Lymington

Data Protection Policy

SCOPE OF THE POLICY

This policy applies to the work of Lymington u3a. The policy sets out the measures that Lymington u3a takes to collect and process information for membership purposes. The policy details how personal information will be collected, stored and managed in line with data protection principles and the General Data Protection Regulation. The policy is reviewed on an ongoing basis by Lymington u3a committee members to ensure that Lymington u3a remains compliant. This policy should be read in tandem with Lymington u3a's Privacy Policy.

WHY THIS POLICY EXISTS

This data protection policy ensures Lymington u3a:

  • Complies with data protection law and follows good practice
  • Protects the rights of members
  • Is open about how it stores and processes members data
  • Protects itself from the risks of a data breach.

General guidelines for committee members and group leaders

  • The only people able to access data covered by this policy are those who need to communicate with or provide a service to Lymington u3a members.
  • Lymington u3a will provide advice to committee members and group leaders to help them understand their responsibilities when handling data.
  • Committee Members and group leaders should keep all data secure, by taking sensible precautions and following the guidelines below.
  • Strong passwords must be used and they should never be shared.
  • Data should not be shared outside of u3a unless with prior consent and/or for specific and agreed reasons. Examples would include Gift Aid information provided to HMRC or information provided to the distribution company for Third Age Trust publications.
  • Member information should be refreshed periodically to ensure accuracy.
  • Additional support will be available from the Third Age Trust where uncertainties or incidents regarding data protection arise.

DATA PROTCTION PRINCIPLES

The General Data Protection Regulation identifies key data protection principles:

  • Principle 1 – Personal data shall be processed lawfully, fairly and in a transparent manner
  • Principle 2 – Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
  • Principle 3 – The collection of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • Principle 4 – Personal data held should be accurate and, where necessary, kept up to date; reasonable steps must be taken to correct or erase inaccurate or misleading personal data;
  • Principle 5 – Personal data must kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
  • Principle 6 – Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
  • Principle 7 – Organisations must take responsibility for what they do with personal data, and have appropriate measure and records in place to be able to demonstrate compliance.

LAWFUL, FAIR and TRANSPARENT DATA PROCESSING

Lymington u3a requests personal information from potential members and members for membership applications and for sending them communications regarding their involvement with u3a. Members will be told why the information is being requested and what the information will be used for. The lawful basis for obtaining member information is due to the legitimate interest relationship that u3a has with individual members. Lymington u3a members will be informed as to whom they need to contact should they wish for their data not to be used for specific purposes for which they have provided consent. Where these requests are received, they will be acted upon promptly and the member will be told when the action has been taken.

Processed for specified, explicit and legitimate purposes

Members will be informed as to how their information will be used and the Committee of Lymington u3a will seek to ensure that member information is not used inappropriately. Appropriate use of information provided by members will include:

  • Communicating with members about Lymington u3a events and activities.
  • Group leaders communicating with group members about specific group activities.
  • Member information will be provided to the distribution company that sends out the Trust publication, Third Age Matters. Members will be given a choice as to whether or not they wish to receive the publication.
  • Sending members information about Third Age Trust events and activities.
  • Communicating with members about their membership and/or renewal of their membership.
  • Communicating with members about specific issues that may have arisen during the course of their membership.

Lymington u3a will ensure that group leaders are made aware of what would be considered appropriate and inappropriate communication. Inappropriate communication would include sending u3a members marketing and/or promotional materials from external service providers.

Lymington u3a will ensure that members' information is managed in such a way as not to infringe an individual members rights, which include:

  • The right to be informed
  • The right of access
  • he right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object.

Adequate, relevant and limited data processing

Members of Lymington u3a will only be asked to provide information that is relevant for membership purposes. This will include:

  • Name
  • Postal address
  • Email address
  • Telephone number
  • Gift Aid entitlement.

Where additional information may be required, such as health related information, this will be obtained with the consent of the member who will be informed as to why this information is required and the purpose that it will be used for.

