What information do we collect - Site and organisational information.
The Data Protection Officer for the RAF Air Cadets is Air Command Data Protection Officer at RAF High Wycombe.
5. The RAF Air Cadets administers all personal information in accordance with the regulations set out in the Data Protection Act 2018 and the General Data Protection Regulations (GDPR). The detailed legislation is at www.gov.uk/data-protection . We only gather the personal information that we need to run and administer the organisation, we will keep the data we hold securely at all times, primarily on the BADER IT system, and when we no longer have a need for the data we will securely destroy it.
6. Within the GDPR, the RAF Air Cadets use ‘Public Interest’ as the Lawful Basis for Processing cadet and volunteer information. The rationale for this is as follows: The RAF Air Cadets are established under a Royal Warrant and are funded with public money. We are a part of the Ministry of Defence (MoD) and operate under the regulatory framework of the MoD. Both cadets and volunteer staff are making a choice to join the RAF Air Cadets. We only take the personal information that is essential for us to enable the membership of the RAF Air Cadets. Thus, the giving of consent is irrelevant because if we do not have the personal information they cannot members of the RAF Air Cadets. By the same argument, if a cadet or volunteer chooses to remove their consent for us to hold and process their personal information they will have to leave the RAF Air Cadets as we cannot have people in the organisation who we do not know the name of and cannot communicate with.
7. The RAF Air Cadets will not normally pass any personal information to any 3rd parties without the clear and positive consent of those that the information relates to. We may share information when there is an issue that puts the safety of cadets or staff at risk or with law enforcement and government authorities where we are legally required to do so.
Data Protection Principles
8. Article 5 of the GDPR requires that personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
The GDPR provides the following rights for individuals:
The right to be informed. Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
The right of access. Individuals have the right to access their personal data and supplementary information.
The right to rectification. The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
The right to erasure. The GDPR introduces a right for individuals to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’. Individuals can make a request for erasure verbally or in writing.
The right to restrict processing. Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances.
The right to data portability. The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
The right to object. Individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics.