Breaches, Subject Rights Requests and Opt Outs

UK GDPR and the UK Data Protection Act apply higher standards to how we respond to breaches and complaints, while greatly reinforcing the Rights that individuals have over their data.

Breaches

If you suspect there has been any breach of personal data, then you MUST report it to data.protection@libdems.org.uk immediately.

The Members' Data Protection Rules, included in the Party Constitution, require suspected breaches to be reported to the Party's Data Protection Officer within 24 hours. The Party then has only an additional 48 hours to report any breaches which, on review, meet the Information Commissioner's Office (ICO) reporting threshold.

Breaches include, but are not restricted to:

  • Data being accessed by someone who is not a member of the Party and has not signed a Data Protection Agreement (DPA) or Non Disclosure Agreement (NDA) with us
  • Data being exposed on websites
  • Hacking of any databases or systems you use
  • Emails being sent revealing recipients' personal email addresses in the To: or Cc: field (n/a if the individuals are in agreement)
  • Sending email attachments that are not encrypted
  • Using Party data for an unauthorised purpose
  • Any loss of data, for example:
    • Loss of CDs, disks or drives with data
    • Loss of laptops with data
    • Loss of devices with data and / or MiniVAN
    • Loss of paper records
    • Loss of canvass sheets

Members are required by the Members' Data Protection Rules to report any breaches or face disciplinary procedures. Whilst the Federal Party is legally liable for any breaches under the legislation, our constitution allows for any fines to be shared with local parties if they are found to be responsible.

Subject Rights Requests

Individuals have a range of data protection rights:

  1. The right to be informed
  2. The right of access (Subject Access Request)
  3. The right to rectification
  4. The right to erasure (Right to be Forgotten / Erasure)
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object (Opt Out / Unsubscribe)
  8. Rights in relation to automated decision making and profiling

Details can be found at ICO - Individual Rights

If an individual makes a request that can be interpreted as falling under any of these rights, then it may only lawfully be handled by the Federal Party. There are specific requirements about how these requests are handled, for example requiring proof of ID, and about the formatting of the request and the reply. There are also situations in which we can refuse the request, or limit its scope. Therefore you should always pass these requests on to the Federal Party.

Rights requests may take the form of questions or statements similar to, but not restricted to:

  • What data do you hold on me?
  • Delete me / my data from your database
  • Stop processing my data
  • I want a download of data you have on me
  • The data you hold is wrong
  • Stop profiling me

If you receive any request of this nature, then you MUST report it to data.protection@libdems.org.uk immediately.

Opt Outs (Unsubscribe)

Opt outs must be processed within 1 month of being received.

You can find out more about where Consent is required and recording Consent at Data Gathering and Consent.

Granularity of Consent

The new legislation requires that Consent be granular. To that end, we are treating all of our emailing lists as separate. Consent for emailing should be managed within the bulk mailing tool you are using, e.g. Targeted Email. Opting into a local party mailing list does not imply that the individual wants to opt into the Federal Party mailing list. Opting out of a local mailing list need only be reflected in that mailing list.

If you receive an opt-in for a Local Party, then you can add that email address to a Ward or Branch specific email list. However, you cannot do the opposite: an email address added to a Branch or Ward list should not be added to a Local Party list. In general, opt-ins can flow down through the party structure, but not up.

Opt outs on the Federal Website at Federal Opt Out page will be reflected down to local party databases.

Handling Opt Outs

Online opt-ins should be processed directly into your Bulk Mail tool. If you have collected consent via a paper form, then this should be recorded in Connect, following the guidelines in Data Gathering and Consent.

If you receive an online opt-out, that should be driven from links generated by your email tool, so that the opt-out is reflected directly in the relevant mailing list. If you receive an opt-out to a Local Party list and you have also added the email to a Branch or Ward list, then you should reflect that opt-out into those lists as well.

If you receive an opt out via a letter or physical paper form, then you must record the withdrawal of the opt-in consent in Connect by answering No to the relevant consent question, with the date the opt out request was received. The details can be found in Connect Quick Sheet 2 at Connect Quick Sheets.