Data Protection Policy - Kenton & District u3a

Please click here to download this document as a pdf.

1. Introduction

This document has been adapted to meet the particular needs of this u3a.

2. Policy

2.1 Scope of the policy

This policy applies to the work of Kenton & District u3a. The policy sets out the requirements that Kenton & District u3a has for collecting and processing information for its various purposes. The policy details how personal information will be collected, stored and managed in line with data protection principles and the UK General Data Protection Regulation. The policy is reviewed on an ongoing basis by Kenton & District u3a committee members to ensure that Kenton & District u3a remains compliant. This policy should be read in tandem with Kenton & District u3a’s Privacy Policy.

2.2 Why this policy exists

This data protection policy ensures Kenton & District u3a:

Complies with data protection law and follows good practice
Protects the rights of its members

Is open about how it stores and processes its members’ data
Protects itself from the risks of a data breach

2.3 General guidelines for committee members and group convenors

The only people able to access the data covered by this policy are those who need it to manage or communicate with or provide a service to Kenton & District u3a members.
Kenton & District u3a will provide or make available to committee members and group convenors induction training to help them understand their responsibilities when handling data.

Committee Members and group convenors shall keep all data secure, by taking sensible precautions and following the guidelines below.
Strong passwords shall be used, and they should never be shared.
Data shall not be shared outside of Kenton & District u3a unless there is prior consent or there is a specific and agreed legitimate reason. Examples would include but are not limited to Gift Aid information provided to HMRC or information provided to the distribution company for the Trust publications or a legal requirement..
Member information shall be refreshed periodically to ensure accuracy, via the membership renewal process or when policy is changed.
Additional support will be available from the Third Age Trust where uncertainties or incidents regarding data protection arise.

2.4 Data protection principles

The UK General Data Protection Regulation identifies key data protection principles:

Principle 1 – Personal data shall be processed lawfully, fairly and in a transparent manner
Principle 2 – Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial legitimate purposes.
Principle 3 – The collection of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

Principle 4 – Personal data held should be accurate and, where necessary, kept up to date; steps must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without unnecessary delay;
Principle 5 – Personal data must kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for the which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest , scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the UK GDPR in order to safeguard the rights and freedoms of individuals;
Principle 6 – Personal data must be processed in accordance with a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

2.5 Lawful, fair and transparent data processing

Kenton & District u3a requests personal information from potential members and members for membership applications and for sending communications regarding members’ involvement with the u3a. Members and potential members will be informed as to why the information is being requested and what the information will be used for. The lawful basis for obtaining member information is the legitimate interest and contractual relationship that the u3a has with individual members. In addition, members will be asked to provide consent for specific processing purposes such as the taking of photographs. Kenton & District u3a members will be informed as to who they need to contact should they wish their data not to be used for specific purposes for which they have provided consent. Where these requests are received, they will be acted upon promptly and the member will be informed as to when the action has been taken.

2.6 Processed for specified, explicit and legitimate purposes

Members will be informed as to how their information will be used and the Committee of Kenton & District u3a will seek to ensure that member information is not used inappropriately. Appropriate use of information provided by members will include but is not limited to:

Communicating with members about Kenton & District u3a events and activities
Group convenors communicating with group members about specific group activities
Member information will be provided to the distribution company that sends out the Trust publication – Third Age Matters. Members will be informed and have a choice as to whether or not they wish to receive the publication.

Sending members information about Third Age Trust events and activities
Communicating with members about their membership and/or renewal of their membership
Communicating with members about specific issues that may have arisen during the course of their membership

Kenton & District u3a will ensure that group convenors are made aware of what would be considered appropriate and inappropriate communication. Inappropriate communication would include but is not limited to sending u3a members marketing or promotional materials from external service providers.

Kenton & District u3a will ensure that members’ information is managed so as to not infringe an individual member’s rights which include:

The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing

The right to data portability
The right to object

2.7 Adequate, Relevant and Limited Data Processing

Members of Kenton & District u3a will only be asked to provide information that is relevant for membership, communication and management purposes. This will include but is not limited to:

Name

Postal address
Email address
Telephone number
Gift Aid entitlement

Where additional information isrequired such as health related information this will be obtained with the consent of the member who will be informed as to why this information is required and the purpose or purposes that it will be used for.

