity and contact details are published on the SRC website and this is done by consent.

 

From 2018 onwards people registering for events will be asked in addition if they would like to hear from the SRC about other events and the name, phone and email and other held details of those who say yes to this will be stored in a SRC contact yes database on our shared drive.

 

The SRC never sells any of the data it holds on individuals to other bodies. The SRC will protect your personal contact information and only hand it on to another individual with your explicit approval. We send information about our work and upcoming events to many groups and organisations. We will only send our further information about events Individuals who have agreed to receive such information from us.

 

To remove data or move data held by SRC

All SRC staff members hold information about different aspects of the work. All staff members are responsible for responding to requests to remove personal contact details of individuals on request.

All staff members are able to respond to requests from individuals who are seeking to move any data held on them to another organisation. We will check of course that there is no legal impediment for doing so i.e. destroying records of expenses paid to an individual in the current financial year.

If you want to be removed from any email list that is held by the SRC, contact any staff member and request that your details be removed.

The security of data held by the SRC

The SRC’s information is held on a closed server and the contact lists will be password protected on this shared drive and on individual computers. The SRC checks regularly with its IT providers that we are secure.

The Status of this statement

This statement has been approved by the SRC board and is now our policy. We will keep monitoring our work and practice to ensure we guard the spirit and the letter of the new rights.