MEDICAL OFFICERS OF SCHOOLS ASSOCIATION

Professionals providing healthcare for children and young people in schools.

Privacy Policy May 2018


On May 23rd 2018, a new UK Data Protection Act gained Royal Assent and was followed two days later by the implementation of an EU directive, the General Data Protection Regulation (GDPR). These have substantially changed how organisations like MOSA must handle an individual’s data, and the changes are now included in MOSA’s revised Privacy Policy which is laid out below.

For any organisation that handles, or processes, data – and this includes collecting, storing and using data – there are now extensive new requirements and responsibilities in place. The organisation must be clear about what data it holds, why that data is needed, how it is used and who has access to it; it must have procedures in place to allow the individual to request and to view the data relating to them and to have a policy to notify and mitigate any data breach. An individual has the right to view in its entirety the data that the organisation holds about them, to have that data held securely and to have it amended or removed entirely.

MOSA has always taken the privacy of information about its members very seriously and this revised policy takes into account these new changes.

PLEASE READ THIS PRIVACY POLICY CAREFULLY

1. Definitions

“Data subject” means an individual who is the subject of personal data, or the individual whom particular personal data is about, and is a living individual able to be identified or distinguished from others.
“Personal data” means any information relating to a “data subject”.

2. What personal information does MOSA hold about its members?

Essentially the data that the organisation holds is in three areas: -
a) The information on the MOSA website – www.mosa.org.uk
b) The information on WebCollect.
c) The information associated with the use of the Yahoo discussion forum – “the MOSA forum”.
There are consent boxes on the membership application form requesting consent to store data in the following three areas: -

a) MOSA website: -

On the website, collected data pertaining to members is displayed in the following format: -

  • Title
  • Surname and forename
  • Email address

Storage of data

Data collected as above is stored within the administrative section of www.mosa.org.uk

How is this data documented and protected?

  • A list of members with their name and the school at which they work is available in the password-protected membership area of the website at: - http://www.mosa.org.uk/member-list.asp
  • Data is protected by being stored in the password-protected administration section of the website.
  • Only certain roles in MOSA can see some or all of this data.

Currently: -

  • Honorary secretary
  • Honorary editor
  • Executive secretary
  • PA to the honorary programme secretary event coordinator role
  • The website designer at www.ftscomputing.co.uk

For how long is the data retained?

The member’s details will be removed completely by the executive secretary from the administrative section of the website and thus from the members’ list when a member requests termination of their membership.
The members’ list will be crosschecked against the active membership list on WebCollect quarterly.

Is there a function or reason for every piece of data that is collected?

Members use their email address as their user name in order to access the members’ area of the website.

How is information about an individual removed from the Association’s records?

The member’s details will be removed completely from the administrative section of the website and thus from the members’ list when a member requests termination of their membership. This is performed by the executive secretary by clicking “delete” against that member’s name on the administrative page of the website.
The members’ list will be crosschecked against the active membership list on WebCollect quarterly.

b) WebCollect: -

On WebCollect, data is collected from either a membership application form or from an event booking form.

Membership application form

Data collected from this is as follows: -

  • Title
  • Surname and forename
  • Address
  • Telephone number - home/work/mobile
  • Email address
  • Date of birth (not compulsory)
  • If the applicant is in a group, who the other members of the group are
  • Job title
  • Qualifications
  • Name of professional body
  • Professional registration number
  • Name and address of school.

Event booking form

Data collected from this is as follows: -

  • Title
  • Surname and forename
  • Address
  • Email address
  • Telephone number - home/work/mobile
  • Date of birth (not compulsory)
  • If the member is in a group, who the other members of the group are
  • Job title
  • Name of school.

Storage of data

Data collected as above is stored within WebCollect.

How is this data protected and documented?

  • WebCollect is a password-protected, online membership system which has a privacy notice at https://webcollect.org.uk/help-topic/privacy-notice
  • Each individual member has his or her own password.
  • Only certain roles in MOSA can see some or all of the data.

Currently: -

  • Honorary secretary creator role
  • President administrator role
  • Honorary treasurer accountant role
  • Honorary programme secretary event coordinator role
  • Executive secretary creator role
  • PA to the honorary programme secretary event coordinator, administrator and accountant roles

For how long is the data retained?

