IT and Data Protection Policy of the Bahá’í Council for England

The purpose of this policy is to set out what is required of those who collect and store data in any format for the business of the Council.

The Council has interpreted the data protection principles in the following way:

Personal details can be kept on the personal computers of individuals who work for or on behalf of the Council, providing the requirements outlined in section 5 are complied with.
Membership details for Bahá’ís can be held on a database without specific consent being sought.
Non-Bahá’ís (defined as any person who is not registered by the National Office) must be advised in writing if their personal (identifiable) details are to be stored on any database, and given the opportunity to opt out of this. Personal details of non-Bahá’ís should be kept to a minimum.
They will need to be informed what data is being kept, why the data is being collected, and who will have access to it. As noted above, they will need to be given the opportunity to opt out of this.
The individuals should be contacted if there is to be a change. Again, they will need to be given the opportunity to opt out at this stage if they object to the proposed change.
Each database owner should have a mechanism for ensuring that up-to-date information is stored, and is not kept longer than necessary.
If personal details are to be transferred, then the Records Officer should be contacted at the National Bahá’í Centre and advice sought.

Storage of data:

All data (on computers and paper records) must be stored safely and securely.
The database may not be installed on a computer that is not owned by the Agency user (i.e. not on a computer at their place of work as an employee).
For computers and other digital devices, the data should be protected by a password, and the computer should be kept up-to-date with current antivirus software, and should be backed up frequently – at least on a weekly basis. More critical data should be backed up daily.
Paper records should be kept in a locked filing cabinet. If the paper records are critical, then copies can be scanned in and kept on a computer with the safeguards outlined above.

Disposal of data:

Paperwork should be disposed of using a cross-cut shredder.
CDs on which data has been transferred/stored should be shredded.
Obsolete hard drives should be physically destroyed (reformatting alone is not sufficient).