The new General Data Protection Regulation (GDPR) comes into force in the UK on 23rd May 2018.
All RCS staff and volunteers who handle people’s personal information will need to know what are the changes in our members’ and clients’ data protection rights.
They need to know what are their new responsibilities when they handle any personal information – this includes the personal information of members and clients, staff and volunteers.
The first RCS GDPR training session takes place on 13th April 2018 and some of the key resources discussed at that training session are available here.
For more information about data protection at RCS, to ask a data protection question or to report a data protection issue, please contact
the RCS Data Protection Officer, Gill Swash at firstname.lastname@example.org.
List of resources:
Powerpoint Presentation GDPR training April 18
RCS Data Protection Policy Data Protection policy 2018 ratified
RCS Subject Access Request policy and procedure Subject Access Request Policy March 2018 RATIFIED
DRAFT Data Breach policy and procedure DRAFT RCS Data Breach policy 13-04-2018
Your questions answered:
With the proviso that I am not a GDPR expert, to the best of my knowledge, below are the answers to the questions you wrote:
- Does GDPR apply to dead people?
According to the GDPR definitions :
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
On the subject of dead people, Recital 27 of the Act makes it clearer :
“This Regulation does not apply to the personal data of deceased persons. 2Member States may provide for rules regarding the processing of personal data of deceased persons.”
- If I am told data about me is being shared with a third party can I say no?
To answer this question you have to know what is the legal basis for processing the data? The answer depends on what is being shared, by whom and with whom.
If your data is being shared with a third party as part of a contract you have signed, or in order to comply with the law or if it is in your vital interests that information is shared, then you cannot say no. If none of these situations apply and your data being shared without your consent you could say no. Even if you have consented in the past, under GDPR you can withdraw your consent.
RCS relies on consent as its legal basis for processing almost all personal data, so an RCS member would be able to object to their data being shared with a third party. – unless of course they had broken the law or were unconscious and in urgent need of medical attention, when different legal bases would apply.
- How will RCS cope with GDPR when supporting people with dementia or limited capacity?
This is an interesting one. There is a lengthy guide to consent which if brief on the subject of capacity to consent. It states:
“The GDPR does not contain specific provisions on capacity to consent, but issues of capacity are bound up in the concept of ‘informed’ consent.
Generally, you can assume that adults have the capacity to consent unless you have reason to believe the contrary. However, you should ensure that the information you provide enables your intended audience to be fully informed.
It may be that you do have reason to believe that someone lacks the capacity to understand the consequences of consenting and so cannot give informed consent. If so, a third party with the legal right to make decisions on their behalf (eg under a Power of Attorney) can give consent. “
It leaves a lot of questions unanswered and this is an area where we will have to be vigilant and look out for further guidance.
This emphasises how important it is that our privacy notices are easy to understand and why RCS staff need to be ready to sit down with new members and explain to them what it is we are asking them to consent to.
- Paper copies of personal information. Where and how are these stored currently and what if there is a fire! Is there a secondary back up?
RCS stores the signed copies of membership forms and consent forms in locked filing cabinets in the RCS office in Malpas OPAL club premises. If these forms were destroyed in a fire the information we need to continue to provide OPAL Services is held on computer, (albeit not in precisely the same format) so the loss of joining forms would not stop our services from running. However, we would need to register the disaster as a data breach and set about informing data subjects and the ICO. In practical terms we would certainly have to ask members to sign new consent forms as we need evidence that we have consent to process their data.
- Subject access policy: What is undue effort and what is sufficiently well defined personal data?
- Undue effort: means where the amount of effort required to make the information available in a permanent form is out of proportion to the value of the information to the data subject.
- Sufficiently well defined personal data: means that if RCS receives a subject access request, one of the first tasks is for us to make sure that the data subject has given us enough information for us to be sure we know what information we are being asked to provide and can get it right first time.