Data will be removed completely from WebCollect when a member requests termination of their membership.
Event booking information for non-members will be kept only in order to send them follow-up information such as hand-outs and links to presentations on the MOSA website, attendance certificates and invitations to future meetings.

Is there a function or reason for every piece of data that is collected?

The basic data requested for joining the Association is required to identify and then contact the individual applicant and to ensure that the application is bona fide.
The collection of information about professional registration is to accord with the requirements of the Rules of the Association which state that membership is open to any healthcare professional currently or previously registered with an appropriate professionally recognised body; thus, to confirm that registration, the name of a potential member’s professional body and their registration number is required.

How is information about an individual removed from the Association’s records?

After application to the hon. secretary, the executive secretary will remove the relevant data of any individual from the WebCollect system by clicking REMOVE on that individual’s membership page.

c) MOSA Forum: -

For the MOSA forum (https://uk.groups.yahoo.com/neo/groups/mosaforum/info), which is part of Yahoo! Groups, an online discussion board, the following data is collected: -

  • Surname and forename
  • Email address

Storage of data

Data collected as above is stored within Yahoo! Groups online. This is a CLOSED group and the Yahoo! Groups privacy policy is at: -
https://policies.oath.com/ie/en/oath/privacy/index.html

How is this data documented and protected?

Only owners of the Group can see the data in its entirety and there is password-protected access open only to: -

  • Honorary secretary
  • Executive secretary

For how long is the data retained?

The member’s details will be removed completely from the Yahoo! Group membership list by the executive secretary when a member requests termination of their membership.
The list will be crosschecked against the active membership list on WebCollect quarterly.

Is there a function or reason for every piece of data that is collected?

Members use their email address as their user name in order to access the Group, which then enables them to send emails to, and receive emails from, other members.

How is information about an individual removed from the Association’s records?

The member’s details will be removed completely from the members’ section of the Yahoo! Group when a member requests termination of their membership of the Association. This is performed by the executive secretary by clicking “delete” against that member’s name on the administrative page of the website.
The list of members in the Yahoo! Group will be crosschecked against the active membership list on WebCollect quarterly.

3. Does MOSA share members’ personal information with other organisations?

The only occasion when MOSA may share information is when a joint educational meeting is being arranged with another organisation (e.g. the Boarding Schools Association or the Royal College of General Practitioners); in that case a list of the names of members who have applied to attend may be sent to that particular organisation.
For employees of the Association, officers of the Association who are paid (e.g. an honorarium) or members who are paid a fee for work carried out for the Association, relevant information may be forwarded to a statutory authority, e.g. HMRC.

4. Members’ withdrawal of their consent

Members can withdraw the consent that they have provided previously for MOSA to use their data by contacting the executive secretary of MOSA on mosa.execsec@gmail.com.

5. Is members’ personal data transferred outside the UK or the EEA?

MOSA is a UK-based organisation and there are no circumstances envisaged when members’ personal information might be transferred outside the European Economic Area.

6. What should members do if their personal information changes?

Members should inform the executive secretary of MOSA on mosa.execsec@gmail.com so that the Association’s records can be updated as soon as possible.

7. Do members have to provide their personal information to the Association?

MOSA uses members’ personal information as described above, and it would be impossible for the officers, MOSA Council and the executive secretary to run the Association if certain information were not provided. Where the provision of certain information is optional, e.g. dates of birth, this will always be made clear.

8. For how long is members’ personal information retained by the Association?

This is described above.

9. What are members’ rights under data protection laws?

All members of MOSA have the following rights under data protection laws, although they may not apply in all circumstances: -

  • The right to be informed how their personal information is being processed by the Association – the “right of access”. [See Subject Access Request Policy]
  • The right to object to how the Association processes their personal information.
  • The right to restrict how the Association processes their personal information.
  • The right to request that inaccurate personal information is rectified – the “right of rectification”.
  • The right to have their personal information erased – the “right to be forgotten” or the “right of erasure”.
  • The right to withdraw consent – where the Association processes personal information based on previously given consent, members have the right to withdraw that consent at any time.
  • The right to “data portability”, that is, the right of members to obtain, move, copy and transfer their personal data, for their own purposes, easily across different services and from one IT environment to another in a safe and secure way without affecting its usability.
  • The right to lodge a complaint with the ICO – details below.

