General Data Protection Regulation

I’ve had some things through the post from organisations I am a member of in relation to General Data Protection Regulation that come in to force in May.

Apparently as described by our RBL branch secretary, all organisations need to contact members, to say what information they hold and get their permission to say what they hold including ways of contacting them. As I understand it if organisations don’t contact all members by May, they could be in bother, if they don’t do this and continue to contact people.

After May all new joiners will have to indicate the ways they wish to be contacted. Again as I understand it this will also affect the tick boxes where you have to say that you don’t want them to contact you or pass your details to “selected 3rd parties”, now you have to say they can.
Has anything come out from HQAC regarding this? I would have thought they would have to contact all members as they hold lots of personal information on people and get their permission as to what information they hold and how members wish to be contacted after May.

I will imagine HQAC will say they are the MoD and it doesn’t apply, which is probably OK for employees, but not for volunteer staff and cadets.

Volunteer staff…
Would be the same as your employer sending you things in my book.

Some bits came out from my RC the other day so they should be coming down the CoC to people.

They are leaving it a bit late.

Anyway, all sqn staff are volunteers all DPA regulations and implementation should be done by the paid staff and not the unpaid sqn volunteers.

I had this mentioned at our Legion meeting and our PCC secretary has mentioned it as well, and it does seem the ATC could be in for a bit of a shock.

My details are on the disaster and sec standing orders in the main office for all to see. If this is right I can remove my details from these documents as can the others listed.

Might just have to wait and see what comes from the top, but with at May implementation date, the clock is ticking, given we have Easter before that.

1 Like

it is a good question however - this is a charity commission policy which i believe the RAFAC (as an MOD thus Government) do not fall under

see https://www.charitycommissionni.org.uk/news/gdpr-reminder-for-charities/

I too wear an RBL hat and questioned this but as it was explained it would seem this is purely a Charity thing.

if you are a member of a charity, donate regularly etc then it is relevant…for RAFAC business? not so much (unless part of the CWC)

I would assume that as a member of the RBL you would be considered to be a member of the charity, which is probably why its been mentioned at meetings.

I wonder though where do parents stand as subs are treated as donations and we sort of have charity status and claim gift aid? I bet HQAC sit around with their thumbs up their backsides until the last minute and then issue loads of forms that needed to be done three weeks beforehand.

1 Like

I’ve had an email today from the DofE relating exactly to this and I imagine there are many across the ATC who have.
Still waiting from the one from the ATC so I can opt out.

absolutely - Branches have Newsletters and events to promote and in the modern era email is the format of choice, of course in doing so if not BCC then the memberships emails are shown in the distribution.

this is an interesting point and one i haven’t considered. we certainly look after personal data (F3822A etc) in locked cabinets in locked rooms, but how else do we interact with parents?
in all my time i haven’t known a Squadron actively have a Squadron Mailing list for parents.
I have on occasions (counting on one hand) sent parents email ahead of an event, typically a camp with some points to note however with the introduction of FB to the Squadron community any parental interaction tends to be via the FB platform, which is not monitored, not audited or comes with any of the security we have with Bader email

The problem you can see is the ATC sleepwalking into a problem. This is what happened when the LASER Review was going on as apparently someone caught sight of the Children’s Act and there was panicky ‘oh pooh we need to do something about this’, hence the over 18 cadet fiasco we got and have been saddled with since.

I get the impression from what I have received is that you have to give positive consent for an organisation to contact you, before May. No consent, they are not able to contact you, even if you have previously received things from them. Even then you have to specify the method of contact. We have parents contact details on consent forms and until now we have assumed we can just contact them, I get the impression we cannot assume for much longer.

