Merry Go Round Toy Libraries
- Charity: means Merry Go Round Toy Libraries, a registered charity
- GDPR: means the General Data Protection Regulation
- Responsible Person: means the Toy Library Co-ordinator
- Data protection principles
Merry Go Round Toy Libraries recognises that the previous Data Protection principles remain largely unchanged and are of utmost importance. GDPR requires the Toy Libraries to ensure our data processing is:
- Lawful, fair and transparent
- That personal data is collected for specified, explicit and legitimate purposes and not further processed in an incompatible way
- That personal data is adequate, relevant and limited to what is necessary to achieve the purposes for which it was collected
- That personal data is accurate and kept up to date, and that we take reasonable steps to rectify or erase inaccurate data
- That personal data is not kept in identifiable form for longer than necessary
- That personal data is processed in a way that ensures security of the data and protects it from unauthorised use
- That we can demonstrate compliance with the Principles
- General provisions
- This policy applies to all personal data processed by the Charity
- The Responsible Person shall take responsibility for the Charity’s ongoing compliance with this policy
- This policy shall be reviewed at least annually
- Registration with the Information Commissioner’s Office
Merry Go Round, like most charities and not-for-profit organisations, qualifies for exemption from registering with the Information Commissioners because it was established for not-for-profit making purposes and does not make a profit. We must:
- Only process information necessary to establish or maintain membership or support
- Only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it
- Only share the information with people and organisations necessary to carry out the organisation’s activities. Important - if individuals give us permission to share their information, this is alright
- Only keep the information while the individual is a member or supporter or as long as necessary for member/supporter administration
- Lawful, fair and transparent processing
- This Policy shall be reviewed at least annually.
- Individuals have the right to access their personal data and any such requests made to the charity shall be dealt with in a timely manner.
- Lawful purposes
- Each new member is asked to fill in an online form on the toy library’s Lend-Engine site with contact details, number of children and whether joining as a group member or a family member. This information is needed for members to make toy bookings and join the toy library, and to receive reminders about overdue toys and information about our services. Members are also asked to fill in optional monitoring information about ethnicity, disability or developmental needs. This information is used by us when we buy more toys, and for statistics for grant applications. It does not identify individual children or adults in any way.
- All details given are confidential, kept securely and not passed on to third parties. They are only used in connection with the toy library
- Email addresses are also added to a separate mailing list for information about our services, closure dates, fundraisers etc.
- Copies of information are destroyed within two years of membership lapsing.
- Every email sent from our separate mailing list includes information on how to unsubscribe from this list.
- Merry Go Round members can send a blank email from the email address we hold to firstname.lastname@example.org. Spinning Top members can email email@example.com.
- Data minimisation
- The Charity shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- The Charity shall take reasonable steps to ensure personal data is accurate.
- Members are asked to update their information when membership is renewed.
- Archiving / removal
- 24 months after a membership lapses or is cancelled, their loan and payment history will be retained, but personal contact information will be removed. Any monitoring information retained will be anonymous. We collate monitoring information from the previous year every April and use it to create reports for our Annual Report which is sent to funders and members and for informing grant applications.
- Email addresses on the separate mailing list are kept until members ask to be unsubscribed.
- Personal data is stored securely on the Lend-Engine site.
- Email addresses are securely stored in an online database with password access control. The software is automatically updated. Changes are backed up 4 times a day.
- Access to personal data is limited to toy library staff and IT support and is not shared externally.
- In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Charity shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO (more information on the ICO website).
- Online payments
- Payments made to the toy libraries through Loan-Engine use an integrated payment system called Stripe. The link to information about their use and protection of information is at https://stripe.com/gb/privacy
END OF POLICY
Policy last updated July 2020