West Oxford U3A Data Protection Policy
Scope of the policy
This policy applies to the work of West Oxford U3A (the “U3A”). The policy sets out the requirements that the U3A has to gather information for membership purposes. The policy details how personal information will be gathered, stored and managed in line with data protection principles and the General Data Protection Regulation. The policy is reviewed on an ongoing basis by the U3A Committee Members to ensure that we are compliant. This policy should be read in tandem with West Oxford U3A's Privacy Policy.
Why this policy exists
This data protection policy ensures the U3A:
• Complies with data protection law and follows good practice;
• Protects the rights of members;
• Is open about how it stores and processes members' data;
• Protects itself from the risks of a data breach.
General guidelines for committee members and group conveners
• The only people able to access data covered by this policy should be those who need to communicate with or provide a service to the U3A members.
• The U3A will provide induction training to committee members and group conveners to help them understand their responsibilities when handling data.
• Committee Members and group conveners should keep all data secure, by taking sensible precautions and following the guidelines below.
• Strong passwords must be used and they should never be shared.
• Data should not be shared outside of the U3A unless with prior consent and for specific and agreed reasons. Examples would include Gift Aid information provided to HMRC or information provided to the distribution company for the Trust publications.
• Member information should be refreshed periodically to ensure accuracy, via the membership renewal process or when policy is changed.
• Additional support will be available from the Third Age Trust where uncertainties or incidents regarding data protection arise.
Data protection principles
The General Data Protection Regulation identifies key data protection principles:
Principle 1 - Personal data shall be processed lawfully, fairly and in a transparent manner;
Principle 2 - Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
Principle 3 - The collection of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
Principle 4 - Personal data held should be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
Principle 5 - Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
Principle 6 - Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Lawful, fair and transparent data processing
West Oxford U3A requests personal information from potential members and members for membership applications and for sending communications about their involvement with the U3A. The forms used to request personal information will contain a privacy statement informing potential members and members as to why the information is being requested and what the information will be used for. The lawful basis for obtaining member information is the contractual relationship that the U3A has with individual members. In addition, members will be asked to provide consent for specific processing purposes. U3A members will be informed as to whom they need to contact should they wish their data not to be used for specific purposes for which they have provided consent. Where these requests are received they will be acted upon promptly and the member will be informed as to when the action has been taken.
Processed for specified, explicit and legitimate purposes
Members will be informed how their information will be used and the Committee will seek to ensure that member information is not used inappropriately. Appropriate use of information provided by members will include:
• communicating with members about U3A events and activities;
• group conveners communicating with group members about specific group activities;
• consent will be sought in order to add members' details to the direct mailing information for the Third Age Trust magazines – Third Age Matters and Sources;
• sending members information about Third Age Trust events and activities;
• communicating with members about their membership and/or renewal of their membership;
• communicating with members about specific issues that may have arisen during the course of their membership.
The U3A will ensure that group conveners are made aware of what would be considered appropriate and inappropriate communication. Inappropriate communication would include sending U3A members marketing and/or promotional materials from external service providers.
The U3A will ensure that members' information is managed in such a way as not to infringe an individual member’s rights, which include:
• The right to be informed;
• The right of access;
• The right to rectification;
• The right to erasure;
• The right to restrict processing;
• The right to data portability;
• The right to object.
Adequate, relevant and limited data processing
Members of the U3A will only be asked to provide information that is relevant for membership purposes. This will include:
• Name
• Postal address
• Email address
• Telephone number
• Gift Aid entitlement
Where additional information may be required, such as health-related information, this will be obtained with the consent of the member, who will be informed as to why this information is required and the purpose that it will be used for.
Where the U3A organises a trip or activity that requires next of kin information to be provided, a legitimate interest assessment will have been completed in order to request this information. Members will be made aware that the assessment has been completed.
Photographs
Photographs are classified as personal data. Where group photographs are being taken, members will be asked to step out of shot if they don’t wish to be in the photograph. Otherwise, consent will be obtained from members in order for photographs to be taken and members will be informed as to where photographs will be displayed. Should a member wish at any time to withdraw their consent and to have their photograph removed, then they should contact the Secretary to advise that they no longer wish their photograph to be displayed.
Accuracy of data and keeping data up-to-date
The U3A has a responsibility to ensure members' information is kept up to date. Members will be informed to let the Membership Secretary know if any of their personal information changes. In addition, the annual membership renewal process will provide an opportunity for members to inform the U3A of any changes in their personal information.
Accountability and governance
The U3A Committee is responsible for ensuring that the U3A remains compliant with data protection requirements and can evidence that it has. Where consent is required for specific purposes then evidence of this consent (either electronic or paper) will be obtained and retained securely. The U3A Committee will ensure that new members joining the Committee receive an induction into the requirements of GDPR and the implications for their role. The U3A will also ensure that group conveners are made aware of their responsibilities in relation to the data they hold and process. Committee Members shall also stay up to date with guidance and practice within the U3A movement and shall seek additional input from the Third Age Trust National Office should any uncertainties arise. The Committee will review data protection and who has access to information on a regular basis as well as reviewing what data is held. When Committee Members and Group Conveners relinquish their roles, they will be asked to either pass on data to those who need it and/or delete it.
Secure Processing
U3A Committee Members have a responsibility to ensure that data is both securely held and processed. This will include:
• Committee members using strong passwords
• Committee members not sharing passwords
• Restricting access to, and sharing of, member information to those on the Committee who need to communicate with members on a regular basis
• Using password protection on laptops and other devices that contain personal information
• Using password protection or secure cloud systems when sharing data between committee members and/or group conveners
• Paying for firewall security to be put onto Committee Members' laptops or other devices.
Subject Access Request
U3A members are entitled to request access to the information that is held by the U3A. The request needs to be received in the form of a written request to the Membership Secretary of the U3A. On receipt of the request, the request will be formally acknowledged and dealt with expediently. The U3A will provide a written response detailing all information held on the member. A record shall be kept of the date of the request and the date of the response.