The Iona Community (“the Community”) takes the security and accuracy of personal data seriously. It complies with its obligations under the UK General Data Protection Regulation (GDPR) by
- keeping personal data up to date;
- storing and destroying data securely;
- not collecting or retaining excessive amounts of data;
- protecting personal data from loss, misuse, unauthorised access and disclosure
- ensuring that appropriate technical measures are in place to protect personal data.
This statement refers to such data held by the Community on third party individuals.
Personal Data on Individuals Held and Processed
The following types of personal data on individuals is held and processed:
- Personal Records: Name, title, affiliation(s), address(es), telephone number(s), email address(es).
- Financial Information: Details of Bank Accounts; payments received or made; Gift Aid declarations and records.
- Contact Preferences: Acceptable and preferred method(s) of communication (mail, telephone, email) from the Community to the individual as notified to the Community Administration Office.
- General Information: Membership of working groups or committees; attendance at events; information on specific areas of interest or expertise relevant to the Objects of the Community.
The legal basis for the Community to process personal data is the legitimate interest of the Community to maintain its financial records (including the processing of Gift Aid); to provide news and information about the Community, events and activities; to fundraise; and to promote the interests of the Community.
Preferred methods of contact with an individual are processed by consent of the individual.
Sharing Personal Data
Personal data will be treated as strictly confidential and will only be shared as necessary with employees of the Community so that they can carry out their duties and for purposes connected with the Community.
Contact information will be shared only with authorised representatives of the Community.
Data will only be shared with others not included above with the explicit consent of the person.
Questions About the Data and Its Use
If a person has questions about their data, and what the Community does with it, they should contact the Data Controller
Rights of a Person Whose Data is Held and Processed by the Community
A person has a number of rights under GDPR:
- The right to know what data is held
- A person has a right to know what personal data is held about them.
- This statement describes the data that is held. A person may ask if the Community has any other data about that person which is not covered by this statement.
- The right to request a copy of the data the Community holds
- A person can ask for a copy of the data the Community holds about them. This is called a “subject access request”.
- If a person makes a “subject access request”, the Community will give the person a copy of the data the Community holds about them.
- The Community will do this within one month. The Community will normally give the person the data in a computer file.
- The right to object
- A person can object if the person thinks the Community is using the data in the wrong way.
- A person can also object if that person thinks the Community does not have “lawful grounds” for using the data.
- The Community will give a person a statement explaining why the Community uses the data and explaining the “lawful grounds”.
- If a person is still not happy, that person can complain to the Information Commissioner’s Office (https://ico.org.uk/make-a-complaint/)
- If the Community is using the data in the wrong way, the Community will stop immediately and stop it happening again.
- Right to have data corrected
- If a person thinks that there is a mistake in their data, the Community should be told. The person has a right to have it corrected.
- The Community may need to check what is the correct data but will put right any mistakes as soon as possible.
- Right to be forgotten
- The Community will remove data immediately on request of a person or their legal representative. Otherwise, data will be removed two years after the last contact with the person.
- This does not apply to Gift Aid declarations and records which the Community is legally obliged to retain for six years after the calendar year to which it relates.
- Other financial information may be held for up to six years for accounting purposes.
If anything happened to data that could be a risk to a person, the Community will do its best to inform those concerned as quickly as possible
The Data Controller is the Business Director of the Community.
A Director of The Iona Community (Company limited by guarantee ref:SC096243) has been nominated by the Council to oversee matters pertinent to GDPR.
A pdf version of the official statement is available: Data Privacy Statement (Community)