Who We Are
We are Kettering Constituency Labour Party, the local Labour Party organisation for the UK Parliamentary Constituency of Kettering which includes the Borough of Kettering and its surrounding towns and villages.
We are commonly known as Kettering Labour, and we work hard to get our Candidates elected to public office, and are enthusiastic to serve the local communities in which we live in order to make our society fairer for the many, not the few.
Within our Party we have a number of different “groups” – this includes our Membership, it includes our Executive Committee, Campaigning Group, Working Parties that may be set up to focus on specific issues, our Diversity Group and Unions Group, and Councillor Groups at County and Borough Council levels of local government.
We understand how important your privacy is and recognise that we are being trusted with protecting any information that is shared with us, so the purpose of this privacy notice is to give you clear information about how we collect and use your personal data.
We think it’s important that you read this privacy notice in full. This is so that you understand what data we collect about you, how it is collected, how we use and look after that data, what privacy rights you have and how the law protects you.
Basic Information & How to Contact Us
This privacy notice aims to give you information on how Kettering Labour collects and processes your personal data through your use of our website, including any data you may provide when you use our website, join the Party, contact us over the phone, by email or in writing or sign up to any of our mailing lists.
For all of our data collection, the organisation that is responsible for personal data is Kettering Constituency Labour Party, although some data may be shared from our parent organisation, The Labour Party – especially for membership information that is provided to The Labour Party by members joining or updating personal information. You can contact us by emailing us at firstname.lastname@example.org – this will forward the e-mail to the Chair and the Secretary. If you’d prefer, you can also write to us at Data Protection, Kettering Constituency Labour Party, The Yards, 12b Market Street, Kettering, NN16 0AH.
Aims and Objectives of this Policy
This policy sets out how Kettering Labour Party handles data.
This policy has been created to ensure that there is good governance around how data is collected, stored, processed and accessed.
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals and organisations within the European Union that comes/came into force from 25th May 2018. It is a harmonised regulation across the EU, and replaces previous local legislation of EU Member States.
GDPR applies not only to those within the EU, but to any person or organisation that collects, stores, processes or accesses the data of any individual or organisation within the European Economic Area (EEA).
The aim of this policy is to provide Kettering Labour Party with a framework in which to work with data that protects the data that we work with, the people whose data we are working with, and the people who are working with that data.
If you have a question, query or complaint regarding data protection then please e-mail email@example.com or write to Data Protection, Kettering Constituency Labour Party.
There are some basic principles to GDPR and our Data Policy will meet these principles.
Any data that is collected, stored, processed or accessed must be obtained with the consent of the person or organisation whose data it is. This consent must be given freely and fairly, however there are circumstances where lawful processing can take place without specific consent – for example to fulfil an order, deliver a contract, for governance or compliance auditing or where a court of law instructs us to do something.
Kettering Labour Party needs to hold details of its members in order to know who its members are, to ensure that they can receive the rights of membership (such as attending AGMs, All Member Meetings where resolutions are voted on, and Selection of Candidate Process Meetings) and to ensure that their membership can be maintained or cancelled as they wish (such as notifying them of membership fees due or lapsing, or being able to accept their membership resignation).
Collecting, storing, processing and accessing data is therefore required in order to maintain the membership contract or relationship, but Kettering Labour Party will only handle data without additional specific consent for purposes that are critical to maintain the membership contract or relationship.
What we will do:
- Collect information via the national Labour Party when someone joins the party. This information will be passed to Kettering Labour Party.
- This information will be able to be accessed by members of the Executive Committee and those that take up positions/roles on the committees of a Branch or Group that a member belongs to. People holding these roles may need to contact members regarding their membership.
- Add the member to a mailing list for all member notifications – this will be used to notify members of specific meeting notifications. The information that will be added is first name, last name and membership number. Members will have the ability to remove themselves from this mailing list, but in doing so won’t automatically receive AGM notifications, All Member Meeting notifications and notifications for Selection of Candidate Process Meetings. This all member notifications list will not be used to send any other type of communication.
- The Executive Committee will send a welcome e-mail to new members joining which will include instructions on how to join other relevant mailing lists – this will include a general Kettering Labour newsletter list, specific Branch lists, and lists for Groups. Those lists will require specific consent to join, and that consent will be recorded. This is covered elsewhere in this document.
Role / Position Holder Data
A role or position holder – someone who is on any committee (Executive, Branch, Group or Working Party) or is a Candidate or Councillor – will necessarily need to have some data about themselves collected, stored, processed and accessed by members of the Party in relation to the role or function that they are carrying out, as it would be impossible for them to carry out their role and discharge its duties if people did not know who they were and how to contact them.
