Copyright Hatfield Local History Society. March 2016
Hatfield Local History Society Data Protection Policy (effective 25 May 2018)
Version 1.0 (25 May 2018)
The General Data Protection Regulation (GDPR) is an EU Regulation that became enforceable in the UK on 25 May 2018. It affects the ways in which organisations process “personal data”, meaning any information relating to an identified or identifiable living individual. The Information Commissioner’s Office (ICO) has powers to fine organisations in breach of the regulation. For full details of the regulation, see the ICO website (www.ico.org.uk).
This document describes how Hatfield Local History Society (HLHS) complies with the GDPR.
In order to function, HLHS collects, records and uses the contact details of its members. It also receives personal data from members of the public via contact forms on the HLHS website. The only purposes for which the data is used are:
• communication with members (announcements and reminders)
• administration (membership status, attendance at HLHS events)
• responding to website contact forms (e.g. book purchase requests).
The data held about each member of HLHS comprises:
• Home & mobile telephone numbers
• Email address
• Membership status.
The data held about members of the public who submit a website contact form comprises:
• Address (optional)
• Email address
• Enquiry information.
Sensitive personal data
The “controller” under the terms of the GDPR is HLHS. In practice, it is the members of the HLHS committee who collect, manage and control the membership data.
Lawful basis for processing
HLHS’s lawful basis for holding personal data is “Legitimate Interests”.
ICO guidance describes “legitimate interests” as applicable where an organisation uses people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
HLHS members provide a positive “opt in” for their data to be used. This is via the new-
A positive “opt in” is also included on each of the contact forms on the HLHS website.
The Six Principles of Data Protection
The GDPR requires that personal data shall be:
• processed lawfully, fairly and in a transparent manner
• collected for specified, explicit and legitimate purposes only
• adequate, relevant and limited to what is necessary
• accurate and up to date
• kept for no longer than is necessary, other than for archiving purposes
• secured from unauthorised or unlawful processing and against accidental loss, destruction or damage.
Communicating with HLHS members
The HLHS committee communicates with members by post, email or telephone. This is to inform members of forthcoming events and to issue reminders. When emailing several members at once, individual email addresses are hidden from the other recipients by use of “blind copy” (Bcc) or “mail merge”, so that no member’s address is disclosed to another.
Communicating with members of the public
Each website contact form received (e.g. book purchase request) is responded to by post, email or telephone using the contact details provided.
Collecting the data
HLHS collects personal data by the following means:
• new member application forms
• annual membership renewal forms
• event application forms (e.g. coach trips)
• event attendance forms (e.g. attendance at talks)
• contact forms on the HLHS website.
Membership data is held in an Excel spreadsheet on a committee member’s home computer. Forms are delivered to members on paper or as email attachments. Members may return the attachments with their personal data filled in. These emails are unencrypted. However, on receipt, they are only held in the secure mailboxes of relevant committee members. This is also true for contact forms submitted via the HLHS website.
Committee members use a variety of computing devices. Mobile devices such as laptops and tablets shall only be used if they have been set up with a login password. For fixed devices (e.g. desk computers in the home), this requirement is optional. Personal data stored on secure home devices need not be additionally encrypted except where emailed.
The membership spreadsheet contains data on members for the current year. Membership data from previous years is also retained for archiving purposes. Forms completed by members may also be retained for archiving purposes.
The GDPR includes a number of rights for individuals. Those relevant to HLHS are:
• the right to be informed
• the right of access
• the right to rectification
• the right to erasure.
As described under “Consent” above, HLHS members provide a positive “opt in” for their data to be used. Alongside a tick-
Please confirm by ticking the box that you permit Hatfield Local History Society to hold your personal data. The data will be used solely for the legitimate interests of the society, namely for announcements, reminders and administration. It will not be shared with any other organisation.
Similar wording is provided at the foot of each contact form on the HLHS website:
Please confirm by ticking the box that you permit Hatfield Local History Society to hold your personal data. The data will be used solely for the legitimate interests of the society in order to deal with your enquiry. It will not be shared with any other organisation.
Subject Access Request (SAR)
Under the GDPR, individuals have the right to know what data an organisation is holding about them. A subject access request (SAR) is simply a written request made by the individual concerned and sent to the relevant member or members of the HLHS committee. The request does not have to be in any particular form. SARs must be processed free of charge and within one month of receipt.
Only adults may join the HLHS. HLHS does not hold any data about children. Children who attend individual events may only do so if accompanied at all times by a parent or guardian.
In the event of a personal data breach, the GDPR requires the ICO to be notified (within 72 hours of becoming aware of the breach) where the breach is likely to result in a risk to the rights and freedoms of individuals, and the affected individuals to be notified where that risk is high, leading, for example, to discrimination, damage to reputation, financial loss and so on.
HLHS expects this threshold rarely to be met, since it stores only basic contact details; any breach should nevertheless be assessed against it and a record of the incident kept.
Data Protection Impact Assessment (DPIA)
The ICO recommends that organisations should conduct a DPIA at the start of each new project where personal data is involved. For HLHS in practice, a DPIA was carried out in order to produce this Data Protection Policy. The results of the DPIA are given in the sections above.
Should HLHS decide to hold additional personal data or use the existing data in additional ways, then a new DPIA would be required.