Data Protection Policy

Context & Overview

Introduction:

Eastleigh & District Allotment Cooperative Association Ltd (EDACA) needs to gather and use certain information, or data, about its members.

EDACA is registered as an Industrial and Provident Society (IPS), a form of mutual organisation. This allows EDACA to conduct its activities for the benefit of its members. The concept of membership necessitates EDACA keeping a record of its members, together with such other member details as are necessary for members to benefit fully from membership. This data is of a personal nature pursuant to the data protection Acts.

This policy describes the personal data that EDACA must and may collect about members, and how it is handled and stored to meet EDACA’s legal obligations.

Why this policy exists

This data protection policy ensures EDACA:

·        Complies with data protection law and follows good practice,

·        Is open about how it stores and processes individuals’ data,

·        Protects the rights of its officers and members,

·        Protects itself from the risks of a data breach.

Data protection law

The Data Protection Act 1998 describes how organisations must collect, handle and store personal information, or data. The General Data Protection Regulation (GDPR) 2018, effective 25th May 2018, builds on this earlier UK law and harmonises it with EU law for consistency.

These rules apply regardless of how the data is stored, e.g. on paper, electronically, etc.

To comply with the law, personal data must be collected and used fairly, stored safely and not disclosed unlawfully.

The Act and the Regulation are underpinned by important principles, which state that personal data must:

1.      Be obtained only for specific, lawful purposes,

2.      Be adequate, relevant and not excessive,

3.      Be accurate and kept up to date,

4.      Be held no longer than necessary,

5.      Be processed fairly and lawfully,

6.      Be processed in accordance with the rights of data subjects,

7.      Be protected in appropriate ways,

8.      Not be transferred outside the European Economic Area (EEA) unless that country or territory also ensures an adequate level of protection.

Key policy details:

This version was issued on 10 May 2018.

The policy will be reviewed at least annually and if amended the newer version will be published superseding this version.

People, risks and responsibilities

Policy scope

This policy applies to:

·        all officers, committee members and volunteers of EDACA.

It applies to all information held relating to identifiable individuals, e.g. members, even if that information technically falls outside the Act or Regulation. It can include:

·        Names of individuals,

·        Contact details (e.g. postal addresses, email addresses, telephone numbers),

·        Any other information relating to individuals.

See Personal Data to be collected by EDACA, below, for details.

Data Protection risks

This policy helps to protect EDACA from some very real security risks, including:

·        Breaches of confidentiality, e.g. information being given out inappropriately,

·        Failing to offer choice, e.g. all individuals should be free to choose how the company uses data relating to them,

·        Reputational damage, e.g. the company could suffer if hackers successfully gained access to sensitive data.

Responsibilities

All EDACA volunteers have some responsibility for ensuring data is collected, stored and handled appropriately.

Any volunteer handling personal data must ensure it is handled and processed in line with this policy and the data protection principles.

However, the following roles have key areas of responsibility:

·        The EDACA Committee is authorised by the membership to be ultimately responsible for ensuring EDACA meets its legal obligations.

·        The Committee shall nominate a Committee member who is responsible for Data Protection (DPM) whose responsibilities include:

o       Keeping the Committee updated about data protection responsibilities,

o       Reviewing regularly all data protection procedures and related policies,

o       Ensuring volunteers are aware of their data protection responsibilities,

o       Handling data protection questions from those covered by the policy,

o       Dealing with requests from individuals to see the data EDACA holds about them (aka “subject access requests”),

o       Ensuring all systems, services and equipment used for storing EDACA’s personal information meet acceptable security standards,

o       Performing regular audits to check that data is being managed properly.

·        The Membership Secretary, whose responsibilities include:

o       Collating and maintaining a member “database” holding all personal data

·        The General Secretary (and/or Publicity Secretary or other such role contacting members), whose responsibilities include:

o       Approving any data protection statements attached to communications,

o       Addressing any third-party data protection queries from non-members,

o       Where necessary, working with other volunteers and third parties to ensure any marketing initiatives abide by data protection principles.

·        The Treasurer, whose financial responsibilities require reconciling member numbers and categories to ensure the accounts reflect subscriptions correctly.

General volunteer guidelines

·        The only people able to access data covered by this policy should be those who need it to fulfil their roles. An indicative list of roles needing access to some or all of the information is provided herein, see Volunteer roles needing access to personal data for details.

·        Data should not be shared informally. When access to personal data is required, volunteers can request it from the information “keeper”.

