This is a guide to current UK legislation and how it relates to your use of personal information with the Insight system. This is an introduction only and should not be relied upon – for full information please visit the web site of the Information Commissioner at www.informationcommissioner.gov.uk
Who does it apply to?
Because your organisation is storing personal information on a computer, it is defined by law as a Data Controller, and must abide by legislation laid out in the Data Protection Act. This applies even if you are not using the Insight system - any stored list of personal information (for example in a spreadsheet, word processor or database) means the Data Protection Act applies to you.
The Insight system supplies some functionality that makes it easier for you to comply - for example, people can update their own personal information, which means they have adequate access to the information stored about them, they can ensure the information is accurate, and they are able to monitor the purposes for which it is used. However, you must make sure that your use of the Insight system remains within the law - for example, your database has a specific purpose, which is the administration of your organisation; selling this database to a third party without individuals' explicit consent would be illegal.
There are eight principles put in place by the Data Protection Act 1998 to make sure that personal information is handled properly by Data Controllers.
The data must be:
fairly and lawfully processed;
processed for limited purposes;
adequate, relevant and not excessive;
not kept for longer than is necessary;
processed in line with your rights;
not transferred to countries without adequate protection.
By law data controllers have to keep to these principles.
Please also see our section on the GDPR
What are the responsibilities of Endis?
As the supplier of the computer system which you are using, Endis is termed the Data Processor. As the person for whom information is collected, and who controls the purposes for which the information is used, your organisation is the Data Controller.
Endis will provide the functionality you require to be compliant with the law - for example collecting and storing data safely and securely - but ultimately your organisation is responsible for its own compliance. Your organisation retains ownership of the information stored in the Insight system, and Endis will not use this information for any other purpose without your permission. However, when a user registers on your web site or views the terms and conditions of the site, they are asked an opt-in question as to whether they are happy for Endis to also use their information.
What does your organisation need to do?
When implementing your site, the most important consideration in terms of data protection is in putting together your address book. Members who register through the web site are explicitly agreeing to use the site and to be listed in the system, by agreeing to the site terms and conditions. If you import an existing set of data into the address book, you need to ensure these people are given the same options.
If you already have an address book that you wish to import into Insight, this information should have been collected with the individual's consent (e.g. small print at the bottom of a personal details form that says this information will be stored on computer for office use). Because you are changing the use of that information - by using it on the web site address book - you need to ask permission for the change of use.
Explaining the change of use is best done at the same time as you are explaining the benefits of your new web site, as the phrase "on the internet" can raise unnecessary fears if poorly understood. For example, if your web site is announced in a meeting or advertised in an email, then explain the benefits of moving the address book online (more accurate, accessible, people can update their own details, printed versions available), explain that it's secured with passwords and only members of the organisation can access it, and explain that anyone who has any objections can opt out by managing their own privacy settings.