Photographs

Photographs are classified as personal data. Where posed group photographs are being taken, members are at liberty to step out of shot if they do not wish to be in the photograph. Members who remain in shot when photographs are taken will be assumed to have given their consent. Should a member wish at any time to withdraw their consent and to have their photograph removed from public view, they should contact the Newsletter Editor via the “Contact” page of our website to advise that they no longer wish their photograph to be displayed.

Newsletter

The newsletter will be distributed to members in electronic or hard copy format, and may be issued by e-mail, collected at the monthly meeting or sent by post.

Accuracy of data and keeping data up-to-date

Lymington u3a has a responsibility to ensure members' information is kept up to date. Members should inform Lymington u3a via the “Contact” page of our website if any of their personal information changes. From time to time, the Lymington u3a Committee will provide an opportunity for members to update their personal information.

Accountability and governance

Lymington u3a Committee is responsible for ensuring that u3a remain compliant with data protection requirements and can evidence that it has done so. Where consent is required for specific purposes, then evidence of this consent (either electronic or paper) will be obtained and retained securely. Lymington u3a Committee will ensure that new members joining the Committee have access to information on the requirements of GDPR and its implications for their role. Lymington u3a will also ensure that group leaders are made aware of their responsibilities in relation to the data they hold and process. Committee Members will stay up to date with guidance and practice within the u3a movement and will seek advice from the Third Age Trust National Office should any uncertainties arise. Lymington u3a Committee will review data protection requirements on an ongoing basis as well as reviewing who has access to data and how data are stored and deleted. When Committee Members and Group Convenors relinquish their roles, they will be asked either to pass on data to those who need it or delete data.

Secure Processing

Lymington Committee Members have a responsibility to ensure that data is both securely held and processed. This will include:

  • Committee members using strong passwords
  • Committee members not sharing passwords with those who have no need for the data held
  • Restricting access to information on members to those on the Committee who need to communicate with members on a regular basis
  • Using password protection on laptops and PCs that contain personal information
  • Using password protection or secure cloud systems when sharing data between committee members and/or group leaders
  • Paying for firewall security to be put onto Committee Members' laptops or other devices as appropriate
  • Data will only be retained during the membership of the person concerned or for a maximum of 12 months after the membership has lapsed, except in the case of Gift Aid, where it will be kept as required by current legislation and regulations.
  • Obsolete data will be securely disposed of, including wiping or destruction of computer hard drives when machines are disposed of.
  • When a committee member holding personal data leaves post, all data will be securely handed over to his/her successor or permanently deleted.

Subject Access Request

Lymington u3a members are entitled to request access to the information that is held by Lymington u3a, by means of a written request. Receipt of the request will be formally acknowledged and dealt with expediently (the legislation requires that information should generally be provided within one month) unless there are exceptional circumstances as to why the request cannot be granted. Lymington u3a will provide a written response detailing all information held on the member. A record shall be kept of the date of the request and the date of the response.

Data Breach Notification

Were a data breach to occur, action will be taken to minimise the harm. This will include ensuring that all Lymington u3a Committee Members are made aware that a breach has taken place and how the breach occurred. The Committee shall then seek to rectify the cause of the breach as soon as possible to prevent any further breaches. The Chair of Lymington u3a will contact National Office as soon as possible after the breach has occurred to notify them of the situation. A discussion will take place between the Chair and National Office as to the seriousness of the breach, action to be taken and, where necessary, the Information Commissioner's Office would be notified. The Committee shall also contact the relevant u3a members to inform them of the data breach and actions taken to resolve the breach.

Where a u3a member feels that there has been a breach by u3a, a committee member will ask the member to provide an outline of the breach. If the initial contact is by telephone, the committee member will ask the u3a member to follow this up with an email or a letter detailing their concern. The alleged breach will then be investigated by members of the committee who are not in any way implicated in the breach. Where the committee needs support or if the breach is serious, they should notify National Office. The u3a member should also be informed that they can report their concerns to National Office if they do not feel satisfied with the response from u3a. Breach matters will be subject to a full investigation, records will be kept and all those involved notified of the outcome.

This policy was revised in October 2020.

DOWNLOAD or PRINT THIS POLICY