The Fellowship of the Phoenix (hereafter referred to as the Fellowship) is committed to protecting personal data and respecting the rights of our data subjects. The Fellowship values the personal information entrusted to us and we respect that trust, by complying with all relevant laws, and adopting good practice.
| WHO: | Members, Seekers, or Visitors (hereafter referred to as data subjects):We will handle your personal information in line with this policy and the procedures therefore derivedEmployees, volunteers or trustees Processing personal information on behalf of the organization, you are required to comply with this policy. If you think that you’ve accidentally breached the policy it’s important that you contact the Elder Scribe immediately so that we can take swift action to try and limit the impact of the breach. Anyone who breaches the Data Protection Policy may be subject to disciplinary action, and where that individual has breached the policy intentionally, recklessly or for personal benefit they may also be liable to prosecution or to regulatory action. MagistersAs leader of a temple you are required to make sure that any procedures that involve personal data follow the rules set out in this Data Protection Policy. |
| WHAT: | We process personal data to help us: Maintain a list of our members, seekers, and visitors Recruit, support, and manage staff and volunteers Maintain our temple accounts and records Promote our services Maintain the security of property and premises Respond effectively to enquirers and handle any complaints Any fundraising events that might require this information. This policy has been approved by the Elder Council who are responsible for ensuring that we comply with all our legal obligations. It sets out the legal rules that apply whenever we obtain, store, or use personal data. |
| WHERE: | What personal information do we process? In the course of our work, we may collect and process information (personal data) about many different people (data subjects). This includes data we receive direct from the subject, for example, where they complete forms or contact us. We may also receive information about data subjects from other sources including, for example, previous employers. We process personal data in both electronic and paper form and all this data is protected under data protection law. The personal data we process can include information such as names and contact details, emergency contacts, and visual images of people. Processing for specified purposes: We’ll only process personal data for the specific purposes explained in our privacy notices or for other purposes specifically permitted by law. We’ll explain those other purposes to data subjects unless there are lawful reasons for not doing so. Data will be adequate, relevant and not excessive: We’ll only collect and use personal data that’s needed for specific purposes which will normally be explained to the data subjects in the privacy notices. We’ll not collect more than is needed to achieve those purposes. Accurate data: We’ll make sure that personal data held is accurate and, where appropriate, kept up-to-date. The accuracy of data will be checked at the point of collection. |
| WHEN: | [date policy was enacted / further revisions] |
| WHY: | We are committed to protecting personal data from being misused, getting into the wrong hands as a result of poor security or being shared carelessly, or being inaccurate, as we’re aware that people can be upset or harmed if any of these things were to happen. This policy sets out the measures we’re committed to taking as an organization and what each of us will do to ensure we comply with the relevant legislation. To that end we insure that all personal data is: Processed lawfully, fairly and done transparentlyProcessed for specific, explicit and legitimate purposes and not in a manner that’s incompatible with those purposes Adequate, relevant and limited to what is necessary for the purposes for which it’s being processed Accurate and, where necessary, up-to-dateNot kept longer than necessary for the purposes for which it’s being keptProcessed in a secure manner, by using appropriate technical and organizational means Processed in keeping with the rights of data subjects regarding their personal data. Never sold or used for purposes other than those of the Fellowship. |
| HOW: | The Elder Scribe, as Data Protection Officer, is responsible for advising the Fellowship, its staff, and members about their legal obligations under data protection law, monitoring compliance with data protection law, dealing with data security breaches, and with the development of this policy. Any questions about this policy or any concerns that the policy has not been followed should be referred to scribe@fellowshipofthephoenix.org. Before you collect or handle any personal data as part of your work (paid or otherwise) for the Fellowship, it’s important that you take the time to read this policy carefully and understand exactly what is required of you, as well as the organization’s responsibilities when we process data. Our procedures will be in line with the requirements of this policy, but if you’re unsure about whether anything you plan to do, or are currently doing, might breach this policy you must first speak to the Data Protection Officer. Security of personal data: We’ll use appropriate measures to keep personal data secure at all points of the processing. Keeping data secure includes protecting it from unauthorized or unlawful processing or from accidental loss, destruction or damage.Security measures will include technical and organizational security measures. In assessing what measures are the most appropriate we will take into account the following, and anything else that is relevant:The quality of the security measure The costs of implementation The nature, scope, context and purpose of processingThe risk to the rights and freedoms of data subjects The risk which could result from a data breach.Measures may include:Technical systems security Measures to restrict or minimize access to dataMeasures to ensure our systems and data remain available, or can be easily restored in the case of an incident Organizational measures such as policies, procedures, training and auditsRegular testing and evaluation of the effectiveness of security measures. Dealing with data protection breaches: Where staff or volunteers, [or contractors working for us], think that this policy has not been followed, or data might have been breached or lost, this will be reported immediately to the Data Protection Officer.We will keep records of all personal data breaches. If said breach is likely to result in a risk to any person, the Data Protection Officer is required to notify the individual within 72 hours from when someone in the organization becomes aware of the breach.This can include situations where, for example, bank account details are lost or an email containing sensitive information is sent to the wrong recipient. Informing data subjects can enable them to take steps to protect themselves and/or to exercise their rights. Data subjects’ rights: We’ll process personal data in line with data subjects’ rights, including their right to:Request access to any of their personal data held by us (known as a Subject Access Request) Ask to have inaccurate personal data changed Restrict processing, in certain circumstances Object to processing, in certain circumstances, including preventing the use of their data for direct marketingData portability, which means to receive their data, or some of their data, in a format that can be easily used by another person (including the data subject themselves) or organization Not be subject to automated decisions, in certain circumstancesWithdraw consent when we are relying on consent to process their data.If a colleague receives any request from a data subject that relates or could relate to their data protection rights, this will be forwarded to the Elder Scribe immediately.We will act on all valid requests as soon as possible, and at the latest within one calendar month, unless we have reason to, and can lawfully extend the timescale. This can be extended by up to two months in some circumstances. All data subjects’ rights are provided free of charge. Any information provided to data subjects will be concise and transparent, using clear and plain language. Classes of data subjects and associated rightsVisitorsWe reserve the right to collect contact information for visitors and individuals who come into contact with the FellowshipSuch data is protected and viewable only by members of the Elder Council and any appropriate temple level Councils unless active consent of the individual is given to share with the general membership.Visitors cannot view details on any other user, with the exception of those members who serve in a public capacity.Visitor data will be deleted at the request of the individual.SeekersWe reserve the right to collect contact information. as well as information on temple interactions on Seekers (those who have expressed interest in the Fellowship but are not yet a member).Such data is protected and viewable only by Council members as well as the associated temple members.Seekers have the elevated rights to view contact details of members within the associated templeSeeker data will be deleted at the request of the individual.MembersWe reserve the right to collect the above data, as well as emergency contacts, food allergies, and other membership details as determined by the Elder Council.Such data is protected and viewable only by appropriate partiesContact/General information is viewable to all members, unless the individual chooses to make some portion private (in which case they would be viewable only by council).Medical information is collected only for emergency purposes and is only viewable by Magisters and Guardians.Contact and membership details are required, but all other information is voluntary.When leaving the organization, members have the right to request deletion of their data.The Fellowship retains the right to keep former members’ names, birthdates, ROP and exit dates as well as associated temple. |