Scope of the Policy
General Guidelines for Committee Members and Group Conveners
◾ The only people able to access data covered by this policy should be those who need to communicate with or provide a service to the members of CEDU3A
◾ Committee members and Group conveners should keep all data secure, by taking sensible precautions, for example using strong passwords, never to be shared
◾ Data should not be shared outside of the CEDU3A unless with prior consent and/or for specific and agreed reasons
◾ Member information should be refreshed periodically to ensure accuracy, via the membership renewal process or when policy is changed
Data Protection Principles
The General Data Protection Regulation 2018 identifies key data protection principles:
◾ 1 – Personal data shall be processed lawfully, fairly and in a transparent manner
◾ 2 : Personal data can only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
◾ 3 : The collection of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
◾ 4 : Personal data held should be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, is deleted or corrected without delay
◾ 5 : Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes
◾ 6 :Personal data must be processed in accordance a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
◾ 7 : As the holder of the data CEDU3A is responsible for, and be able to demonstrate compliance with the General Data Protection Regulation 2018
Lawful, Fair and Transparent Data Processing
CEDU3A requests personal information from potential members and members for membership applications and for sending communications about their involvement with the U3A. The forms used to request personal information will contain a privacy statement informing potential members and members as to why the information is being requested and what the information will be used for. The lawful basis for obtaining member information is due to the contractual relationship that the CEDU3A has with individual members. In addition members will be asked to provide consent for specific processing purposes. CEDU3A members will be informed as to who they need to contact should they wish for their data not to be used for specific purposes for which they have provided consent. Where these requests are received they will be acted upon promptly and the member will be informed as to when the action has been taken.
Processed for Specified, Explicit and Legitimate Purposes
Members will be informed as to how their information will be used and CEDU3A will seek to ensure that member information is not used inappropriately. Appropriate use of information provided by members will include:
◾ Communicating with members about CEDU3A events and activities
◾ Communicating with group members about specific group activities
◾ Communicating with members about their membership and/or renewal of their membership
◾ Communicating with members about specific issues that may have arisen during the course of their membership
◾ Sending members information about Third Age Trust events and activities
CDEDU3A will ensure that Group conveners are made aware of what would be considered appropriate and inappropriate communication. Inappropriate communication would include sending U3A members marketing and/or promotional materials from external service providers.
CEDU3A will ensure that information is managed in such a way as to not infringe an individual members rights. These include:
◾ The right to be informed
◾ The right of access
◾ The right to rectification
◾ The right to erasure
◾ The right to restrict processing
◾ The right to data portability
◾ The right to object
Adequate, Relevant and Limited Data Processing
Members of CEDU3A will only be asked to provide information that is relevant for membership purposes. This will include:
◾ Postal address
◾ Email address
◾ Telephone/mobile number
◾ Any information volunteered by a member to assist in the activities of CEDU3A, e.g. skills and experience
Where additional information may be required such as health related information this will be obtained with the consent of the member who will be informed as to why this information is required and the purpose that it will be used for.
Photographs are classified as personal data. Where group photographs are being taken members will be asked to step out of shot if they don’t wish to be in the photograph. Otherwise consent will be obtained from members in order for photographs to be taken and members will be informed as to where photographs will be displayed. Should a member wish at any time to remove their consent and to have their photograph removed then they should contact CEDU3A to advise that they no longer wish their photograph to be displayed.
Accuracy of Data
CEDU3A has a responsibility to ensure members’ information is kept up to date. Members will be informed to let the Membership Secretary know of any changes to their personal information. In addition, on an annual basis, the membership renewal process will provide an opportunity for members to inform CEDU3A as to any changes in their personal information.
Accountability and Governance
The officers of CEDU3A are responsible for ensuring that CEDU3A remains compliant with data protection requirements and can provide evidence that it has. Where consent is required for specific purposes then evidence of this consent (either electronic or paper) will be obtained and retained securely. CEDU3A will ensure that new members joining its organising Committee receive an induction into the requirements of GDPR and the implications for their role.
CEDU3A will also ensure that Group conveners are made aware of their responsibilities in relation to the data they hold and process. Committee members shall also stay up to date with guidance and practice within the U3A movement and shall seek additional input from the Third Age Trust National Office should any uncertainties arise. The Committee will review data protection and who has access to information on a regular basis as well as reviewing what data is held. When Committee members and Group conveners relinquish their roles, they will be asked to either pass on data to those who need it and/or delete data.
CEDU3A Committee Members have a responsibility to ensure that data is both securely held and processed. This will include:
◾ Using strong passwords
◾ Not sharing passwords
◾ Restricting access of member information to only those on the Committee who need to communicate with members on a regular basis
◾ Using password protection on laptops and PCs that contain personal information
◾ Using password protection or secure cloud systems when sharing data between committee members and/or group conveners
◾ Paying for firewall security to be put onto Committee members’ laptops or other devices.
Subject Access Request
Members are entitled to request access to the information that is held by CEU3A. The request needs to be received in the form of a written request to the Membership Secretary. On receipt, the request will be formally acknowledged and dealt with within one month unless there are exceptional circumstances as to why the request cannot be granted. CEDU3A will provide a written response detailing all information held on the member. A record shall be kept of the date of the request and the date of the response.
Data Breach Notification
Were a data breach to occur action shall be taken to minimise the harm. This will include ensuring that all CEDU3A Committee members are made aware that a breach has taken place and how the breach occurred. The Committee shall then seek to rectify the cause of the breach as soon as possible to prevent any further breaches. The Chair of the CEDU3A shall notify U3A National Office within 24 hours of the breach occurring. A discussion will take place between the Chair and National Office as to the seriousness of the breach, action to be taken and, where necessary, the Information Commissioner’s Office would be notified. The Committee shall also contact the relevant U3A members to inform them of the data breach and actions taken to resolve the breach.
Where a U3A member feels that there has been a breach by the U3A, a Committee member will ask the member to provide an outline of the breach. If the initial contact is by telephone, the committee member will ask the U3A member to follow this up with an email or a letter detailing their concern. The alleged breach will then be investigated by members of the Committee who are not in any way implicated in the breach. Where the committee needs support or if the breach is serious they should notify National Office. The U3A member should also be informed that they can report their concerns to National Office if they don’t feel satisfied with the response from the U3A. Breach matters will be subject to a full investigation, records will be kept and all those involved notified of the outcome.