Remember My Baby Remembrance Photography 

Data Protection Policy

INTRODUCTION
Remember My Baby Remembrance Photography (“RMB”) is a charity dedicated to offering remembrance photography for those parents in the United Kingdom who experience the loss of a baby before, during or shortly after birth. As a charity, RMB has a responsibility to ensure that it uses personal data fairly, transparently, and above all in accordance with the law. As such, RMB has developed this Data Protection Policy (“Policy”), which is designed to help ensure that RMB meets its obligations under data protection law. Everyone in RMB is accountable for upholding the Policy’s requirements.
This Policy covers use of personal data about individuals whose personal data RMB processes as part of its activities, such as supporters, staff, volunteers, beneficiaries, members, trustees, health professionals, suppliers and sponsors (“Data Subjects”). We need to comply with the rules set out in this Policy about how we use personal data. No one is exempt from compliance with these rules.
This Policy does not form part of any employee, volunteer (or similar) contract and may be amended at any time. You will be notified of any significant changes.
RMB’s Trustees have overall responsibility for making sure that the charity complies with data protection law and this policy.
YOU ARE REQUIRED TO FAMILIARISE YOURSELF WITH THIS POLICY.

BACKGROUND
What is data privacy law?
Data privacy (or data protection) law gives people the right to control how their “personal data” (any information that relates to them, such as name, contact details, allegations of criminal activity etc.) is used. It also places obligations on organisations that use personal data. Personal data is interpreted broadly by regulatory authorities: any information from which a living individual can be identified (whether from that information alone or that information when combined with other information in RMB’s possession) will qualify as personal data.

Certain categories of personal data (known as “special categories of personal data”) will subject RMB to more strenuous obligations. These include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data, biometric data; or data concerning health or a person’s sex life or sexual orientation.

From 25 May 2018, all countries in the European Union are subject to the General Data Protection Regulation (which replaces EU Directive 95/46/EC) and existing local law will be substantially repealed.

The main pieces of data protection legislation that RMB is obliged to comply with are:

The General Data Protection Regulation (“GDPR”);
The Data Protection Act 2018; and
The Privacy and Electronic Communications Regulations 2003 (“PECR”).
The UK’s data protection authority, the Information Commissioner’s Office (“ICO”) also issues guidance and codes of practice on how data protection legislation should be interpreted and put into practice.

How does data privacy law affect RMB?
In brief, the majority of our operations necessitate processing personal data, and are therefore affected by data privacy law. RMB holds personal data on Data Subjects for a number of different purposes so that it can carry out its charitable activities. Examples include:

processing personal data about employees and volunteers (and prospective volunteers) to fulfil our obligations to administer the charity and fulfil our obligations to employees and volunteers;
handling beneficiaries’ personal data when we provide them with our services;
holding supporters’ contact details in order to share information on our work and events;
administering financial information so that we can process donations;
sending thank you letters to and communicating with donors;
promoting the work of the charity through case studies, stories and press articles;
communicating with health professionals and providing them with information and materials that they may have requested;
maintaining our membership list;
administering our Wall of Remembrance and Words of Appreciation;
provision of training sessions and conferences;
administering our social media accounts;
selling RMB merchandise such as wristbands and other products via our website;
processing applications from volunteers including volunteer photographers;
maintaining contact details of photographers that volunteer with us through our “Find a Photographer” function and administering the “Take a Break” form; and
receiving personal data about our supporters when they use our website or otherwise communicate with us.
What are we doing about it?
RMB treats compliance with applicable data privacy laws very seriously. We have developed this Policy in order to maintain the highest possible standards of compliance to ensure that Data Subjects whose personal data we process are properly protected, and that our internal procedures are designed to ensure compliance. We have developed this Policy to ensure that the personal data we collect and use is done so in accordance with applicable data privacy laws.

2.4. What are the consequences if we get it wrong?

Getting it wrong can have serious consequences for RMB, ranging from complaints from Data Subjects to fines from regulators, and bad publicity which may undermine our charitable work.

