Privacy Policy

  The Morrab Library

 

GDPR/Data protection policy 

  1. Introduction 

1.1 The law 

1.2 Individual’s rights 

1.3 Managing data protection 

 

  2. Description of processing

2.1 Lawful basis for processing personal data / Consent 

2.2 How we gather information

 

  3. Reasons/purposes for processing information

3.1 Providing and delivering services to members and visitors

3.2 How we use your information 

 

  4. Type/classes of information processed

4.1 We process information relevant to the above reasons/purposes.

4.2 We also process sensitive classes of information

4.3 What we process personal information about 

4.4 Children’s data

 

  5. Who the information may be shared with

5.1 Other organisations and third parties 

5.2 Sharing your story

 

  6. Who had access to personal data  

6.1 Processing personal data

6.2 Subject to access 

 

  7. Not kept longer than necessary 

7.1 Data retention 

 

  8. Our commitment to data security: how we keep data safe

 

  9. Data breaches 

9.1 What is a data breach

9.2 Notifying a data breach

9.3 Informing an individual of a breach of their data

 

  10. Transfers 

 

  1. Introduction 

 

At The Morrab Library we are committed to keeping your personal data safe and protecting your privacy. This notice is made in light of the requirements of the UK General Data Protection Regulation (GDPR) procedures and the Data Protection Act 2018. The purpose of these laws is to protect the rights of individuals, where their data (personal information) is obtained, stored and processed.

 

This policy provides guidance to ensure The Morrab Library staff process personal data in a safe and secure way which complies with current legislation and best practices. This policy applies to those who handle personal data, which includes The Morrab Library staff, trustees and volunteers. 

 

1.1 The law

 

Data protection is essentially that area of the law that governs what may, and what may not, be done with personal information. Such personal information may be in electronic form (stored on a computer) or manual form (stored in a manual filing system). 

 

The Morrab Library fulfils the legal requirements by registering our details with the Information Commissioner’s Office (ICO), adhering to the eight data protection principles and by educating all staff and volunteers in the correct use of personal data.  

 

The Data Protection Act lists the data protection principles in the following terms: 

 

  • Principle 1: Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –

    (a) at least one of the conditions in Schedule 2 is met, and

    (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

     

  • Principle 2: Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.

     

  • Principle 3: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

     

  • Principle 4: Personal data shall be accurate and, where necessary, kept up to date.

     

  • Principle 5: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

     

  • Principle 6: Personal data shall be processed in accordance with the rights of data subjects under this Act.

     

  • Principle 7: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

 

  • Principle 8: Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

 

1.2 Individual’s rights 

 

All individuals that The Morrab Library holds data on have the right to:

  • Be informed upon request of all the information held about them
  • Prevent the processing of their data for the purpose of direct marketing
  • The removal and correction of any inaccurate data about them

 

1.3 Managing data protection 

 

The Morrab Library has an appointed Data Protection Officer (DPO) and The Morrab Library Trustees support the DPO through provision of appropriate training and reporting mechanisms to the Operations SC.

 

  2. Description of processing

 

2.1 Lawful basis for processing personal data / Consent 

 

The Morrab Library’s lawful basis for processing personal data is consent. When you provide us with your personal information we will gain consent by asking you to select how we use your information and how we contact you. 

 

We adhere to the legal requirements around gaining consent by ensuring that consent is specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. 

 

2.2 How we gather information 

 

With consent, when you provide us with your personal information we will gain consent by asking you to select how we use your information and how we contact you. 

 

We collect personal information when you contact us directly or when you use our website to complete our web forms. We collect anonymous information including data on pages viewed, date and time and browser type for every visitor to our website. 

 

Indirectly, your personal information may be shared with us by independent service providers, event organisers and fundraising sites e.g. Just Giving, Donations Managers, PayPal, Jotform. You can visit these organisations directly to view their full privacy policies but they will not share your information with us without your consent. 

 

We also collect information when it is available from other public sources. We may collect personal data about you from the public domain, such as Companies House or the media.

 

These are some of the ways we collect personal data:

 

  • Through responses to fundraising campaigns
  • When you complete a membership registration form
  • When you complete a donation form 
  • Donating on a fundraising page 
  • Ordering information and archival material for research purposes
  • Processing gift aid
  • Contributing to our newsletters and promotional platforms
  • Sending us an email
  • Writing to us 
  • Phoning us  
  • Completing our surveys 
  • Signing up to our events 
  • Signing up to receive our promotional materials
  • Signing up to volunteer with us
  • When you or your child enter a competition



  3. Reasons/purposes for processing information

 

3.1 Providing library and research services, facilities and information

 

We process personal information to enable us to provide library, archives and information services for the benefit of our members and the general public in Cornwall and beyond, as specified in our constitution; to administer membership records; to fundraise and promote the interests of the charity; to manage our employees and volunteers; and to maintain our own accounts and records. 

