GDPR and the UK Data Protection Act set higher standards for how we respond to breaches and complaints, while greatly reinforcing the rights that individuals have over their data.
If you suspect there has been any breach of personal data, you MUST report it to [email protected] immediately. The Members' Data Protection Rules, included in the Party Constitution, require breaches to be reported within 24 hours. The Party then has only a further 48 hours to report any breach to the Information Commissioner's Office (ICO), because the statutory deadline is 72 hours from becoming aware of the breach.
Breaches include, but are not restricted to:
- Data being accessed by someone who is not a member of the Party and has not signed a Data Protection Agreement with us
- Data being exposed on websites
- Hacking of any databases or systems you use
- Emails being sent to multiple recipients with their addresses in the To: or Cc: field rather than Bcc:, so that each recipient can see the others' addresses
- Sending email attachments that are not encrypted
- Any loss of data, for example:
  - Loss of CDs, disks or drives holding data
  - Loss of laptops holding data
  - Loss of devices holding data and/or MiniVAN
  - Loss of paper records
  - Loss of canvass sheets
The Members' Data Protection Rules require members to report any breach; failure to do so may lead to disciplinary procedures. Whilst the Federal Party is legally liable for any breach under the legislation, our constitution allows any fines to be shared with local parties if they are found to be responsible.
Subject Rights Requests
Individuals have a range of data protection rights. The UK Data Protection Act provides the following rights for individuals:
- The right to be informed
- The right of access (Subject Access Request)
- The right to rectification
- The right to erasure (Right to be Forgotten / Deleted)
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Details can be found at ICO - Individual Rights.
If an individual makes any request that can be interpreted as falling under these rights, it can only be handled lawfully by the Federal Party. There are specific requirements about how these requests are handled, for example verifying the identity of the requester and the format of the request and of the reply. There are also situations in which we may refuse a request or limit its scope. Therefore you should always pass these requests on to the Federal Party.
Rights requests may take the form of questions such as, but not restricted to:
- What data do you hold on me
- Delete me / my data from your database
- Stop processing my data
- Download of data you have on me
- Data you hold is wrong
- Stop profiling me
If you receive any request of this nature, you MUST report it to [email protected] immediately.
Opt outs must be processed within one month of being received.
You can find out more about where Consent is required and recording Consent at Data Gathering and Consent.
Granularity of Consent
The new legislation requires that consent be granular. To that end, we treat each of our mailing lists as a separate list. Consent for emailing should be managed within the bulk mailing tool you are using, whether that is Nation Builder, Prater Raines or Mailchimp. Opting into a local party mailing list does not imply consent to the Federal Party mailing list. Opting out of a local mailing list need only be reflected in that mailing list.
If you receive an opt-in for a Local Party list, you can add that email address to a Ward or Branch specific email list. You cannot do the opposite: an email address added to a Branch or Ward list must not be added to a Local Party list. In general, opt-ins can flow down through the party structure, but not up.
Opt outs on the Federal Website at the Federal Opt Out page will be reflected down to local parties' Nation Builder, Prater Raines and Mailchimp accounts. (Note: at the time of writing these processes have not yet been set up.)
Handling Opt Ins and Opt Outs
Online opt-ins should be processed directly into your bulk mail tool. If you have collected consent via a paper form, it should be recorded in Connect, following the guidelines in Data Gathering and Consent. The email address can then be added to your email tool.
Online opt-outs should be driven from the unsubscribe links generated by your email tool, so that the opt-out is reflected directly in the relevant mailing list. If you receive an opt-out for a Local Party list and you have also added the email address to a Branch or Ward list, you must reflect that opt-out in those lists as well.
If you receive an opt out via a letter or physical paper form, you must record the withdrawal of consent in Connect by answering No to the relevant consent question, with the date the opt out request was received. Details can be found in Connect Quick Sheet 2.5 at Connect Quick Sheets. You must also reflect the opt out in your bulk mail tool within 28 days of the opt out request being received.