What types of personal data does the organisation collect?
RMB collects personal data relating to Data Subjects:

Name;
Contact details including postal address, telephone number, mobile number and e-mail address;
Financial information relating to donations, gift aid declarations and giving history;
Name of parents, baby’s name, date of birth, gender and health information about the baby and the health condition of the mother;
Information from our private/closed Facebook groups for RMB volunteers and members.
When should Remember My Baby collect and use personal data?
Remember My Baby must only collect and use personal data in compliance with this Policy and the Rules set out below.

Would you like more information?
If you would like more information about data privacy and how the rules affect RMB, please contact the Data Protection Manager, Michele Selvey.

THE RULES
Ensuring Transparency

Rule 1: We must be transparent about the personal data that we hold on Data Subjects including describing the purposes for which we use personal data.

Understanding the Rule
Being open and transparent in the way we use and share personal data is an important step to demonstrate good data privacy practices. As an example, we are subject to this requirement in how we use personal data on beneficiaries, donors and volunteers, all of whom must therefore be told when we use their personal data.

Practical Steps
Data Subjects must be provided with information about fair processing where we collect and use personal data about them. For example, when families agree to be interviewed about their experiences, or where volunteer photographers agree to be listed in our directory – in each instance, suitable wording must be included to notify the individual of how we will use their information.

A list of the information that RMB is required to provide to Data Subjects is included in Appendix 1.

Collecting and using personal data for a lawful purpose only
Rule 2: We must only collect and use the minimum amount of personal data which is necessary for one or more legitimate business purpose which must be lawful and justifiable.

Understanding the Rule
We must only collect and use personal data (i) where it is relevant to our legitimate business purposes (e.g. in administering the charity), (ii) where we can rely on a lawful basis (or bases – please see section 3.2.3 below), (iii) where the purposes are identified in the data privacy notice provided to Data Subjects, and (iv) where the collection and use is within the individual’s expectations.

Practical Steps
When collecting personal data from Data Subjects, we must ensure that the data collection statement made available to those Data Subjects contains all of the purposes for which the personal data may be used.

In addition, when collecting personal data, we must only collect those details which are necessary for the purposes for which that personal data is being obtained. Any use of personal data must be for the identified purposes and any different or new purposes should have a lawful basis. Personal data that is not necessary for any legitimate business purpose should not be collected or accessed.  Remember My Baby will not use any personal data accessed through their role for any private interest.

Lawful bases
Whenever RMB processes Data Subjects’ Personal data, we must be able to show that we can rely on at least one lawful basis within the tables below:

Can we rely on consent?

In some circumstances, use of personal data requires us to obtain the relevant individual’s consent to the collection and use of their personal data. For instance, consent is often required in order to send marketing to individuals. But consent is not always an appropriate ground to rely on.

Consent is only valid if it is specific and informed so we must provide clear and unambiguous information on the purposes the personal data will be used for when we collect consent. Consent must also be genuine and freely given so individuals must have a real choice about whether to provide their consent and must not be under pressure to consent.

It is important that we obtain documented evidence of the declaration of consent (e.g. in writing or via the use of an opt-in procedure). Please use RMB’s “Consent to Take Photographs” form (wherever it is appropriate and possible to do so). Our use of personal data must not exceed the purposes set out in the consent declaration and should not be used for different purposes.

Relying on explicit consent

In order to use certain types of data – known as special categories of data – we may need to obtain explicit consent from individuals. Special categories of data require additional protection. Special categories of data are data revealing racial of ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or sex life or sexual orientation.

Explicit consent can be effectively obtained where an individual (or their parent or guardian in the case of a child) is presented with a proposal to either agree or disagree to a particular use of his or her personal data and actively responds to that proposal, either orally or in writing (which could be a wet ink signature on a piece of paper, or electronically through the use of an electronic signature, clicking icons or sending confirmatory emails). But the need for explicit consent means it is not possible to construe implied consent through a person’s actions.

What about the legitimate interest lawful basis?

