Data protection policy
To carry out its statutory and administrative functions The Association of NMH Providers collect, hold and process personal information of our members (data subjects). We recognise the right to confidentiality and security of personal information and therefore take all reasonable steps to comply with the principles of the Data Protection Act 1998, General Data Protection Regulation (GDPR) 2018 and Human Rights Act 1998 (article 8).
Data protection principles
Personal data is processed lawfully
We obtain personal data from a variety of sources. In some cases, data is obtained directly
from an individual. In other cases, we obtain it from a third party. In each case, we ensure
that we have established a lawful basis for processing personal data.
Personal data is processed for limited purposes
We only process personal data for the purposes for which it was collected. In most cases,
this will be for sharing information and collecting membership fees.
Our privacy notices set out what data we collect, on what basis we process it and why. If we want to process the personal data for other reasons, we ask permission.
Personal data is processed in a transparent manner
When we collect personal data, we notify the individual of what data we collect, on what
basis we are processing it and why.
Personal data is adequate, relevant and limited to what is necessary
We limit the collection of personal data to that which is necessary for our purposes.
Personal data is accurate and, where necessary, kept up to date
We make regular contact with individuals to ensure we have up to date information.
Personal data is kept no longer than necessary
We have established retention periods for personal data following the expiry of which
personal data is destroyed unless we have legal obligation to retain it for longer or the
individual requests that we retain it.
Personal data is handled securely and confidentially
All board members in have had data protection training.
Information is stored on a cloud-based system that meets security measures in line with the GDPR.
Personal data is only transferred to third parties if required by law or otherwise permitted
Transfers of personal data to third parties are made in limited circumstances with a
preference that individuals provide their data directly to third parties where this necessary.
In almost all cases, transfers to third parties are done to facilitate continuation of the association
or for compliance with a legal obligation such as tax authority reporting.