The National Association of Funeral Directors (NAFD) is registered under the Data Protection Act with the Information Commissioner’s Office (ICO). Registration Number: Z5417695
GENERAL STATEMENT OF THE ASSOCIATION’S DUTIES AND SCOPE
As part of its operation, the Association is required to process relevant personal data regarding its members, members of staff, elected representatives, volunteers, students, complainants and members of their families. The Association shall take all reasonable steps to do so in accordance with this Policy.
DATA PROTECTION CONTROLLER
The Association has appointed the Chief Executive as the Data Protection Controller (DPC) who will endeavour to ensure that all personal data is processed in compliance with this Policy and the Principles of the Data Protection Act 1998. The Association recognises The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) adopted 27 April 2016, the two-year transition period and the application date of 25 May 2018 and is actively working towards compliance with that directive.
The Association shall so far as is reasonably practicable comply with the Data Protection Principles (the Principles) contained in the Data Protection Act and revised within the General Data Protection Regulation 2018. These governing principles are: Lawfulness, Fairness and Transparency. We will establish a proper legal basis for holding and processing personal data, ensuring data is properly obtained, that the data has all necessary consents and that the purpose(s) for usage are clearly stated.
The data subject is entitled to know what data we have, what we are using it for, is able to opt out, can request a copy of the data we hold and can request to be forgotten. Purpose Limitation. NAFD will only collect personal data for specific purposes. These purposes will be explained clearly to the data subject in detail and all agreed by the data subject.
Data will not be processed in a manner which is incompatible with those declared purposes which have been agreed by the data subject. Data Minimisation. NAFD will take a minimalist approach and will only ask for and keep data required for a stated purpose and nothing more.
We will not hold and/or process data which is not relevant or which is unnecessary for the purpose. Accuracy. NAFD will actively manage data to ensure that it is both accurate and up-to-date. We will correct inaccurate data where possible and where this is not possible it will be deleted.
Storage Limitation. NAFD will only hold personal data for as long as is necessary to fulfil the purpose for which it was collected. Integrity and Confidentiality. NAFD will implement appropriate technical and organisational measures to ensure compliance with the GDPR with a specific focus on (i) Information Technology (IT)- the use of passwords and a need to ensure limited access (need to know) and (ii) Human Resources- staff training and support. Data will not be transferred to other countries without adequate protection
- The Association is ‘The National Association of Funeral Directors’ (NAFD), and additionally covers subsidiaries and affiliated bodies where the Data Protection Act applies (this includes local & regional associations and NAFD Ventures Ltd).
- The Association’s representatives include all elected and appointed members of the Association’s committees and regional & local associations.
- Data Subject means an individual who is the subject of the personal data.
Personal data covers both facts and opinions about an individual where that data identifies an individual. For example, it includes information necessary for employment such as a person’s name and address, details for payment of salary or a student’s examination result. Personal data may also include sensitive personal data as defined in the Act.
PROCESSING OF PERSONAL DATA
Consent may be required for the processing of personal data unless processing is necessary for the performance of the contract of employment or some other legitimate interest. Any information which falls under the definition of personal data and is not otherwise exempt, will remain confidential and will only be disclosed to third parties with appropriate consent.
SENSITIVE PERSONAL DATA
The Association may, from time to time, be required to process sensitive personal data. Sensitive personal data includes data relating to medical information, gender, religion, race, sexual orientation, trade union membership and criminal records and proceedings.
RIGHTS OF ACCESS TO INFORMATION
Data subjects have the right of access to information held by the Association, subject to the provisions of the Data Protection Act 1998. Any data subject wishing to access their personal data should put their request in writing to the Data Protection Controller (DPC). The Association will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within 30 days of the request. The information will be imparted to the data subject as soon as is reasonably possible after it has come to the Association’s attention and in compliance with the relevant Acts.
Certain data is exempted from the provisions of the Data Protection Act which includes the following circumstance:
- National security and the prevention or detection of crime
- The assessment of any tax or duty
- Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon the Association, including Safeguarding and prevention of terrorism and radicalisation
The above are examples only of some of the exemptions under the Act. Any further information on exemptions should be sought from the DPC.
The Association will endeavour to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify the data processor of any changes to information held about them. Data subjects have the right in some circumstances to request that inaccurate information about them is erased. This does not apply in all cases, for example, where records of mistakes or corrections are kept, or records which must be kept in the interests of all parties to which they
If an individual believes that the Association has not complied with this Policy or acted otherwise than in accordance with the Data Protection Act, the member of staff should notify the DPC. Members of staff are also able to utilise the Association’s grievance procedure.
The Association will take appropriate technical and organisational steps to ensure the security of personal data.
All staff will be made aware of this policy and their duties under the Act.
The Association and therefore all staff, agents, representatives and officers are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to all personal data.
An appropriate level of data security must be deployed for the type of data and the data processing being performed. In most cases, personal data must be stored in appropriate systems and be encrypted when transported offsite. Other personal data may be for publication or limited publication within the Association, therefore having a lower requirement for data security.
The Association must ensure that data processed by external processors, for example, service providers, Cloud services including storage, web sites etc. are compliant with this policy and the relevant legislation.
When data held in accordance with this policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction.
RETENTION OF DATA
The Association may retain data for differing periods of time for different purposes as required by statute or best practices. Individual functions (e.g. Education, Complaints etc.) will incorporate these retention times into the processes and manuals. Other statutory obligations, legal processes and enquiries may also necessitate the retention of certain data.
The Association may store some data such as membership records, photographs, exam results, achievements, publications and works etc. indefinitely in its archive.
The Welsh Government has today (22 December) announced gathering restrictions in Wales, to take effect…
From today (10 December), face coverings are not only now required by visitors to places…
England, Wales and Scotland In England, Wales and Scotland, there are now no legal limits…