When Kenton & District u3a organises a trip or activity that requires next of kin information to be provided, a legitimate interest assessment will have been completed in order to request this information. Members will be made aware that the assessment has been completed.

2.8 Photographs

Photographs are classified as personal data. Where group photographs are being taken members will be asked to face away from the camera or to step out of shot if they don’t wish to be in the photograph. Otherwise consent will be obtained from members in order for photographs to be taken and members will be informed as to where photographs will be displayed. Should a member wish at any time to remove their consent and to have their photograph removed then they should contact the Kenton & District u3a Committee Chair to advise that they no longer wish their photograph to be displayed.

2.9 Accuracy of data and keeping data up-to-date

Kenton & District u3a has a responsibility to ensure members’ information is kept up to date. Members will be informed to let the membership secretary know if any of their personal information changes. In addition, on an annual basis, the membership renewal process will provide an opportunity for members to inform Kenton & District u3a of any changes in their personal information.

2.10 Accountability and governance

Kenton & District u3a Committee is responsible for ensuring that the u3a remains compliant with data protection requirements and can evidence that it has. Where consent is required for specific purposes then evidence of this consent (either electronic or paper) will be obtained and retained securely. Kenton & District u3a Committee will ensure that new members joining the Committee receive an induction training into the requirements of UK GDPR and the implications for their role. Kenton & District u3a will also ensure that group convenors are made aware of their responsibilities in relation to the data they hold and process. Committee Members will stay up to date with guidance and practice within the u3a movement and will seek advice from the Third Age Trust National Office should any uncertainties arise. Kenton & District u3aCommittee will review data protection requirements on an ongoing basis as well as reviewing who has access to data and how data is stored and deleted. When Committee Members and Group Convenors relinquish their roles, they will be asked either to pass on data to those who need it and delete their copies of the data.

2.11 Secure Processing

Kenton & District u3a Committee Members have a responsibility to ensure that data is both securely held and processed. This will include:

Committee members using strong passwords

Committee members not sharing passwords
Restricting access of sharing member information to those on the Committee who need to communicate with members
Using password protection on laptops, tablets, phones and PCs that contain personal information
Using password protection, a membership database or secure cloud systems when sharing data between committee members and/or group conveners
Providing firewall security software for Committee Members’ laptops or other devices.

2.12 Subject Access Request

u3a members are entitled to request access to their personally identifiable information that is held by Kenton & District u3a. The request needs to be received in the form of a written request to the Membership Secretary of Kenton & District u3a. On receipt of the request, the request will be formally acknowledged and dealt with expediently (the legislation requires that information should generally be provided within one month) unless there are exceptional circumstances as to why the request cannot be granted. Kenton & District u3a will provide a written response to the member detailing all the information held on the member. A record shall be kept of the date of the request and the date of the response.

2.13 Data Breach Notification

Were a data breach to occur action will be taken to minimise the harm. This will include ensuring that all Kenton & District u3a Committee Members are made aware that a breach has taken place and how the breach occurred when known. The Committee shall then seek to rectify the cause of the breach as soon as possible to prevent any further breaches. The Chair of Kenton & District u3a will contact National Office as soon as possible after the breach has occurred to notify them of the breach. A discussion will take place between the Chair and National Office as to the seriousness of the breach, action to be taken and, where necessary, the Information Commissioner’s Office shall be notified in accordance with current regulations. The Committee shall also contact the relevant u3a members to inform them of the data breach and actions taken to resolve the breach.

Where a member of the u3a feels that there has been a breach by the u3a, the member will ask a Committee Member to provide an outline of the breach. If the initial contact is by telephone, the Committee Member will ask the u3a member to follow this up with an email or a letter detailing their concern. The alleged breach will then be investigated by members of the committee who are not in any way implicated in the breach. Where the committee needs support or if the breach is serious, they shall notify National Office. The u3a member should also be informed that they can report their concerns to National Office if they don’t feel satisfied with the response from their u3a. Breach matters will be subject to a full investigation, records will be kept and all those involved notified of the outcome.