The British Association of Paintings Conservator-Restorers
Data Protection and Information Security Policy
- Introduction
The British Association of Paintings Conservator-Restorers promotes and fosters the practice of paintings conservation in the UK and around the world. We are the longest established dedicated professional organisation for all conservator-restorers of paintings in the UK.
The BAPCR council seeks to provide an interesting and varied regular programme of lectures and conferences in support of the professional development of its Members. We organise professional visits, training activities and workshops with leading professionals, helping our members develop their knowledge, skills and outlook. Fellows of the BAPCR are the Association’s own professionally accredited members, and the BAPCR also supports PACR accreditation (ACR).
The BAPCR is committed to engaging the public with the practice of painting conservation. We operate the Find a Restorer scheme, putting members of the public in touch with Fellows of the Association, and we answer all public enquiries.
- The processing of personal data
The BAPCR collects and uses personal information about staff, Council members, subscribers and Members. This information is collected so that the BAPCR can provide opportunities for all painting conservator-restorers to meet and share their knowledge from a variety of painting conservation backgrounds or specialisms. Conservators can learn about one another’s work through the pages of our journal and communicate easily via our social media platforms.
The purpose of this policy is to ensure the BAPCR (Council members, The Picture Restorer editorial team and staff) has identified how it will collect, secure, process, share and erase data in accordance with the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy relates primarily to the personal data of individuals, that is, data that would enable them to be identified directly or indirectly by an identifier such as name, membership number or address. The BAPCR does not gather Sensitive Personal Data (special category data under the UK GDPR).
- The Regulator
The Information Commissioner’s Office is responsible for:
- overseeing compliance with Data Protection legislation
- supporting organisations to become compliant
- enforcing lawful processing of data
- investigating complaints where organisations are not compliant
Organisations that process personal information must register with the ICO and maintain a current record of the information they process, the legal basis for processing it and who it is shared with.
- Compliance with the Principles of GDPR
The BAPCR will ensure all information collected, processed, shared and stored complies with the principles of GDPR. This means Personally Identifiable Information (PII) will be:
- processed lawfully, fairly and in a transparent manner
- collected for a specified, legitimate purpose and used only for that purpose
- limited to what is required for that purpose
- accurate and where required, rectified without delay
- kept only as long as it is required in accordance with the BAPCR’s retention schedule
- appropriately secured against unauthorised or unlawful processing, accidental loss, destruction or damage
- processed in accordance with the rights of data subjects
- processed in the UK and European Economic Area unless additional protection has been put in place
- The BAPCR’s commitment to the principles of GDPR
The BAPCR is committed to maintaining the GDPR principles at all times and will:
- Inform individuals why their information is being collected
- Inform individuals when their information is shared, why it is being shared and with whom
- Check the quality and the accuracy of the information it holds
- Only retain information for as long as it is required
- Erase data securely when no longer required
- Ensure safeguards are in place to protect personal information from loss, theft and unauthorised disclosure
- Only share information when it is legally appropriate to do so
- Enable access to individual records through its Subject Access Request process
- Ensure all staff and Council members understand the BAPCR’s policies and procedures
- Responsibilities
All employees, Council members and any other individual handling personal information on behalf of the BAPCR have a responsibility to ensure that they comply with Data Protection legislation and the BAPCR’s policies.
The BAPCR ensures that all staff who are involved in processing personal data undertake training as part of their Induction and the BAPCR provides training to maintain a good level of awareness of the regulation.
- The legal basis
The BAPCR will comply with all relevant UK and European Union legislation, including:
- Human Rights Act 1998
- Data Protection Legislation (the UK GDPR and the Data Protection Act 2018, which replaced the Data Protection Act 1998)
- Freedom of Information Act 2000
- Common law duty of confidence
- Copyright, Designs and Patents Act 1988
- Computer Misuse Act 1990
- Health and Safety at Work Act 1974
- Privacy and Electronic Communications (EC Directive) Regulations 2003
- Keeping Data Safe
Before introducing a new policy, procedure, system or database involving personal data the BAPCR will complete a Data Protection Impact Assessment (DPIA). The DPIA will identify any potential risks of harm to individuals through the misuse of their personal information so that these risks can be reduced before processing begins. A DPIA is mandatory in all cases where the processing is likely to result in a high risk to individuals.
- Provision of Individual Rights of the data subject
- Right to be Informed
The BAPCR’s Privacy Notices explain what information is being processed, the legal basis for processing, the purpose of processing, who the information is shared with and the schedule detailing how long the information is held. The Privacy Notice is available on the BAPCR’s website.
- Right of Access
Individuals have the right to request access to the information the BAPCR holds about them. This is exercised by making a Subject Access Request, which should be submitted in writing to the BAPCR.
An application on behalf of anyone lacking mental capacity who would otherwise have the right to request access to their records may be made where a nominated person making the application can provide a Lasting Power of Attorney or an Enduring Power of Attorney or proof of Court-appointed Deputyship.
Only information relating to the individual will be disclosed as part of a subject access request.
