u3a

Stevenage

DATA PROTECTION AND PRIVACY POLICY

 

STEVENAGE U3A

Registered Charity Number 801069

2. Policy 

2.1  Scope of the policy 

This policy applies to the work of Stevenage u3a. The policy sets out the requirements that Stevenage u3a has to collect and process information for membership purposes. The policy details how personal information will be collected, stored and managed in line with data protection principles and the General Data Protection Regulation. The policy is reviewed on an ongoing basis by Stevenage u3a committee members to ensure that Stevenage u3a remains compliant. This policy should be read in tandem with Stevenage u3a's Privacy Policy. 

2.2  Why this policy exists 

This data protection policy ensures Stevenage u3a: 

  • Complies with data protection law and follows good practice  
  • Protects the rights of members 
  • Is open about how it stores and processes members’ data 
  • Protects itself from the risks of a data breach 

2.3  General guidelines for committee members and group leaders 

  • The only people able to access data covered by this policy should be those who need to communicate with or provide a service to Stevenageu3a members. 
  • Committee Members and group convenors should keep all data secure, by taking sensible precautions and following the guidelines below. 
  • Strong passwords must be used, and they should never be shared. 
  • Data should not be shared outside of the u3a unless with prior consent and/or for specific and agreed reasons. Examples would include Gift Aid information provided to HMRC or information provided to the distribution company for the Trust publications. 
  • Member information should be refreshed to ensure accuracy, via the membership renewal process or when policy is changed. 
  • Additional support will be available from the Third Age Trust where uncertainties or incidents regarding data protection arise. 

2.4  Data protection principles 

The General Data Protection Regulation identifies key data protection principles: 

  • Principle 1 - Personal data shall be processed lawfully, fairly and in a transparent manner  
  • Principle 2 - Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes. 
  • Principle 3 - The collection of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; 
  • Principle 4 – Personal data held should be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;  
  • Principle 5 – Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for the which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest , scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;  
  • Principle 6 - Personal data must be processed in accordance a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.  

2.5  Lawful, fair and transparent data processing 

Stevenage u3a requests personal information from potential members and members for membership applications and for sending communications regarding members’ involvement with the u3a. Members will be informed as to why the  information is being requested and what the information will be used for. The lawful basis for obtaining member information is due to the legitimate interest relationship that the u3a has with individual members. In addition, members will be asked to provide consent for specific processing purposes such as the taking of photographs.

Stevenage u3a members will be informed they need to contact the Membership Secretary should they wish for their data not to be used for specific purposes for which they have provided consent. Where these requests are received, they will be acted upon promptly and the member will be informed as to when the action has been taken

2.6  Processed for specified, explicit and legitimate purposes  

Members will be informed as to how their information will be used and the Committee of Stevenage u3a will seek to ensure that member information is not used inappropriately. Appropriate use of information provided by members will include: 

  • Communicating with members about Stevenage u3a events and activities 
  • Group leaders communicating with group members about specific group activities 
  • Member information will be provided to the distribution company that sends out the Trust publication – Third Age Matters. Members will be informed and have a choice as to whether or not they wish to receive the publication. 
  • Sending members information about Third Age Trust events and activities 
  • Communicating with members about their membership and/or renewal of their membership 
  • Communicating with members about specific issues that may have arisen during the course of their membership 

Stevenage u3a will ensure that members' information is managed in such a way as to not infringe an individual members rights which include: 

  • The right to be informed  
  • The right of access  
  • The right to rectification  
  • The right to erasure  
  • The right to restrict processing  
  • The right to data portability  
  • The right to object  

2.7  Adequate, Relevant and Limited Data Processing

Members of Stevenage u3a will only be asked to provide information that is relevant for membership purposes. This will include: 

  • Name 
  • Postal address 
  • Email address 
  • Telephone number 
  • Gift Aid entitlement 
  • Magazine Wishes
  • Date Joined

Where additional information may be required such as health related information this will be obtained with the consent of the member who will be informed as to why this information is required and the purpose that it will be used for. 

2.8  Photographs 

Photographs are classified as personal data. Where group photographs are being taken members will be asked to step out of shot if they don’t wish to be in the photograph. Otherwise consent will be obtained from members in order for photographs to be taken and members will be informed as to where photographs will be displayed. Should a member wish at any time to remove their consent and to have their photograph removed then they should contact their Group Leader to advise that they no longer wish their photograph to be displayed.  

2.9  Accuracy of data and keeping data up-to-date 

Stevenage u3a has a responsibility to ensure members' information is kept up to date. Members will be asked to let the membership secretary know if any of their personal information changes. In addition, on an annual basis, the membership renewal process will provide an opportunity for members to inform Stevenage u3a as to any changes in their personal information. 

