On 25 May 2018, the EU General Data Protection Regulation (GDPR) came into effect. The GDPR attempts to protect individuals’ privacy by mandating that all organisations holding or processing personal data be accountable for protecting the confidentiality, integrity, and availability of that data.
The NDAR (the Association) understands the importance of the GDPR for protecting the rights of its members, officers and other individuals with whom the Association has contact. The Association takes these obligations seriously and in order to prepare for the introduction of the GDPR, it has reviewed its processes and developed this policy governing how and why we may collect, store and publish personal data.
This policy has been developed to ensure:
- Association members and other individuals interacting with the Association have a clear understanding of how the Association may collect and use their personal information.
- All Association officers are aware of their responsibilities with respect to collection, storage and usage of personal data.
- The Association has good governance processes in place to monitor our compliance with the GDPR.
Data Protection Officer
Consistent with ICO guidance, upon implementation of this Policy, the Association will appoint a Data Protection Officer. The Data Protection Officer will have a “watching brief” to ensure:
- the Association and its officers are made aware of and encouraged to observe good data collection, management and usage practices (as laid out in these Policies & Procedures),
- will be informed in the event of any suspected data breaches within the Association, and
- will be the first point of contact in the case of any statutory or subject access requests.
Under normal circumstances, this function should not be particularly onerous and will be incorporated into the “duties” of an existing association officer, as agreed by the Standing Committee. In order to avoid any conflicts, the Association should avoid assigning Data Protection Officer responsibilities to an officer with significant personal data handling responsibilities, such as a Branch Secretary or the Treasurer, Report Secretary or Webmaster.
Information about Members
As a membership based organisation the Association collects and maintains a database(s) of basic information on all our members. This data may include the member’s name, address, email, phone number, subscription payment, nomination and bellringing history information. This information is used to communicate with members, prepare the annual report, and otherwise meet any other operational requirements of the Association (such as maintaining insurance policies, reclaiming gift aid tax refunds and maintaining peal records). It also allows the Association to maintain a historical record of membership.
Upon becoming a member of the NDAR and at annual membership renewal, members should be made aware / reminded of the reasons why we collect this information and their rights as detailed below.
Information about Non-Members
The Association will also, on occasions, collect information other on non-member individuals, such as for some Tower Correspondents, Parish Affiliation Scheme contacts and newsletter subscribers. The Association obligations towards the information of these individuals will be similar to the obligations for members. However, given the “informal” relationship the Association has with these individuals, when collecting non-member information there must be a clear written agreement (such as by email) as to why the Association is collecting that information and how it will be used.
Management of Information
The Association and its officers will, at all times, take good care to observe the confidentiality of member data in the collection, storage and usage of that data (such as using password protected and preferably encrypted files with member information, always using “blind copy” on mass emailings, etc…). If any officers are in doubt about what measures are appropriate, they should consult with the Association Data Protection Officer.
Any suspected breaches of data confidentiality should be brought to the attention of the Association’s Data Protection Officer so that appropriate management actions can be agreed and taken.
Publishing Personal Information
The Association will never publish contact information (such as in the annual report and on the website) of members without the explicit written consent of those members.
However, it should be noted that it is convention for the Association to publish all members’ names and individual Association peal records in the annual report (both printed and electronic forms) and that the Association will continue to do this unless explicitly asked not to do so by any individual member.
All Association officers members should also be aware that where any individuals are identified in other public forums (such as any published meeting minutes, branch newsletters and social media sites), the individuals should be aware that they are going to be potentially identified and given the option to not be identified.
The Association will never disclose or sell membership personal data to third parties, unless as required to meet its statutory obligations.
Publishing Officer Information
Members who become an officer of the Association will, in many cases, need to have contact details published in order to carry out their duties effectually. Upon becoming an Officer they must be asked for, and provide, written consent as to which contact details they wish to have published in the annual report, Association website and other relevant media.
Members will at all times have a right to opt permanently not to receive communications (by one or more means of communication). If they express a wish not to do so – the process for expressing such a wish should be simple, clearly defined and their wish be complied with. In the case of new members, the right to opt out of communications should be made clear when they join the Association and we initially collect their contact information (also see below).
Communications with our members will regularly remind them of their rights not to receive communications and how to go about exercising that right if they wish. For example, periodic emails from Branch Secretaries to their members should make these rights clear.
Any non-member (including former Association members) will also have the right at any time to request that all data held on the Association databases on them, where feasible, be deleted. i.e. they have a right to be “forgotten”.
Approval and Future Update of this Policy
This policy was approved at the 2018 AGM on 5 May 2018.
Future updates (for example to accommodate future regulatory changes) will be agreed by the Standing Committee with amendments presented at subsequent AGMs for approval.