10. Changes to this privacy policy

MOSA may change this policy from time to time in order to reflect changes in the law and / or privacy practices. Members are encouraged to check this policy for changes from time to time when they visit the Association’s website – www.mosa.org.uk.

11. Contacting MOSA or the Information Commissioner’s Office

Members may contact the Association by emailing the hon. secretary on mosa.honsec@gmail.com or the executive secretary on mosa.execsec@gmail.com.
The Information Commissioner’s Office may be contacted by using the email facility at https://ico.org.uk/global/contact-us/email/ or by ringing the ICO’s helpline, 0303 123 1113.

Subject Access Request (SAR) Policy

If a member contacts the Association to request access to the personal information that is held about them, the following procedure will be followed: -

  • Requests will be made in writing to the executive secretary of MOSA by emailing mosa.execsec@gmail.com, by letter, by fax or via social media, and will be responded to and completed within 20 working days.
  • The individual making the request will provide sufficient information to allow confirmation of their identity and to allow a search for the requested information.
  • Identity will be confirmed by sight of a passport or photo driving licence and a utility bill or bank statement for confirmation of the requestor’s address.
  • The information will be screened by MOSA in case some of that which has been retrieved may not be disclosable due to exemptions.
  • Legal advice should be sought before applying exemptions, which may include: -
    • Previously given references
    • Publicly available information
    • Crime and taxation
    • Management information such as restructuring or redundancies
    • Negotiations with the requestor
    • Regulatory activities
    • Legal advice and proceedings
    • Personal data of third parties
  • A check will be made as to whether all the information can be disclosed; where documents and emails contain the personal information of other individuals who have not given their consent, this information must be redacted before the SAR is sent to the requestor.
  • All SARs will be logged to include the date of receipt, the identity of the requestor and / or the data subject, a summary of the request, an indication if MOSA can comply and the date the information is sent to the data subject.

Data Breach Policy

A personal data breach is a “breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Examples include: -

  • Access by an unauthorised third party
  • Deliberate or accidental action – or inaction – by a member of MOSA who has responsibility for data protection
  • Sending personal data to an incorrect recipient
  • Electronic devices containing personal data being lost or stolen
  • Alteration to personal data without permission
  • Loss of availability of personal data

MOSA takes the security of personal data very seriously and those members of the Association who hold personal data about other members by virtue of their role in the Association or are responsible for data security have reviewed their own data security.
A personal data breach can have a range of effects on individuals, depending on the circumstances, and these may include: -

  • Loss of control of personal data
  • Discrimination
  • Identity theft or fraud
  • Financial loss
  • Damage to reputation
  • Loss of confidentiality of personal data
  • Damage to property
  • Social disadvantage

In the case of a data breach that is likely to result in a risk to the rights and freedoms of a member of MOSA, the breach must be reported to the individual concerned and to the ICO without undue delay and, where feasible, not later than 72 hours after the Association has become aware of the breach. It will be the responsibility of those in the Association who are responsible for data security to report the breach to the ICO within the 72-hour timeframe.
If the ICO is not informed within this timeframe, MOSA will give the reasons for the delay when the breach is reported.
When notifying the ICO of a breach, MOSA will: -

  • Describe the nature of the breach including the categories and approximate number of the data subjects and personal data records concerned
  • Communicate the names and contact details of those in the Association responsible for data security
  • Describe the likely consequences of the breach
  • Describe the measures taken, or proposed to be taken, to address the breach and the measures to mitigate any possible adverse effects.

When notifying the individual of a breach, MOSA will: -

  • Communicate the names and contact details of those in the Association responsible for data security
  • Describe the likely consequences of the breach
  • Describe the measures taken, or proposed to be taken, to address the breach and the measures to mitigate any possible adverse effects.

MOSA would not need to communicate with an individual if any of the following apply: -

  • The Association has implemented appropriate technical and organisational measures (e.g. encryption) such that those measures have rendered the personal data unintelligible to any person not authorised to access it;
  • The Association has taken subsequent measures to ensure that the high risks to the rights and freedoms of individuals are no longer likely to materialise, or
  • It would involve a disproportionate effort.
  • HOWEVER, the ICO must still be informed even if the above measures are in place.

All data breaches must be recorded whether or not they are reported to individuals. The record will help to identify system failures and should be used as a way to improve the security of all the personal data held by the Association.