DATA PROTECTION REGULATIONS.
ASSOCIATION WEB SITE THIS APPLIES TO ALL AREAS OF THE ASSOCIATION
PROTOCOL DOCUMENT, incorporating a legitimate
interest assessment, security policy and privacy notice.
This protocol should be considered along with
the content of the General Data Protection Regulations
This PROTOCOL explains how the GDPR is implemented
by the Web Site of the Regimental Association.
These regulations are to be implemented on the 25th May 2018 and apply
to The Regimental Association web site.
All personal information (data) about a living individual which would
lead to that individual being identified can only be lawfully held or
handled in accordance with the Regulations.
Every person who has served in the Royal Regiment
of Fusiliers, or in an antecedent Regiment which forms part of it, is
a member of the Association and eligible to be a member of one or more
Branches of it. This maybe summed up in the motto, 'Once a Fusilier, always
a Fusilier'. The information about branch members, associate members and
others who have an interest in this Regimental Family is also held and
handled. Information is processed between all members, with other organisations
and individuals within the Regimental Family, with organisations that
share a military or the Regimental ethos or provide assistance and welfare
to members, with the communities and organisations with whom the Association
operates. None of this will be altered by the Regulations; individuals
are given new rights and the Association new duties, but what we do is
the same. Each individual has an on going legitimate interest in this.
LEGITIMATE INTEREST ASSESSMENT.
1. Legitimate interest.
ARTICLE 6(1)(F) APPLIES. Legitimate interest is defined as: 'Processing
is necessary for the purpose of the legitimate interests pursued by the
controller or by a third party except where such interests are overridden
by the interests or fundamental rights or freedoms of the data subject
which require protection of personal data, in particular where the data
subject is a child.'
2. Every member of the Association is bound to the others by what is termed
the Regimental Family, which itself has common bonds of honour, integrity,
loyalty, comradeship and friendship, welfare , the mutual good, and a
wider interest in all things military and / or or for the benefit of the
local communities . The Regiment has a longstanding and excellent reputation
within the communities from which it has drawn its soldiers and those
who have supported those soldiers.
3. THE DATA (also termed information) concerning an individual is obtained
usually initially at association branch level from the individual, sometimes
from another member of the branch, sometimes from another part of the
Regimental Family or from an interested third party (an example being
SSAFA). This is the way it has worked since the Association was formed
and how all members and prospective members of branches will reasonably
expect it to continue to work.
4. The information collected is not of a sensitive type, it is the minimum
required to maintain contact. Including , full name, date of birth, postal
address, telephone number, email address, and any rank or title and decorations
(rank, title and decorations are held so that the individual is treated
with courtesy and addressed in a proper military way).
5. The information has a minimum impact on the individual, it is information
of a type that branches have obtained and processed since the formation
of the Regiment and its branches. It is in the broader interest of the
communities and society that some point of contact is maintained with
veterans and association members; the information held is the minimum
needed to facilitate this. The Association does keep this under ongoing
review and is aware of the duties it has, the rights of the individual
and the wishes of individuals. The Association therefore takes extra responsibility
for considering and protecting the individual's interests. Based of such
future reviews the Association will change this protocol as necessary.
6. The Association intention is not to use the information it has in a
way which is harmful or intrusive to the individual and that is an important
factor in this assessment. However information must be released sometimes
by operation of the United Kingdom law with which the Association is compelled
7. The Association risk assessment has also considered, for current members
how long ago the information was collected, how it has been held, kept
secure, erased and corrected, and processed since. How secure the sources
of information are, and found them to be reliable and secure sources.
The personal relationship (in fact friendship) which exists between members
and the chairperson and Secretary at branch level. For how long the Association
centrally and through branches has held and processed the information
of individuals. That in the past no complaint has arisen from information
being held nor its processing. Once an individual joins the Army and then
joins a Regimental Association the individual will know his / her information
will be retained by the Army indefinitely and within the Association expect
it be held and processed for the individual's life.
8. The Association will not hold nor process information for an individual
who is termed a child under the GDPR. For individuals who are known to
the Association as being vulnerable special care will be taken before
a release of information about them, and as a minimum will carry out an
assessment which is tailored to and specific to their interests and needs.
9. This assessment has considered the risk to the individual arising from
the information held and processed. The risk could be physical, financial,
emotional, the loss by the individual to control his information, economic
and social disadvantage, the loss of GDPR rights, or any other adverse
10. In summary and conclusion. The holding and processing of an individual's
information is of the minimum information necessary to maintain contact.
It is held and processed for the clear benefit of the individual and the
wider communities and society. The individual has a reasonable expectation
that to be a viable member he will need to give this information initially
when expressing an interest to join a branch and that it will be held
and processed. The individual is fully aware of his / her rights, how
to exercise them and to whom to apply to exercise them.
1. ARTICLE 5(1)(f) sets out the GPDR requirements
for integrity and confidentiality of personal information as follows:
'Processed in a manner that ensures appropriate security of data including
protection against unauthorised or unlawful processing and against accidental
loss, destruction or damage, using appropriate technical or organisational
2. THE RISK analysis is that personal information can be misused, used
for crime, cyber crime, fraud, terrorism, international terrorism or otherwise
unlawfully used, be subject to unauthorised use, or lost, destroyed or
damaged. These are a real risk for all organisations however large or
small. The Association does not hold sensitive personal Information nor
information on children, and the information held is the minimum. The
risk is mitigated by using appropriate physical, technical and organizational
measures within the Association. The following are the core factors in
this assessment: confidentiality, integrity, availability and resilience.
