ALTON U3A DATA PROTECTION POLICY
SCOPE OF THE POLICY
WHY THIS POLICY EXISTS
This data protection policy ensures that the U3A:
•Complies with data protection law and follows good practice.
•Protects the rights of members.
•Is open about how it stores and processes member’s data.
•Protects itself from the risks of a data breach.
GENERAL GUIDELINES FOR COMMITTEE MEMBERS AND GROUP LEADERS
•The only people able to access data covered by this policy should be those who need to communicate with or provide a service to the members of the U3A.
•Data should not be shared informally or outside of the U3A
•The U3A will provide induction training to committee members and group leaders to help them understand their responsibilities when handling personal data.
•Committee Members and group leaders should keep all data secure, by taking sensible precautions and following the guidelines below.
•Strong passwords must be used and they should never be shared.
•Personal data should not be shared outside of the U3A unless with prior consent and/or for specific and agreed reasons.
•Member information should be reviewed and consent refreshed periodically via the membership renewal process or when policy is changed.
•U3As should request help from National Office if they are unsure about any aspect of data protection.
DATA PROTECTION PRINCIPLES
The General Data Protection Regulation identifies 8 data protection principles.
Principle 1 – Personal data shall be processed lawfully, fairly and in a transparent manner
Principle 2 – Personal data can only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Principle 3 – The collection of personal data must be adequate, relevant and limited to what is necessary compared to the purpose(s) data is collected for.
Principle 4 – Personal data held should be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.
Principle 5 – Personal data which is kept in a form which permits identification of individuals shall not be kept for longer than is necessary.
Principle 6 – Personal data must be processed in accordance with the individuals’ rights.
Principle 7 – Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Principle 8 – Personal data cannot be transferred to a country or territory outside the European Union unless that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to the processing of personal data.
Lawful, fair and transparent data processing
The U3A requests personal information from potential members and members for the purpose of sending communications about their involvement with the U3A. The forms used to request personal information will contain a privacy statement informing potential members and members as to why the information is being requested and what the information will be used for. Members will be asked to provide consent for their data
to be held and a record of this consent along with member information will be securely held. U3A members will be informed that they can, at any time, remove their consent and will be informed as to who to contact should they wish to do so. Once a U3A member requests not to receive certain communications this will be acted upon promptly and the member will be informed as to when the action has been taken.
Processed for Specified, Explicit and Legitimate Purposes
Members will be informed as to how their information will be used and the Committee of the U3A will seek to ensure that member information is not used inappropriately.
Appropriate use of information provided by members will include:
•Communicating with members about the U3A’s events and activities
•Group leaders and secretaries communicating with their group members about specific group activities.
•Adding member’s details to the direct mailing information for the Third Age Trust magazines – Third Age Matters and Sources.
•Sending members information about Third Age Trust events and activities.
•Communicating with members about their membership and/or renewal of their membership.
•Communicating with members about specific issues that may have arisen during the course of their membership.
The U3A will ensure that group leaders are made aware of what would be considered appropriate and inappropriate communication. Inappropriate communication would include sending U3A members marketing and/or promotional materials from external service providers.
The U3A will ensure that members’ information is managed in such a way as to not infringe an individual members rights which include:
•The right to be informed.
•The right of access.
•The right to rectification.
•The right to erasure.
•The right to restrict processing.
•The right to data portability.
•The right to object.
Adequate, Relevant and Limited Data Processing
Members of the U3A will only be asked to provide information that is relevant for membership purposes. This will include:
•Gift Aid entitlement, subscription preferences and emergency contact details.
Where additional information may be required, such as health-related information, this will be obtained with the specific consent of the member who will be informed as to why this information is required and the purpose that it will be used for.
Where the U3A organises a trip that requires next of kin information to be provided, the U3A will require the member to gain consent from the identified next of kin. The consent will provide permission for the information to be held for the purpose of supporting and safeguarding the member in question. Were this information to be needed as a one off for a particular trip or event then the information will be deleted once that event or trip has taken place unless it was to be required – with agreement – for a longer purpose. The
same would apply to carers who may attend either a one-off event or on an ongoing basis to support a U3A member with the agreement of the U3A.
There may be occasional instances where a members’ data needs to be shared with a third party due to an accident or incident involving statutory authorities. Where it is in the best interests of the member or the U3A in these instances where the U3A has a substantiated concern then consent does not have to be sought from the member.
Accuracy of Data and Keeping Data up to Date
The U3A has a responsibility to ensure members’ information is kept up to date. Members will be informed to let the membership secretary know if any of their personal information changes. In addition, on an annual basis the membership renewal forms will provide an opportunity for members to resubmit their personal information and reconfirm their consent for the U3A to communicate with them.
Accountability and Governance
The U3A Committee are responsible for ensuring that the U3A remains compliant with data protection requirements and can evidence that it has. For this purpose, those from whom data is required will be asked to provide written consent. The evidence of this consent will then be securely held as evidence of compliance.
