Data Protection

               West Oxford U3A Data Protection Policy

Scope of the policy

This policy applies to the work of West Oxford U3A (the “U3A”). The policy sets out the requirements that the U3A has to gather information for membership purposes. The policy details how personal information will be gathered, stored and managed in line with data protection principles and the General Data Protection Regulation. The policy is reviewed on an ongoing basis by the U3A Committee Members to ensure that we are compliant. This policy should be read in tandem with West Oxford U3A's Privacy Policy.


Why this policy exists

This data protection policy ensures the U3A:

              Complies with data protection law and follows good practice;

              Protects the rights of members;

              Is open about how it stores and processes members data;

              Protects itself from the risks of a data breach.


General guidelines for committee members and group conveners

                     The only people able to access data covered by this policy should be those who need to communicate with or provide a service to the U3A members.

                    The U3A will provide induction training to committee members and group conveners to help them understand their responsibilities when handling data.


                    Committee Members and group conveners should keep all data secure, by taking sensible precautions and following the guidelines below.


                    Strong passwords must be used and they should never be shared.

                    Data should not be shared outside of the U3A unless with prior consent and for  specific and agreed reasons. Examples would include Gift Aid information provided to HMRC or information provided to the distribution company for the Trust publications.

                    Member information should be refreshed periodically to ensure accuracy, via the membership renewal process or when policy is changed.


                    Additional support will be support from the Third Age Trust where uncertainties or incidents regarding data protection arise.

Data protection principles

The General Data Protection Regulation identifies key data protection principles:

Principle 1 - Personal data shall be processed lawfully, fairly and in a transparent manner

Principle 2 - Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.

Principle 3 - The collection of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

Principle 4 Personal data held should be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

Principle 5 Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for the which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;

Principle 6 - Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Lawful, fair and transparent data processing

West Oxford U3A requests personal information from potential members and members for membership applications and for sending communications about their involvement with the U3A. The forms used to request personal information will contain a privacy statement informing potential members and members as to why the information is being requested and what the information will be used for. The lawful basis for obtaining member information is due to the contractual relationship that the U3A has with individual members. In addition, members will be asked to provide consent for specific processing purposes. U3A members will be informed as to whom they need to contact should they wish their data not to be used for specific purposes for which they have provided consent. Where these requests are received they will be acted upon promptly and the member will be informed as to when the action has been taken.

Processed for specified, explicit and legitimate purposes

Members will be informed how their information will be used and the Committee will seek to ensure that member information is not used inappropriately. Appropriate use of information provided by members will include:

                    communicating with members about U3A events and activities;

                    group conveners communicating with group members about specific group activities;

                    consent will be sought in order to add members details to the direct mailing information for the                               Third Age Trust magazines Third Age Matters and Sources;

                    sending members information about Third Age Trust events and activities;

                    communicating with members about their membership and/or renewal of their membership;

                    communicating with members about specific issues that may have arisen during the course of their membership.

The U3A will ensure that group conveners are made aware of what would be considered appropriate and inappropriate communication. Inappropriate communication would include sending U3A members marketing and/or promotional materials from external service providers.

The U3A will ensure that members' information is managed in such a way as not to infringe an individual member’s rights which include:

              The right to be informed;

              The right of access;

              The right to rectification;

              The right to erasure;

              The right to restrict processing;

              The right to data portability;

              The right to object.


Adequate, relevant and limited data processing

Members of The U3A will only be asked to provide information that is relevant for membership purposes. This will include:


              Postal address

              Email address

              Telephone number

              Gift Aid entitlement

Where additional information may be required such as health related information this will be obtained with the consent of the member, who will be informed as to why this information is required and the purpose that it will be used for.

Where the U3A organises a trip or activity that requires next of kin information to be provided, a legitimate interest assessment will have been completed in order to request this information.

Members will be made aware that the assessment has been completed.


Photographs are classified as personal data. Where group photographs are being taken members will be asked to step out of shot if they don’t wish to be in the photograph. Otherwise, consent will be obtained from members in order for photographs to be taken and members will be informed as to where photographs will be displayed. Should a member wish at any time to withdraw their consent and to have their photograph removed then they should contact the Secretary to advise that they no longer wish their photograph to be displayed.

Accuracy of data and keeping data up-to-date

The U3A has a responsibility to ensure members' information is kept up to date. Members will be informed to let the Membership Secretary know if any of their personal information changes. In addition, the annual membership renewal process will provide an opportunity for members to inform the U3A of any changes in their personal information.

Accountability and governance

The U3A Committee is responsible for ensuring that the U3A remains compliant with data protection requirements and can evidence that it has. Where consent is required for specific purposes then evidence of this consent (either electronic or paper) will be obtained and retained securely. The U3A Committee will ensure that new members joining the Committee receive an induction into the requirements of GDPR and the implications for their role. The U3A will also ensure that group conveners are made aware of their responsibilities in relation to the data they hold and process. Committee Members shall also stay up to date with guidance and practice within the U3A movement and shall seek additional input from the Third Age Trust National Office should any uncertainties arise. The Committee will review data protection and who has access to information on a regular basis as well as reviewing what data is held. When Committee Members and Group Conveners relinquish their roles, they will be asked to either pass on data to those who need it and/or delete it.

Secure Processing

U3A Committee Members have a responsibility to ensure that data is both securely held and processed. This will include:

                    Committee members using strong passwords

                    Committee members not sharing passwords

                    Restricting access of sharing member information to those on the Committee who need to communicate with members on a regular basis

                    Using password protection on laptops and other devices that contain personal information

                    Using password protection or secure cloud systems when sharing data between committee members and/or group conveners

                    Paying for firewall security to be put onto Committee Members' laptops or other devices.

Subject Access Request

U3A members are entitled to request access to the information that is held by the U3A. The request needs to be received in the form of a written request to the Membership Secretary of the U3A. On receipt of the request, the request will be formally acknowledged and dealt with expediently. The U3A will provide a written response detailing all information held on the member. A record shall be kept of the date of the request and the date of the response.

Registered charity no. 1108125