St Albans Lions Club Data Protection Policy Dec 2019
To operate, St Albans Lions Club (“the Club”) needs to gather, store and use certain forms of information about individuals. These can include members, suppliers, Friends of Lions/volunteers, attendees of events and potential attendees, community contacts and other people the Club has a relationship with or needs to contact regularly. This policy explains how this data should be collected, stored and used to meet the Club’s data protection standards and comply with the General Data Protection Regulations (GDPR). This document sets out how the Club has chosen to meet its obligations in relation to the recording and holding of personal data under the Data Protection Act and related legislation.
• the scope of the Data Protection policy
• the status of the Club under the Data Protection Act
• the rationale for recording and holding essential information about Club’s, its supporters ( Friends of Lions and and people who have purchased tickets), and suppliers
• the responsibilities of Club members who have access to the information
• the responsibility of Club members to keep their personal information up to date
• the arrangements agreed for reviewing this policy and assessing compliance and
• the impact of the General Data Protection Regulation (GDPR) with effect from 25 May 2018.
The policy applies to all those handling data on behalf of the Club, e.g. Club members, Friends of Lions/ volunteers and contractors/third-party suppliers. It applies to all data that the Club holds relating to individuals, including names, email addresses, postal addresses, telephone numbers, and any other personal information held.
STATUS OF THE CLUB UNDER THE DATA PROTECTION ACT
Under the Data Protection Act, organisations that process personal data must normally obtain a license from the Information Commissioner’s Office (ICO) in relation to the processing of those data, unless one of a number of specified exemptions apply. The Lions Board Members consider that the Club is exempt from the requirement to notify the ICO of its arrangements for processing personal data, because it is a non-profit organisation and the Lions Board Members believes the following criteria are met:
• The Club only processes information necessary to establish or maintain membership or for contact with it Friends of Lions/supporters; and
• the Club only processes information necessary to provide or administer activities for people who are Members or Friends of Lions/supporters of the organisation or have regular contact with it; and
• the Club only shares the information with people and organisations necessary to carry out the organisation’s activities; and
• the Club only keeps the information while the individual is a Member or supporter or as long as necessary for member/Friends of Lions/supporter administration.
DATA COLLECTION AND HANDLING ARRANGEMENTS
The Club will ensure that it handles the data it holds in line with the requirements of the Data Protection Act principles listed in Annex 1.
In particular, it will:
• fairly and lawfully process personal data in a transparent way: It will collect only data which it needs to establish or maintain details of membership or support, and to provide or administer activities for people who are members of the Club or have regular contact with it. It will request positive consent for information to be used for purposes other than to complete tasks expected as part of an individual’s Membership of, or relationship with, the Club;
• only collect and use personal data for specific, explicit and legitimate purposes and only use the data for those specified purposes: When collecting data, the Club will always provide a clear and specific privacy statement explaining to the subject why the data are required and the purposes for which they will be used.
• ensure any data collected are relevant and not excessive: The Club will not collect or store more data than the minimum information required for the intended purpose;
• ensure data are accurate and up-to-date: The Club will ask Members to speak to the Club Secretary if they would like to view, update or correct any data held on them. This is also included in the privacy statement given to new and existing members. Where updated information is provided, the Club’s records will be updated as soon as possible. The Club will also ensure that it explains to other parties (e.g. Friends of Lions/supporters & volunteers) how they can update the information held by the Club.
• ensure data are not kept longer than necessary: The Club will keep records for no longer than is necessary to meet the intended use for which they were gathered (unless there is a legal requirement to keep records). The storage and intended use of data will be reviewed in line with the Club’s data retention policy. When the intended use is no longer applicable (e.g. contact details for a member who has left the Club, or a former Friend, where the individual concerned no longer wishes to be contacted by the Club), the data will be deleted within a reasonable period.
• keep personal data secure: electronic data will be held securely with access given only to relevant Club members or, in some cases, a subset of Club members. Photographs will be held securely. Where it is necessary to hold paper records, these will be kept securely;
• not transfer data to countries outside the European Economic Area (EEA). Such transfer is legally permissible provided that the country concerned has adequate protection for the individual’s data privacy rights, but the Club does not consider that such transfers are necessary for its purposes.
