DATA PROTECTION POLICY AND PRACTICE
Data Protection Policy
Wokingham U3A holds personal information on its members and is therefore a Data Controller within the meaning of the Data Protection Act 1998. Wokingham U3A is a “not for profit” organisation and as such is not required to register with the Information Commissioner’s Office but is obliged by law to conform to the Data Protection Principles.
In summary, the Data Protection Principles are that personal data shall be processed fairly and lawfully and having been obtained for a specific purpose shall not be further processed in any way which is incompatible with that purpose. The data must be kept up to date and must not be kept for longer than is necessary for that purpose. The number of people holding copies of the data must be kept to an absolute minimum.
Wokingham U3A will conform to the Data Protection Act to the best of its ability and has taken advice from the Third Age Trust on how best to achieve this.
Data Protection Practice
Wokingham U3A holds the minimum personal information on its members essential to the management of the U3A; this includes surname, forename, address, and telephone number (unless withheld). The U3A also holds information such as email address, subscription details and gift aid status.
The information above is held on the “Beacon” system which was developed specifically for U3As to manage their membership. All U3As using Beacon are co-hosted on the same server with comprehensive security arrangements to ensure that the data of each U3A is effectively isolated from that of all others. Beacon implements role-based access controls so users are only given the minimum access required to perform their functions. Users access Beacon via an internet browser using secure (‘https’) connections.
Committee members have access to the Beacon membership system and, in general, this is limited to read-only access. Exceptions to this are (1) the Membership Secretary and/or Committee member(s) responsible for membership operations, (2) the Treasurer, who is responsible for managing the financial information on the system, and (3) the Beacon Administrators, who are responsible for configuring and managing access to the system. Due to the size of Wokingham U3A, in order to reduce the workload on an individual, the membership and treasurer functions may be performed by more than 1 person; where this is the case, all persons performing the function will be given the necessary access to the Beacon system.
In order to perform their function some committee members may download a subset of the data that is provided to Wokingham U3A onto their own private PCs. Examples of such use are the generation of membership renewal letters, communications to New Members and information for the Groups Booklet. Where a committee member is granted the necessary access to download this data, it is a condition that they take reasonable precautions to protect the data and that the data is deleted once it is no longer required.
Wokingham U3A holds data for current members. In addition, records for members that have left Wokingham U3A have to be retained for a further 7 years in order to meet HMRC requirements on Gift Aid reporting. At the end of the 7-year period expired records are deleted.
Wokingham U3A also makes use of secure “cloud” based storage provided by Google. This is used primarily to store monthly backups from the membership system and to archive committee minutes, newsletters and group booklets.
Wokingham U3A members who need information held on the database should apply to one of the authorised holders of a database who will use her/his discretion on whether to provide it or not. For example, confirmation of membership would normally be provided but an address or telephone number might be withheld.
The membership data is used to generate mailing lists for distribution of information to the membership; examples of such communications are renewals information, AGM information and newsletters. Wokingham U3A committee requires that any company contracted to distribute such documents takes suitable precautions to secure the data, does not use the data for any other purpose than to distribute the information, and that the data is erased as soon as it is no longer required. A mailing list is also provided to the Third Age Trust for the mailing of ‘Third Age Matters’. Please refer to the Third Age Trust for information on how this information is used and secured.
Convenors of Groups may also hold information on members of their groups. Convenors should obtain members’ approval for holding such information and must conform to the Data Protection Act 1998.
The Wokingham U3A website holds the name, phone number and email addresses of all the group convenors. Access to this information is restricted to Wokingham U3A members via a username and password mechanism. It is the responsibility of the Wokingham U3A website administrator to ensure this information is up to date.
This policy and guidance was approved by the Committee of Wokingham U3A at its April 2017 meeting.
Pam Hares (Chairman)