PROTOCOL DOCUMENT, incorporating a legitimate interest assessment, security policy and privacy notice.

This protocol should be considered along with the content of the General Data Protection Regulations


This PROTOCOL explains how the GDPR is implemented by the Web Site of the Regimental Association.
These regulations are to be implemented on the 25th May 2018 and apply to The Regimental Association web site.
All personal information (data) about a living individual which would lead to that individual being identified can only be lawfully held or handled in accordance with the Regulations.


Every person who has served in the Royal Regiment of Fusiliers, or in an antecedent Regiment which forms part of it, is a member of the Association and eligible to be a member of one or more Branches of it. This maybe summed up in the motto, 'Once a Fusilier, always a Fusilier'. The information about branch members, associate members and others who have an interest in this Regimental Family is also held and handled. Information is processed between all members, with other organisations and individuals within the Regimental Family, with organisations that share a military or the Regimental ethos or provide assistance and welfare to members, with the communities and organisations with whom the Association operates. None of this will be altered by the Regulations; individuals are given new rights and the Association new duties, but what we do is the same. Each individual has an on going legitimate interest in this.


1. Legitimate interest.
ARTICLE 6(1)(F) APPLIES. Legitimate interest is defined as: 'Processing is necessary for the purpose of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights or freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.'
2. Every member of the Association is bound to the others by what is termed the Regimental Family, which itself has common bonds of honour, integrity, loyalty, comradeship and friendship, welfare , the mutual good, and a wider interest in all things military and / or or for the benefit of the local communities . The Regiment has a longstanding and excellent reputation within the communities from which it has drawn its soldiers and those who have supported those soldiers.
3. THE DATA (also termed information) concerning an individual is obtained usually initially at association branch level from the individual, sometimes from another member of the branch, sometimes from another part of the Regimental Family or from an interested third party (an example being SSAFA). This is the way it has worked since the Association was formed and how all members and prospective members of branches will reasonably expect it to continue to work.
4. The information collected is not of a sensitive type, it is the minimum required to maintain contact. Including , full name, date of birth, postal address, telephone number, email address, and any rank or title and decorations (rank, title and decorations are held so that the individual is treated with courtesy and addressed in a proper military way).
5. The information has a minimum impact on the individual, it is information of a type that branches have obtained and processed since the formation of the Regiment and its branches. It is in the broader interest of the communities and society that some point of contact is maintained with veterans and association members; the information held is the minimum needed to facilitate this. The Association does keep this under ongoing review and is aware of the duties it has, the rights of the individual and the wishes of individuals. The Association therefore takes extra responsibility for considering and protecting the individual's interests. Based of such future reviews the Association will change this protocol as necessary.
6. The Association intention is not to use the information it has in a way which is harmful or intrusive to the individual and that is an important factor in this assessment. However information must be released sometimes by operation of the United Kingdom law with which the Association is compelled to comply.
7. The Association risk assessment has also considered, for current members how long ago the information was collected, how it has been held, kept secure, erased and corrected, and processed since. How secure the sources of information are, and found them to be reliable and secure sources. The personal relationship (in fact friendship) which exists between members and the chairperson and Secretary at branch level. For how long the Association centrally and through branches has held and processed the information of individuals. That in the past no complaint has arisen from information being held nor its processing. Once an individual joins the Army and then joins a Regimental Association the individual will know his / her information will be retained by the Army indefinitely and within the Association expect it be held and processed for the individual's life.
8. The Association will not hold nor process information for an individual who is termed a child under the GDPR. For individuals who are known to the Association as being vulnerable special care will be taken before a release of information about them, and as a minimum will carry out an assessment which is tailored to and specific to their interests and needs.
9. This assessment has considered the risk to the individual arising from the information held and processed. The risk could be physical, financial, emotional, the loss by the individual to control his information, economic and social disadvantage, the loss of GDPR rights, or any other adverse impact.
10. In summary and conclusion. The holding and processing of an individual's information is of the minimum information necessary to maintain contact. It is held and processed for the clear benefit of the individual and the wider communities and society. The individual has a reasonable expectation that to be a viable member he will need to give this information initially when expressing an interest to join a branch and that it will be held and processed. The individual is fully aware of his / her rights, how to exercise them and to whom to apply to exercise them.


