Version 1: September 2019
Kensal Rise Library (“KRL”) is a small independent charity with its primary purpose being to operate a library in Kensal Rise, London. This policy explains how KRL complies with the GDPR (General Data Protection Regulations) and UK Data Protection Act 2018 (collectively ‘GDPR’), which affects how KRL manages all personal data.
KRL takes data protection seriously. It takes all reasonable steps to ensure data collected is treated appropriately and confidentially as well as complying with current legislation.
In this note reference is made to “Stakeholders”. This term includes Library Card Holders, Volunteers, Trustees and other parties whose personal data KRL may process at some point.
B: Why is the data needed?
In order to operate the lending functions of the library, KRL needs to hold information on the library users in its database. The information is taken by a KRL team member when the Library Card Application form is submitted by the applicant (either online or in person). This database holds:
The data is used to operate the applicant’s Library Card Account (and that of any children) and to contact the applicant in case of overdue or lost items.
KRL’s Library System (see below) also keeps records of all items borrowed and returned. Bank and credit card data is not kept.
KRL regards this data as being lawfully processed under a “legitimate interest” (as defined by GDPR).
KRL is wholly dependent on the community for support as it receives no regular funding from Brent Council or central government. KRL therefore relies heavily on its Donors and needs to keep records of their donations to express appreciation for their support and, (where specifically agreed by the Donor completing a Gift Aid form) to collect Gift Aid refunds from HMRC.
KRL manages a database of its Donors. The information on this Donor database is:
* Sent to HMRC for Gift Aid Claims.
KRL also keeps signed Gift Aid forms and copies of Standing Order mandates in order to be able to respond to queries by both HMRC and the relevant banks.
KRL regards this information as being lawfully processed under ‘legitimate interest’ (as defined by GDPR)
In order to be able to inform KRL’s users and also others who have expressed interest about the library, KRL sends emails and other communications from time to time using databases.
The information on these databases may include the information listed above that is held within the membership, donor and children’s activities databases.
KRL regards this data as being lawfully processed under a “legitimate interest” (As per GDPR) or under explicit consent for email marketing (as defined by the Privacy in Electronic Communication Regulations).
Information kept about equality and diversity for monitoring purposes is not data for the purposes of GDPR as it is not linked to
KRL Regards this data as falling under “legitimate interest” (a) and “consent” (b, c).
C. How data is stored
The application form completed by each applicant, is stored a) on a secure webserver, if completed online b) in a locked cabinet, if completed on paper.
The data from the application form is entered into Library System, which stores the data securely
The data is held on a dedicated file on a KRL account on an internet service, into the Library System, which store the data securely, and in the KRL email system.
Requests for information are stored a) on a secure webserver, if completed online b) in a locked cabinet, if completed on paper.
Volunteer data is stored online on the Three Rings management system. Any paper data such as application forms are filed and locked in a secure cabinet. Some of the contact data, such as shifts, is shared amongst all the volunteers openly and further security is considered unnecessary.
D. How long is data stored by KCL
The general policy is to remove data when it is no longer needed. KRL reviews the data retention policy as necessary.
1. Library Lending Functions
KRL is not always informed when a Library Card holder decides to end their interest in KRL. If KRL is told, then the Card Holder is deleted from the system. Details are retained while borrowed items or money is outstanding.
The Donor database is updated for new donors, new standing orders and new Gift Aid forms. People are mainly removed at their request on moving away or on death. Gift Aid data will be retained for at least 6 tax years in line with HMRC guidelines.
The KRL Events databases are constantly updated as new cards are issued or recipients decide to leave KCL or just the databases. They will also be removed from email databases on direct request or if they “unsubscribe”.
The volunteer data may be retained for 6 years after a volunteer leaves in case of questions or requests for references.
E. Rights of Stakeholders (inc Library Card Holders) with Data held by KCL
Any person may ask to see the data that KRL holds on them and request corrections.
Any person may ask for their data at KRL to be deleted. It should be noted that
Applications to see data or for deletion should be made in writing by post or email to KRL at the address below. KRL will need to verify identity in order to release information.
Note: Applications made by telephone or in person at the library cannot be accepted; volunteers are not all authorised to handle or access data.
Address to arrange viewing or deleting data: by email to firstname.lastname@example.org or in writing to The Library Manager, Kensal Rise Library, Bathurst Gardens, London NW10 5JA.
 Including loans of books and any other items such as DVDs and the use of the public computers.
 Required in order to try to limit issue of material unsuitable for children. This is not guaranteed.
 The original signed Standing Order Mandate is sent to the Donor’s bank and is retained by them.