PRIVACY NOTICE AND DATA PROTECTION POLICY

General Data Protection Policy (GDPR)

Beth Shalom Reform Synagogue (BSRS) is committed fully to compliance with the requirements of the Data Protection Act 1998. The 1998 Act applies to all organisations that process data to their employees, as well as to others e.g. customers and clients. It sets out principles, which should be followed by those who process data; it gives rights to those whose data is being processed. To this end, BSRS endorses fully and adheres to the eight principles of data protection, as set out in the DPA.

  1. Data must be processed fairly and lawfully.
  2. Data must only be obtained for specified and lawful purposes.
  3. Data must be adequate, relevant and not excessive.
  4. Data must be accurate and up to date.
  5. Data must not be kept for longer than necessary.
  6. Data must be processed in accordance with the “data subject’s” (the individual’s) rights.
  7. Data must be securely kept.
  8. Data must not be transferred to any other country without adequate protection in place.

These principles must be followed at all times when processing or using personal information. Therefore, through appropriate management and strict application of criteria and controls, BSRS will:

  • observe fully the conditions regarding the fair collection and use of information
  • meet its legal obligations to specify the purposes for which information is used
  • collect and process appropriate information only to the extent that it is needed to fulfil our operational needs or to comply with any legal requirements
  • ensure the quality of information used
  • ensure that the information is held for no longer than is necessary
  • ensure that the rights of people about whom information is held can be fully exercised under the DPA (i.e. the right to be informed that processing is being undertaken, to access one’s personal information; to prevent processing in certain circumstances, and to correct, rectify, block or erase information that is regarded as wrong information)
  • take appropriate technical and organisational security measures to safeguard personal information
  • ensure that personal information is not transferred abroad without suitable safeguards.

Status of this Policy

The Data Protection Legislation is not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.

This Policy sets out the basis on which we process any personal data that we collect from data subjects.

The Policy does not form part of the formal contract of employment for staff but it is a condition of employment that staff will abide by the rules and policies made by BSRS from time to time. Any failure to follow the Data Protection Policy may lead,
therefore, to disciplinary proceedings.

If you have any queries, issue, concerns or problems in relation to our Privacy Policy, please contact Aurore Karat at

Staff Responsibilities

All staff are responsible for:

  • checking that any information that they provide to BSRS in connection with their employment is accurate and up to date.
  • informing BSRS of any changes to the information that they have provided, e.g. changes of address, either at the time of appointment or subsequently. BSRS cannot be held responsible for any errors unless the employee has informed it of such changes.

Data Security

We will take appropriate security measures against unauthorised or unlawful processing of personal data, and against the accidental loss of, destruction or damage to personal data. We will maintain data security by protecting the confidentiality, integrity and availability of personal data.

  • Confidentiality: Only people who are authorised to use the data can access it. Personal information is not disclosed either orally or in writing or via Web pages or by any other means, accidentally or otherwise, to any unauthorised third party.
  • Integrity: Personal data should be accurate and suitable for the purpose for which it is processed.
  • Availability: Authorised users should be able to access the data if they need it for an authorised purpose.

Staff should note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases. Personal information should be kept in a locked filing cabinet, drawer, or safe. If it is computerised, be coded, encrypted or password protected both on a local hard drive and on a network drive that is regularly backed up. If a copy is kept on removable storage media, that media must itself be kept in a locked filing cabinet, drawer, or safe.

Subject Consent

In many cases, BSRS can only process personal data with the consent of the individual. In some cases, if the data is sensitive, as defined in the DPA (and to which special rules apply), express consent must be obtained.

Subject Access

Data subjects may request details of personal information which we hold about them under the DPA. This request should be made in writing. The requested information will normally be provided within 40 days of the request. 

If a data subject believes that any information held on him or her is incorrect or incomplete, then they should write to or email the Designated Data Controller as soon as possible. BSRS will promptly correct any information found to be incorrect.

Disclosure

We may share personal data we hold on any member of BSRS where it is necessary for our legitimate purpose. We currently share information on data subjects with:

  • KVT BusinessCare Ltd, our administrator, who provide a data processing servicing to BSRS. Contact for KVT: Val Nurse, KVT, Unit 1, Chapelton Lodge, East Winch Road, Blackborough End, King’s Lynn, Norfolk PE32 1SF
  • Movement for Reform Judaism (MRJ), the umbrella organisation which provides service that one synagogue alone cannot offer. These include our Youth Movement (RYS-Netzer), Young Adults, Jenerations (Students), Rabbinic Court (Beit Din), national and regional events and activities (e.e. Chagigah, Northern Chagigah, Sha’arei Chagigah). Personal data shared with MRJ will not be passed on to any other organisation or be used to send you any fundraising material.
  • Jewish Joint Burial Society, who provides funeral services for Jewish people and non-Jewish partners. We send JJBS information regarding personal details of our members and their children under the age of 21 (name, gender, address and date of birth). This data is required under contract to ensure that JJBS is able to provide a burial for our members. This information is processed to enable JJBS to estimate their future liabilities. It is never used for marketing purposes and is not passed onto any third party. Members who terminate their membership with BSRS can request to be forgotten by JJBS but if they wish to re-join and JJBS have no prior information, they may lose some of their membership rights and their right to a future discounted non-member funeral.
  • HRMC, as we claim gift aid on some donations.

Changes to this policy

We reserve the right to change this policy at any time. Where appropriate, we will notify data subjects of those changes.

Conclusion

This policy sets out this organisation’s commitment to protecting personal data and how that commitment is implemented in respect of the collection and use of personal data.

last updated 31/05/2018