General Data Protection Regulations (GDPR) Induction
“Making a Virtue out of Necessity”
The reputation and integrity of purpose are basic to the management of every charitable organisation. The MNA has always worked hard to be a trusted “friend” to all the other charities and organisations we have worked alongside. Our National, Regional and Branch structure is unique and our Constitution details our agreed objectives.
The General Data Protection Regulations – GDPR – are the biggest change in 25 years as to how every organisation is required to manage Personal Identifiable Information (PII).
GDPR significantly enhances and upgrades what the current Data Protection Act 1998 requires. The most important point is the new requirement for individuals to give their active consent for the MNA National and Branch Officers to hold their PII and how any member’s preferences can be modified, altered or even deleted at any time with the appropriate written notice.
GDPR came into force on 25th May 2018 and when we leave the EU – Brexit – it will continue in exactly the same form but under a new British Data Protection Bill 2019 (BDPB). This Bill is actually going through Parliament now.
National Officers and National Councillors began preparations for GDPR several months ago by undertaking an ‘Information Audit’. This was followed by a specialist firm undertaking cyber security upgrades and the appointment of the MNA National Chairman as the MNA’s Data Protection Officer (DPO).
As the DPO, he is committed to ensuring systems are in place for monitoring that your PII is maintained in a safe and secure environment. We have reviewed current procedures and policies to both improve our operations and refine what we need to do going forward. Additional Data Protection advice has been circulated to all National members and our MNA Guidelines updated to include Data Protection requirements to comply with the Regulations.
Any immediate concerns will be answered by the DPO, provided you confirm your enquiry by letter or email. All requests are best submitted on the MNA’s “Subject Access Request” (SAR) form. This method guarantees you free and easy access to your personal information through a simple written application. The MNA has 30 days, after receipt of the SAR, to supply you with the information you require. You may request the deletion or removal of some of your PII where there is no compelling reason for its continued processing. Any alteration you request to your information will be completed within 9 days of receiving a written request.
The purpose for processing your PII is to support and advance a mutually beneficial arrangement.
The lawful basis of processing information is consent. PII applies to all MNA National members and MNA suppliers. PII includes names, addresses, dates of birth, email addresses, medals, awards and seatime experience, all of which are already protected under the existing DPA. GDPR expands this to include ID numbers, descriptions, location and online data markers and much more.
GDPR requires the MNA National and Branch Officers to maintain proper records of all our processing activities in relation to PII and hold PII records in a technologically secure place that is protected from cyber attacks and theft.
We do reserve the right to amend our Compliance Data Protection Procedures, but any changes will be made with at least one month’s prior notice of any modifications.
Members’ PII is held in a cloud-based, cyber-protected environment as well as on encrypted memory sticks. PII paper records held by National and Branch Officers must be held in a lockable filing cabinet or other secure arrangement. PII will never be passed to third parties without your express consent. The MNA have implemented agreed standards of technological and operational security in order to protect PII from loss, misuse or unauthorised alteration or destruction.
To protect members’ PII we will always ask for your consent before releasing any information, which will normally be in electronic format, unless required by law to do so.
The DPO will continue to follow the accepted practice of privacy by design and carry out regular Privacy Impact Assessments (PIA) for continued security.
PII, held with your consent, will be regularly reviewed, but it is the member’s responsibility to make sure the information is correct and up to date. Most of you have now completed the update forms – thank you. When a member leaves the MNA, we will archive their details to support necessary historical information for a period of two (2) years. After that period all their PII will be deleted and destroyed.
The MNA will also delete all electronic PII, after a period of two years has elapsed, with the exception of any possible disputes.
MNA financial transactions and records will be deleted after seven (7) years.
MNA Data Protection Officer
MNA DATA PROTECTION PROCEDURES
TYPE OF INFORMATION
Member’s name, address, telephone and mobile numbers, email address(es) and medals, awards and seatime.
Photographs and videos of members.
Creating and managing the Association’s online membership database
Adding to recognition and awareness of seafarers and seafaring in both local and national promotional activities.
LEGAL BASIS FOR PROCESSING
Achieved through opt-in consent when completing the MNA’s Registration Form. Members may withdraw or change their consent details at any time by contacting the Data Protection Officer, John Sail, by email, Subject Access Request (SAR) form or letter. It must be in a written format.
Consent by opt-in on the new MNA Registration Form. Members may withdraw their consent at any time by contacting the Data Protection Officer, John Sail, by email or letter. It must be in writing.
You have rights under the terms of the General Data Protection Regulations (GDPR)
- To access your personal data on request in writing.
- To be provided with information about how your data is processed.
- To have your personal data corrected, amended or deleted.
- To object to or restrict how your personal data is processed.
- To have your personal data transferred to yourself or to another business organisation in certain circumstances.
- To take any complaints about how your data is processed to the Information Commissioner, who has the final word in these matters.
Tel: 0303 123 1113
Information Commissioner’s Office
For more information contact:
MNA Data Protection Officer
Further relevant information is detailed in the MNA’s GDPR Policy.