MCAI Privacy Notice
1st May 2018
Below are the principles of the General Data Protection Regulation (GDPR), which MCAI complies with:
Data is processed lawfully, fairly, and in a transparent manner in relation to individuals.
Data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner that is incompatible with these purposes.
Data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
Data is accurate and, where necessary, kept up to date.
Data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
In addition, the data controller is responsible for, and must be able to demonstrate, compliance with the principles.
What does MCAI’s compliance with these principles mean in practice?
MCAI is defined as the data controller under the General Data Protection Regulation.
MCAI is registered with the Information Commissioner's Office (ICO).
Who has access to data?
In practice, only a limited number of key people within MCAI (our two part-time Finance Managers and our Honorary Executive and Finance Director) have access to financial data. These people have received training in how to process data and are familiar with the stipulations of the General Data Protection Regulation.
What data we hold
MCAI holds the minimal amount of data that we need in order to fulfil our statutory obligations (such as with the HMRC). In practice, if you are someone who has donated funds to MCAI, this means that we have your name, address, and email address (if you have opted to receive email communications from us).
MCAI holds onto the names and email addresses of people who have actively opted to receive email communications from us. MCAI does not routinely send regular email communications and such communications are only sent occasionally.
How long do we hold onto data?
We hold on to data for the minimum time necessary to fulfil our legal requirements with OSCR and HMRC.
MCAI holds onto the names and email addresses of people who have opted to receive email communications from us until an individual who has opted in informs us that he/she wants to opt-out of receiving such communications.
How do we store the data?
MCAI holds data in a secure database that can only be accessed by the people who need to access the data.
We also have paper forms (such as gift aid forms or donor forms) that are held securely with limited access.
How do we destroy data?
Once MCAI no longer needs to hold onto specific data, if in paper form, this data is shredded and if in electronic form, this data is deleted. Data marked for destruction is never copied or stored.
MCAI never shares data with other organisations.
MCAI relies on supporters, staff, and volunteers to inform us of any changes to personal information (address or email address) as we do not actively ask about changes to personal information. Once we have received updated information, we will update our databases as soon as practically possible to make sure that the out-of-date information is destroyed.
Any individual has the right to contact MCAI if they wish to find out if we hold any personal data on them and what information we may hold.
This information is given free of charge to the individual on request.
The individual has the right to request that we not hold any data on them and MCAI will comply with this request as long as doing so does not obstruct our legal obligations to other authorities (such as the HMRC).
Please note that any complaints will go through MCAI’s complaint system, which means that they will be discussed with MCAI Trustees.
Updates to this Privacy Notice
MCAI may make updates to this Privacy Notice if necessary, for example, if we make any changes to our data protection policies and procedures in order to further strengthen data protection. Any changes will comply with the principles of the GDPR and the updated Privacy Notice will continue to be published on our website.