EU data protection law specifically allows processing of personal data where an organisation can rely on the legitimate interest lawful basis. It is not always obvious what this means and when we can rely on it. However, if we wish to rely on the legitimate interest lawful basis we need to be able to satisfy the test below:

We must identify a legitimate interest for using personal data for a particular purpose. It could be our legitimate interest as an organisation or a third party’s legitimate interest. For example: combating fraud, protecting network security, suppressing details on our marketing lists, direct marketing by mail etc.
We must consider whether the processing of the personal data is necessary for satisfying that identified legitimate interest.  In other words, can we obtain the legitimate interest without processing personal data or could another less intrusive way be used.
We must balance the legitimate interest we have identified with the rights and freedoms of individuals whose personal data we will process. Are we sure that the rights and freedoms of individuals do not override the identified legitimate interest? In considering how to balance the different factors we must consider the nature of the various interests, the impact of the processing on individuals and on us, as well as the safeguards that we will put in place to reduce the risk to individuals.
We must always document the assessment we have carried out when considering the legitimate interest basis.

What about other lawful bases?

Contractual necessity – RMB can process a Data Subject’s personal data where it is necessary to do so for the performance of a contract to which the Data Subject enters into, for example fulfilling any orders that are made via our website, such as the sale of wristbands.

Legal obligation – we can process a Data Subject’s personal data where RMB needs to do so to comply with a legal obligation binding on it, for example, processing donations and any accompanying gift aid declarations.

Privacy Impact Assessments
Rule 3: Where the collection and use of personal data is likely to result in significant risks for the rights and freedoms of Data Subjects, we must carry out an assessment into the impact of the proposed collection and use on Data Subjects.

Understanding the Rule
Where we intend to use personal data in a more intrusive way we must carry out an initial assessment to consider whether the use is justified. Carrying out a PIA (also known as a Data Protection Impact Assessment) helps us identify and minimise the privacy risks associated with the use of personal data. Additionally, if we intend to collect and use personal data in a way that could result in discrimination, identity theft, fraud or financial loss, we should carry out an assessment using a PIA Screening Process. This would help to indicate whether or not we need to carry out a full PIA.

As part of the PIA, we must evaluate the origin, nature, particularity and severity of any risk to the privacy of Data Subjects.

Practical Steps
The Data Protection Manager should be informed of any PIA Screening Process. You must not proceed with the collection and use of personal data until you have provided the completed PIA Screening Process to the Data Protection Manager and received guidance on whether a full PIA is required or not.

Ensuring data quality
Rule 4: We must keep personal data accurate and up to date.

Understanding Rule Four
Processing inaccurate information can be harmful to Data Subjects and RMB. The main way of ensuring that personal data is kept accurate and up to date is by ensuring that the sources we use to obtain personal data are reliable.

Data Subjects should be actively encouraged to inform us when their personal data changes.

Practical Steps
Volunteers (and any employees) should be actively encouraged to update their details (e.g. change of address).

To practically ensure that personal data is accurate, it should generally be collected directly from Data Subjects affected.  All supporters, donors and other contacts should be actively encouraged to update their contact details by inviting them, when communication occurs, to notify us of any changes in their personal data.

5. Data retention

Rule 5: We must keep personal data only for as long as is necessary for a specific business purpose and ensure it is securely disposed of.

Understanding the Rule
Any personal data must only be kept where there is a business or legal need to do so. When we dispose of personal data, this must be done in a secure manner.

Legal statutes, regulations or contractual obligations may require that certain personal data be retained for a specified length of time, and it may also be prudent to keep certain personal data for a specific period so that we are able to defend properly any legal claims or manage an ongoing business relationship. In many cases there will not be a specific statutory retention period, and deciding how long a particular record should be retained for will require RMB to balance the possible need to have access to that record in the future, against the practical and legal requirement to maintain organised, accurate and relevant records which are not excessive. In particular, regularly cleansing and deleting records where we are no longer required to retain records, helps to reduce our risk in the long run.

Documents (including paper and electronic versions and email) containing personal data must not be kept indefinitely (other than copies of images) and must always be securely deleted and destroyed once they have become obsolete or when that personal data is no longer required. Personal data must not be retained simply on the basis that it might come in useful one day without any clear view of when or why. There are no specific minimum or maximum periods set out in data protection laws, but we must ensure that once records containing personal data are no longer needed, they are securely destroyed, and not simply retained indefinitely.

Practical Steps
We must follow all internal data retention policies in relation to:

The key applicable retention requirements from both an administrative and (where applicable) legal perspective
Procedures for ensuring that personal data is properly retained and securely destroyed
The process for suspending the destruction of documents in situations relating to pending, threatened or reasonably likely litigation, regulatory or governmental investigations
The responsibilities of those involved in retention activities relating to personal data.
More detail and guidance on how long RMB will retain personal data is included in the data retention schedule at Appendix 2 of this Policy.

