Monday 12 February 2018

Read your own PRIVACY NOTICE and consider – would I sign this?


I have put this article into two parts: a SUMMARY, which essentially makes the point, and the DETAIL, with an invitation to “crowd source” all your comments on this document. Think of it as a “where’s wally” exercise for GDPR professionals.

I was recently asked to review a Privacy Notice for a Club/Association that I will keep anonymous. I am sharing the feedback as a learning exercise for anyone contemplating a Privacy Notice, and as a stark warning for anyone who simply recycles someone else’s Privacy Notice without thought.

SUMMARY


This is about a club with a membership who meet regularly to discuss their pet topic. They are not a business. They are not part of government. It is simply a club for which the text below details the conditions for membership.

First, have a look at the Data Protection Principles here

Lawfulness, fairness and transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
Purpose limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
Data minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Accuracy
Personal data shall be accurate and, where necessary, kept up to date
Storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
Integrity and confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Accountability
The controller shall be responsible for, and be able to demonstrate compliance with, the above principles (Article 5(2) GDPR)



Now consider: would you sign this as a club membership condition?

[zzzzzzzz] may collect and process [all and any] social media accounts + work and home details + professional life + personal relationships

[zzzzzzzz] may disclose your personal data to
• other members
• professional advisors, banks and other service providers [unlimited]
• any central or local government department and other statutory or public bodies as required.

This seems excessive as a pre-condition of joining a Club/Association whose purpose is monthly chats about common interests. Measured against the principles above:

1.      The data does not seem to be collected for specified, explicit and legitimate purposes {ie managing membership of a club}, and nothing in the notice limits further processing to purposes compatible with those.
2.      Nor is it adequate, relevant and limited to what is necessary in relation to the purposes {ie managing membership of a club}: social media accounts and personal relationships are not needed to run a membership list.
3.      It is not obvious that this is fair and transparent {why is data being shared so widely, and specifically what data?}
4.      If data is being stored for at least 10 years and shared widely, how is it kept accurate and, where necessary, up to date?
5.      There is no mention of data-controller/data-processor agreements, and the notice is vague {given the nature of social media accounts + work and home details + professional life + personal relationships} about how data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss. Section 8 simply asserts “up-to-date data storage and security techniques” without naming a single technical or organisational measure.

DETAIL

Read the full text here. Would you sign an agreement that said this? What modifications would you suggest? Think of it as a “where’s wally” exercise for GDPR professionals.

1. Introduction
This Privacy Notice sets out how the [zzzzzzzz] (“[zzzzzzzz]”) deals with your personal data which we collect in the course of your use of this website and as a result of you interacting with The [zzzzzzzz] entities in other ways. We may collect certain information about you in the course of your use of this website and otherwise in your interaction and correspondence with us. We take privacy and security of your information seriously and will only use such personal information as set out in this privacy policy.

2. Collection of Information by Third Parties
The [zzzzzzzz] website contains links to other sites whose information practices may differ from those of The [zzzzzzzz]. If you should visit such third-party sites, you should ensure that you review the appropriate privacy notices as we have no control over information that is submitted to, or collected by, these third parties.

3. Who We Are – The [zzzzzzzz]
Information which is collected as a result of your use of this website will be the responsibility of the [zzzzzzzz], who will act as data controller in relation to your personal data.
The [zzzzzzzz] is a members’ association for those with an active interest in Jersey [zzzzzzzz] issues.

4. Where And When we Collect your Data
We may collect and process your personal data from a variety of sources including:
• Your use of this website;
• Your interactions with our officers, committee and members;
• The information you provide us when you are applying to join the [zzzzzzzz];
• When you interact with us on behalf of your own employer or institution;
• Your colleagues when they write to us on your behalf; and
• Information which we collect from our contact on social media (including but not limited to Twitter and LinkedIn).

5. What Data We May Collect
We may collect and process the following types of personal data:
• Your work and home details, such as email address, postal address and/or telephone number (both landline and mobile);
• Your job title and professional qualifications;
• Details of your social media accounts;
• Details of your professional life including your occupation and professional interests;
• Details of your visits to our websites and applications including, but not limited to, traffic data, location data and other communication data, and the resources that you access;
• Details of your interactions with us, including any which occur electronically or in person;
• Details of your professional and personal relationships;

