GDPR - General Data Protection Regulations from May 25 2018
West Mercia Neighbourhood Watch Recommendations
As a Neighbourhood Watch Scheme Coordinator or Administrator this new legislation applies to you.
For your existing list of members you have time to get things in order, so long as you are not sharing the list with anyone else.
It is important that you keep your existing list safe and secure, but you have time to get confirmation from your scheme members that it is okay for you to continue to hold their personal data. For new members, you must get a record of their acceptance with their application to join. See guidance below.
What you need to know related to your scheme and the data you keep
The change to the law related to Data Protection will affect all of us, both as citizens and as those who collect and keep data about the members of our Neighbourhood Watch Schemes and Associations.
The recommendations made by West Mercia Neighbourhood Watch aim to provide scheme and association administrators with the maximum protection when handling personal data related to scheme or association members.
The information here is advisory; each scheme or association must choose the most appropriate policy for data protection of members' personal information.
The advice given here is concise and deliberately strict to provide a simple set of guidelines to follow.
Neighbourhood Watch National have more detailed guidance which will provide more latitude in the data you can collect and what you can and cannot do with it, in relation to the new data protection legislation. National Neighbourhood Watch Guidance
In addition you can also review the details of the legislation on the Government website at ico.org.uk
If you collect personal data of your Neighbourhood Watch Scheme or Association members you are responsible for keeping that information safe and private.
There are new rules that apply to all organisations that hold people’s personal details. GDPR applies whenever information relating to an identifiable, living individual - “personal data” - is processed, collected, recorded, stored or disposed of.
If you have collected details of members of a Neighbourhood Scheme or Association, you MUST take proper steps to ensure that it is secure and make sure that it is only used for the purpose for which the data was collected.
The law applies to the whole of the EU and will continue to apply in the UK after the UK exits the EU.
This law applies to both computer and paper records.
- Encourage your members to register with your scheme or association using the National Neighbourhood Watch Website, this means you do not need to keep your own list, you can see and email your members through the website.
- If you choose to keep your own list of scheme or association members, do not share the details with anyone else, without first obtaining their express permission to share their details with any named organisation. No Neighbourhood Watch Association or other official organisation should ask you for details of your members.
- Only keep enough information about members to allow you to administer your scheme or association.
- If someone leaves the scheme or association, securely destroy their personal details, and let them know you have done so, if possible.
- Advise your members to contact their local Police Safer Neighbourhood Team directly to register with them if they want to be added to any existing Police list of Neighbourhood Watch Scheme members.
- Get your members to confirm in writing (email is ok) at least once a year that they want to remain a member of your scheme or association, and that they consent to you keeping their personal contact details. If they do not respond, assume they have withdrawn from your scheme. See point 2.
- If you plan to retire as the administrator or coordinator for your scheme or association, either securely destroy all personal details you hold and let everyone know you have done so or pass the details to your successor. Your successor must contact all members in the list telling them they now hold the list and get them to confirm that they consent to the change and wish to remain members.
- If the privacy of your list of members is compromised you may need to report this to the ICO (Information Commissioner’s Office) as a ‘Breach Notification’. Neighbourhood Watch National can assist you to ascertain whether the risk is such that the breach needs to be notified. Therefore, in the first instance report the data breach to the Neighbourhood Watch Network office on 0116 4026111 as soon as you discover the breach.
Here are the core principles you must consider.
- Personal data shall be processed lawfully, fairly and in a transparent manner.
- Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Use of members' details for direct marketing
Direct marketing covers the promotion of aims and ideals as well as the sale of products and services. This means that the rules will cover not only commercial organisations but also not-for-profit organisations (e.g. charities). In many cases organisations will need consent to send people direct marketing.
Neighbourhood Watch newsletters, especially if they are sponsored by local companies, may contain marketing material promoting local services. To demonstrate that recipients’ consent to receive this material has been knowingly and freely given, you should use opt-in boxes that clearly and specifically record the consent of your members to receive the material, and you should keep this information as part of any hard copy or electronic process that a new member completes to join your Scheme.
Organisations must stop sending direct marketing messages to any person who objects or opts out of receiving them.
Registering with the ICO
Anyone with CCTV should already be registered with the ICO (Information Commissioner’s Office).
Anyone collecting personal data on behalf of a Neighbourhood Watch Scheme or Association must consider if they need to be registered as a “data controller”. If there is a need to be registered, each organisational body must have someone registered as a data controller.
The below link will enable you to assess whether you need to register.
In order for a Neighbourhood Watch Association or scheme to be exempt from registering with the ICO it must:
- Only process information necessary to establish or maintain membership or support
- Only process information necessary to provide or administer activities for people who are members of their association or scheme or have regular contact with it.
- Only share the information with people and organisations necessary to carry out Neighbourhood Watch activities.
- Only keep the information while the individual is a member or supporter or as long as necessary for member/supporter administration.
You must make sure nobody other than authorised persons has access to the data, be it held on a computer or using paper records. Data must be protected by being physically locked away or, for computer-held records, by an up-to-date password and up-to-date anti-virus/malware protection. Extra care should be taken if the data is accessible using a shared computer.
Data breach notifications
Requirements for all controllers and processors.
A personal data breach is more than just losing personal data. It means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
The controller must notify the Data Protection Authority within 72 hours of its discovery of a breach, unless the controller can demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of individuals, for example, in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. The controller is also required to notify affected data subjects if the breach is likely to result in a high risk to affected data subjects.
In the first instance, contact Neighbourhood Watch National using the details above in Key point #8.