Honouring Data Subjects’ rights
Rule 6: We must always be receptive to any queries, requests or complaints made by Data Subjects in connection with their personal data and adhere to our obligations under law.

Understanding the Rule
We will reply to queries and complaints within a reasonable time and to the extent reasonably possible concerning the processing of personal data by us. We are committed to facilitating the exercise of Data Subjects’ rights, which include the following:

Right of Access:
A Data Subject has the right to request a copy of any personal data that we hold about them (as data controller), as well as a description of the type of information that we are processing, the uses that are being made of the information, details of anyone to whom their personal data has been disclosed, and how long the data will be stored (known as a subject access request (“SAR”)).

If RMB is satisfied that it must comply with an SAR, the requested information must be provided to the Data Subject without delay and at the latest, within at least one month of receipt of the request (unless it is a particularly complex request, in which a further period of two months is permitted). However, where it is not possible from the content of the SAR to identify the relevant Data Subject or there is not enough information to identify the personal data in question, RMB is entitled to respond asking for further information.

Please contact the Data Protection Manager immediately if you receive an SAR from a Data Subject.

Right to rectification
A Data Subject has the right to have inaccurate data amended.

Right to erasure (also known as the right to be forgotten)
A Data Subject has the right to request that all of his or her personal data is erased (the right to be forgotten) in certain circumstances. However, even when those circumstances apply, there are exceptions which can allow a controller to refuse a right to erasure.

Right to restriction
A Data Subject has the right to restrict the processing of personal data.

Right to data portability
A Data Subject has the right to receive information relating to the processing of personal data in a commonly used format.

Right to object
A Data Subject has the right to object to the processing of data where the processing is based on either the conditions of public interest or legitimate interests.

Right not to be subject to automated decision-making based solely on automated processing which significantly affects the individual.
Some of the rights only apply in limited circumstances and exemptions may be available. If you have any questions about whether or how RMB needs to exercise/facilitate a Data Subject’s right, please speak to the Data Protection Manager.

Practical Steps
Where we receive a request from a Data Subject exercising one of their legal rights, we must handle it in accordance with our obligations under law. If a valid request concerns a change in that individual’s personal data, such information must be rectified or updated, if appropriate to do so. RMB must also comply with any requests to cease sending a Data Subject any direct marketing or promotional material about the charity.
Taking appropriate security measures
Rule 7: We must always take appropriate technical and organisational security measures to protect personal data.

Understanding the Rule
Personal data must be kept secure. Technical, organisational, physical and administrative security measures (both computer system and non-computer system related steps) are necessary to prevent the unauthorised or unlawful processing or disclosure of personal data, and the accidental loss, destruction of, or damage to personal data.

Where we fail to take appropriate security measures, we may suffer a data security breach and can then be required to notify a local regulator and the Data Subject(s) affected. If we fail to comply with these reporting requirements, we can receive a fine.

Practical Steps
We must monitor the level of security applied to personal data and take into account current standards and practices.

When considering what level of security is required in each particular case, a number of factors must be taken into account including:

The state of technological development
The cost of implementing any measures
The harm that might result from a breach of security
The nature of the information to be protected as special categories of data require greater security.
RMB will implement the following security procedures and monitoring processes that must be followed in relation to all personal data it processes:
Access to the database will be limited to co-founders, regional co-ordinators and other relevant volunteers (such as fundraising co-ordinators);
staff/volunteers should ensure that individual monitors do not show confidential information to passers-by and that they lock their computer when it is left unattended;
all computers and personal devices on which RMB’s personal data is accessed should be password protected and/or have a security pin. Any personal data that is accessed online, must be through a secure (and not open) wi-fi connection;
paper documents should be shredded; portable storage devices should have their contents be erased and be formatted, and any other media on which personal data is stored should be physically destroyed when they are no longer required;
personal data must always be transferred in a secure manner (the degree of security required will depend on the nature of the data – the more sensitive and confidential the data, the more stringent the security measures should be);
laptops, USB drives and other devices should be password protected and/or encrypted wherever possible;
desks and cupboards should be kept locked if they hold confidential information of any kind;
staff and volunteers must keep data secure when travelling or using it outside the offices.
If you become suspicious or are actually aware of any data security breach, you must immediately report the breach to the Data Protection Manager. When we become aware of a breach we can take protective measures that can effectively mitigate the consequences of the breach.

