Data Protection and Confidentiality Policy – May 2018
This policy sets out the basis on which the European Association of Mental Health in Intellectual Disability (EAMHID) will collect, store and use personal information. It is written in accordance with the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679. Any questions regarding the management of personal data should be directed to the treasurer.
In the course of its activities EAMHID will collect, store and use personal data, including information about:
- Current and past members;
- Conference delegates;
- Others with whom it communicates;
EAMHID is committed to the lawful and correct treatment of personal information and it is our policy to comply with data protection legislation at all times.
This policy applies to:
- Members of the Executive Board;
- Officers of the Board;
- Anyone engaged to carry out work on behalf of or in association with EAMHID;
This Policy sets out EAMHID’s rules on data protection and the eight data protection principles contained in it. These principles specify the legal conditions that must be satisfied in relation to obtaining, using, transporting, storing and destroying personal data.
This policy may be changed by EAMHID at any time. It is a condition of membership or other association with EAMHID that those who obtain, use, transport, store or destroy personal data adhere to the rules of this Policy. Any breach of this Policy will be taken seriously and will be referred to the Executive Board for action.
Anyone who considers that the Policy has not been followed in respect of personal data about themselves or others should raise the matter with the Treasurer and the President.
Data protection principles
Anyone processing personal data must comply with the six data protection principles set out within the GDPR Regulations.
These provide that personal data must be:
- Used lawfully, fairly and with transparency;
- Collected and used for specified, explicit and legitimate purposes;
- Used in a way that is adequate, relevant and not excessive;
- Kept for no longer than is necessary, and only used for the specified purposes for which it is agreed the data can be held;
- Used and kept in a way that ensures the security and protection of the individual's data;
- Handled so that the organisation can demonstrate compliance with all of these principles, as required by the accountability obligations set out within the GDPR Regulations;
Fair and lawful processing
This Policy is intended not to prevent the necessary processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the individual.
For personal data to be processed lawfully, certain specific conditions have to be met. These include, among other things, requirements that the data subject has consented to the processing, or that the processing is necessary for the legitimate interest of EAMHID or the party to whom the data is disclosed. In many cases, the individual can give implied consent if he or she is informed of all the subsequent uses of the personal data when it is collected.
We do not collect sensitive personal data (e.g. data relating to physical or mental health or racial or ethnic origin).
Processing for specified purposes
Personal data should not be disclosed to anyone who does not reasonably require the information for the purpose for which it was collected. In addition, no personal information should be disclosed if the reasons for that person requesting the information appear unclear or doubtful.
Adequate, relevant and non-excessive
Personal data should be adequate and not excessive for the purposes for which it is processed and it should be kept accurate and up to date. Care should be taken when requesting or keeping information about individuals. Requests from members, associates or other individuals to update personal records shall be dealt with promptly and cross-referenced to any other files containing personal information.
Personal data must be accurate and kept up to date. Information which is incorrect or misleading is not accurate and steps should therefore be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date data should be destroyed.
Retention of personal data
Personal data should not be kept longer than is necessary for the purpose. This means that data should be destroyed or erased from EAMHID records where the data is no longer required for any legitimate or reasonable purpose of the Association.
Processing in line with individual rights
Data must be processed in line with individuals’ rights as laid out within the GDPR Regulations. EAMHID recognises the importance of these rights. Individuals have a right to:
- be informed about what data is held by the organisation;
- have access to the information held upon request;
- require that mistakes are rectified promptly;
- have their data erased (to be forgotten) where this data is not held under legal requirement;
- restrict processing of the data to only what is needed;
- have their data made available to them in a portable form;
- object to how their data is used;
Dealing with Subject Access Requests (SAR)
A formal request from an individual for information held by EAMHID about them must be made in writing. Anyone who receives a written request should forward it to the Treasurer promptly. EAMHID will deal with all Subject Access Requests promptly and within one calendar month.
When receiving telephone enquiries, care should be taken about disclosing any personal information held on EAMHID records. In particular the person receiving the call should:
- check the caller’s identity to make sure that information is only given to a person who is entitled to it;
- suggest that the caller put their request in writing where the caller's identity is uncertain or cannot be checked;
- refer to another officer of the Executive Board for assistance in difficult situations;
Data Protection Officer
The Data Protection Officer is the Treasurer.
Data security
EAMHID must ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
EAMHID has put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data may only be transferred to a third-party data processor, such as an events management organisation or publishers, if they agree to comply with those procedures and policies, or if they put in place adequate measures themselves.
Security procedures include:
- Data to be held on secure PCs or storage with encryption;
- Secure lockable desks and cupboards – Desks and cupboards should be kept locked if they hold confidential information of any kind (Personal information is always considered confidential);
- Methods of disposal – Paper documents should be shredded and/or placed in sealed confidential waste bins. DVDs and CDs should be physically destroyed when they are no longer required;
- Equipment – Data users should ensure that their screens do not show confidential information to passers-by and that they log off from their laptop/PC when it is left unattended;
- Data users should not leave laptops, phones or PDAs unattended;
- Non-disclosure agreements for contractors;
Personal data outside the EEA
Personal data should not be transferred outside the EU unless:
- the individual concerned has given informed consent;
- contracts are in place to ensure there will be adequate protection for the personal data;
- the transfer is permitted under data protection legislation;