British Humane Association

Data Protection Policy

Introduction

The British Humane Association (BHA) is committed to protecting the rights and freedoms of data subjects and safely and securely processing their data in accordance with all of our legal obligations. We hold personal data about our donors, volunteers and trustees for a variety of charitable business purposes.

This policy sets out how we seek to protect personal data and ensure that the relevant individuals understand the rules governing their use of the personal data to which they have access in the course of their work. The BHA is not required to have a data protection officer and any questions with respect to the processing of personal data should be directed to the Chairman of the BHA.

Definitions

Charitable business purposes: We use personal data for the following purposes:

• To fundraise and promote the interests of the charity
• To inform you of news, events, activities and services running at BHA
• To maintain a list of people who have donated to us before, so that we can contact them again
• To maintain a list of people who have told us they do not wish to be contacted
• To buy data from third parties to reach potential new donors
• To keep information up to date
• To manage our volunteers and trustees and check references
• To maintain accounts and records (including Gift Aid processing).

We may also use personal data for related administrative, financial, regulatory and development purposes including:

• Compliance with legal and corporate governance obligations
• Ensuring safe working practices and managing volunteer access
• Monitoring volunteer conduct and disciplinary matters.

Personal data: means any information relating to an identified or identifiable natural person (‘data subject’). Personal data we gather may include phone number, address, email, educational background, job title, CV, and other similar details.

Special categories of personal data: include information about an individual's racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, criminal offences, and genetic or biometric data. These are strictly controlled under this policy.

Data controller: the person or body that determines the purposes and means of processing personal data.

Data processor: a person or organisation that processes personal data on behalf of the controller.

Processing: any operation performed on personal data, such as collection, storage, retrieval, use, disclosure, or deletion.

Supervisory authority: the Information Commissioner’s Office (ICO).

Scope

This policy applies to the BHA Chairman, Trustees, administrative assistants and volunteers, who must comply with its terms. It may be supplemented or amended from time to time, with updates circulated before adoption.

The Principles

BHA complies with the data protection principles under the EU General Data Protection Regulation (GDPR):

1. Lawful, fair and transparent: Data must be collected and used legally and transparently.
2. Limited for its purpose: Data must be collected only for specific purposes.
3. Data minimisation: Only necessary data should be collected.
4. Accurate: Data must be accurate and kept up to date.
5. Retention: Data must not be stored longer than necessary.
6. Integrity and confidentiality: Data must be kept secure.

Accountability and Transparency

BHA ensures accountability and transparency in all personal data processing. Records must show how each principle is met. Compliance requires maintaining documentation, implementing technical and organisational measures, and ensuring privacy by design and default.

Our Procedures

Fair and lawful processing: Personal data must not be processed without consent or a lawful basis. Data subjects have the right to have any unlawfully processed data erased.

Controlling Data

BHA is classified as a data controller and maintains registration with the Information Commissioner’s Office.

Lawful Basis for Processing Data

We must establish one lawful basis when processing data:

1. Consent
2. Contract
3. Legal obligation
4. Vital interests
5. Public function
6. Legitimate interest

The BHA primarily uses consent as its lawful basis for processing donors’ personal data.

Responsibilities

Our responsibilities: include analysing personal data held, ensuring lawful consent procedures, detecting and reporting breaches, and securely storing data.

Your responsibilities: include understanding data protection obligations, avoiding misuse, reporting breaches, and complying fully with this policy.

Data Security and Storage

All personal data must be kept secure, whether on paper or electronically. Passwords, encryption, and secure servers must be used. Data should be backed up regularly and not stored on unsecured devices.

Data Retention

Personal data must be retained only as long as necessary for its purpose.

Rights of Individuals

Individuals have rights under GDPR, including access, correction, erasure, restriction, data portability, and objection. BHA must respect and facilitate these rights.

Privacy Notices

BHA provides clear, concise, and accessible privacy notices when personal data is collected, including details of processing, lawful basis, retention, and data subject rights.

Subject Access Requests

Individuals may request access to their personal data. Requests are handled free of charge within one month, extendable for complex cases.

Right to Erasure and Objection

Individuals can request deletion or object to processing where applicable. BHA will comply unless legal or public interest reasons require retention.

Third Parties and Contracts

Any third-party data controllers or processors engaged by BHA must sign GDPR-compliant contracts ensuring data protection obligations are met.

Criminal Offence Data

Approval from the Chairman is required before conducting any criminal record checks.

Monitoring and Reporting

Compliance with this policy is mandatory. Any breaches must be reported to the Chairman immediately. Breaches will be investigated and, if necessary, reported to the ICO.

Failure to Comply

Failure to comply with this policy may lead to disciplinary action, including dismissal. For any questions or concerns, please contact the Chairman.

May 2018