1. ARTICLE 5(1)(f) sets out the GPDR requirements for integrity and confidentiality of personal information as follows: 'Processed in a manner that ensures appropriate security of data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. '
2. THE RISK analysis is that personal information can be misused, used for crime, cyber crime, fraud, terrorism, international terrorism or otherwise unlawfully used, be subject to unauthorised use, or lost, destroyed or damaged. These are a real risk for all organisations however large or small. The Association does not hold sensitive personal Information nor information on children, and the information held is the minimum. The risk is mitigated by using appropriate physical, technical and organizational measures within the Association. The following are the core factors in this assessment: confidentiality, integrity, availability and resilience.
3. Only those authorised have access to the information. The information for a few individuals is held centrally but for most it is held within a branch. The information maybe be held and processed by computer, on paper (written, typed or copies) or electronically (an example being by email) or otherwise.
4. Those authorised are termed Compliance Officers, and they will be the custodians of the information held on individuals either centrally or at branch.
5. Personal information maybe held and processed (including deletion and the correction of errors) only by a Compliance Officer within the scope of their authority and in Compliance with the GDPR. It is the duty of the Compliance Officer to ensure personal information is complete and up to date based on the representations of the individual concerned. The Compliance Officer may as necessary delegate to another this duty.
6. Disposal of IT , computers, electronic equipment and paper documents must be such that all personal information is permanently removed from the device and cannot be recovered from it but is saved or backed up to another device in current use, to preserve the information.
7. Computers, paper records and electronic devices are secured under the control and possession of the Compliance Officer. Computers and electronic devices will be password protected. The assessment is that given the nominal nature of the information held and processed and fully considering the risks, that this level of security is appropriate.
8. Each Compliance Officer will ensure the personal information is accessible, useable, and if lost is recoverable so as to prevent loss or distress to others and compliance with GDPR.
9. The security measures are subject to ongoing review and analysis. This protocol can changed as necessary to ensure continuing effective security measures are in place.
10. Any breach of the GDPR will be self reported to the Information Commissioners Office as required by GDPR.
11. In summary. On considering the risk analysis and the minimal information held and processed the security measures are appropriate but are subject to ongoing review.


1. The Association keeps personal information on individuals and does not hold sensitive information. Individuals will reasonably expect their information will be held, processed and passed within the Association as set out in this Protocol including its branches and the wider Regimental family for Regimental matters, including events, clubs, welfare and for marketing of Regimentally and military connected items.
2. The Association is also part of local communities and operates with other organisations (including those for welfare such as SSAFA and the ABF) for the benefit of the Regiment, its history and traditions, and the Association members and individuals will reasonably expect their information to be shared with these.
3. This privacy notice may be given verbally, in paper printed format, by a paper copy being displayed or provided to be read, or by email, to the individual concerned.
4. The Association looks to individuals to provide personal information about themselves. Sometimes personal information will be supplied by 3rd parties (an example being SSAFA).
5. Personal information will not otherwise be passed on to others unless the law says it must be.
6. Personal Information will not otherwise be sold, rented, nor swopped with a marketing company,
7. Personal Information will not be used for profiling nor large scale analysis of data.
8. The Compliance Officer will use reasonable action to confirm with the individual the accuracy of information received from a third party which is about that individual.
9. The Compliance Officer will routinely review the relevance and accuracy of the information held.
10. The GDPR gives rights to an individual whose information is held and processed. These are fully set out on the web site of the Information Commissioner's Office
11. As a summary, the GDPR provide the following rights for individuals concerning the information held on them:

1. The right to be informed; of the collection and use of the individual's information.
2. The right of access; being access by the individual to personal and any supplementary information held to allow the individual to be aware of and verify the lawfulness of its handling.
3. The right of rectification of inaccurate information, which request maybe made verbally, in writing or electronically as appropriate; to add to or change or correct the information held.
4. The right to erase, which request maybe made verbally, in writing or electronically as appropriate. This is also referred to as the 'right to be forgotten' being the deletion of information.
5. The right to restrict processing, which request maybe made verbally, in writing or electronically as appropriate ; for personal information to be suppressed or given a restricted distribution.
6. The right to data portability; being the use by the individual of his / her information to obtain other services from third parties.
7. The right to object; the Association will not handle information for direct marketing, or research, except as set out in this Protocol.
8. Rights in relation to automated decision making and profiling; the Association will not use automated decision making nor profiling.

12. Only the individual whose information is the subject of a request to exercise a right may make the request. The Compliance Officer who receives a clear and unambiguous request directly from an individual will comply or reply promptly but usually within one month in any event.


1. The Association operates through branches and each branch keeps its own information about individuals, either on computers or on paper or electronically (such as on emails). Accordingly the Chairperson and the Secretary of each branch are both the controllers and the processors, and Compliance Officers, for the information held by their branch, although from time to time they may delegate these responsibilities. For information held centrally by the Association the Chairperson and Deputy Chairperson are jointly the controllers and processors, and Central Compliance Officers but may from time to time delegate these responsibilities.
2. Each Branch Compliance Officer must ensure that each individual within their branch is fully aware of the contents of this Protocol, and the identity and how to contact each Branch Compliance Officer. Each Central Compliance Officer will ensure that each individual whose information is centrally held is fully aware of the contents of this Protocol and the identity and how to contact each Central Compliance Officer.
3. Any breach of the Regulations will be self reported to the Information Commissioners Office in accordance with GDPR.
4. This protocol requires no further action by the individual unless that individual wishes to exercise one or more of the rights given by the Regulations. Each individual is urged to ensure that information held about him or her is accurate and up-to-date.
5. This Protocol is subject to ongoing review and revision.

Dated 14th May 2018.