Any information that may prejudice the prevention and detection of crime may be exempted from disclosure. There are also a number of other exemptions which may be applied and these will be explained on an individual basis.
If you would like to exercise your individual rights, please contact the BAPCR Secretary by emailing BAPCRsecretary@gmail.com
Requests will be acknowledged within 5 days and responded to within 1 month of receipt.
Where a request is complex, the applicant will be notified of this within the initial 1-month period and a response will be provided within a further 2 months.
- Right to object
Data subjects have the right to object to their information being processed if they do not believe there is a legitimate legal basis for processing or their data is being shared without a legitimate purpose.
- Right to rectification
Individuals have the right to have any personal data rectified if it is incorrect. This includes the need to ensure that the data held is complete.
- Right to restriction
Individuals have the right to request the temporary restriction of the processing and access to their data. This might apply when:
- the accuracy of data is being established,
- the BAPCR is considering whether its grounds for processing override an objection raised by the data subject,
- data has been processed unlawfully but the data subject does not want it erased.
- it is no longer required by the BAPCR but the individual has requested the information be retained in connection with a legal claim.
The right to restriction does not apply if the BAPCR requires the information in connection with a legal claim or there is another legal basis for continuing to process the data.
- Right of erasure
Where there is no justification for the continued use of an individual’s data, they may ask for it to be erased. Data may be erased when:
- It is no longer required for the purpose for which it was collected
- Consent for the original processing has been withdrawn
- It has been processed without a legitimate legal basis
- There is a legal requirement to erase the data
The BAPCR will decline a request for erasure when:
- A legitimate legal basis exists for processing the data
- The data is required for historic, statistical or archiving activities
- The data is required in connection with a legal claim
- Right to portability
Where data is held electronically and is processed on the basis of the individual’s consent or a contract with them, the individual can ask for their data to be transferred electronically to another organisation.
- Automated Processing
The BAPCR does not use IT systems to make automatic decisions based on personal data.
- Data Protection Breach
The BAPCR will take all reasonable steps to hold and process personal data securely. In the unlikely event of a breach, the BAPCR has a data breach management process; all staff are aware of it and have received appropriate training so they can recognise and react appropriately to a data breach. All breaches of Data Protection legislation will be reported to the BAPCR’s Data Protection Officer, who will ensure the process is followed, that breaches are reported to the ICO where required (within 72 hours of the BAPCR becoming aware of the breach) and that affected individuals are informed where the breach is likely to result in a high risk to them.
- Information security
Information that is confidential but doesn’t relate to an individual or individuals includes the following:
- BAPCR business or corporate records containing organisationally or publicly sensitive information
- Any commercially sensitive information such as information relating to commercial proposals or current negotiations
- Politically sensitive information
- Information relating to security, investigations and proceedings
- Any information which, if released, could cause problems or damage to individuals, the public, the BAPCR or another organisation. This could be personal, financial, reputation or legal damage.
This policy applies to all employees, Council members, Members and The Picture Restorer editorial team who handle information for which the BAPCR is responsible. It also forms the basis of the contractual obligations placed on Data Processors where their contracts refer to the BAPCR’s Data Protection and Information Security Policy.
The BAPCR will maintain the confidentiality, integrity and security of all data ensuring it is gathered, secured, stored, shared and erased in accordance with the data protection regulation. The BAPCR will review its data protection policies as part of its governance process.
Information systems will be checked regularly for technical compliance with relevant security implementation standards.
Operational systems are subjected to technical examination to ensure that hardware and software controls have been correctly implemented.
- Management of Information
The BAPCR will manage information in accordance with the principles and procedures within this policy and other relevant policies and standards. The following principles apply to how we handle information in the BAPCR:
- All identifiable personal information is treated as confidential and will be handled in accordance with the relevant legal and regulatory protocols.
- All identifiable information relating to staff is confidential except where national policy on accountability and openness requires otherwise.
- Procedures will be maintained to ensure compliance with Data Protection legislation, The Human Rights Act 1998, the common law duty of confidentiality, the Freedom of Information Act 2000 and any other relevant legislation or statutory obligation.
- Information is recorded, used and stored to protect integrity so that it remains accurate and relevant at all times.
- BAPCR records
The BAPCR will create and maintain adequate records of staff, Council members and Members to meet its business needs and to account fully and transparently for all actions and decisions. Such records can be used to provide credible and authoritative evidence where required; protect the legal and other rights of the BAPCR, its staff and those who have dealings with the BAPCR; facilitate audit; and fulfil the BAPCR’s legal obligations.
Records will be managed and controlled effectively to fulfil legal, operational and information needs and obligations in the most cost-effective manner, in line with the BAPCR’s records management procedures.
- Contacts
In the first instance, if you would like to exercise your individual rights, please contact our Secretary by emailing BAPCRsecretary@gmail.com
The Data Protection Officer for the BAPCR is:
Roger Simmons – GDPR Practitioner and DPO
07704 838 512
rsimmonsltd@gmail.com
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
www.ico.gov.uk