The processing and accessing of this data may therefore need to be put into directories within Kettering Labour, the wider regional and national Labour Party, local government organisations, public websites and with members of the public.
Kettering Labour will explain this to role or position holders up front, and will remind them annually.
Kettering Labour Party may need to collect, store, process or access data of other people or organisations. When this happens, consent will be sought before collecting data. Access to that data will be restricted to those people that need access to it. We are awaiting further guidelines from the national Labour Party on this subject, and until that guidance is received we will not collect, store, process or access the data of private individuals that are not members.
The Right to be Informed
When Kettering Labour has the need to collect data of a person or organisation, the person collecting that data on behalf of Kettering Labour will:
- Explain that they are collecting the data for Kettering Labour.
- Specifically what data is being collected.
- Why it is being collected.
- Who will have access to it – this can include groups or positions/roles.
- That we will normally not share this data with any other person or organisation outside of the Labour Party, unless compelled to by law or to help with specific incidents (eg to help a resident their information might need to be shared with the local authority).
- Where data is shared to anyone else outside of Kettering Labour, they will be informed of who that data is shared with.
- How long it will be kept for.
- Who they can contact if they wish to complain or raise a query.
If appropriate for specific data collection tasks, Kettering Labour may put this information on a web site and provide a link to this information online or on a leaflet or other printout, or they may provide this information directly on a leaflet or other printout.
The Right of Access
Kettering Labour will confirm what data is held about a person or organisation if they request to know. Requests should be made to the Secretary of the Executive Committee and Kettering Labour will confirm the data that is held within one month.
Upon receiving a request for confirmation of data held, the Secretary will ask other Executive Committee members, Branch committee members and Group committee members for confirmation of data that is held for that person or organisation within 7 days.
Copies of all data should be provided to the Secretary within 7 days, and the Secretary will provide the person or organisation with the data within a further 7 days. The total time for the process is 21 days, allowing 9 days for extraordinary circumstances (such as holidays or sickness) at any stage of the process.
The Right to Rectification
If a person or organisation tells us that data we hold about them is incorrect, we will correct it.
The Right to Erasure / The Right to be Forgotten
If a person or organisation tells us that they wish to be forgotten or that they withdraw consent for us to hold their data, then this request should be made to the Secretary.
The Secretary will ask other Executive Committee members, Branch committee members and Group committee members to remove any data that they have for the person or organisation within 7 days and to confirm the same.
The Secretary will record the name of the person or organisation making the request, and will confirm with them that data has been removed within a further 7 days.
If data needs to be kept for legal or governance reasons (and this includes recording that the request has been made and that it has been actioned), or because a court has issued an instruction that requires data to be retained, then this is allowed. In such a case any retained data will be reviewed annually to see if it still needs to be retained, and if it doesn’t then it will be removed at that point.
The Right to Restrict Processing
If a person or organisation asks us to stop processing their data, but doesn’t ask for it to be removed, then we will stop using it. An example scenario is where someone asks us to remove them from a mailing list – in that case we will remove their subscription to the mailing list but we will still store that they were a member of the mailing list and the fact that they have been removed, along with the date stamp of that removal, but we will not send them new mail.
The Right to Data Portability
If a person or organisation asks us for a copy of the data that they have provided to us, we will provide it in a machine readable format. This means that we will provide a CSV of their data from our mailing lists, MembersNet and any other database that we use as Kettering Labour.
The Right to Object
If a person or organisation objects to us using their data, then we will stop using it unless there is a compelling reason to do otherwise. Compelling reasons are those laid out in the Lawful Processing section above.
Rights Related to Automated Decision Making and Profiling
Kettering Labour does not use automated decision making or profiling of people or organisations based on data collected, stored, processed or accessed.
Accountability and Governance
Where data is collected Kettering Labour will record consent or permission to use the data collected. How this is done will be dependent upon the collection method:
- Mailing lists: The data collected will be recorded with a log of the time and date, and where practical an e-mail confirmation link will be used that requires the person or organisation providing the data to click on the link to confirm consent.
- Websites: A log of the time and date will be made of any forms submitted, and consent will be sought for any cookie or analytics use.
- Paper-based collection: The time and date will be recorded when data is collected. If it occurs in a canvassing session, the start and end date and time along with the name of the person collecting the information will be recorded for that session alongside the data collected and verbal consent will always be obtained. Where possible and practical, signed consent will be requested (eg helping a resident with a specific issue).