RMB must report data security breaches (other than those which are unlikely to be a risk to individuals) to the ICO within 72 hours of becoming aware of the data security breach. A data security breach may have occurred where personal data has been compromised in some way (for example through sending it outside the control of RMB, or misplacing a laptop in a public place which contains personal data).

RMB is also required to notify affected individuals where a data security breach is likely to result in a high risk to the rights and freedoms of these individuals. The obligation to notify may not be required in certain circumstances where the personal data is encrypted or RMB has taken subsequent measures to ensure that the high risk to individuals is not likely to materialise.

Adopting Privacy by Design
Rule 8: We must adopt privacy by design and privacy by default in all systems, databases, tools and features we build to collect and use personal data.

Understanding the Rule
Taking account of the particular circumstances of the data collection and use, the cost of implementing measures and the risks to Data Subjects, we must implement measures (such as pseudonymisation) that reflect data protection principles when we design systems, databases, tools and features to process personal data.

Practical Steps
We must ensure that any privacy settings are by default set to the most privacy protective setting. We must ensure that the minimal amount of personal data is collected and used through our technology.

As far as possible we should employ pseudonymised, encrypted or anonymised datasets to reduce risk to Data Subjects’ privacy.

Using subcontractors/ suppliers
Rule 9: We must ensure that providers of services to us also adopt appropriate and equivalent security measures.

Understanding the Rule
Under EU data protection law, where a provider of a service has access to our personal data (e.g. as a payroll provider) we must impose strict contractual obligations dealing with the purposes and ways our personal data may be used and the data security of that information. This includes service providers who host data on our behalf.

RMB currently uses the following suppliers and service providers (although this may be subject to change):

PayPal
Stripe
Active Campaign
Box
Zenfolio
Mailchimp
Practical Steps
We must always carry out appropriate due diligence which considers the supplier’s security measures for processing personal data, and general ability to comply with its obligations under data protection law, before we engage a supplier.

We must always enter into a written contract with any supplier or consultant that processes personal data on our behalf. Where you are unsure how to proceed, contact the Data Protection Manager for advice on how to implement a suitable data processing agreement.

Disclosing personal data to third parties
Rule 10: We must only disclose personal data to third parties where we have the consent of the Data Subject, where required by law or where the third party is a subcontractor that has a need to know the information to perform its services and has entered into a contract with us containing the appropriate data privacy and security provisions.

1.Understanding the Rule

At times, we may disclose personal data to suppliers, contractors, service providers and other selected third parties.

Prior to disclosing personal data to any third parties, we will take reasonable steps to ensure that: (i) the recipient of such information is identified; and (ii) where appropriate or required by law, the third party is contractually committed to complying with this Data Protection Policy and/ or our instructions concerning the use of personal data as well as implementing appropriate security measures to protect personal data, limiting further use of personal data, and complying with applicable laws.

In certain circumstances, we may be required to disclose personal data to third parties when required by law, when necessary to protect our legal rights, or in an emergency situation where the health or security of a Data Subject is endangered. Prior to such disclosures, we must take steps to confirm that the personal data is disclosed only to authorised parties and that the disclosure is in accordance with this Data Protection Policy and applicable law.

Practical Steps
If you receive a request from a third party asking you to disclose personal data to them, you should contact the Data Protection Manager unless it is a business as usual request i.e. it is the type of request that you typically receive in connection with your role which you regularly comply with and involves no significant disclosure of personal data.

Ensuring adequate protection for international transfers
Rule 11: International transfers of personal data are subject to certain legal restrictions and therefore we must ensure that all transfers are subject to adequate protection through putting contracts or internal policies in place.

Understanding the Rule
The law may restrict international transfers of personal data to countries that do not ensure an ‘adequate’ level of data protection. Adequacy can be achieved through a number of mechanisms such as contracts or internal policies, and international transfers should only be allowed where appropriate mechanisms are utilised, in order to protect the personal data being transferred.