• seek assurance that third-party suppliers used by the Club to process data on the Club’s behalf themselves comply with the statutory data protection requirements. By treating the data it collects in this way, the Club will ensure that it continues to comply with the exemption for registration with the ICO, and ensure that it complies with the wider requirements of the Data Protection Act and the GDPR. The information held consists predominantly of personal contact details to enable the Club to communicate effectively with its Members, Friends of Lions/supporters and other parties. Sensitive data, defined in the Data Protection Act as data about individuals’ racial or ethnic origin, beliefs, health, sexual life and criminal convictions are NOT required or recorded. Some personal contact details about each member are collected by the Secretary, on behalf of the Club, when new members join the Club. This information is held by the Club so it can make contact with Club Members and Friends of Lions on a day-to-day basis to communicate important information relating to meetings & events. The information held consists of members’ or Friends of Lions’ name, home address, telephone numbers & email address. Confirmation will be obtained from new members that they consent to the Club holding these data and using them for the purposes indicated.
INDIVIDUALS’ RIGHTS OVER THEIR PERSONAL DATA
The Club will respect and uphold individuals’ rights over their personal data, including:
• Right to be informed: whenever the Club collects data, it will provide a clear and specific privacy statement explaining why they are being collected and how they will be used.
• Right of access: individuals can request to see the data the Club holds on them and confirmation of how they are being used. Requests should be made in writing to the Secretary and will be complied with free of charge and within one month. Where requests are complex or numerous this may be extended to two months.
• Right to rectification: individuals can request that their data be updated where they are inaccurate or incomplete. The Club will remind Members periodically to ensure they inform the Secretary of any changes to their personal details. Any requests for data to be updated will be processed within one month. Other communication methods will ensure that individuals are clear on how their information can be updated or corrected.
• Right to object: individuals can object to their data being used for a particular purpose. In all marketing communications, the Club will always provide a way for an individual to withdraw consent. Where the Club receives a request to stop using data it will comply unless it has a lawful reason to use the data for legitimate interests or contractual obligation.
• Right to erasure: individuals can request for all data held on them to be deleted. The Club’s data retention policy will ensure data are not held for longer than is reasonably necessary in relation to the purpose it was originally collected. If a request for deletion is made the Club will comply with the request unless (i) there is a lawful reason to keep and use the data for legitimate interests or contractual obligation or (ii) there is a legal requirement to keep the data.
• Right to restrict processing: individuals can request that their personal data be ‘restricted’ – that is, retained and stored but not processed further (e.g. if they have contested the accuracy of any of their data, the Club will restrict the data while it is verified). Though unlikely to apply to the data processed by the Club, the Club will also ensure that rights related to portability and automated decision-making (including profiling) are complied with where appropriate.
HOW THE CLUB OBTAINS CONSENT
The Club will communicate periodically with consenting Friend of Lions/supporters for marketing purposes. This includes contacting them to promote events, updating them about group news, fundraising and other service and social activities. We will ensure that:
• positive consent is received from individuals to receive these communications and
• a clear and specific explanation is given of what the data will be used for.
• an option exists for a recipient to withdraw their consent.
Data collected will be used only in the way described and consented to (e.g. the Club will not use email data to market third-party products or services). Friends of Lions have already provided consent to being contacted by email as part of the Friends of Lions Scheme. An explanation will be given to new Friends of the purpose for which their data are being collected and how to update their contact details or to stop receiving Friends of Lions information.
COOKIES ON THE CLUB’S WEBSITE
DATA RETENTION ARRANGEMENTS
A periodic review of all data will take place to establish if the Club still has good reason to keep and use the data held at the time of the review. The review will be led by a Board Member. As a general rule, a data review will be held every two years after the last review. Data in scope to be reviewed will include:
• data within digital documents (e.g. word documents, spreadsheets) stored on personal devices held by Members;
• data stored on third party online services (e.g. Dropbox, Mail Chimp);
• any physical data stored at the homes of Members.
Criteria for review of data.
The following criteria will inform the Club’s decision about what data to keep and what to delete:
Are the data stored securely?
No Action Necessary
Update storage protocol in line with Data Protection Policy
Does the original reason for having the data still apply?
Continue to use
Delete or remove data
Are the data being used for its original intention?
Continue to use
Delete/remove or record lawful basis for use and get consent if necessary
Is there a statutory requirement to keep the data?