A data breach is the unintended loss of data, access to data by someone that shouldn’t have access to it or data being damaged/incorrect.
If any person within Kettering Labour suspects a data breach then they have a duty to inform the Chair or Secretary within 24 hours of the suspected breach. They must use all communication methods at their disposal, and if they cannot contact the Chair or Secretary then they must contact the regional or national party.
Upon the Chair or Secretary being informed, they will notify relevant members of the Executive Committee to confirm the data breach, and if a data breach is confirmed then they will contact the regional party and the relevant regulatory authorities such as the Information Commissioner’s Office within 48 hours of the breach being identified by the first person.
Also within 48 hours of the breach being identified by the first person, those people or organisations whose data has been breached must be notified of the nature of the breach, what this means, what is going to be done to rectify the situation and how we will stop the situation happening in the future.
The law allows for 72 hours for us to notify the regulatory authorities and the people or organisations whose data has been breached. By working to 48 hours, we allow extra time “in case something goes wrong” or otherwise adds complications or delays. The 72 hour requirement is absolute and so we cannot breach that without the prospect of serious financial penalties.
Transfer of Data
We will not normally transfer data outside of the Labour Party.
We receive data from the national party about members, and may receive data about other people or organisations from regional or national party, other local Constituency parties, MPs, Candidates or local authorities and their suppliers/customers/partners.
We host our mailing lists on the MailChimp platform; further information is below. This platform has been agreed with the Data Protection Officer, Jordan Hall, at The Labour Party. It has been chosen for MailChimp’s commitment to data protection. This includes being legally compliant with the EU-US Privacy Shield Framework, totally committed to GDPR compliance, and providing secure services to do the same.
We will not transfer data to any party without specific consent from the person or organisation whose data it is, and without informing them of the transfer ahead of the transfer of data.
Individual governments can pass exemptions from specific rights of the GDPR. This has to be for specific purposes such as national security or law enforcement. Where this occurs, Kettering Labour will comply with the relevant laws as required, and will also review this document regularly to ensure it is suitable for any exemptions that get put in place in the future.
Collecting, Storing, Processing and Accessing Data
Kettering Labour will only collect data where absolutely necessary and to carry out specific, pre-identified tasks. The minimum amount of data to complete those tasks will be collected.
At the point of data collection, the person or organisation whose data is being collected will be informed as laid out in the “Right to be Informed” section above.
Storing and Processing Data
Data will only be stored and processed in a secure manner in the minimum number of places required to store that data in order for the purpose of its collection to be met.
The preferred method for storing data will be in centralised tools provided by Kettering Labour, the regional party or the national party.
No member of Kettering Labour will store data on any member of the party, member of the public or other organisation on their own computer or in any other format (physical or digital) without the prior consent of the Executive Committee and that consent must be for a specific task and a specified pre-agreed time limit.
Where this consent is granted it must be in writing from the Secretary or Chair and the consent, person it is granted to, specific task, time limit and nature of the data being used will be recorded by the Secretary and held for a period of six years after the time limit has expired.
It is the responsibility of the member granted the consent to remove that data after the task is completed or the time limit expires, and they should report the time and date that this removal took place with the Secretary who will keep a record of the removal alongside original consent for a period of six years after the time limit has expired.
Where consent is obtained and data is stored in compliance with that consent, multiple copies of the data should not be stored unless absolutely necessary to complete the specific task at hand.
Where consent is obtained and data is stored then transfer of data to other people, groups or organisations must not take place unless the consent specifically allows for this and the people or organisations whose data it is have been informed.
Data that is e-mailed should be carefully considered and if possible no personally identifiable information should be e-mailed unless absolutely necessary to complete a task. Where that information does need to be e-mailed, only the bare minimum of information should be sent, and there must be consent from the person or organisation whose data it is for this specific task, as well as consent from the Executive Committee as outlined above. If possible data will at least be sent in a password protected file, such as an Excel file or Zip file and the password will be provided to the recipient by a means other than e-mail (an example may be by phone).
Access of data will be restricted to those that absolutely necessarily need to access it to complete pre-identified and specific tasks.
Where centralised tools are being used then they will be used to restrict access to data. Usernames and passwords should be required as a bare minimum, and passwords that are used should be unique and complex, and it is the responsibility of each person using those credentials to protect them. They should not write them down or store them in an unsecure manner.
Where tools allow for the use of a “multi-factor authentication option”, this should be used. This could be an additional requirement to click a link in an e-mail to logon, or the use of a one-time password or code using technology such as an Authenticator application.
