Farnham (Building Preservation) Trust (FBPT) needs to keep certain information on its members and trustees to carry out its day-to-day operations, to meet its objectives and to comply with legal obligations.
FBPT is committed to ensuring any personal data will be dealt with in line with the General Data Protection Regulations (2018). To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully. The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also outlines key data protection procedures. This policy covers trustees, members and contractors.
In line with the GDPR 2018 principles, FBPT will ensure that personal data will:
• Be obtained fairly, lawfully and transparently and shall not be processed unless certain conditions are met*
• Be obtained for a specific and lawful purpose
• Be adequate, relevant but not excessive
• Be accurate and kept up to date
• Not be held longer than necessary
• Be processed in accordance with the rights of data subjects
• Be subject to appropriate security measures
*The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper-based personal data as well as that kept on computer.
FBPT processes the following types of personal information (additional information may be collected and processed when necessary):
• contact details (email, address and phone numbers) for Trustees, members and contractors
• details of the projects being undertaken by FBPT
• references from other heritage organisations
• project details of contractors
• bank account numbers where appropriate
Personal information is kept in the following forms:
• held electronically on computers
• held on backup drives by Trustees, members and contractors
• held on paper files which are within locked premises.
Groups of people within the organisation who will process personal information are:
• Trustees, members and contractors
Overall responsibility for personal data in a not-for-profit organisation rests with the governing body. In the case of FBPT, this is the Board of Trustees. The Board is responsible for:
• understanding and communicating obligations under the GDPR
• identifying potential problem areas or risks
• annually renewing latest guidance about data protection.
We will ensure that:
• Anyone wanting to make enquiries about handling personal information knows what to do.
• Queries about handling personal information will be dealt with swiftly and politely.
• Any disclosure of personal data will be in line with procedures.
Before personal information is collected, we will consider:
• what minimum amount of data is needed to provide our services to an individual
• how long we need the data for
• security for that information and who has access to it
• how the data will be processed
We will inform people whose information is gathered about the following:
• to whom any enquiries or comments about personal data should be addressed
We will take the following measures to ensure that personal information kept is accurate:
• keep regular contact with Trustees, members and contractors to ensure information is up to date.
FBPT takes steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. Any unauthorised disclosure of personal data to a third party by a Trustee or member may result in possible penalties for a Trustee, including removal from the Board.
Anyone whose personal information we process has the right:
1. To be informed
2. Of access
3. Of rectification
4. Of erasure / the right to be forgotten
5. To restrict processing
7. To object
Individuals have a right under the GDPR to access personal data being kept about them by FBPT. Any person wishing to exercise this right should apply in writing to the FBPT at either firstname.lastname@example.org or Belfry House, Old Lane, Dockenfield, Farnham, Surrey GU10 4HQ.
We then have one calendar month to respond unless the request is considered to be particularly onerous. In those circumstances, the data subject will be informed that an extension has been added to the time allowed to fulfil the request. The following information will be required before access is granted:
• Full name and contact details of the person making the request
• Their relationship with the organisation
• Any other relevant information
We may also require proof of identity before access is granted.
This policy will be reviewed every 2 years to ensure it remains up to date and compliant with the law.
Approved 27th June 2018