Guide to Data Protection, May 2018
This document is intended to assist all levels of the Grand Orange Institution of England (‘GOLE’) in approaching the requirements laid down by the Data Protection Act 2018, which replaced the Data Protection Act 1998, with particular reference to the General Data Protection Regulation (‘GDPR’), which has applied in the UK since 25th May 2018. Note that personal data held on a deceased person is not subject to these rules.
The GDPR is an EU regulation which applies directly in the UK and is supplemented by the Data Protection Act 2018. This means that unless and until it is expressly repealed or replaced by the UK Parliament following Brexit, it remains in force, and it should not therefore be overlooked.
Some pointers for data protection:
The legislation and GDPR seek to guarantee an individual’s rights over the data held on him or her by a third party;
The individual has a right to know what personal data is held on him or her, so that he or she may correct it; to expect that the data held is proportionate to the need to hold it and is used only in a specified manner and for a specified purpose; and to demand that personal data not be held on him or her. These rights are subject to certain qualifications set out below, since a society could not operate if it could not hold limited data on its members.
“Personal data” is any information from which a living individual can be identified, directly or indirectly; for GOLE this will usually be a person’s name, address, contact details, dates for receiving degrees and references to the person in minutes or reports, and may also include dates of birth, membership of other Loyal Orders, photographs and social media profiles.
“Sensitive personal data” (called “special category data” under GDPR) goes beyond this, and includes information such as a person’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sexuality etc. It is not envisaged that a lodge would hold such information, with the exception that the regular place of worship is freely disclosed by the member prior to his initiation and may therefore be kept on file. Note that a place of worship reveals religious belief and is therefore special category data: holding it requires one of the grounds in Article 9 of the GDPR, and Article 9(2)(d) covers a not-for-profit body with a religious or political aim processing data on its own members and former members, provided that data is not disclosed outside the body without their consent.
The GDPR makes a Data Protection Officer mandatory only for certain organisations (public authorities and bodies processing personal data on a large scale), but GOLE has appointed an overall Data Protection Officer, who acts as the bridge between the membership and the Information Commissioner, the independent regulator responsible for ensuring that the Data Protection Act and GDPR are complied with. Within GOLE, this person is the Grand Secretary.
As far as can be ascertained, private lodges, District lodges and Provincial Grand Lodges do not need their own Data Protection Officer, as they are off-shoots of GOLE. Each lodge does, however, need a named person responsible for the personal data it holds, and the Grand Master has sanctioned that this be the lodge secretary, referred to in this guide as the lodge’s Data Controller. Strictly, under GDPR the controller is the organisation that decides why and how personal data is processed, and the secretary is the officer responsible for it on the lodge’s behalf.
Data Controllers (lodge secretaries) are responsible for the personal data, and any sensitive personal data, they keep on file. If that data is lost, stolen or otherwise compromised, they must report it to the Data Protection Officer as soon as possible, because GDPR requires a breach that is likely to put individuals at risk to be notified to the Information Commissioner within 72 hours of the organisation becoming aware of it, and the affected members to be told without undue delay where the risk to them is high.
Regarding the GDPR, most people will remember the emails sent in the run-up to May 2018 asking them to click a link to stay in touch with societies, companies and the like which already held their details. The reason for those emails is that the GDPR:
-Requires the company or society to produce and publish a document (a privacy notice) setting out its data protection policy and how it processes personal data, and to bring to members’ attention their rights to access the data held on them and to have it amended;
-Enables an individual to withdraw his or her consent at any time where consent is the basis on which the data is held; where data is held instead under the legitimate interest test mentioned below, the society may continue to hold it after consent is withdrawn, subject to the individual’s right to object;
-Requires the company or society to have a mechanism by which breaches of security relating to personal data can be reported internally, to the Information Commissioner and to the member whose data has been compromised.
As a not-for-profit organisation, GOLE is not bound by the registration and fee requirements placed on private companies in the same way, although any bands or social clubs operated for profit by GOLE or its inferior lodges would need to take further advice, in conjunction with the Grand Secretary as Data Protection Officer.
The legitimate interest test pre-dates the GDPR. It stands to reason that certain data on an individual who voluntarily subscribes to GOLE as a brother or sister will be processed as part of the usual business of running a club or society. Previously consent to the processing of data was passive, inasmuch as the members of a society were deemed to agree to their personal data being processed by virtue of continuing to be members of that society. This is “implied consent”. GDPR does not make consent the only basis for processing, since legitimate interest, the performance of the membership agreement and legal obligations remain lawful bases, but where a society relies on consent, that consent must now be express: a clear affirmative act by the member, not silence or continued membership. GOLE will be issuing revised membership application forms so that the matter is dealt with at the outset.
Under GDPR, an individual has the following rights:
-To know what personal data is held on him or her, and why;
-To know the society’s policy covering the holding and processing of this data;
-To be given a copy of the data held on him or her after a written or verbal request (a “subject access request”), within one calendar month of the request (extendable by a further two months where the request is complex) and at no cost, except where the request is manifestly unfounded or excessive, for example because the individual has already been given the data free and asks repeatedly, in which case a reasonable fee may be charged or the request refused;
-To have data held on him or her rectified, corrected or completed (where incomplete), or removed where unreasonably intrusive data is held without justification, within one calendar month of making a written or verbal request;
-To have data erased, albeit this is subject to the legitimate interest test, such as the need to retain some information on lapsed, resigned, suspended or expelled members in case of a later application to re-join;
-To have the processing of his or her data restricted, again subject to the legitimate interest test;
-To object to processing carried out under the legitimate interest test, in which case the society must stop unless it can show compelling legitimate grounds which override the individual’s interests and rights.