The U3A Committee shall ensure that new members joining the Committee receive an induction into how data protection is managed within the U3A and the reasons for this. Committee Members shall also stay up to date with guidance and practice within the U3A movement and shall seek additional input from the Third Age Trust National Office should any uncertainties arise. The Committee will review data protection and who has access
to information on a regular basis as well as reviewing what data is held.
The committee members of the U3A have a responsibility to ensure that data is both securely held and processed. This will include:
•Committee members using strong passwords.
•Committee members not sharing passwords.
•Restricting access of sharing member information to those on the Committee who need to
communicate with members on a regular basis.
•Using password protection on laptops and PCs that contain or access personal information.
•Using password protection or secure cloud systems when sharing data between committee members and/or group convenors.
Subject Access Request
U3A members are entitled to request access to the information that is held by the U3A. The request needs to be received in the form of a written request to the Membership Secretary of the U3A. On receipt of the request, the request will be formally acknowledged and dealt with within 14 days unless there are exceptional circumstances as to why the request cannot be granted. The U3A will provide a written response detailing all
information held on the member. A record shall be kept of the date of the request and the date of the response.
Data Breach Notification
Were a data breach to occur action shall be taken to minimise the harm by ensuring all committee members are aware that a breach had taken place and how the breach had occurred. The committee shall then seek to rectify the cause of the breach as soon as possible to prevent any further breaches. The Chair of the U3A shall contact National Office within 24 hours of the breach occurring to notify of the breach. A discussion would
take place between the Chair and National Office as to the seriousness of the breach, action to be taken and, where necessary, the Information Commissioner’s Office would be notified. The committee shall also contact the relevant U3A members to inform them of the data breach and actions taken to resolve the breach.
If a U3A member contacts the U3A to say that they feel that there has been a breach by the U3A, a committee member will ask the member to provide an outline of their concerns. If the initial contact is by telephone, the committee member will ask the U3A member to follow this up with an email or a letter detailing their concern.
The concern will then be investigated by members of the committee who are not in any way implicated in the breach. Where the committee needs support or if the breach is serious they should notify National Office. The U3A member should also be informed that they can report their concerns to National Office if they don’t feel satisfied with the response from the U3A. Breach matters will be subject to a full investigation, records will be kept and all those involved notified of the outcome.
Policy adopted July 2018
What personal information do we collect?
When you express an interest in becoming a member of Alton U3A you will be asked to provide certain information. This includes:
• your name
• home address
• email address
• telephone number(s)
• your subscription preferences
• emergency contact number
How do we collect this personal information?
All the information collected is obtained directly from you. This is usually at the point of your initial registration. The information will be collected via membership forms or online contact forms. The lawful basis for collecting and storing your information is due to the contractual relationship that you, as a member, have with the U3A. In order to inform you about the groups, activities and events that you can access as a member we need to store and process a certain amount of personal data.
How do we use your personal information?
We use your personal information:
• To provide our U3A activities and services to you
• For administration, planning and management of our U3A
• To communicate with you about your group activities
• To monitor, develop and improve the provision of our U3A activity
• To make contact with nominated third parties in case of an emergency
We’ll send you messages by email, post, other digital methods and telephone to advise you of U3A activities.
Who do we share your personal information with?
We may disclose information about you, including your personal information
• Internally – to committee members and group conveners – as required to facilitate your participation in our U3A activities
• Externally – with your consent for products or services such as direct mailing for the the Trust magazines (Third Age Trust and Sources)
• If we have a statutory duty to disclose it for other legal and regulatory reasons
Where we need to share your information outside of the U3A we will seek your consent
and inform you as to who the information will be shared with and for what purpose.
How long do we keep your personal information?
We need to keep your information so that we can provide our services to you. In most instances information about your membership will not be stored for longer than 12 months after you cease to be a member. The exceptions to this are instances where there may belegal, regulatory or insurance circumstances that require information to be held for longer.
Where this is the case member/s will be informed as to how long the information will be held for and when it is deleted.
How your information can be updated or corrected?
To ensure the information we hold is accurate and up to date, member’s need to inform the U3A as to any changes to their personal information. You can do this by contacting the membership secretary in writing at firstname.lastname@example.org or at 10 Will Hall Close Alton GU34 1QP On an annual basis you will have the opportunity to update your information, as required, via the membership renewal process. Should you wish to view the information that the U3A holds on you, you can make this request by contacting the membership secretary – as detailed above. There may be certain circumstances where we are not able to comply with this request. This would include where the information may contain references to other individuals or for legal, investigative or security reasons. Otherwise we will usually respond within 14 days of the request being made.
How do we store your personal information?
We have in place a range of security safeguards to protect your personal information against loss or theft, as well as unauthorised access, disclosure, copying, use or modification. Your membership information is held centrally on a database/spread sheet (whichever applies). Contact details of group members are also held by group leaders and/or group secretaries.
Availability and changes to this policy
This policy is available on our website . This policy will be reviewed from time to time. If we make any material changes we will make members aware of this via the website, email and on the U3A notice board at the Community Centre.
If you have any queries about this policy, need it in an alternative format, or have any complaints about our privacy practices, please contact us via the chairman whose details appear in The Blue Book.
Policy adopted: July 2018