We are sure that, like us, you have received countless emails and letters over the past month or two prompted by the introduction of the EU's new data protection law, the General Data Protection Regulation or GDPR.
All organisations that process personal data now have to comply with the requirements of the GDPR, and at Narcolepsy UK we are committed to doing so.
In this post, we would like to outline our approach to data protection and to explain what you should do if you have any concerns about the ways in which we deal with your personal data.
Narcolepsy UK exists to support people with narcolepsy and those around them, and to interact with others such as physicians with an interest in narcolepsy. We use personal data only to help us pursue those objectives, and the data that we store is only the data that we believe we may legitimately process in order for us to pursue those objectives. In the terminology of GDPR, the legal basis on which we will process your personal data is primarily that it is in our “legitimate interest” to do so. In addition, we will in future – whenever practicable – obtain the consent of people whose data we hold.
Specific ways in which we may use your personal information are:
to enable us to send you information, by email or other means, about our activities and other information that we feel may be of interest to you;
to enable us to respond to requests from you for information or assistance;
to enable your use of services available on our website;
to enable us to deal with enquiries and complaints made by or about you relating to our activities or our website.
Please note that, other than in very specific circumstances (essentially where we are legally obliged to do so, or in connection with legal proceedings), we will not without your express consent provide your personal information to any third parties for any purpose. If at any time we feel that it may be beneficial to you or to others for your personal information to be disclosed to a third party, we will contact you and request your consent to such disclosure. Your personal information will not be disclosed unless you do consent to us doing so. The only reason we can think of at present why we might consider sharing information with third parties in this manner is to help with research into narcolepsy.
We consider it reasonable to assume that you have provided us with your personal information because you have an interest in narcolepsy. Given that narcolepsy is a life-long condition, we will continue to store your personal information unless you request us to delete it or we become aware of circumstances that mean it is no longer appropriate or necessary for us to retain it.
That said, it is our intention to conduct a data review each year, and any data that has not been used in the six preceding calendar years will at that point be destroyed.
Under GDPR, you have a number of rights in relation to your personal information, specifically:
To erasure: This is often referred to as the “right to be forgotten”. Essentially, this means that you can ask for your personal data to be removed from our records. If you notify us that you wish to exercise this right, we will promptly remove your details from our database. However, if we hold your details in a case file relating to advice or assistance that we have provided to you, we will retain that case file until it is destroyed in accordance with our data retention policy.
To be informed: You have the right to know what data we hold about you, and for what purpose. Upon request, we will provide that information to you.
Of access: You have the right to see what data we hold about you. Upon request, we will show you.
To object: You have the right to object to your data being processed by us. Should you exercise that right, we will promptly remove your details from our database. However, if we hold your details in a case file relating to advice or assistance that we have provided to you, we will retain that case file until it is destroyed in accordance with our data retention policy.
Of correction: You have the right to insist that any inaccuracies in the personal data we hold about you are rectified. Upon request, we will promptly correct any inaccuracies.
To data portability: You have the right to take a copy of the personal data that we hold about you. In view of the limited data that we will hold about you, this is unlikely to be of any value to you but we will endeavour to assist with any request for a copy of your personal data.
To restrict processing: You can insist that only data that is necessary is processed and retained by us. Should you feel that we hold any data that is unnecessary, you should contact us and we will endeavour to address your concerns.
Automated data processing control: You have the right not to be subject to a decision based on automated processing. We will not make any such decisions.
If you wish to exercise any of the above rights, you should contact us, in which case we will endeavour to address your concerns. Ideally, you should contact us via our dedicated data protection email address: firstname.lastname@example.org. Failing that, you may contact us by post at:
P O Box 701
Finally, please be assured that we will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information.