The data that members provide on their application forms are kept in documents that are held and processed electronically. This means that the Association is subject to the Data Protection Act.
Under the Act, the data that members provide are not classed as “sensitive data”, and because we are a not-for-profit organisation that does not use CCTV, we do not have to register with the ICO (Information Commissioner’s Office). Nevertheless, under the Act, we have responsibilities of care to uphold. This document outlines our policies.
For more information, the ICO website is here: https://ico.org.uk/
What data do we keep?
We are only allowed to keep data that are necessary for our association activities. We keep the following:
Name and postal address
Telephone number(s) – optional
Email address – optional
We will endeavour to maintain accurate records, but we rely on members keeping us up-to-date.
Members can at any time ask the Secretary for a copy of their recorded data. To request this, send an email to firstname.lastname@example.org.
What is the data used for?
The data are only used for legitimate Association uses; these include:
Communication between committee members and other members as part of the daily running of the Association; notification of Association meetings, the minutes of those meetings; the provision of seed catalogues.
What is the data NOT used for?
We will not disclose your data to other members or to third parties or use it on behalf of third parties. For example, members may sometimes be lobbied to advertise a service or product that might be useful to other members of the association. We will not use your addresses to do this (no “spam” allowed). Such requests from third parties can however be placed on the Allotment web site or the Facebook page, so that members can benefit from these offers.
Who has access to the data?
Only those who need access to the data have access. The following committee members have access to all the member data:
Chairman, Secretary, Treasurer, Lettings secretary.
The Seed secretary only has access to names and postal addresses for the purpose of distributing seed catalogues.
What happens when a member leaves the Association?
We do not keep data that is not needed for operation of the Association. The data for members who leave is held for at most 6 months, after which time it will be deleted from our records. We keep the data for a short period in the event that we need to communicate with a member who has recently left.
How do we protect the data?
The Data Protection Act does not specifically define the level of protection required for personal data, but rather recommends protection that is appropriate depending on the sensitivity of the data and the risks that might be incurred in the event of a security breach. The data that we keep is not classed by the Act as sensitive (examples of sensitive information are bank account details, ethnicity etc.). We therefore assume that the risks that we are exposed to are no greater than the risks of an individual providing the same data to a friend for social purposes.
The Secretary responsible for mass emails across the membership has a Gmail account (email@example.com), protected by a strong password, that is used for this purpose. All email traffic to the Secretary is on this account and not on a personal email account. This account contains members’ email data. Mass emails to the membership are sent blind (Bcc) so that addresses are not exposed.
Encryption and passwords.
The data are held in documents on committee members’ personal computers. The members are expected to take the usual precautions regarding security. The documents themselves, mostly spreadsheets, are not encrypted.
There is sometimes a need to transmit a copy of all the data between committee members. Under these circumstances any document will be encrypted and the password communicated by telephone. This is to mitigate the risk that the document is sent to the wrong recipient.
Mobile (“smart”) phones are sometimes used for email purposes. Phones are vulnerable to loss and theft, so if they are used for Association business they must at least use a 4-character PIN.
Spreadsheets containing multiple records will not be kept on phones.
Who is responsible for the implementation of this policy?
A nominated member of the committee is responsible for ensuring that this policy is adhered to. The Secretary has this responsibility (firstname.lastname@example.org).
Version 1 (8th August 2017)