 

3.2 How we use your information 

Where you have given consent we will use your personal information in a number of ways including: 

  • To invite you to upcoming events 
  • To provide information about our services, products, campaigns and work
  • To process research requests and materials that we receive from you
  • To invite you to participate in surveys and on advisory panels
  • To process donations we may receive from you
  • For administrative purposes, including contacting you for an event you have registered to attend. 
  • For internal record keeping relating to donations, fundraising, complaints and feedback. 
  • For the circulation of stock
  • To manage participation in competitions or events

 

  4. Type/classes of information processed

 

4.1 We process information relevant to the above reasons/purposes. This may include:

  • personal details
  • family details
  • membership details
  • goods and services
  • financial details
  • education and employment details
  • visual images, personal appearance 

 

4.2 We also process sensitive classes of information that may include:

  • physical or mental health details
  • racial or ethnic origin
  • offences and alleged offences
  • criminal proceedings, outcomes and sentences
  • trade union membership

 

4.3 What we process personal information about 

 

We process personal information about:

  • members
  • staff, volunteers
  • benefactors
  • supporters
  • complainants, enquirers
  • advisers
  • representatives of other organisations

 

4.4 Children’s data 

Where appropriate we will seek consent from a parent or guardian before collecting information about children (anyone aged 18 or under). Information is usually collected when children attend our events or enter a competition. We may collect names and ages of children to allow us to record the amount of support we have received. 

 

  5. Who the information may be shared with

 

5.1 Other organisations and third parties 

 

We sometimes need to share the personal information we process with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA). What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.

 

  • If we run an event or competition in partnership with another named organisation your details may need to be shared.
  • We sometimes use external companies for mail services, such as the posting of our mailings.

 

We ensure we adhere to the legal requirements and best practice by using secure data transfer services and gaining informed consent when you register your information. 

 

5.2 Sharing your story 

 

Some people choose to tell us about their experiences to help contribute to our various campaigns and work. They may volunteer in our educational programmes, give talks at events, contribute to our newsletters, sit on an advisory panel and contribute to our publications. 

 

 

  6. Who had access to personal data  

 

6.1 Processing personal data

 

This policy operates on a “need to know” basis and, apart from staff and volunteers at The Morrab Library, no-one will have access to member or visitor information unless it is relevant to the service or their work. Whenever The Morrab Library staff and volunteers process personal data, they will ensure that:

 

  • If for any reason registration of the information is withdrawn they must stop using the particular data immediately.
  • They must ensure that appropriate records are maintained and safe and are only used for their intended purpose. 
  • Information must be collected and processed in a prudent and lawful manner and should be kept up to date and accurate at all times
  • The information should only be retained for the period necessary, and for the purpose for which it is held. 

 

6.2 Subject to access 

 

All individuals that The Morrab Library holds data on are entitled to make a ‘subject access’ request. Individuals have the right to ask for a copy of the information we hold about them (for which we may charge a small fee). Individuals can also ask for a description of their personal data, the reasons it is being processed, and whether it will be given to any other organisations or people. 

 

Email requests are not accepted; individuals must provide a description of the information they want and proof of identity by post. The Morrab Library will respond to requests within all applicable timeframes (in accordance with the Information Commissioner’s Office guidelines).

 

In certain circumstances (e.g. where required or permitted by law) we might not be able to provide you with access to some of your personal information, but where appropriate we will notify you of the reasons for this.

 

  7. Not kept longer than necessary 

 

7.1 Data retention 

 

We discourage the retention of data for longer than it is required. All personal data will be deleted or destroyed by us after it is no longer required for its intended purpose and/or no longer required to be kept by law.

 

  8. Our commitment to data security: how we keep data safe

 

All Morrab Library computers have a log-in system and our database is password protected, which allows only authorised staff to access personal data. Passwords on all computers are changed regularly, at six-month intervals. All personal and financial data in paper form is kept in locked filing cabinets and can only be accessed by The Morrab Library staff. 

 

We use secure systems to store information, and we keep it only for as long as is necessary for the purposes for which it was intended, or for as long as we are legally required to keep it.

 

Personally identifiable information is stored on our server and is not publicly accessible. Further, personally identifiable information is only accessed by The Morrab Library staff on a “need to know” basis. To prevent unauthorised access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect online.

 

  9. Data breaches

 

9.1 What is a data breach 

 

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.  This means that a breach is more than just losing personal data. 

 

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data. 

 

9.2 Notifying a data breach

 

A notifiable breach has to be reported to the Operations SC or, if serious, the Information Commissioner within 72 hours. If the breach is sufficiently serious to warrant notification to the public, The Morrab Library must do so without undue delay. 

 

What information must a breach notification contain? 

  • The nature of the personal data breach including, where possible:
    • the categories and approximate number of individuals concerned; and
    • the categories and approximate number of personal data records concerned;
  • The name and contact details of the data protection officer or other contact point where more information can be obtained;
  • A description of the likely consequences of the personal data breach; and 
  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, the measures taken to mitigate any possible adverse effects. 

 

9.3 Informing an individual of a breach of their data

 

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, those concerned directly will be notified by a senior member of the charity staff. A ‘high risk’ means the threshold for notifying individuals is higher than for notifying the relevant supervisory authority. 

 

  10. Transfers

It may sometimes be necessary to transfer personal information overseas. When this is needed, information may be transferred to countries or territories around the world. 

Any transfers made will be in full compliance with all aspects of the Data Protection Act.

 

As at 8 December 2023