Practical Steps
We must not transfer any personal data across borders without checking whether a legal restriction is in place. This includes if you are dealing with service providers or third parties based in another country and we are transferring personal data to them or allowing them to remotely access our systems/ data. When in doubt about the lawfulness of any transfer, please contact the Data Protection Manager on how to proceed.

Special categories of personal data
Rule 12: We must only use special categories of data if it is absolutely necessary for us to use it and, in most circumstances, we should obtain explicit consent from Data Subjects to use their special categories of data.

Understanding the Rule
Special categories of data are information revealing a Data Subject’s racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, processing of genetic data or biometric data (for the purpose of uniquely identifying an individual), health and sex life or sexual orientation. Since this information is more intrusive, we must only use it where absolutely necessary and usually with the explicit consent of the Data Subject affected.

The proposed collection and use of special categories of data should be heavily scrutinised and challenged before proceeding. The consent from Data Subjects to our use of their special categories of data must be genuine and freely given.

We can only hold and make available special categories of data on an individual without their explicit consent if we have another lawful basis under applicable law. This may be the case, for example, where we hold information about an employee’s health where this is necessary to exercise any obligation conferred by law on us in connection with employment.

Practical Steps
We must always assess whether special categories of data are essential for the proposed use – why do we need it?
We must only collect special categories of data when it is absolutely necessary in the context of our business – why do we need it?
Application (or other) forms used to collect special categories of data must include suitable and explicit wording expressing the individual’s consent.
Consent must be demonstrable. Therefore, when it is collected verbally it must be recorded in such a form as to prove that the requisite information was provided to the individual and their response was able to be verified.
Where consent is not relied upon, we must take steps to ensure that there is another lawful basis under applicable law for the collection and use of such information.
The Data Protection Manager should be informed of any planned significant use of special categories of data to verify the legitimacy of such use. The Data Protection Manager is entitled to ask further questions and will work with you to mitigate any potential risks in this regard.
Collecting children’s data
Rule 13: We should only collect personal data of children when strictly necessary and, if we are relying on consent as the lawful basis, we may need to obtain verifiable parental consent.

Understanding the Rule
Children merit additional protection under data protection law.

Practical Steps
We must obtain consent from a child’s parent to process their personal data where applicable.
We must ensure any privacy notices provided to children are age appropriate.
Direct marketing
Rule 14: We must obtain consent from Data Subjects to use their details for direct marketing where the law requires. We must always allow customers to opt out of receiving marketing information.

Understanding the Rule
In the context of electronic marketing (e.g. by email, SMS or telephone where the number is registered on the Telephone Preference Service), the default position is that we must obtain prior consent from Data Subjects before sending marketing to them.

One of the key data protection rights is that Data Subjects have the right to object to the use of their personal data for direct marketing purposes and we must always notify Data Subjects of their right.

Practical Steps
We must ensure we collect valid consent from Data Subjects before sending them
e-marketing. This is not something that the charity undertakes in any event given the very sensitive nature of our service and the people we support.

We must ensure that the data privacy notice made available when personal data is collected includes the relevant opt-out mechanisms regarding marketing communications. Examples of this wording is contained in Appendix 1 of this Policy.

Honouring Opt-outs
Rule 15: We must always suppress from marketing initiatives the personal data of Data Subjects who have opted-out of receiving marketing information.

Understanding the Rule
It is essential that Data Subjects’ choices are accurately identified when direct marketing campaigns are carried out. A failure to comply with a Data Subject’s opt-out choice (e.g. by sending a mailing to a Data Subject who has previously indicated to us that he or she does not wish to receive mailings) is likely to lead to complaints from the Data Subject and possible scrutiny or enforcement action being taken by the ICO and potentially the Fundraising Regulator.

Practical Steps
When sending direct marketing, including appeals, newsletters and information about events etc. we must take all necessary steps to prevent the sending of marketing materials to Data Subjects who have opted-out. This may include keeping a “do not contact” list.

4. COMPLYING WITH THE RULES

Why is it important that I comply with the Rules?
It is important that everyone within RMB complies with the Rules since we are all responsible for data privacy compliance. A failure to comply with the Rules could expose us to regulatory and/ or legal action which could mean the payment of compensation, damages and/ or fines as well as other remedies.