Keep the data at least until the statutory minimum no longer applies
Delete or remove the data unless there is a reason to keep the data under other criteria
Are the data accurate?
Continue to use
Ask the subject to confirm/update details
Where appropriate do we have consent to use the data?
Continue to use (could be implied by previous use)
Can the data be anonymized?
Continue to use
How data will be deleted
If the review identifies data which no longer need to be held by the Club then:
• physical data will be destroyed safely and securely, including by shredding;
• all reasonable and practical efforts will be made to remove data stored digitally;
• priority will be given to any instances where data are stored in active lists (e.g. where it could be used) and to any sensitive data held.
Where deleting the data would mean deleting other data that we have a valid lawful reason to keep (e.g. on old emails) then the data may be retained safely and securely but not used.
Data stored by the Club may be retained based on statutory requirements for storing data other than data protection regulations. This might include but is not limited to:
• Gift Aid declarations records
• Details of payments made and received (e.g. in bank statements and accounting records)
• Board meeting minutes
• Contracts and agreements with suppliers/customers
• Insurance details
When a member leaves the Club and all administrative tasks relating to their membership have been completed, any data held on them will be deleted. Data will be removed from all email mailing lists unless consent has been given. Individuals who have signed up to receive the Club’s Newsletter or mailings will continue to receive this unless and until they unsubscribe. All other data will be stored safely and securely and reviewed as part of the next periodic review.
Mailing list data
If an individual opts out of a mailing list, their data will be removed as soon as is practically possible. All other data will be stored safely and securely and reviewed as part of the next periodic review.
Friends of Lions/volunteer and freelancer data
When a Friend of Lions/volunteer or freelancer stops working with the Club and all administrative tasks relating to their work have been completed any potentially sensitive data held on them will be deleted. Unless consent has been given, data will be removed from all email mailing lists. All other data will be stored safely and securely and reviewed as part of the next periodic review.
All other data will be included in the periodic review.
RESPONSIBILITIES OF COMMITTEE MEMBERS WHO COLLECT, MANAGE OR HANDLE DATA
• Maintain accurate and up to date records of Club Members & Friends of Lions/volunteers, as detailed above.
• Ensure that data are collected from new members and that they are made aware of the Data Protection Statement included in the Annex to this policy and that they provide their consent for their data to be used.
• Ensure personal data held are maintained securely and access granted only as appropriate e.g. to other Members
• Update the membership database as required and reissue periodically to Board members who require a copy;
• Remind Club Members & Friends of Lions/volunteers from time to time to inform the Secretary of any change to contact details;
• Ensure details of former members are deleted when they leave the Club unless they agree for the Club to remain in contact
• Maintain records of payment of subscriptions paid by Club members
• Ensure these records are kept up-to-date and deleted when no longer required
RESPONSIBILITY OF INDIVIDUAL MEMBERS OF THE CLUB
Each new Member of the Club will be asked to complete a Personal Details form once accepted as a Member. This form will be kept by the Secretary in order to add the new members’ contact details to the Member Database. The form includes an explanation of the reasons for collecting the data and that contact details will be added to the Club’s Member Database, using the statement listed in Annex 3, and asks for Members’ consent to these data being used. Individual members are responsible for providing only that information to the Club that they are prepared to have stored in accordance with this policy. All members are responsible for notifying the Secretary in the event of any change of personal details. Personal information held by the Club about Members will be respected and not divulged by the choir to a third party without individuals’ consent.
Each new member of the Friends of Lions will be asked for their details and consent to hold their data and this will be added to a Friends of Lions/volunteers list kept by the Secretary.
The Board is responsible for reviewing this policy on a regular basis and for assessing whether the Club is complying with its provisions. The policy will be reviewed by the Club every two years. When the policy is reviewed the Trustees/Committee will consider, amongst other things:
• Is the policy still appropriate given the data collected and the way in which they are stored?
• Are we complying with the terms of the policy?
• Do we still only collect data we need?
• Do we still explain to members and supporters how we plan to use their data, when we collect it?
• Do we use the data for purposes other than for which they were collected?
• Do we still have arrangements to enable the data to be reviewed and updated where necessary?
• Do we only keep data for as long as we need them?
• Do we have arrangements to ensure that any sensitive data are kept appropriately secure?
Date last reviewed and agreed by Club: Dec 2019
Scheduled date of next review: Dec 2021