CJRA DATA PROTECTION POLICY

Introduction

In order to operate, The Cambridge Jewish Residence Association (CJRA) needs to gather, store and use certain forms of information about individuals.
These can include members, suppliers, volunteers, business contacts and other people the CJRA has a relationship with or regularly needs to contact.
This policy explains how these data should be collected, stored and used in order to meet CJRA data protection standards and comply with the law.

Why is this policy important?

This policy ensures that the CJRA:
• Protects the rights of our members, volunteers and supporters
• Complies with data protection law and follows good practice
• Protects the Association from the risks of a data breach


Who and what does this policy apply to?

This applies to all those handling data on behalf of the CJRA, for example:-
• Committee members
• Members
• Suppliers
It applies to all data that the CJRA holds relating to individuals, which is primarily:
• Names
• Email addresses
• Postal addresses
• Phone numbers
• Jewish affiliation.

Roles and responsibilities
Everyone who has access to data as part of the CJRA has a responsibility to ensure that they adhere to this policy.
Data controller
The Data Controller for the CJRA is the Treasurer. They, together with the Committee, are responsible for why data are collected and how it will be used. Any questions relating to the collection or use of data should be directed to the Data Controller in writing.


Data Protection Principles

1. We fairly and lawfully process personal data

The CJRA will only collect data where lawful and where it is necessary for the legitimate purposes of the Association.
• A member’s name and contact details will be collected when they first join the Association, and will be used to contact the member regarding Association membership administration and activities. Other data may also subsequently be collected in relation to their membership, including about their payment history for fees and subscriptions.

• The name and contact details of committee members, employees, volunteers and contractors will be collected when they take up a position, and will be used to contact them regarding Association administration related to their role.
• An individual’s name and contact details will be collected when they make a booking for an event. This will be used to contact them about their booking and to allow them entry to the event.
• An individual’s name, contact details and other details may be collected at any time (including when booking for an event), with their consent, in order for the CJRA to communicate with them about Association activities.


2. We collect and use personal data only for specified and lawful purposes.

When collecting data, the CJRA will always explain to the subject why the data is required and what it will be used for, for example:-
“Please enter your email address in the form below. We need this so that we can send you email updates for Association administration including about events, subscriptions and other business.”
We will never use data for any purpose other than that stated or that can be considered reasonably to be related to it. For example, we will never pass on personal data to third parties without the explicit consent of the subject”.


3. We ensure any data collected are relevant and not excessive


The CJRA will not collect or store more data than the minimum information required for its intended purpose.
For example we need to collect email addresses and telephone numbers from members in order to be able to contact them about Association administration.

4. We ensure data is accurate and up-to-date

The CJRA will ask members, employees and volunteers to check and update their data. .Any individual will be able to update their data at any point by contacting the Data Controller. 

5. We ensure data is not kept longer than necessary

The CJRA will keep data on individuals for no longer than 12 months after our involvement with the individual has stopped, unless there is a legal requirement to keep records.

6. We process data in accordance with individuals’ rights

The following requests can be made in writing to the Data Controller:  
• Members, volunteers and supporters can request to see any data held on them.

• Members and supporters can request that any inaccurate data held on them is updated.

• Members and supporters can request to stop receiving any marketing communications.

• Members and supporters can object to any storage or use of their data that might cause them substantial distress or damage or any automated decisions made based on their data.

8. Transfer to countries outside the EEA


The CJRA will not transfer data to countries outside the European Economic Area (EEA), unless the country has adequate protection for the individual.