3. Only those authorised have access to the information. The information
for a few individuals is held centrally but for most it is held within
a branch. The information maybe be held and processed by computer, on
paper (written, typed or copies) or electronically (an example being by
email) or otherwise.
4. Those authorised are termed Compliance Officers, and they will be the
custodians of the information held on individuals either centrally or
5. Personal information maybe held and processed (including deletion and
the correction of errors) only by a Compliance Officer within the scope
of their authority and in Compliance with the GDPR. It is the duty of
the Compliance Officer to ensure personal information is complete and
up to date based on the representations of the individual concerned. The
Compliance Officer may as necessary delegate to another this duty.
6. Disposal of IT , computers, electronic equipment and paper documents
must be such that all personal information is permanently removed from
the device and cannot be recovered from it but is saved or backed up to
another device in current use, to preserve the information.
7. Computers, paper records and electronic devices are secured under the
control and possession of the Compliance Officer. Computers and electronic
devices will be password protected. The assessment is that given the nominal
nature of the information held and processed and fully considering the
risks, that this level of security is appropriate.
8. Each Compliance Officer will ensure the personal information is accessible,
useable, and if lost is recoverable so as to prevent loss or distress
to others and compliance with GDPR.
9. The security measures are subject to ongoing review and analysis. This
protocol can changed as necessary to ensure continuing effective security
measures are in place.
10. Any breach of the GDPR will be self reported to the Information Commissioners
Office as required by GDPR.
11. In summary. On considering the risk analysis and the minimal information
held and processed the security measures are appropriate but are subject
to ongoing review.
1. The Association keeps personal information
on individuals and does not hold sensitive information. Individuals will
reasonably expect their information will be held, processed and passed
within the Association as set out in this Protocol including its branches
and the wider Regimental family for Regimental matters, including events,
clubs, welfare and for marketing of Regimentally and military connected
2. The Association is also part of local communities and operates with
other organisations (including those for welfare such as SSAFA and the
ABF) for the benefit of the Regiment, its history and traditions, and
the Association members and individuals will reasonably expect their information
to be shared with these.
3. This privacy notice may be given verbally, in paper printed format,
by a paper copy being displayed or provided to be read, or by email, to
the individual concerned.
4. The Association looks to individuals to provide personal information
about themselves. Sometimes personal information will be supplied by 3rd
parties (an example being SSAFA).
5. Personal information will not otherwise be passed on to others unless
the law says it must be.
6. Personal Information will not otherwise be sold, rented, nor swopped
with a marketing company,
7. Personal Information will not be used for profiling nor large scale
analysis of data.
8. The Compliance Officer will use reasonable action to confirm with the
individual the accuracy of information received from a third party which
is about that individual.
9. The Compliance Officer will routinely review the relevance and accuracy
of the information held.
10. The GDPR gives rights to an individual whose information is held and
processed. These are fully set out on the web site of the Information
11. As a summary, the GDPR provide the following rights for individuals
concerning the information held on them:
1. The right to be informed; of the collection
and use of the individual's information.
2. The right of access; being access by the individual to personal and
any supplementary information held to allow the individual to be aware
of and verify the lawfulness of its handling.
3. The right of rectification of inaccurate information, which request
maybe made verbally, in writing or electronically as appropriate; to add
to or change or correct the information held.
4. The right to erase, which request maybe made verbally, in writing or
electronically as appropriate. This is also referred to as the 'right
to be forgotten' being the deletion of information.
5. The right to restrict processing, which request maybe made verbally,
in writing or electronically as appropriate ; for personal information
to be suppressed or given a restricted distribution.
6. The right to data portability; being the use by the individual of his
/ her information to obtain other services from third parties.
7. The right to object; the Association will not handle information for
direct marketing, or research, except as set out in this Protocol.
8. Rights in relation to automated decision making and profiling; the
Association will not use automated decision making nor profiling.
12. Only the individual whose information is
the subject of a request to exercise a right may make the request. The
Compliance Officer who receives a clear and unambiguous request directly
from an individual will comply or reply promptly but usually within one
month in any event.
1. The Association operates through branches and each branch keeps its
own information about individuals, either on computers or on paper or
electronically (such as on emails). Accordingly the Chairperson and the
Secretary of each branch are both the controllers and the processors,
and Compliance Officers, for the information held by their branch, although
from time to time they may delegate these responsibilities. For information
held centrally by the Association the Chairperson and Deputy Chairperson
are jointly the controllers and processors, and Central Compliance Officers
but may from time to time delegate these responsibilities.
2. Each Branch Compliance Officer must ensure that each individual within
their branch is fully aware of the contents of this Protocol, and the
identity and how to contact each Branch Compliance Officer. Each Central
Compliance Officer will ensure that each individual whose information
is centrally held is fully aware of the contents of this Protocol and
the identity and how to contact each Central Compliance Officer.
3. Any breach of the Regulations will be self reported to the Information
Commissioners Office in accordance with GDPR.
4. This protocol requires no further action by the individual unless that
individual wishes to exercise one or more of the rights given by the Regulations.
Each individual is urged to ensure that information held about him or
her is accurate and up-to-date.
5. This Protocol is subject to ongoing review and revision.
Dated 14th May 2018.