·        EDACA will support volunteers to help them understand their responsibilities when handling personal information.

·        Volunteers should keep all data secure by taking sensible precautions and following the guidelines below.

·        Where passwords are used they should be “strong” and should not be shared.

·        Personal data should not be disclosed to unauthorised people either within EDACA or externally.

·        Personal data should be regularly reviewed and updated if it is found to be out of date. If no longer required it should be deleted and disposed of or managed using the data retention and ageing approach outlined herein.

·        Volunteers should request help from the DPM if they are unsure about any aspect of data protection.

Data storage

These rules describe how and where personal data should be safely stored. Questions about storing information safely can be directed to the DPM.

If personal data is stored on paper, or is normally stored electronically but has been printed out for some reason, then:

·        It should be kept in a secure place where unauthorised people cannot see it.

·        When not required the paper or files should be kept safe, e.g. in a locked drawer.

·        Paper records or printouts should be shredded and disposed of securely when no longer required.

When personal data is stored electronically it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:

·        Data should be protected by encryption and/or the use of strong passwords. Passwords should be changed regularly and should not be shared between volunteers.

·        Data stored on removable media, e.g. CD, DVD, memory stick, should be locked away securely when not being used.

·        Data should only be stored on designated and protected drives and computers and should only be uploaded to an approved cloud computing service.

·        Personal information should be backed up frequently with backups checked regularly.

·        Personal data should not be saved/stored on computers, laptops or other mobile devices (e.g. tablets or smart phones) without ensuring appropriate security, both physically and by protecting from unauthorised access.

·        Any computers containing personal information should be protected by appropriate security measures, e.g. anti-virus, firewall, encryption, etc.

Data use

Personal data is of no value to EDACA unless it can make use of it. However, when personal data is accessed or used it is at greatest risk of loss, corruption or theft:

·        When working with personal data volunteers should ensure computer screens or paper versions are secured when left unattended.

·        Personal data should not be shared informally.

·        Personal data should not be sent by email unless protected.

·        Use bcc if sending email to a group of members unless prior approval to show their addresses has been obtained.

·        Personal data must be encrypted before being transferred electronically.

·        Personal information should never be transferred outside of the EEA.

·        Volunteers should not save copies of personal data to their own computers. Always access and update the central copy of the data.


Data accuracy

EDACA is required to take reasonable steps to ensure personal data is kept accurate and up to date.

It is the responsibility of all volunteers working with personal data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

·        Personal data will be held in as few places as necessary.

·        Volunteers should take every opportunity to ensure personal data is updated, e.g. checking member details upon renewal.

·        EDACA will provide the means for members to provide updated personal data, e.g. via renewal forms, contact details for the membership secretary.

·        Personal data should be updated as inaccuracies are found, e.g. removing phone numbers found that can no longer be reached.

Data retention and ageing

EDACA intends to minimise the retention of personal data.

EDACA treats data in two ways: current and historical.

·        Current data – this is the personal data of members for the current year (October – September) and the previous year until the accounts for the previous year are approved by EDACA, normally at the AGM. Current data may be accessed by volunteers performing roles as defined herein.

·        Historical data – this comprises the personal data of members for previous years, the transition from Current to Historical being the approval of the accounts for that year. Historical data is accessed only by exception by volunteers performing roles, e.g. the Treasurer investigating accounts queries.

Historical data is retained for at least as long as the law requires.

EDACA seeks to retain Historical data for its statistical purposes, which may require it to be transformed. The rights relating to subject access requests are not affected.


Subject access requests

All individuals who are the subject of personal data held by EDACA are entitled to:

·        Ask what information EDACA holds about them and why,

·        Ask how to gain access to it,

·        Be informed how to keep it up to date,

·        Be informed how the company is meeting its data protection obligations.

If a member contacts EDACA requesting this information it is called a “subject access request”.

Subject access requests from individuals should be made, e.g. by email, to the DPM.

EDACA is entitled to charge per subject access request. A charge of £5 will be made. The DPM aims to provide the relevant information within 14 days.

The identity of anyone making a subject access request will be verified before handing over any information.

Disclosing data for other reasons

In certain circumstances the Act and Regulation allow personal data to be disclosed to law enforcement agencies without the consent of the data subject.

Under these circumstances EDACA will disclose the requested data. However, the DPM will ensure the request is legitimate, seeking assistance from the Committee and taking legal advice where necessary.

