The Association of Notetaking Professionals (ANP) holds the information provided on membership application forms and registration forms in electronic or paper formats. The computerised electronic format is saved on a USB memory stick(s) for transfer to new ICO (Information Commissioner's Office) regulated committee members.
The information is processed to enable ANP to provide a service and information to members, to promote the services, to maintain accounts and records, to support, improve and develop the association and to support and manage volunteers.
The data is used for good governance, accounting, managing and auditing our operations; the data includes your personal information such as your photograph, name, address, telephone numbers and email addresses. Sensitive personal information such as that included on the Ethnicity Form is collected for potential use in funding applications. The content of this is anonymised if it is used. The data held will be reviewed to comply with changes in the law and cover policies, procedures, contracts and agreements, retention, security and data sharing. This policy and a covering letter to new committee members, duly countersigned by them, will be handed over along with the USB memory stick(s) and the signed handover document will be stored in paper format and as a scan on the USB memory stick.
The data, other than that on the public register, may be shared with other committee members as required, only for conducting the business of the association and with ICO auditors. This may include information required for privacy notices or records of consent. Controllers and Processors are advised to consult the ICO and GDPR websites for their own training concerning their duties and responsibilities. In certain circumstances, formal training funding can be sought from the ANP committee. The data controller and processor(s) will be nominated at each AGM and members will be notified.
The electronically stored data and USB memory stick(s) will be password protected as a minimum method of protection. The devices used to access the data will also be password protected by the individual owners.
Members have the right to confirmation that their data is being processed and can request, verbally or in writing, access to their personal data and other supplementary information held about them. Members can communicate with Committee members directly or via the ANP email addresses: firstname.lastname@example.org and email@example.com, which are regularly reviewed by committee members. Members can contact ANP to request that information be removed from the publicly available register. Members can request ‘the right to be forgotten’ – to have their personal data erased and expect such changes to be done within a month of the request.
Sub-processors will have written authorisation from the controller to access personal and sensitive data. The sub-processor includes the person or company managing the data on the ANP website. If the Data controller and Processors change, members will be notified.
The data processor is responsible for taking appropriate measures to ensure the security of processing, and in the event of any breach, the person(s) involved will be advised of such breach and an impact assessment will be undertaken. The processors also have direct responsibilities and liabilities under the GDPR. The Controller and processors will cooperate with the supervisory authorities such as the ICO when required to do so.
Those with access to the personal data of members must tell the Data controller or processor if they are asked to do anything infringing the GDPR or other data protection law of the EU or a member state. Resolution of breaches will be discussed and managed by agreement of the elected committee and relevant experienced external resources as required.
Historical information may be stored for administrative record keeping but not used without specific consent. Data is retained for a year after non-renewal of membership and longer where the Act permits, after which specific consent is sought for the type of information a member will allow to be retained. Members have the right to object to how their personal data is retained. Personal data other than that which is publicly available on the register is not used for any direct marketing purposes.
The DPIA (Data Protection Impact Assessment), now part of this policy, reflects that the information members provide to the ANP is designed to attract and inform potential clients of the qualifications, skills and contact information of professional notetakers. It is designed to encourage and enhance the development of employment prospects and development of professionalism and communications of members. Members are expected to maintain their own security of their own electronic equipment used for their work and are signposted to the relevant data protection acts and organisation. The risk of abuse of their personal data held by ANP is limited; members have undertaken training in professionalism as part of their qualification; members working in the field of education and registered with DSA-QAG comply with undertakings required for training and policies and are responsible for the security of themselves and the data they hold in relation to their work, in the knowledge that some of their personal data is in the public domain at their own request. Members can have information linked to them on the Google forum deleted upon written request; members can share any concerns with other members by using the forum and any subsequent actions taken are the responsibility of the relevant member.
By signing the relevant forms and submitting them to the ANP committee, after membership has been accepted, members have consented to the sharing of the information on the Registration Form and have access to a restricted communication forum, the ANP GoogleGroup; use of the forum is entirely voluntary. The sub-processor manages the registration and deletions of those having access to the forum, following a request to do so from a Committee member, and takes appropriate security measures to maintain the restricted access.