Privacy Policy

What is personal data?

Personal data relates to a living individual who can be identified from that data.  Identification can be by way of the information alone or in conjunction with any other information in the data controller’s possession, or that is likely to come into such possession.  The processing of personal data is governed by the UK General Data Protection Regulation (2021) and The Data Protection Act 2018 (DPA), which contains equivalent regulations and protections to GDPR (‘GDPR’).

What are your rights?

  • The right to be informed - To be provided with clear and concise information about what we do with your personal data.

  • The right of access – To request a copy of your personal data.

  • The right to rectification – To allow you to have inaccurate personal data rectified or incomplete personal data completed.

  • The right to erasure - To have your personal data erased at any time.  This is also known as the ‘right to be forgotten’.

  • The right to restrict processing – To have the freedom to restrict the processing of your personal data in certain circumstances that limit the way that we use your data.

  • The right to data portability - To view the personal data you have provided to a controller in a structured, commonly used and machine-readable format.  It also gives you the right to request that a controller transmit this data directly to another controller.

  • The right to object - To ask us to stop processing any of your personal data.

  • Rights related to automated decision-making and profiling - To protect your rights if we carry out solely automated decision-making that has legal or similarly significant effects on you.

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

Who are we?

GBNI is registered with the Information Commissioner’s Office as ‘The Girls’ Brigade Northern Ireland Ltd’ (‘GBNI’).  This Privacy Policy outlines how we decide how the personal data you provide to us is processed and for what purposes it is used.  GBNI, as the data controller, will take care to preserve, respect and protect your privacy.  We do not process personal data unless it is expressly provided to us voluntarily.  We do not share, sell, or otherwise provide personal data to third-party organisations in any way.

GBNI may change this Privacy Notice from time to time by updating it on the GBNI website.  You should check the website periodically to ensure that you agree with any changes.

How do we process your personal data?

We comply with our obligations under GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure; and by ensuring that appropriate technical measures are in place to protect personal data.
 
We use personal data for the following purposes:

  • Administer membership records.

  • Manage our volunteers (including AccessNI applications).

  • Provide medical assistance, if needed.

  • Provide our membership with training opportunities.

  • Develop and provide age-appropriate programme resources.

  • Provide a range of suitable competitions.

  • Administer a number of Award Schemes.

  • Promote the values and interests of the organisation.

  • Maintain accurate accounts and records; and

  • Inform you of upcoming news, events, activities and services.

What is the legal basis for processing your personal data?

GBNI primarily relies on the following legal bases for processing particular data:

Legitimate Interest – For the processing of members' details for GBNI business purposes regarding programmes, resources, training, regulations and general management of the organisation, across company, district and national levels.  For the processing of registered customers' details to allow us to provide the best possible service to our customers with the goods and services they require.

Legal Obligation – Under the law we must hold accurate accounting records for the purposes of HMRC and other funding bodies.

Consent – We annually review the consent given by our membership so that we hold up-to-date records to assist with the management and administration of the organisation, again across all company, district and national levels.

Collection and use of personal information.

At Company Level

The local church where a GB company operates acts as the data controller for the processing of personal data at company level.  Captains and leaders of the GB company act as the data processors and must follow the church’s guidelines and policies when processing personal data on the church’s behalf.

When the GB company is off-site from the local church and is carrying out activities under the authority of GBNI, then GBNI acts as the data controller for the processing of personal data, such as outings, camps and attending GBNI events either at district or at national level.  District Office Bearers act as the data processor and must follow GBNI guidelines and policies when processing personal data on the district's behalf.

How do GB companies use your data?

Personal data is provided to the GB company voluntarily through parental consent (namely, the express agreement of a parent/carer/legal guardian).  A GB member aged 13+ is considered capable of giving consent themselves and will not require express agreement from a parent/carer/legal guardian.

The Parental Annual Consent Form asks for name, address, date of birth, GP name and contact details, medical information and treatment, emergency contact details for two people, intimate care consent, communication/IT consent for older girls and recognition of our Safeguarding Policy.  GB companies will use this information only for the administration and management of their GB company.  GB companies are not permitted to use any of this information for any other purpose than what the form intends.  Only Sub-Officers, below 18 years of age, may have partial data enclosed on this form entered into the GBNI My Brigade system.  See the National Level section of this document to understand how GBNI processes personal data to be compliant with GDPR.

When a GB member attends an activity outside of the church premises, they are required to submit, where appropriate, a Consent Form for day trips, activities etc. or a Consent Form for overnight stays, camps etc. to the leader-in-charge prior to the activity.  These Consent Forms ask for the name, address, date of birth, GP’s name and contact details, medical information and treatment and emergency contact details for two people.  GB companies will use this information only for the administration required for the named activity on the form.  GB companies are not permitted to use any of this information for any other purpose than what the form intends.  The leader-in-charge of the company brings the forms to the activity and keeps them with her at all times.  At a GBNI/district event, organisers should never come into contact with this personal data, other than for health and safety or safeguarding reporting. 

All leaders are also asked to complete a Leader Annual Consent Form which asks for their name, address, date of birth, GP’s name and contact details, medical information and treatment, emergency contact details for one person, communication/IT consent and sign up to the GBNI eNews.  GB companies will use this information only for the administration and management of their GB company.  Partial data enclosed on this form may be entered into the GBNI My Brigade system.  See the National Level section of this document to understand how GBNI processes personal data to be compliant with GDPR.

The above-written consent is processed on behalf of the local church which acts as the data controller.  The GB company must ensure that it follows the church’s guidance and policies when processing personal data under GDPR.  No personal data should be shared with any third party without clear written consent.

Due to the historical nature of GB and the desire to keep photos and video recordings, GBNI has re-evaluated how it collects photo consent across all areas of GBNI.  Please refer to the ‘Use of photographs, videos and sound recordings’ section of this document for full details.

How long is data stored for?

GB companies will only keep personal data for as long as is necessary to fulfil the purposes for which it was collected (e.g. annual registration) and to satisfy any legal, accounting, or reporting requirements.

GB companies are not permitted to store personal data forever; they only hold GB members’ data for as long as they are legally able to do so.  However, sometimes a GB company will keep personal information for historical reasons (e.g. photographs, badges and attendance records) but you will always have a right to ask for it to be destroyed.

In determining the appropriate retention period for personal data, we require our GB companies to consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which they process your personal data and whether they can achieve those purposes through other means, and the applicable legal requirements.

How is data secured?

Each GB company must put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. 

GB companies may occasionally have to share some data regarding GB members with service providers such as:

  • Section leaders - To share emergency details and any medical requirements.

  • Girls’ Brigade Headquarters (‘GBHQ’) (e.g. registration to GBNI level activities, health and safety, safeguarding reporting and use of photographs).

  • A new GB company, if a member wishes to transfer to another GB company.

  • District Office Bearers.

  • The Duke of Edinburgh’s Award Office.

  • Designated Church Officers for Health and Safety and Safeguarding.

  • Safeguarding Trusts.

  • PSNI.

  • Department of Education and Education Authority for funding purposes.

GB companies are not permitted to share your personal data with any third-party organisations.


At District Level

GBNI acts as the data controller for the processing of personal data at district level.  District Office Bearers act as the data processor and must follow GBNI guidelines and policies when processing personal data on the district's behalf.
