Data protection policy
The General Data Protection Regulations (GDPR)
The Data Protection Act 2018 came into force on 25th May 2018. This is the UK law which applies the European Union’s General Data Protection Regulation (GDPR). There are rules set out in law which all organisations, including community groups, must follow in order to help protect people’s data and privacy. Therefore, Kidlington Gardening Society (the Society) will have to comply with these regulations.
What data will KGS collect and store?
KGS will collect and store the minimum amount of personal data required to allow it to function as a gardening society. This information will usually be restricted to:
- Name of Member
- Address of Member
- Contact details – telephone, email or other
- Emergency contacts in cases of emergency e.g. Member being taken ill at a meeting, outing or other function organised by the Society
- Date of joining the Society
Consent
Consequently, individual members will be informed about the use and storage of data, procedure for removing information, etc. so they can make an informed decision regarding consent. To use consent as a basis for using data, KGS will keep a clear record of who has given their consent and for what purpose.
Privacy
When KGS collects personal data, or uses someone’s data to contact them, it must be made clear to them why KGS has their data, what KGS is using it for, and what their rights are. This means that KGS must provide them with a privacy notice.
A privacy notice is a piece of written information which tells people why you need or have their data. It should include:
- What the data will be used for
- What legal basis we have for using the data
- How long the data will be kept
- Whether the data will be shared with a third party
- Information that individuals can request to have their data removed
Storing personal data
The Society recognises that personal data must be stored securely.
Computers and the like on which data is stored must be password protected and have up-to-date software to protect them from malware and viruses.
Information stored on paper must be filed securely.
If personal data is stored on the internet (e.g. attached to emails, in Google Drive, in Dropbox, etc.), the service provider should also be compliant with GDPR.
Committee
The members of the Committee regularly communicate with each other on matters pertaining to the organisation of the Society. This is different from contact with the wider membership, but it is still important to protect their (committee members’) privacy and arrangements should be in place to ensure that this is the case. These include that:
- Personal data will not be passed on to other people without specific consent.
- Personal data will not be used for anything other than Society business without specific consent.
- If someone leaves the committee everyone will delete their details, and vice versa, unless specific consent is given to keep them.
- Other people’s contact details will not be put on group publicity without specific consent.
Sharing personal data with third parties
No personal data will be shared with any third parties without the specific consent of the member(s) involved.
Deleting personal data
Personal data will not be kept indefinitely; it must be deleted once the purpose of its collection ceases. Steps will be taken to ensure deleted data cannot be re-accessed in any way.
Also, a person’s data will be deleted when requested by them and, to this end, details of who to contact to facilitate this should be readily available, e.g. on the website, in newsletters, etc. Emails to lists of contacts should end with information on how to unsubscribe from the list.
Members’ right to their personal data
Members have a right to a copy of their personal data held by the Society and what it is being used for. If requested, it must be provided within one month.
When requested, members have the right to have their personal information amended or deleted within one month of a request.
Review
This policy will be reviewed every two years.