West Lothian

Data Protection & Privacy Policy

Next review date: March 2027

INTRODUCTION

This document outlines how West Lothian u3a intends to comply with statutory UK legal requirements for safeguarding personal and private information.

The West Lothian u3a Data Protection Policy was developed in April 2016 by a subcommittee of the full committee. The final version was agreed at a Committee Meeting held on 1 August 2016.

This policy is reviewed on an ongoing basis by the u3a Trustees to ensure that West Lothian u3a is compliant.

POLICY REVIEW DATES:

April 2018: To comply with the new General Data Protection Regulations (GDPR).

June 2019: To adopt ‘Legitimate Interest Assessment’ as the Lawful Basis for our Data Protection and Privacy Policy.

March 2022: To take account of the Beacon management system.

It was also determined that the policy should be reviewed in five years’ time, or sooner if circumstances require.

This policy is available to view on our West Lothian u3a website.

1. AIMS OF WEST LOTHIAN u3a DATA PROTECTION POLICY

In accordance with the Data Protection Act we will process personal data in accordance with the law. We aim to balance the rights of individuals with regard to how their information is processed with the legitimate need of our organisation to use this information.
Personal information is processed only for the following purposes:
• Establishing or maintaining membership.
• Providing or administering activities for individuals who are members.
• Sharing with the company that oversees the distribution of magazines produced by our parent body, The Third Age Trust.
• Processing members’ Gift Aid Declaration forms.

The type of data held is only that necessary to undertake the purposes above, i.e., names, addresses, telephone numbers, e-mail addresses and emergency contact details.

2. OBLIGATIONS UNDER THE ACT

As a u3a we do not need to register with the Information Commissioner’s Office (ICO), but we must still comply with other requirements of the Act and remain subject to penalties if offences occur. All processing will be in compliance with the Eight Data Protection Principles.

3. THE EIGHT DATA PROTECTION PRINCIPLES

Below is a summary of requirements for processing personal data:
1. Personal data shall be processed fairly and lawfully and in a transparent manner.
2. Personal data can only be collected for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage to personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to the processing of personal data.

4. PROCEDURES

The u3a committee is responsible for ensuring that the u3a remains compliant with data protection requirements and can evidence that it has done so.
• West Lothian u3a joined the Beacon system in March 2020. This is a secure online management system ‘designed by u3as, for u3as’.
• An Administrator, with full access to Beacon, will be appointed from the Trustees, and will assign privileged access to the Chairperson, Membership Secretary, Secretary, Groups’ Coordinator, Treasurer and Group Leaders.
• The u3a will provide induction training to Trustees and group leaders to help them understand their responsibilities when handling personal data.
• Members’ paperwork (application forms/ renewal forms/ Gift Aid Declaration Forms) will be stored in a secure location.
• The Membership Application Form and Renewal Form will include a Data Protection and Privacy Statement and will obtain permission to hold members’ data.
• Where the u3a requires ‘Emergency Contact’ details to be provided, the u3a will require the member to gain consent from the identified person. The consent will provide permission for the information to be held for the purpose of supporting and safeguarding the member in question.
• On an annual basis, members will have the opportunity to check/update their information via the membership renewal form.
• The Membership Renewal date is 1 September and members have until 31 December to renew. After that date they will no longer be a member of West Lothian u3a. However, their details will remain on Beacon for seven years, and then be removed. (Records must be retained for up to seven years to comply with HMRC and OSCR regulations for their associated financial transactions, including Gift Aid.) Members’ corresponding paperwork will be shredded immediately.
• All e-mails sent by Trustees or group leaders to more than one member must use the BCC system, ensuring no other e-mail addresses are visible. (NOTE: this does not apply to e-mails between Trustees or to an Interest Group where all members have agreed to have access to all other members’ details).
• u3a members are entitled to request access to the information that is held by the u3a. The request must be submitted in writing to the Membership Secretary. The request will be formally acknowledged and dealt with within 30 days unless there are exceptional circumstances. A record shall be kept of the date of the request and the date of the response.
• If a u3a member contacts the u3a to say they feel that there has been a data breach by the u3a, a Trustee will ask the member to provide an outline of their concerns. If the initial contact is by telephone, the Trustee will ask the u3a member to follow this up with an email or letter detailing their concern. The concern will then be investigated by Trustees who are not in any way implicated in the breach. Where the committee needs support or the data breach is serious, the National Office will be notified.

Document updated: 07/03/2022