2.10 Accountability and governance 

Stevenage u3a are responsible for ensuring that the u3a remains compliant with data protection requirements and can evidence that it has. Where consent is required for specific purposes then evidence of this consent (either electronic or paper) will be obtained and retained securely. Stevenage u3a will ensure that new members joining the Committee receive an induction into the requirements of GDPR

and the implications for their role. Stevenage u3a will also ensure that group leaders are made aware of their responsibilities in relation to the data they hold and process. Committee Members will stay up to date with guidance and practice within the u3a movement and will seek advice from the Third Age Trust National Office should any uncertainties arise. Stevenage u3aCommittee will review data protection requirements on an ongoing basis as well as reviewing who has access to date and how data is stored and deleted. When Committee Members and Group leaders relinquish their roles, they will be asked to either pass on data to those who need it and/or delete data.  

2.11 Secure Processing 

Stevenage Committee Members have a responsibility to ensure that data is both securely held and processed. This will include: 

  • Committee members using strong passwords 
  • Committee members not sharing passwords 
  • Restricting access of sharing member information to those on the Committee who need to communicate with members on a regular basis 
  • Using password protection on laptops and PCs that contain personal information 
  • Using password protection, a membership database or secure cloud systems when sharing data between committee members and/or group leaders 

2.12  Subject Access Request 

U3a members are entitled to request access to the information that is held by Stevenage u3a. The request needs to be received in the form of a written request to the Membership Secretary . On receipt of the request, the request will be formally acknowledged and dealt with expediently (the legislation requires that information should generally be provided within one month) unless there are exceptional circumstances as to why the request cannot be granted. Stevenage u3a will provide a written response detailing all information held on the member. A record shall be kept of the date of the request and the date of the response. 

2.13  Data Breach Notification 

Were a data breach to occur action will be taken to minimise the harm. This will include ensuring that all Stevenage u3a Committee Members are made aware that a breach has taken place and how the breach occurred. The Committee shall then seek to rectify the cause of the breach as soon as possible to prevent any further breaches. The Chair of Stevenage u3a will contact National Office as soon as possible after the breach has occurred to notify of the breach. A discussion will take place between the Chair and National Office as to the seriousness of the breach,

action to be taken and, where necessary, the Information Commissioner's Office would be notified. The Committee shall also contact the relevant u3a members to inform them of the data breach and actions taken to resolve the breach.  

Where a u3a member feels that there has been a breach by the u3a, a committee member will ask the member to provide an outline of the breach. If the initial contact is by telephone, the committee member will ask the u3a member to follow this up with an email or a letter detailing their concern. The alleged breach will then be investigated by members of the committee who are not in any way implicated in the breach. Where the committee needs support or if the breach is serious, they should notify National Office. The u3a member should also be informed that they can report their concerns to National Office if they don't feel satisfied with the response from the u3a. Breach matters will be subject to a full investigation, records will be kept and all those involved notified of the outcome. 

DATA PROTECTION POLICYAMENDMENTSSIGNED BY TRUSTEES ONFOR REVIEW ON
Version 1  New policy19,4,18 
Version 2Data collected changed17.5.21 
Version 3Re-Write based on new guidelines3.11.253.11.26

PRIVACY POLICY

STEVENAGE U3A

REGISTERED CHARITY  NUMBER 801069

Privacy

Stevenage u3a treats your privacy rights seriously. This Privacy Policy sets out the basis on which we collect and use personal data about you.

In relation to the u3a website, the policy applies to both the members of the u3a and visitors to the site.

  • Personal Data

In this Privacy Policy, where we use the words personal data we use these words to describe information that is about you and which identifies you.

IN THIS PRIVACY POLICY:

The word Trust means The Third Age Trust (Charity number 288007). The word TATTL means Third Age Trust Trading Limited (company number 11899419.

The Beacon System means the membership data system operated by TATTL.

This Policy describes:

  • who is responsible for the personal data that we collect about you;
  • the personal data we collect about you;
  • how we will use it;
  • who we may disclose it to; and
  • Your rights and choices in relation to your personal data
  • All policies are published on the Web site and are available to view in the black book at the weekly open meetings.

 This is to make sure you have a full picture of how we collect and use your personal data.

Who is responsible for the personal data that we collect?

We are the data controller for the purposes of data protection law, in respect of your personal data collected and used by us.

How do we use the personal data we collect about you?

Purposes

We use your personal data for a variety of different purposes during the course of us providing services to you. The purposes for which we use your personal data are set out below.  Under data protection law, we can only use your personal data if we have a legal basis to do so. Examples of where we have a legal basis to process your personal data, includes when:

•      we have your consent;

•      it is necessary to enter into or perform a contract we have with you (or to take steps at your request prior to entering into that contract);

•      it is necessary to comply with a legal obligation; or

•      it is in our legitimate interests to process your personal data.

Legal Basis

We have set out our reasons for using your personal data in the table below under the heading Legal Basis. Where we rely on our legitimate interests, we have set out those interests in the table below.

PurposeLegal Bases
To set up and manage your membershipContract Legitimate interests
To manage membership information on the Beacon systemContract Legitimate interests
To administer, plan and manage our U3ALegitimate interests
To monitor, develop and improve the provision of our U3A activityLegitimate interests
To communicate with you about our U3A products, services, activities and eventsContract Legitimate interests
To communicate with you about Trust products, services, activities and eventsContract Legitimate interests
To deliver Trust publications including Third Age MattersContract Legitimate interests
To comply with any legal or regulatory obligations (including in connection with a court orderLegal obligation
To enforce or apply the agreements concerning you (including agreements between you and us).Contract Legitimate interests
To manage any issues, complaints, feedback and enquiries.Consent Contract Legitimate interests
To manage Gift aidConsent

Automated processing

We do not use your personal data to make any automated decisions that might affect you.

