Andover U3A

Scope of the Policy

This Policy applies to the work of the Andover U3A. The Policy explains the Andover U3A’s requirement to gather information for membership purposes. The Policy details how personal information will be gathered, stored and managed in line with data protection principles and the General Data Protection Regulation (GDPR).

This Policy is reviewed on an ongoing basis by Andover U3A Committee Members to ensure that we are compliant.

This Policy should be read in tandem with the Andover U3A's Privacy Policy.

Why this Policy exists

This Data Protection Policy ensures that the Andover U3A:

•   Complies with data protection law and follows good practice;

•   Protects the rights of members;

•   Is open about how it stores and processes members’ data;

•   Protects itself from the risks of a data breach.

General guidelines for Committee Members and Group Leaders

•   The only people able to access data covered by this Policy should be those who need to communicate with, or provide a service to, the Andover U3A members;

•   The Andover U3A should provide induction training to Committee Members and Group Leaders to help them understand their responsibilities when handling data;

•   Committee Members and Group Leaders should keep all data secure, by taking sensible precautions and following the guidelines in the Secure Processing section of this document;

•   Data should not be shared outside the Andover U3A unless with prior consent or there is a legal obligation;

•   Member information should be refreshed periodically to ensure accuracy, via the membership renewal process or when policy is changed;

•   Additional support should be requested from the Third Age Trust where uncertainties or incidents regarding data protection arise.

Data Protection Principles

The General Data Protection Regulation identifies key data protection principles:

Principle 1   Personal data shall be processed lawfully, fairly and in a transparent manner;

Principle 2   Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

Principle 3   The collection of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

Principle 4   Personal data held should be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

Principle 5   Personal data, kept in a form which permits identification of data subjects, must be kept for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;

Principle 6   Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Lawful, fair and transparent data processing

The Andover U3A requests personal information from potential members for membership applications, and from members for subscription renewals. This information is used for sending communications to those members and potential members about activities in the Andover U3A. The forms used to request personal information contain a privacy statement informing both potential members and members as to why the information is being requested and what the information will be used for.

The lawful basis for obtaining and processing member information is Contract, as defined in the GDPR^[1]: this is due to the contractual relationship that the Andover U3A has with individual members. In addition members will be asked to provide consent for specific processing purposes.

Andover U3A members will be told who they need to contact should they wish to change their data holding and processing consents. Where these requests are received they will be acted upon promptly and the member will be informed when action has been taken.

Processed for specified, explicit and legitimate purposes

Members will be informed as to how their information will be used and the Committee of the Andover U3A will seek to ensure that member information is not used inappropriately. Appropriate use of information provided by members will include:

•   Communicating with members about the Andover U3A events and activities;

•   Group Leaders communicating with group members about specific group activities;

•   Adding members’ details to the direct mailing information for the Third Age Trust magazines – Third Age Matters and Sources – where consent for this has been given;

•   Sending members information about Third Age Trust events and activities;

•   Communicating with members about their membership and/or renewal of their membership;

•   Communicating with members about specific issues that may have arisen during the course of their membership.

The Andover U3A will ensure that Group Leaders are made aware of what would be considered appropriate and inappropriate communication. Inappropriate communication would include sending Andover U3A members marketing and/or promotional materials from external service providers.

The Andover U3A will ensure that members' information is managed in such a way as to not infringe an individual member’s rights, as defined in the GDPR, which include:

•   The right to be informed

•   The right of access

•   The right to rectification

•   The right to erasure

•   The right to restrict processing

•   The right to data portability

•   The right to object

Adequate, relevant and limited data processing

Members of the Andover U3A will only be asked to provide information that is relevant for membership purposes. This will include:

•   Name

•   Postal address

•   Email address

•   Telephone number

•   Gift Aid entitlement

Where additional information may be required, this will be obtained with the consent of the member, who will be informed as to why this information is required and the purpose that it will be used for.

Where the Andover U3A organises a trip or activity for which emergency contact information is provided, the member will be responsible for obtaining consent from the identified emergency contact.