6. What we use your personal data for
The [zzzzzzzz] and/or persons acting on our behalf may process your personal data for a number of business purposes, (depending on the capacity in which you deal with the [zzzzzzzz]) which may include:
• to ensure the content on our websites and applications is presented in the most effective manner for you;
• to manage your membership of the [zzzzzzzz] and any training requirements which you may have from time to time;
• to ensure the protection of the interests and reputation of the [zzzzzzzz];
• to comply with our legal, tax and regulatory obligations;
• for monitoring and assessing compliance with the [zzzzzzzz]’s policies and standards;
• for promotional and marketing materials and activities, including photos and videos;
• to provide you with requested products or services;
• in order to ensure the security and access of our systems, premises, platforms and secured websites and applications; and
• other purposes reasonably ancillary to the above
Many of the above ways in which we process data may be as a result of legal or regulatory obligations. Some may be based on your consent (which we will obtain at the time of collection and at appropriate other times).
Where we process data for our legitimate business interests, you have the right to object to such processing (see below in relation to your rights). Please bear in mind that if you do object this may affect our ability to carry out tasks above for your benefit.

7. When we may disclose your personal data
We may disclose your personal data to the following for the purposes
• To other [zzzzzzzz] members.
• To third party data processors who process your personal data on our behalf (such as our IT systems providers);
• To third-party service providers which are themselves data controllers such as professional advisors, banks and other service providers;
• To third parties in the course of providing membership benefits and products.
• To any national and/or international regulatory, enforcement or exchange body or court where we are required to do so by applicable law or regulation or at their request.
• To any central or local government department and other statutory or public bodies as required.

8. Data Security
The  [zzzzzzzz]  uses up-to-date data storage and security techniques to protect your personal information from unauthorised access, improper use or disclosure, unauthorised modification or unlawful destruction or accidental loss.
Any third parties we engage to process your personal information are obliged to respect the confidentiality of your information.

9. International Transfers
The personal data we collect from you may be processed in (including being accessed in or stored in) a country or territory outside your home country, including outside the European Economic Area (“EEA”).
Where we transfer data to another jurisdiction, which does not offer the same level of protection of personal data as may be enjoyed within your home country, we will ensure that your data is appropriately protected.

10. How we use cookies and other similar technology on our websites
This website uses cookies. A cookie is a small text file that a website saves onto your device when you visit the site. It enables our website to remember your actions and preferences over a period of time, so you don’t have to keep re-entering them when you come back to the site or browse from one page to another. It makes your experience with us more seamless.
Our pages use cookies to remember:
• Your display preferences, such as colour settings or font size.
• If you have already replied to any pop-ups that appear so that you won’t be asked again;
• If you have agreed (or not) to our use of cookies on this site;

Any videos embedded in our pages use a cookie to anonymously gather statistics on how you got there and what videos you visited.
Enabling these cookies is not strictly necessary for the website to work, but it will provide you with a better browsing experience. You can delete or block these cookies through your browser, but if you do that some features of this site may not work as intended.
The cookie-related information is not used to identify you personally and the pattern data is fully under our control.
These cookies are not used for any purpose other than those described here.

11. How Long We Retain Personal Data
We will retain your personal data for as long as necessary to fulfil the purpose for which it was collected.
Once those purposes are completed, we then have legal and regulatory obligations to fulfil in connection with data retention which we will need to fulfil.
Additionally, we may also retain personal data in some circumstances for a period of at least ten years in order to ensure that we are able to answer and deal with any queries, complaints, tax enquiries or investigations or any legal proceedings which may arise.

12. Your rights
You have the right to apply for a copy of the personal data we hold about you and to have any inaccurate personal data about you rectified.
In some circumstances you may also have the right to ask us to erase your personal data or restrict its processing.
Where we process your data for our legitimate interests, you have the right to object to such processing.
Where our processing is based on consent, you may withdraw your consent by emailing membership@[zzzzzzzz]
Please bear in mind that if you object to processing or withdraw your consent, this may affect our ability to deliver services to you.
Should you wish to discuss the exercise of any of your rights, please contact us as set out below.

13. Contact information
If you have any questions in relation to this policy or [zzzzzzzz] within please contact us at:
[zzzzzzzz]

If you currently receive marketing information from us which you would prefer not to receive in the future please email us at [zzzzzzzz]

NEED SUPPORT WITH GDPR?

Jersey Community Partnership and Association of Jersey Charities are looking to co-ordinate resources and suppliers, and there may be grant funding available.

Jersey Charities Q&A

Jersey Data Protection Association list of GDPR events

GDPR Reform in the Channel Islands

EU Guidance Site

CONTACT

TimHJRogers@AdaptConsultingCompany.Com
+447797762051 Skype: timhjrogers TimHJRogers@gmail.com