Who may we disclose your Personal data to?

 We may share your personal data with:

the Third Age Trust and

Third Age Trust Trading Limited and

 our service providers and business partners.

We may also disclose your personal data to other third parties, for example:

if we or substantially all of our assets are acquired by a third party (or are subject to a reorganisation within our corporate group), personal data held by us will be one of the transferred assets; and

if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our the agreements concerning you (including agreements between you and us).

Where will we transfer your personal data?

If we transfer personal data outside the UK or the European Economic Area (EEA), we will implement appropriate and suitable safeguards to ensure that such personal data will be protected as required by applicable data protection law.

How long will we keep your personal data?

 Retention periods

We will keep your personal data for different periods depending on the nature of the information, the purpose for which it was collected, any legal obligation and/or business reason to retain.

 Extensions

Please note that the above retention period may be extended where we need to preserve and use personal data for the purposes of bringing or defending a legal

claim.  In such cases, we will continue to hold and process your personal data for as long as is necessary to deal with the legal proceedings.

Your rights

You have certain rights with respect to your personal data.  The rights will only apply in certain circumstances and are subject to certain exemptions.  Please see the table below for a summary of your rights.

Details of who to contact to exercise these rights can be found in paragraph below. 


 		Summary of your rights
Right of access to your personal dataYou have the right to receive a copy of your personal data that we hold about you and information about how we use it, subject to certain exemptions. 
Right to rectify your personal dataYou have the right to ask us to correct your personal data that we hold where it is incorrect or incomplete. To ensure the information we hold is accurate and up to date, member's need to inform the U3A as to any changes to their personal information. You can do this by contacting the membership Secretary. On an annual basis you will have the opportunity to update your information, as required, via the membership renewal process. Should you wish to view the information that the U3A holds on you, you can make this request by contacting the membership secretary. There may be certain circumstances where we are not able to comply with this request. This would include where the information may contain references to other individuals or for legal, investigative or security reasons. Otherwise we will usually respond within one month of the request being made.
Right to erasure of your personal dataYou have the right to ask that your personal data be deleted in certain circumstances.  For example: where your personal data is no longer necessary in relation to the purposes for which it was collected or otherwise used.if you withdraw your consent and there is no other legal ground for which we rely on for the continued use of your personal data; riif you object to the use of your personal data (as set out below); if we have used your personal data unlawfully; orif your personal data needs to be erased to comply with a legal obligation.
Right to restrict the use of your personal dataYou have the right to suspend our use of your personal data in certain circumstances.  For example: where you think your personal data is inaccurate but only for so long as is required for us to verify the accuracy of your personal data; the use of your personal data is unlawful and you oppose the erasure of your personal data and request that it is suspended instead; we no longer need your personal data, but your personal data is required by you for the establishment, exercise or defence of legal claims; or you have objected to the use of your personal data and we are verifying whether our grounds for the use of your personal data override your objection.
Right to data portabilityYou have the right to obtain your personal data in a structured, commonly used and machine-readable format and for it to be transferred to another organisation, where it is technically feasible. The right only applies: to personal data you provided to us;where we rely on the following legal bases:consent; or for the performance of a contract; and when the use of your personal data is carried out by automated (i.e. electronic) means.
Right to object to the use of your personal dataYou have the right to object to the use of your personal data in certain circumstances and subject to certain exemptions. For example: where you have grounds relating to your particular situation and we use your personal data for our legitimate interests (or those of a third party);    if you object to the use of your personal data for direct marketing purposes; and   where we use your personal data to take a decision which is based solely on automated processing where that decision produces a legal effect or otherwise significantly affects you.
Right to withdraw consentYou have the right to withdraw your consent at any time where we rely on consent to use your personal data.
Right to complain to the relevant data protection authorityYou have the right to complain to the relevant data protection authority, which is in the case of us, the Information Commissioner's Office (ICO), where you think we have not used your personal data in accordance with data protection law. The ICO's contact details are: Information Commissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
  •  

Third party links

Our Website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for how they handle your personal data. When you leave our Website, we encourage you to read the privacy notice of every website you visit.

 Changes to our privacy policy

This Privacy Policy is available on Stevenage u3a website or for viewing in the black book available at the weekly open meetings

 Queries regarding this policy or use of data

If you have any questions regarding this Privacy Policy or the way we use your personal data, please contact us through your group leader or via the web site.

PRIVACY POLICYAMENDMENTSSIGNED BY TRUSTEES ONFOR REVIEW ON
Version 1  New policy19.4.18 
Version 2Data principals corrected.  Data collected changed17.5.21 
VersionRe-write based on new guidelines3.11.253.11.26

.Policies and Links