Roding Valley

RVU3A Data Protection Policy

Scope of the Policy
This policy applies to the work of the Roding Valley U3A, hereafter known as RVU3A. The policy sets out the requirements that RVU3A has to gather information for membership purposes. The policy details how personal information will be gathered, stored and managed in line with data protection principles and the General Data Protection Regulation (GDPR). The policy is reviewed on an ongoing basis by the RVU3A committee members to ensure that we are compliant. The policy should be read in tandem with RVU3A's Privacy Policy.

Why this Policy exists
This data protection ensures RVU3A

  • Complies with data protection law and follows good practice
  • Protects the rights of members
  • Is open about how it stores and processes members data
  • Protects itself from risks and data breach

General Guidelines for Committee Members and Convenors

  • The only people able to access data covered by this policy should be those that need to communicate with or provide a service for RVU3A members.
  • RVU3A will provide induction training to committee members and to convenors to help them understand their responsibilities when handling data.
  • Committee members and convenors should keep all data secure, by taking sensible precautions and following the guidelines below.
  • Strong passwords must be used, and they should never be shared.
  • Data should not be shared outside RVU3A unless with prior consent and/or for specific and agreed reasons such as to the Third Age Trust for mailing their magazine and to HMRC for Gift Aid verification. Also note that RVU3A uses third party processors when printing the newsletters.
  • Membership information should be refreshed periodically to ensure accuracy, via the membership renewal process or when the policy is changed.
  • Additional support will be sought from the Third Age Trust where uncertainties or incidents regarding data protection arise.

Data Protection Principles
General Data Protection Regulation identifies key protection principles.

  • Principle 1 - Personal data should be stored lawfully, fairly in a transparent manner.
  • Principle 2 - Personal data must be collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes, further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes not to be incompatible with the initial purposes.
  • Principle 3 - The collection of personal data must be adequate, relevant and limited to what is necessary to the purposes for which they are processed.
  • Principle 4 - Personal data held should be accurate, and where necessary, kept up to date; every reasonable step must be taken to ensure that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  • Principle 5 - Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedom of individuals.
  • Principle 6 - Personal data must be processed in accordance and in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing amd against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Lawful, fair and transparent data processing
RVU3A requests personal information from potential members and members for membership applications and for sending communications about their involvement with the U3A. The forms used for personal information will contain a privacy statement informing potential members and members as to why the information is being requested and what the information will be used for. The lawful basis for obtaining member information is due to the contractual relationship that the U3A has with individual members. Members will be informed as to who they need to contact should they wish for their data not to be used for specific purposes. Where these requests are received they will be acted upon promptly and the member will be informed as to when the action has been taken.

Processed for specific, explicit and legitimate purposes
Members will be informed as to how their information will be used and the Committee will seek to ensure that member information is not used inappropriately. Appropriate use of information provided by members will include:

  • Communicating with members about U3A events and activities
  • Sending information to members about U3A and Third Age events and activities
  • Communicating with members about their membership and/or renewal of their membership
  • Communicating with members about specific issues that may have arisen during their membership

RVU3A will ensure that members' are made aware of what would be considered appropriate and inappropriate communication. Inappropriate communication would include sending members marketing and/or promotional material from external service providers.

RVU3A will ensure that members' information is managed in such a way as to not infringe an individual member's rights which include:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object

Adequate, relevant and limited data processing
Members of RVU3A will only be asked to provide information that is relevant for membership purposes.
This will include:

  • Name
  • Postal Address
  • Email address
  • Telephone Numbers

Where additional information may be required such as health related information, this will be obtained with the consent of the member, who will be informed as to why this information is required and the purpose that it will be used for.

Where RVU3A organises an activity that requires next of kin information to be provided, a legitimate interest assessment will have been completed in order to request this information. Members will be made aware that the assessment has been completed.

Photographs
Photographs are classified as personal data. Where group photographs are being taken members will be asked to step out of shot if they do not wish to be in the photograph. Otherwise consent will be obtained from members for photographs to be taken and members will be informed as to where the photographs will be displayed. Should a member wish at any time to have the photograph removed they should then contact the Secretary to advise that they no longer wish their photograph to be displayed.

Accuracy of data and keeping data up to date
RVU3A has a responsibility to ensure members' information is kept up to date. Members will be asked to let the Membership Secretary know if any of their contacts or contacts' personal information changes. In addition, on an annual basis, the membership renewal process will provide an opportunity for members to inform the RVU3A as to any changes in their personal information.

Accountability and Governance
RVU3A is responsible for ensuring that the U3A remains compliant with data protection requirements and can evidence that it has. Where consent is required for specific purposes then evidence (either electronic or paper) will be obtained and retained securely. The Committee will ensure that new members joining the Committee and new Convenors receive an induction into the requirements of GDPR and the implications for their role. Committee Members shall stay up to date with guidance and practice within the U3A movement and shall seek additional input from the Third Age Trust National Office should any uncertainties arise. The Committee will review data protection and who has access to information on a regular basis as well as reviewing what data is held. When Committee Members and Convenors relinquish their roles, they will be asked to either pass on data to those who need it and/or delete data.

Secure Processing
RVU3A Committee Members and Convenors have a responsibility to ensure that data is securely held and processed. This will include:

  • Using strong passwords
  • Not sharing passwords
  • Restricting access of sharing member information to those on the Committee who need to communicate with members on a regular basis.
  • Convenors using blind copy when emailing their group members unless prior permission has been given from them to send open emails.
  • Using password protection on Laptops and PCs that contain personal information.
  • Using password protection on secure cloud systems when sharing data between Committee Members.
  • Paying for firewall security to be put on Committee Members laptops or other devices.

Subject Access Request
RVU3a members are entitled to request access to the information that is held. The request need to be received in the form of a written request to the Membership Secretary of the RVU3A. On receipt of the request, the request will be formally acknowledged and dealt with expediently and within 7 days unless there are exceptional circumstances as to why the request cannot be granted. The Membership Secretary will provide a written response detailing all the information held on the member. A record shall be kept of the date of the request and the date of the response.

Data Breach Notification
Were a data breach to occur action shall be taken to minimise the harm. This will include ensuring that those members affected by the breach are aware that the breach has taken place and how the breach occurred. The Committee shall then seek to rectify the cause of the breach as soon as possible to prevent any further breaches. A discussion will take place between the Chair and the National Office as to the seriousness of the breach, action to be taken and, where necessary, the Information Commissioner's Office would be notified. The Committee shall also contact the relevant RVU3A members to inform them of the data breach and the actions taken to resolve the breach.
Where a members feels that there has been a breach by RVU3A, a Committee member will ask the member to provide an outline of the breach. If the initial contact is by telephone, the Committee member will ask the member to follow this up with an email or letter detailing their concern. The alleged breach will then be investigated by members of the Committee who are not in any way implicated in the breach. Where the Committee needs support or if the breach is serious they should notify National Office. The RVU3A member should also be informed that they can report their concerns to National Office if they don't feel satisfied with the response. Any breach will be subject to a full investigation, records will be kept and all those involved notified of the outcome.

Policy agreed: 18th March 2019

Policy review : March 2020