There are probably people in HQAC thinking we’re MOD it doesn’t apply and just carry on as normal. Which is what I get a sense of wrt CRBs in 2003/2004.

correct - or at least how I understand it to.
with the addition of WHAT information is held.
“you made store my name, email and postal address but only email me” for example

looking at the GDPR website in more detail i have found the following

Children
You should start thinking now about whether you need to put systems in
place to verify individuals’ ages and to obtain parental or guardian
consent for any data processing activity.
For the first time, the GDPR will bring in special protection for children’s
personal data, particularly in the context of commercial internet services
such as social networking. If your organisation offers online services
(‘information society services’) to children and relies on consent to collect
information about them, then you may need a parent or guardian’s
consent in order to process their personal data lawfully. The GDPR sets
the age when a child can give their own consent to this processing at 16
(although this may be lowered to a minimum of 13 in the UK). If a child is
younger then you will need to get consent from a person holding ‘parental
responsibility’ This could have significant implications if your organisation offers online
services to children and collects their personal data. Remember that
consent has to be verifiable and that when collecting children’s data your
privacy notice must be written in language that children will understand.

taken from https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

as i read it, we should have parental consent to manage details we hold on SMS and elsewhere IF we are classed as a charity and report to/overseen by the Charity Commission.

This is not exactly true based on my understanding. There are set reasons to allow the processing/use of data, one of which is consent as above. Another reason is to protect the interests of the individual - so that would seem to cover NOK contact information given on consent forms, and you probably have a legal obligation as we are dealing with minors.

There is also the one that is “processing is necessary for the purposes of the legitimate interests pursued by the controller”. If you are sending parents information about things their children are doing, I imagine that would be a legitimate interest of the organisation as it is necessary for things to run smoothly.

1 Like

Does this mean that I can say you can only phone we between 17:00hrs and 21:00hrs as between 07:30 to 17:00 in working or traveling to work and my boss doesn’t like it.

So it would seem there is an annoucement via Email

summarised as

The final details of the changes are currently being debated by the House of Lords but there will be some impact on the RAF Air Cadets…
…The 2018 Data Protection Act also includes a right to erasure, also known as ‘the right to be forgotten’…a request to erase the personal information about an individual would result in that individual having to leave the organisation.

Interestingly there is no mention about gaining consent for said information to be held.

Only yesterday one group got in contact with me I am a member of asking me to confirm the personal details they hold on me and requested that I confirm it may continue to be held…

How can they say that. This sounds like typical HQAC teddy throwing, that I am sure would need to have something.

This is what I’ve had and no mention of having to cease membership, should I want to be forgotten. The only contact details they need are postal address.

For staff - they’re volunteers so details are needed to be held (same as an employer would).

For cadets - service records, medical forms, etc that may be needed during the course of a cadet career.

For parents - mainly NOK for the cadets so contact details needed.

Civ Com - Trustees & members of various squadrons so they need to know how to contact people.

Think you’re making a mountain out of a molehill on this one!

3 Likes

What’s new there?:roll_eyes:

2 Likes

The thing is this isn’t really new. Organisations have a right to hold and process personal information where is it necessary for the functioning of the organisation, which it clearly is. If an individual really wanted to “be forgotten” then they could leave, but I am not sure that would grant the instant right as it would still be considered reasonable to keep hold of the basic data for a specified time frame for legal reasons. Imagine someone demanding to be forgotten, and then making a claim for damages the next week - oh sorry, we have no record of you at all.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

The main thing to do is to make sure the data being stored is actually required, it is stored properly and you know where it is kept. Don’t get your knickers in a twist over ridiculous situations.

I know, God forbid someone thinks about things and not just accept the same old line from HQAC.

But what do they need at a functional level to contact people?
The most they need is a postal address and phone number. Might not fit with the modern way, but that’s life.
If you are on an activity information is on consent forms.
Then there is people having their names. photos and other details displayed for all to see. I’ve always been uneasy about this.

If other organisations are OK with people selecting how they are contacted and what information is held, why would the ATC be so, by the tone of the email, anti. They have the opportunity to get ahead of the game, but as they seemingly need permission to go to the toilet or just blow their noses, that won’t happen.

Our Legion meeting is tomorrow so it will be interesting to see what they are doing. I spoke to the secretary last week and he said that the Legion are changing membership applications and the branch returns, which has a lot of personal details on. Our church is going to remove the electoral roll from noticeboards and not naming people on displayed PCC minutes and getting specific permissions from people about what contact details they can publish / use on websites. Even at work, photo boards are being taken down and replaced by name only boards.

The gist of this is requiring positive permission to hold / use information.

Completely wrong on that one. The organisation will need a reasonable amount of personal information including your criminal record history (or hopefully lack of), as it’s a safeguarding issue.

Don’t want to be DBS checked? Goodbye.

3 Likes