What is GDPR?
The GDPR (General Data Protection Regulation) is a new regulation which will replace the Data Protection Act 1998 (DPA). It will come into effect in the UK from Friday 25 May 2018.
The primary objective of the GDPR is to strengthen data protection for all individuals within the EU by giving them control over their personal data.
It provides principles and regulations on how data is collected, processed, stored and transferred.
The regulation applies if the Data Controller (organisation that collects data from EU residents) or Data Processor (organisation that processes data on behalf of the Data Controller or the data subject (person)) is based in the EU.
According to the European Commission, personal data is: "any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."
Your relationship with Good Things Foundation under the GDPR
This guidance outlines what GDPR means for your relationship as a delivery organisation for Good Things Foundation. It should not be taken as legal guidance and as an organisation, you should have your own processes and policies in place to ensure compliance with GDPR. The Office of the Information Commissioner has some great guidance as a starting place - read it here.
For the data we ask you to collect for us as part of a funded contract and/or for the data that is input into our systems:
- We are the Data Controller of learner data because we determine the purposes and means of the processing of personal data.
- You are the Data Processor because you collect and process information that is defined as personal data on our behalf.
If you decide to use any of the data collected whilst working with us in another context and for reasons not already outlined to the learner then you will become the Data Controller of that data.
However, even as a Data Processor you still have legal obligations to fulfil under GDPR.
Informing learners of what happens with their data
If a learner enters their own data onto any of our systems on their own, they will be made aware of the above at the point they enter their data into our systems.
If a tutor enters a learner’s data onto our system on their behalf, the tutor must make the learner aware of the above at the point they enter the learner’s data onto our systems.
Keeping data up-to-date and useful
GDPR puts much stronger obligations on organisations to ensure that personal data is up-to-date.
Equally, we should not be keeping any personal data for any longer than is useful to us. With this in mind we will be removing any learner records automatically within certain timescales unless otherwise specified this will be:
- Any data collected as part of a funded contract - 1 year after the contract we have with our funder expires or 2 years after the last learner activity (whichever is later).
- Any data collected not as part of a funded contract - 2 years after the last learner activity in the system.
If you feel that any learner details are no longer useful in shorter timescales than specified above, please contact us and we can remove any records.
To ensure that data collected is up-to-date we ask you not to take personal data out of the systems and use it elsewhere unless on a temporary basis ensuring that it is securely destroyed.
Under GDPR learners have the following additional rights. Here's a guide as to what you need to do if a learner wants to exercise any of these rights:
1) The right of access to data
Learners have a right to request the personal information we hold about them and what we do with this information. If a learner wants to know all the personal data that we hold about them then please contact us and we will be able to provide this within 30 days.
2) Right to be forgotten
Learners have the right to request that we erase all the personal information we hold on them. If a learner no longer wishes their data to be in our system then please contact us and we will remove them from the system. However, please be aware that if that learner counts towards any funded contracts that are currently in progress this learner will no longer count.
3) Right to restrict processing
Individuals have a right to request that we restrict the processing of their personal information that we have on our systems.
4) Right to object to processing and/or withdraw consent
Individuals have the right to object to the processing of their data in general. If a learner no longer wants us to process their data that we have on our systems, please contact us.
Where do we store data and how secure is it?
Our learner data is stored in secure data centres in the Republic of Ireland. All data is encrypted in transit and on the servers.
Most learner data is stored within this core system, however, in the course of our work, we sometimes need to extract data to cloud services such as Google G Suite, MailChimp or Survey Monkey which may mean some personal data is transferred outside the EU. However, we are signed up to the US/EU privacy shield for these services which covers usage in this respect.
We also have a wholly owned subsidiary in Australia that can access our systems and currently has access to organisation data but not learner data.
Note: If you keep paper copies it’s your responsibility to keep it secure. We recommend not keeping it unless you need to do so as part of a project or contract.
For questions, please contact us and we'll try to answer as best we can.