As a guide, you will be handling sensitive data regulated under GDPR, in the form of personal contact details for our pilgrims. You are probably aware that data protection law reform came with the General Data Protection Regulation (GDPR), which took effect from 25 May 2018. GDPR is not just a tick-box exercise, and it needs all staff and volunteers to embrace procedures.
It’s the law – failure to comply may result in prosecution of the charity or the individual.
You will be issued with the contact list for your pilgrimage once ticket sales have closed. You can keep this on your smartphone or print it out, as long as it is not accessible to anyone else in your household. No leaving it lying around, in your pocket, or viewable on shared devices. You must delete or destroy this information as soon as is reasonably practical after the event. We will still have pilgrim details on the Eventbrite system, so if there are any problems afterwards where we may legitimately need to contact them, we can do so.
You may:
- Hold the contact list on your mobile device or in hard copy for use in checking in at the event.
You must:
- Not download, copy or keep any pilgrim information on your personal computers beyond what is needed for the event.
- Keep the information completely secure from others.
- Delete or destroy the information as soon as practicable after the event.
Our full policy:
1. INTRODUCTION AND AIM
This policy sets out the British Pilgrimage Trust CIO’s (the Trust’s) commitment to the lawful and fair handling of personal data in accordance with the General Data Protection Regulation (GDPR).
The British Pilgrimage Trust CIO needs to collect and use personal information in order to carry out its functions effectively. Information can be held about current, past and prospective employees, volunteers, donors, pilgrims, suppliers and others with whom the Trust may communicate. The Trust has an obligation to handle personal data in accordance with the GDPR.
2. POLICY
Any personal data which the Trust collects, records or uses in any way, whether it is held on paper, computer or other media, will be subject to appropriate safeguards to ensure that the BPT complies with the Regulation (see details under Implementation below).
The Trust endorses and adheres to the principles outlined in Article 5 and Recital 39 of the GDPR. Personal data used by the Trust will be processed lawfully; collected for specific and explicit purposes; be adequate to those purposes; kept accurate and up to date; kept for no longer than is necessary for those purposes; and processed securely.
3. IMPLEMENTATION
In order to meet the requirements of the data protection principles and its obligations under the Act, the BPT will:
3.1 Be registered with the Information Commissioner’s Office.
3.2 Appoint a Data Protection Officer – this appointment will be included as part of the job description for the Trust’s Administrator, and overseen by the Vice Chairman of Trustees.
3.3 Acquire express consent for the collection of data.
3.4 Only use personal information for the purposes it was collected. These purposes will be stated explicitly at the point of collection, where consent is obtained.
3.5 Personal information is stored on password-protected computers, or on secure cloud services that are both password-protected and run in a manner that is compliant with the GDPR.
3.6 Data subjects (individuals to whom the personal information relates) are able to exercise their rights under the Regulation, including the right:
- to be informed that their personal information is being processed.
- of access to their personal information.
- to correct, rectify, block or erase information that is regarded as inaccurate.
- to have their information deleted.
- to restrict the use of their data.
- to object to how their data is being used.
3.7 Personal data will only be disclosed to third parties when it is fair and lawful to do so in accordance with the Regulation.
3.8 Put in place procedures to check the accuracy of personal data collected, retained and disclosed; and to ensure data subjects can access, review, and request alterations to the manner in which their data is stored and used (including deletion).
3.9 Regularly review the time that personal information is retained or stored to ensure that it is erased at the appropriate time.
3.10 This policy is reviewed regularly and updated when necessary.