General Data Protection Regulation ( GDPR ) Policy Document
The Ulster Federation of Credit Unions will make sure that decision makers and key people within each of our affiliated credit unions are aware that the law changed on the 25th May 2018 to the GDPR. To ensure the changes are understood by our volunteers and staff, we have supplied each of our affiliated credit unions with a Data Protection Booklet which has been updated for GDPR.
2. Communicating privacy information
The Ulster Federation of Credit Unions will ensure that our affiliated credit unions are aware that under the GDPR they need to explain to their members the lawful basis for processing the data, their data retention period and the fact members now have a right to complain to the ICO if they think there is a problem with the way in which their credit union is handing their data.
3. Information we hold
Information our affiliated credit unions hold about their members will not be disclosed to anyone outside the Ulster Federation of Credit Unions, other than:
4. Products and Services
The personal information our affiliated credit unions request from their members is required to enable them to effectively provide or administer a product or service for said members. The information may be held on a computer database and/or in any other way and will be treated confidentially.
5. Credit Scoring and Credit Reference Agencies
Our affiliated credit unions may use automated credit scoring methods to access a members application. Credit Scoring takes into account information provided directly by the member, any information we may hold about the member, and any other information we may obtain from other organisations.
6. Individuals’ Rights
The GDPR includes the following rights for individuals:
7. Financial Crime Prevention
In order to prevent and detect fraud, money laundering or criminal activity and to trace those responsible our affiliated credit unions will take the following steps:
Our affiliated credit unions will not offer an online service to persons less than sixteen years of age. We recognise that GDPR has special protection for children’s personal data and our affiliated credit unions will obtain suitable consent from a parent or guardian to process their personal data lawfully. The GDPR sets the age when a child can give their own consent to this processing at sixteen years of age. The Ulster Federation of Credit Unions recognises that any privacy notice must be written in language that children will understand.
9. Data Breaches
The Ulster Federation of Credit Unions recognises that the GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals. The Ulster Federation of Credit Unions will ensure our affiliated credit unions are aware that where there is a risk to the rights and freedoms of individuals, if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage, such a breach should be notified to the ICO.
10. Data Protection by design and Data Protection Impact Assessments
As a responsible trade body, we will familiarise our affiliated credit unions with guidance the ICO has produced on PIA’s as well as guidance from the Article 29 Working Party, and provide guidance for our affiliated credit unions as and when required.