DATA PROTECTION POLICY
General Statement of the Mosque’s Duties and Scope
The Mosque is required to process relevant personal data regarding members of staff, volunteers, membership applicants, parents, pupils and their siblings, as part of its operation and shall take all reasonable steps to do so in accordance with this Policy.
Data Protection Controller
The Mosque has appointed Badar Butt as the Data Protection Controller (DPC) who will endeavour to ensure that all personal data is processed in compliance with the new General Data Protection Regulations (GDPR).
The Principles:
The Mosque shall so far as is reasonably practicable comply with the Data Protection Principles (the Principles) contained in the Data Protection Act to ensure all data is:-
- Fairly and lawfully processed
- Processed for a lawful purpose
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than necessary
- Processed in accordance with the data subject’s rights
- Secure
- Not transferred to other countries without adequate protection
Definition
The Mosque is ‘Kingston Muslim Association’, which is registered with the Charities Commission and as such does not additionally cover any subsidiaries and affiliated bodies where the Data Protection Act applies.
- Parental consent includes the consent of a guardian.
- Data Subject, an individual who is the subject of the personal data.
Personal Data
Personal data covers both facts and opinions about an individual where that data identifies an individual. For example, it includes information necessary for employment such as the member of staff’s name and address and details for payment of salary or a pupil’s attendance record and exam results. Personal data may also include sensitive personal data as defined in the Act.
Processing of Personal Data
Consent may be required for the processing of personal data unless processing is necessary for the performance of the contract of employment or KMA membership. Any information which falls under the definition of personal data and is not otherwise exempt will remain confidential and will only be disclosed to third parties with appropriate consent from the data subject.
Pupils consent to process their data and disclose it to parents is implicit when they reach the age of 18. If a pupil wishes to revoke or change consent they must agree a specific agreement on how their data is to be processed with the data processor.
The Mosque processes some personal data for direct promotion and fund-raising purposes, data subjects have the right to request an opt-out to these activities, which will be respected.
Sensitive Personal Data
The Mosque may, from time to time, be required to process sensitive personal data. Sensitive personal data includes data relating to medical information, gender, religion, race, sexual orientation, trade union membership and criminal records and proceedings.
Rights of Access to Information
Data subjects have the right of access to information concerning them, held by the Mosque. Any data subject wishing to access their personal data should put their request in writing by completing the Data subject access request form. The Mosque will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event, within 40 days for access to records and 21 days to provide a reply to an access to Data Protection Policy.
Exemptions
Certain data is exempted from the provisions of the Data Protection Act which includes the following:-
- National security and the prevention or detection of crime
- The assessment of any tax or duty
- Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon the Mosque, including Safeguarding and prevention of terrorism and radicalisation
Accuracy
The Mosque will endeavour to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify the data processor of any changes to information held about them. Data subjects have the right in some circumstances to request that inaccurate information about them is erased. This does not apply in all cases, for example, where records of mistakes or corrections are kept, or records which must be kept in the interests of all parties to which they apply.
Enforcement
If an individual believes that the Mosque has not complied with this Policy or acted otherwise than in accordance with the Data Protection Act, the member of staff should utilise the Mosque grievance procedure.
Data Security
The Mosque will take appropriate technical and organisational steps to ensure the security of personal data.
All staff will be made aware of this policy and their duties under the Act.
The Mosque and therefore all staff and volunteers are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to all personal data.
An appropriate level of data security must be deployed for the type of data and the data processing being performed. In most cases, personal data must be stored in appropriate systems.
External Processors
The Mosque must ensure that data processed by external processors, for example, service providers, Cloud services including storage, web sites etc. are compliant with this policy and the relevant legislation.
Secure Destruction
When data held in accordance with this policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction.
Retention of Data
The mosque may retain data for differing periods of time for different purposes as required by law or best practices. Other statutory obligations, legal processes and enquiries may also necessitate the retention of certain data.
The Mosque may store some data such as registers, photographs, test results, achievements, books and works etc. indefinitely in its archive.
CCTV
The Mosque owns and operates a CCTV network for the purposes of crime prevention, detection and Safeguarding.
Where a data subject can be identified, images must be processed as personal data.