Where consent has been provided for people to store or process data outside of centralised tools, this should be done securely. Any computer that is storing information should be password protected and ideally on an encrypted disk drive.
Any paper copy of data, or any portable computer or portable disk drive (including USB keys) must be locked in a secure environment (ideally in a locked cupboard, drawer or safe) when not in use.
Supporting Our Role / Position Holders
Internal training for those collecting, storing, processing or accessing data will be provided. This could be in written form, or online training, but Kettering Labour will also run an in-person session at least once a year, or offer training from other bodies (such as from the regional or national party).
The regional or national party may also provide other training online or through in-person sessions.
Those that collect, store, process or access data are expected to undertake training before using data, and are expected to retake training at least once every two years.
MembersNet is the authority for membership data, and access will be granted to role and position holders as laid out in the national party’s policies and rule books.
Ownership, management and support of MembersNet is provided by the national party.
Kettering Labour E-Mail
E-mail accounts will be provided to role and position holders on the Kettering Labour e-mail platform. This can be accessed via a website, and is encrypted using SSL technology.
E-mail accounts will be provided with “@ketteringlabourparty.org” e-mail addresses, and should not be forwarded to other addresses. Some role and position holders may have had e-mails forwarded to other accounts previously, but this will stop from the 24th May 2018.
The e-mail platform is operating on our Virtual Private Server hosted by SiteGround and will be regularly patched and updated to keep it secure.
Kettering Labour will provide access to a mailing list platform called MailChimp. This is an external mailing list platform provided by a third party company, and its use has been approved by The Labour Party Data Protection Officer, Jordan Hall.
Access to this platform is encrypted using SSL certificates and security plugins, and anyone that needs to send e-mails will need to be given an “Author” role on our MailChimp account. Relevant Executive Committee Role Holders will be given the “Manager” or “Admin” role on our MailChimp Account.
Members will normally be required to sign-up with opt-in consent in order to join a MailChimp mailing list. New Members can be added, but will receive an opt-in request before their subscription is confirmed.
Authors will be able to create e-mails to send, but they will need to be checked and approved by a Manager or Admin in order for them to be sent.
There is one notification mailing list for all members hosted on the MailOut platform. This is owned by the Executive Committee and is for AGM notifications, All Member Meeting notifications and Candidate Selection Process Meeting notifications. This list will have members joined to it when they join the party and will not ask for annual re-confirmation. This is necessary in order to deliver meeting notifications to fulfil the membership relationship/contract such as AGMs, meetings where resolutions get voted on and meetings where Candidates are selected. That said, we will allow members to remove themselves from this list if they so wish with an unsubscribe link on every e-mail. When someone leaves the party, they will be removed from this list.
Every e-mail sent through MailChimp will have an imprint for Kettering Labour, as well as the ability for subscribers to the mailing list to remove themselves through an unsubscribe link.
Those who own a MailChimp site will be required to login to the administrative back-end with a username and password, as well as an additional, second factor authentication. This will be done using an SMS text code, or security questions.
Relevant members of the Executive Committee will have access to MailChimp lists, but will normally only use them for communications, support, governance and auditing purposes.
MailChimp is a data processor in its own right, and annually re-certifies to the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework. Additionally they are committed to GDPR Compliance including helping their users and customers achieve compliance in relation to their services.
The national Labour Party have a new platform that is due for release called Organise that will allow communication with members. It is Kettering Labour’s intention to retire ReachOut and move to Organise once this platform is released and tested, subject to it meeting requirements of being encrypted using SSL technology and being GDPR compliant.
Kettering Labour uses a public-facing website to provide the community with relevant news and information. This is built on WordPress software and hosted on our Virtual Private Server.
Access to this website, both the public-facing and the private parts, is encrypted using SSL certificates. Access to the administrative back-end is restricted to those that need to post or administer the site and requires login with a username and password, as well as an additional, second factor authentication. This will be done using either a one-time password using Authenticator technology, or an e-mail link.
We use Google Analytics and will use the IP anonymisation ability built into Google Analytics.
The software used for our website, and its plugins and themes, will be regularly patched and updated to maintain security.
The national party have a new platform that is due for release for websites that is also built on. It is Kettering Labour’s intention to migrate our website to this platform once it is released and tested, subject to it meeting requirements of being encrypted using SSL technology, being secured to our satisfaction and supporting the critical components in use on our current website.
National Labour Party Tools
Ownership, management and support of other tools provided by the national party, as well as their compliance with GDPR, are the national party’s responsibility. Any member having access to such tools will be responsible for ensuring that they undertake relevant training and adhere to any user access policies or requirements.