The CHIRP Charitable Trust holds personal data in the form of names, addresses and contact details of members of the Trust, reporters and recipients of FEEDBACK. We are required to ensure compliance with the EU General Data Protection Regulations (GDPR), which are designed to ensure more robust security and more transparency in the use of personal data.
The GDPR places specific legal obligations on CHIRP. We will have legal liability if we are responsible for a breach of confidential data. Members, reporters and recipients of FEEDBACK newsletters have a right to request sight of the data we hold on them, how it is used and, if necessary, to request that data is removed from our systems.
CHIRP’s policy is to hold the minimum amount of data necessary to operate an independent confidential reporting programme. Data on members of the Trust are held for the duration of membership and contact details for recipients of FEEDBACK are held until a reader unsubscribes. Data on reporters is held until the case file is closed, at which point the data is erased within 30 days.
For the most part, CHIRP operates a ‘paperless office’ in a serviced office building with controlled access. Clear desk procedures and lockable security containers provide physical security. Electronic data is held at a remote site using industry standard security procedures. CHIRP will promptly inform anyone affected should any breach occur.
CHIRP will not circulate any personal information to third parties without prior consent.
WHAT WE HOLD
We currently hold data which is pertinent to GDPR in 4 areas:
Members of the Trust (Trustees and Advisory Board Members)
Names, addresses and contact details are held electronically. Career profiles and photographs of the Trustees are held and posted on the CHIRP website. Personal bank account details are held for some Trustees. Dates of birth are held for Trustees whose duties include operating the Trust’s bank accounts. The names of the Trustees are also held in hard copy on annual audit reports.
Reporters personal details provided in reports
Reports submitted to CHIRP include personal details: name, address, email address and phone number.
The majority of reports are received electronically. Reports received in hardcopy are scanned for processing electronically and the hard copy destroyed. Personal details are only kept whilst the report is open and are deleted on closing; report data and correspondence with reporters are disidentified of personal information for storage in the database.
Reporter’s personal information is not shared with anyone outside of the CHIRP salaried staff and contractors without the reporter’s specific permission.
Address lists for emailing FEEDBACK
FEEDBACK is mailed electronically to lists of licence holders provided by the CAA. Licence holders opt in to receiving FEEDBACK (3rd party safety information) by ticking a box on their licence applications to the CAA. The lists are e-mailed to CHIRP in encrypted format and deleted after the details have been uploaded to MailChimp for distribution.
FEEDBACK is also e-mailed to anyone who asks to be added to the distribution list. E-mail addresses of these recipients are stored electronically by CHIRP.
Comments on FEEDBACK are encouraged. Personal details of commentators are deleted after the comment has been relayed to the relevant Advisory Board and a reply sent to the commentator.
CHIRP holds the names, addresses, contact numbers and e-mails, ages, bank details, tax and salary information, as well as working records, for members of staff and contractors. The information is accessible
only by the Chief Executive and Administration Manager.
It is noted too that every staff member and contractor holds personal information which comes under the jurisdiction of the GDPR, in the form of e-mails and transactional records. All staff and contractors are required to read and sign a security brief annually. All e-mails contain a standard confidentiality notice.
The GDPR requires that public authorities and large-scale data processing organisations designate a Data Protection Officer to take responsibility for data protection compliance. The size and structure of CHIRP does not justify a dedicated post. However, data security has been identified as a risk for the Trust. The Trustees review this risk and the procedures for protecting against it annually.
Members of the Trust who meet regularly. Nevertheless, the privacy of members will be protected by using the BCC facility on e-mail distributions for meetings.
The GDPR includes the following rights for individuals: The right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and the right not to be subject to automated decision-making including profiling.
We are confident that current CHIRP procedures fulfil the GDPR and we do not operate any data profiling processes. We will regularly review our procedures to ensure they cover areas such as the deletion of personal data and will provide individuals with the data we hold on them, if requested, in electronic format. The Chief Executive will make any final decisions about deletion or release of information.
The demonstration of the Right to Be Informed will be fulfilled by a MailChimp distribution. This CHIRP data policy will also be available on the CHIRP website. Any further updates will be communicated in a similar manner.
SUBJECT ACCESS REQUESTS
We acknowledge that individuals have a right to seek access to information held in CHIRP databases or if they think there is a problem with the way we are handling their data. We will comply with any such request within the new statutory one month period. However, we can refuse or charge for requests that are manifestly unfounded or excessive.
Individuals will have the right to have their personal data deleted when they believe it is being held without a practical or lawful basis. If we refuse a request, we must tell the individual why and that they have the right to complain to the ICO and to seek a judicial remedy. We must do this, at the latest, within one month.
There is a requirement to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity. This is unlikely to affect CHIRP.
DATA PRIVACY IMPACT ASSESSMENT (DPIA)
CHIRP systems, using remote offsite servers fulfil the GDPR recommended ‘privacy by design’ approach. ‘Data Protection Impact Assessments’ will be carried out if a new technology is being deployed; or if there
is processing on a large scale of the special categories of data held. While this is unlikely to directly affect CHIRP, we will work with our IT contractors to ensure that awareness of this is included in any future development programmes.
BREACHES OF DATA
Should we become aware of any personal data breach, we will notify members, reporters, recipients of FEEDBACK, staff members and contractors rapidly as possible, notifying the ICO if a breach is likely to result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage to those concerned.