Basic GDPR Requirements.
The club interprets the requirements of the GDPR as follows:
(note – in GDPR terminology the word ‘process’ refers to the collection, storage and use or handling of personal data).
• The processing of personal data must be lawful, transparent and fair.
• Data can be collected only for specified and legitimate purposes, and must not be processed for any additional purposes beyond those originally stated.
• The data collected must be the minimum necessary for the purpose stated.
• The data must be accurate and up-to-date.
• Data must be held only for as long as is required for the stated purpose(s).
• Data must be held securely and not passed to any agencies outside of those originally stated. When no longer required, the data must be disposed of securely.
Data collected by the club.
The club collects the contact details, ie names, postal addresses, email addresses and telephone numbers (landline and/or mobile) of its members and prospective members. Members are asked to provide this information when joining BAW, or if their address information changes.
Ways in which the data is held.
Each committee member is issued with a printed register of all of this data.
Additionally, the committee member responsible for email distribution of the club’s newsletter and other membership-wide information will hold the name and email address data on a USB stick. This data is used to generate the email mailing lists.
In the normal course of events, some members’ data may also be held on some committee members’ personal computing devices.
Club members who run group activities, eg the portrait group, may create and maintain attendance and payment status registers, and mailing lists for the signed-up members of the particular group.
Use to which the data is put.
The data gathered and held as described above will be used only for the purposes of communicating with club members, eg newsletters and details of specific events, and managing the finances of the club, including the creation of registers of payment of subscriptions and payment for participation in specific club activities.
Integrity and confidentiality (security)
The data is held and handled securely in such ways that loss or theft of the data into the public domain is prevented as far as is reasonably possible.
In normal operation of the club, personal data held on any member will not be passed to third parties beyond the previously mentioned officers of the committee or organisers of activities. If in the course of organising some external event, eg an exhibition, it becomes necessary to pass contact details of a member or members to an outside agency, then permission must be obtained from the member(s) concerned before their personal data is released.
The only exception to this is in the case of a legal instruction to the club.
The data held on each member will be the minimum necessary for the club to carry out its functions of contacting, informing and reporting to the club members, and of administering the operations, activities and finances of the club.
Lawfulness, fairness and transparency.
The extent of the data held, the purposes for which it is held, and who it may be passed to (usually various officers of the committee) will be made clear to the members. Each member’s agreement to the club’s holding and use of that data must be obtained, either when they join the club or when they renew their subscriptions.
Each club member has the right to request and be given a copy of the data which the club holds on him or her, and has the right to have it corrected if necessary. It is the responsibility of club members to provide accurate information.
Data will only be held when it is necessary to do so, and for as long as it is necessary to do so. If some change in the club’s constitution or operation makes the holding of some forms of data no longer necessary, that redundant data will be securely deleted. Also, when someone ceases to be a member of the club, personal data held on that person will be securely deleted.
The usual period that the club holds data is for fourteen months following the AGM at which a member does not renew membership. Data will be deleted promptly if the club is so requested by a leaving member.
The GDPR allows for long-term archiving, and the club maintains an archive of the names only of former members, and the years in which they were members.
Protections for non-members of the club.
When someone outside the club makes contact, and provides name, address and any other personal information, this data will be treated in accordance with GDPR principles. The data will be held securely, will not be passed to any third party without the express permission of the person whose data is held, will only be used for the purposes for which it was supplied, and will be deleted when no longer required.
The ‘A4 Folder’.
Members are invited to submit an A4 sheet describing their (artistic) interests and abilities, and these are held in a folder which may be made available for other members to view, or made available for public view at exhibitions and craft fairs. Any member may request the removal or updating of their A4 sheet at any time.
The following guidance applies principally to club committee members, but also to any club member who is organising an activity and therefore has a need to contact all or several club members via a common communication, eg email.
Members and new members will be asked to supply their names, postal addresses, email addresses and ‘phone numbers (landline and mobile). They will be asked to confirm that this information can be shared among the committee, and will be informed how it will be stored, and the time limit for disposal should they cease to be a member of the club.
Personal data may be held on sheets of paper, memory sticks, and (committee) members’ laptops, computers or tablets.
If the data is held on paper, then the holder must take all reasonable steps to keep it private and secure, for example by keeping it in a drawer or cupboard, locked if possible, when not in use. Transporting the data by public transport requires extra care (ie not to leave it on the bus!). When the data is no longer required, it should be shredded or burnt.
If the data is held on a memory stick, then ideally the stick should be encrypted. If this is not possible, then it should be kept in a drawer or cupboard, locked if possible, when not in use. When the data is no longer required, it should be deleted from the memory stick and overwritten if possible.
If the data is held on a computing device, then (a) access to that device should be by password or PIN, or fingerprint or facial recognition, and (b) the device should be protected by up-to-date security software. When the data is no longer required, it should be deleted from the computer, and if a ‘recycling bin’ is provided, this should be emptied after deletion of the data.
When sending out, for example, programme or other club information to members by email, the people emailing out the information should be encouraged to ‘bcc’ (blind carbon copy) all recipients; otherwise all recipients will immediately see all other recipients’ email addresses, which would be a breach of privacy. This does not apply for small groups (eg the club’s committee) provided all recipients already know each other’s email addresses.
All of the club’s publications, eg newsletter and other notices, should take care not to reveal members’ personal data (eg telephone number, email address). If it is felt necessary to do so, the member or officer concerned must give his or her explicit permission before this can be done.
When communicating with non-members of the club, for example someone enquiring about future membership, or some other enquiry, any personal data that the person supplies should be held securely, not shared without permission, must only be used for the purposes for which it was supplied, and deleted when no longer required.
The Club’s Web Site.
It is implicit that anyone making contact via the web site gives permission for their email address to be used by officers of the club, to contact them.
Name, address and any other personal information supplied by a visitor to the web site must be treated as personal data in accordance with GDPR principles. The data must be held securely, must not be passed to any third party without the express permission of the person whose data is held, must only be used for the purposes for which it was supplied, and must be deleted when no longer required.
Appendix 1: Web Site Privacy Notice.
For reference the web site’s Privacy notice is appended below.
BAW Web Site – Privacy Notice
This web site, bawuk.org, is intended to enable members, potential members and visitors to Bexhill Artists Workspace (BAW) to view pictures of recent events, the club’s calendar of events, and photos of members’ art work. BAW does not collect or process any personal information from this web site, except that, if anyone gets in touch via the ‘Contact’ form, their email address is visible to the web site administrator and any relevant officers of the association that the email is forwarded to.
The web site does not give any members’ email addresses, but it does give contact names and telephone numbers for people who are organising specific events, when these contacts are also given in the printed newsletter. It also shows photographs of events and artworks, and sometimes these contain recognisable images of club members and members of the public.
If any person wishes for any contact information, or for any photo showing themselves or their work, to be deleted, then please get in touch with the website administrator using the ‘contact’ form on the web site, and the offending image or information will be deleted.