Ad hoc financial data may be obtained, with the consent of the member, in order to reimburse expenses incurred by that member in relation to an Andover U3A trip or activity.

Any such additional information or financial data will be deleted once the trip or activity is complete.

Photographs

Where group photographs are being taken members will be asked to step out of shot if they do not wish to be in the photograph. Consent will be obtained from members in order for photographs to be displayed. Should a member wish at any time to remove their consent and to have their photograph removed, they should contact the relevant Group Leader to advise that they no longer wish their photograph to be displayed.

Accuracy of data and keeping data up-to-date

The Andover U3A has a responsibility to ensure members' information is kept up to date. Members will be requested to let the Membership Secretary know if any of their personal information changes.

In addition, on an annual basis, the membership renewal process will provide an opportunity for members to inform the Andover U3A as to any changes in their personal information.

Accountability and Governance

The Andover U3A Committee are responsible for ensuring that the Andover U3A remains compliant with data protection requirements and evidencing this. Where consent is required for specific purposes then evidence of this consent (either electronic or paper) will be obtained and retained securely, and will be disposed of when no longer required.

The Andover U3A Committee will ensure that new members joining the Committee receive an induction into the requirements of GDPR and the implications for their role.

The Andover U3A will also ensure that Group Leaders are made aware of their own individual responsibilities in relation to the data they hold and process.

Committee Members will also stay up to date with guidance and practice within the U3A movement and will seek additional input from the Third Age Trust National Office should any uncertainties arise.

The Committee will review data protection and access to information on a regular basis as well as reviewing what data is held. When Committee Members and Group Leaders relinquish their roles, they will be asked to pass on data to those who need it and delete all copies of the data they hold.

Secure Processing

The Andover U3A Committee Members have a responsibility to ensure that data is both securely held and processed. This will include:

•   Committee Members and Group Leaders using strong passwords to prevent unauthorised access to laptops, PCs and other devices that contain personal information;

•   Committee Members and Group Leaders not sharing passwords;

•   Restricting access to membership information to those on the Committee who need to communicate with members on a regular basis;

•   Using password protection when transferring data between Committee Members or when transferring data to Group Leaders.

Subject Access Request

Andover U3A members are entitled to request access to their personal information that is held by the Andover U3A. The request should be submitted in writing to the Membership Secretary of the Andover U3A. If the data is required electronically, this should be stated in the request.

On receipt of the request, that request will be formally acknowledged and dealt with within 30 days unless there are exceptional circumstances or legal reasons as to why the request cannot be granted.

The Andover U3A will provide a written response, detailing all information held on the member. The data will be provided in electronic format if this requirement was included in the original request. A record will be kept of the date of the request and of the response.

Data Breach Notification

If a data breach occurs, action will be taken to minimise the harm. This will include ensuring that all Andover U3A Committee Members are made aware that a breach has taken place and how the breach occurred. The Committee will then seek to rectify the cause of the breach as soon as possible to prevent any further breaches.

The Chair of the Andover U3A will notify the U3A National Office within 24 hours of becoming aware of it. A discussion will take place between the Chair and the U3A National Office as to the seriousness of the breach, action to be taken and, where necessary, the Information Commissioner's Office will be notified. The Committee will also contact the relevant Andover U3A members to inform them of the data breach and actions taken to resolve the breach.

Where an Andover U3A member feels that there has been a breach by the Andover U3A, that Andover U3A member should inform a member of the Andover U3A Committee. The Committee Member will ask the Andover U3A member to provide an outline of the breach. If the initial contact is by telephone, the Committee Member will ask the Andover U3A member to follow this up with an email or a letter detailing their concern.

Breach matters will be subject to a full investigation, records will be kept and all those involved notified of the outcome.

Policy Review Date

Annually, with details of changes to be included in the Spring Newsletter; details of major changes to be included in the Agenda for the AGM.

Footnote

1 EU GDPR Article 6(1)(b): “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”

---

Andover U3A Data Flow Diagram

v1.1 dated 21 November 2019

The following diagram is a pictorial representation of data flows and processing within the Andover U3A.