What happens if I breach a Rule?
If you breach a Rule, even inadvertently, you must immediately inform the Data Protection Manager even if you are not certain whether the breach is serious. You should always voluntarily tell us of any serious breaches since we will consider any deliberate cover up or attempts to mislead us about a breach as a serious disciplinary matter.

Additionally, you should note that knowingly or recklessly obtaining or disclosing personal data may be a criminal offence and could also result in damages or compensation claims against you.

Auditing compliance with the Rules
We will conduct periodic audits to ensure compliance with the Rules. All employees, volunteers and anyone else working on RMB’s behalf must participate with such audits and any outcomes, including remediation plans.

Are there exceptions to compliance with the Rules?
In limited circumstances, such as co-operating in criminal or other government investigations or inquiries, it may be appropriate for RMB to obtain an exception from compliance with part or all of these Rules. All such exception requests must be approved by the Data Protection Manager.

Who enforces data protection law?
Data protection law is usually enforced by data protection regulators and the courts. In the UK, the data protection regulator is the Information Commissioner’s Office with powers to serve notices on us and to conduct assessments of our operations. Ultimately and for the most serious breaches, we can be fined.

TRAINING ON THE RULES
We require all relevant employees, volunteers and anyone else working on RMB’s behalf to receive training on the Rules.

Further information is available from Michele Selvey.

IMPLEMENTATION
This Policy is effective from 1st September 2018.

7. MAINTENANCE AND CONTACT

The review and maintenance of this Policy is the responsibility of the Data Protection Manager. Queries and feedback should be directed to Michele Selvey.

Date:

DATE OF NEXT REVIEW:

VERSION 0.1

1.– data collection statements: guidance

Article 13 GDPR requires data controllers such as RMB to provide Data Subjects with the following information about how their data is held and used by the charity:

Who will be holding their information, i.e. RMB – including contact details;
Why RMB is collecting their information and what RMB intends to do with it (for example, to process donations or send mailing updates about our activities);
The legal basis for collecting the personal data (for example, if RMB is relying on their consent, or on legitimate interests or on another legal basis);
If RMB is relying on legitimate interests as a basis for processing what those legitimate interests are;
Whether the provision of their personal data is part of a statutory or contractual obligation and details of the consequences of the Data Subject not providing that data;
The period for which their personal data will be stored or, where that is not possible, the criteria that will be used to decide that period;
The existence of the rights of individuals (please see section 3.6 above for the rights that must be referred to);
Details of people or organisations with whom RMB will be sharing their personal data;
Where relevant, the fact that RMB will be transferring their personal data outside the EEA and details of relevant safeguards;
The right to lodge a complaint with the Information Commissioner’s Office;
The right to withdraw consent if consent is the lawful ground that has been relied upon; and
The existence of any automated decision-making including profiling in relation to that personal data.
RMB aims to achieve this by using its Privacy Policy, which is available on the website and made available prior to any Data Subject providing RMB with their personal data or, where the personal data is collected from a third party, as soon as reasonably possible thereafter.

Where RMB obtains personal data about a Data Subject from a source other than the Data Subject, RMB must provide information (in addition to the information set out above) on:

The categories of personal data; and
Information on the source of the personal data and whether this is a publicly available source.
This information must be provided within one month of obtaining the personal data, or on first communication with the relevant Data Subject if made sooner.

The fair processing information can be provided in a number of places including on web pages and on application and consent forms. RMB must ensure that the fair processing information is concise, transparent, intelligible and easily accessible.

2.Data retention schedule
Type of Data/ Document

Retention Period

Reason

Photographs/images taken as part of our remembrance photography services

Indefinitely

This is so that we have a copy if the parents of a baby/babies ever request further copies, if for example, their own copies have been lost of destroyed.

Personal data relating to the name and contact details of the parents.

Indefinitely

For the same reason as above

Volunteer data

For as long as the person is a volunteer with the charity. If they step down or cease to be a volunteer, their data will be deleted.

So that we are able to administer our volunteer programme and communicate with volunteers.

Donor data and financial information including gift aid declarations

Seven years from the data of the donation

In order to comply with financial and HMRC reporting requirements