GDPR Statement

Background

The General Data Protection Regulation (GDPR) came into force on 25 May 2018, from which point all companies based in, or doing business in, the EU must comply with it. More information about the GDPR and what duties it imposes on companies, as well as what extra rights it gives to individuals, can be found on the Information Commissioner’s Office website. The GDPR is enshrined in UK law through the Data Protection Act 2018.

What we’re doing to protect your data

Three Rings CIC takes the safety of personal data very seriously. Among other measures, we encrypt all traffic to and from the Three Rings application at 3r.org.uk, log all actions taken by users within the system, and follow a higher standard of encryption than the UK requires for online banking services.

The Three Rings application, and all data stored in it, as well as all offsite backups, are stored exclusively within the United Kingdom and the European Union. Three Rings processes data in accordance with our Terms and Conditions and our Privacy Policy.

Our Data Protection Officer can be reached on dpo@threerings.org.uk.

How we help our clients comply with the GDPR

Per-property access control

Client organisations can fine-tune exactly what data they store about their volunteers and who has access to see and/or edit each type of information, via the Admin > Properties panel. This makes it easier for an organisation to collect, maintain, and control volunteer personal data in accordance with their existing data policy and the arrangements and agreements they have with their own volunteers. For further details, see the documentation.

Role-based segregation

If required, an organisation can configure Three Rings so that not just the visibility of properties, but of entire groups of volunteers, can be restricted from other groups, as described in the documentation. This can be used, for example, to allow “applicants” to see nobody else within an organisation, and to be hidden from all of that organisation apart from members of the “recruitment” team.

Data deletion reminders

Three Rings automatically produces reminders if an organisation has closed a volunteer’s account but has not yet chosen to delete that volunteer’s personal information. There may be legitimate reasons for an organisation to retain personal data on former volunteers, but (without the kind of reminders Three Rings provides) there is always a risk that such data is retained for longer than is reasonable. By providing reminders, Three Rings helps ensure that organisations remember to treat the personal data of former volunteers in an appropriate, legally-compliant manner. You can easily delete all of the personal information associated with the account at any time, without needing to wait for a reminder.

Privacy Policy tool

The Admin > Privacy function is designed to help streamline the publication of your organisation’s data collection policy, including who to contact in the event of any queries such as subject access requests, for your volunteers to see. Although Three Rings CIC cannot offer legal advice, the Privacy Policy tool provides some basic statements to help your organisation formulate and publish your Privacy Policy to your volunteers: we strongly recommend that you adapt these in line with your organisation’s needs, and the legal advice you receive in respect of data management and privacy law.

The statements you provide here are made available to your volunteers through their My Account page, and are also shared with members of the Three Rings Support Team so they can accurately respond to any questions sent to them directly from your volunteers about the data stored and processed by your organisation.

If your organisation has never completed the Privacy Policy, you’ll get a Maintenance Task to remind you to do so. If you have completed it, but it’s been a long time since you last updated it, you’ll get a Maintenance Task to remind you to revisit it, so you can make sure that it’s still current.

Personal information report

To help organisations streamline the handling of Subject Access Requests, and other personal data/privacy queries by their volunteers, an Admin-only report can be accessed in Stats. This concisely collates all of the machine-readable data the application holds on behalf of an organisation, relating to a specific volunteer. It is only available to volunteers whose Role grants them Admin rights.

For organisations who store all, or most, of their volunteer data on the Three Rings application, this may complete the vast majority of the work involved in that organisation’s processing of a Subject Access Request (although certain information, such as non-machine-readable information stored in Filestore Uploads, may still need manual retrieval, as well as any paper or electronic records not stored within Three Rings).

Individual volunteers at an organisation will be able to view their own Personal Information Report via the My Account page.

Property privacy view

Volunteers can easily determine who can see personal data stored on their Directory profile, with a ‘Privacy Button’ which identifies which Properties are visible to what Roles. This is designed to support individual volunteers in making informed choices when deciding what information to share.

User-driven account deletion

To make it easier for volunteers to exercise their “right to be forgotten”, Three Rings offers an option for volunteers to delete their own Three Rings account and all personal data connected to it, available via the My Account page. To minimise the risk of disruption to organisations where they volunteer, and the possibility of accidental deletion, volunteers are required to confirm their intention and supply their password, in order to exercise this option. This only deletes information for which Three Rings is the Data Controller, and not any data held by your organisation.