Providing information

EDACA aims to ensure that individuals are aware that their data is being processed, and that they understand:

·        How the data is being used,

·        How to exercise their rights.

To these ends EDACA has a privacy statement, setting out how data relating to individuals is used. The privacy statement is in a later section of this document.

Volunteer roles needing access to personal data

The following roles have been identified as needing access to some/all member personal data:

Role | Access to what data | Why
Membership Secretary | All required data; all optional data | To be able to maintain the central record.
General Secretary | Contact details | EDACA correspondence.
Publicity Secretary | Contact details | EDACA correspondence.
Treasurer | Numbers of members in each membership class | Ensuring final accounts are correct.
Volunteers handling new memberships or renewals, incl. EDACA site reps | All required data; all optional data | To ensure member records are complete.

This list may be amended over time, with an updated policy reflecting the changes then approved.

Personal Data to be collected by EDACA

The following personal data has been identified as being either:

·        Required – i.e. without it the applicant cannot be a member of EDACA, or

·        Requested – i.e. an applicant may be a member without providing this information but may not enjoy all the benefits of membership that would accrue had the member provided it.

This approach deals with the opt-in requirements of the GDPR.

The current personal data for subscription year Oct 2017 – September 2018 is considered transitional and covered by the previous legislation, with a presumed opt-in as the member has already provided the information. A full opt-in will be implemented for the year 2018-19 and thereafter.

The information types sought are:

Personal Data type | Required / requested | Why
Name (forename(s) & surname) | Required | To uniquely identify the member.
Courtesy title | Requested | To permit more personal contact addressing.
Contact details: address | Required | EDACA correspondence.
Contact details: email | Requested | Preferable means to communicate with member.
Contact details: phone number | Requested | Urgent communication.
Over 60 | Requested | Members qualifying for the over 60 reduced subscription need to attest to eligibility and allow this data to be recorded as personal data. The member’s date of birth is not requested.
Allotment details | Requested | To help understand membership at various allotment sites.

This list may be amended over time, with an updated policy reflecting the changes then approved.

Privacy statement

This privacy statement describes how EDACA uses and protects any information that you give EDACA.

EDACA is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified then you can be assured that it will only be used in accordance with this privacy statement.

EDACA may change its approach from time to time by updating this statement. You should check the privacy statement from time to time to ensure that you are happy with any changes. This policy is effective from the date shown.

What we collect

EDACA requires some information to have a record of its members.

EDACA will seek to collect the following information for members, actual or prospective:

·         Name (forename, surname),

·         Courtesy title (e.g. Mr, Mrs, etc.),

·         Contact information (postal address, email address),

·         Other information relevant to members benefiting from EDACA membership, e.g. the over 60 membership subscription discount.

What we do with the information we gather

EDACA uses the personal information for:

·         Internal record keeping.

·         Improving the services EDACA provides to its members.

·         Enabling EDACA to contact you by post, email or phone with information which it knows you need as a member, e.g. a subscription renewal notice, or which you may find interesting, e.g. seed catalogues.

Security

EDACA is committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, it has put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect.

How we use cookies (website only)

The EDACA website may use cookies. A cookie is a small file which asks permission to be placed on your computer's hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual, for example by tailoring their operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

Using cookies helps identify which pages are being used. This helps EDACA analyse data about webpage traffic and improve the website or tailor it to customer needs. The information is only used for statistical analysis purposes and then deleted.

Overall, cookies help EDACA provide you with a better website by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

Links to other websites

The EDACA website may contain links to other websites of interest. However, once you have used these links to leave the EDACA website, you should note that we do not have any control over that other website. Therefore, EDACA cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Controlling your personal information

You may choose to restrict the collection or use of your personal information in the following ways:

·         whenever you are asked to fill in a form, indicate whether or not you allow the information to be used for direct marketing purposes,

·         if you have previously agreed to EDACA using your personal information for direct marketing purposes, you may change your mind at any time by writing to or emailing us at the designated contact address.

·         EDACA will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so.

·         EDACA may use your personal information to send you promotional information of interest about third parties if you indicate you permit this.

You may request details of personal information which we hold about you under the Data Protection Act 1998 or General Data Protection Regulation. A fee of £5 will be payable. If you would like a copy of the information held on you please write to the designated contact address.

If you believe that any information we are holding on you is incorrect or incomplete, please contact EDACA as soon as possible at the designated contact address. We will promptly correct any information found to be incorrect.