The General Data Protection Regulations (GDPR) require organisations holding identifiable personal data to comply with a number of principles to protect individuals. The main relevant points are:
- Data must be collected for fair and lawful processing. The purpose of the data collection must be identified and the data must not be used for other purposes
- The holder must ensure privacy of personal data, and take measures to ensure no unauthorised processing can take place (for example, by passing it on to others)
- The data must be adequate for the purpose, accurate, limited to the data necessary for the stated purposes, and kept only as long as it is relevant for this purpose
In our context, individuals must consent to the data being held and must be aware of the purposes for which they are held. They must also understand how to withdraw consent. It is also a requirement of the GDPR that organisations holding personal data have an identifiable data protection policy.
This policy describes
- The personal data held by the Committee
- The purpose of the data and how they will be used
- The control and security measures taken to ensure compliance with data protection principles
The Committee holds the following personal data: contact details for communication with residents of the area; financial records required for audit and accounting purposes; and details relating to individuals who hire the hall or use its facilities.
Confidentiality
It is an important policy of the committee that no personal or contact details, however obtained, are passed on to others outside the committee without the explicit consent of the individuals concerned at the time. Committee members asked by a resident about contacting another individual for a legitimate reason should pass on the request and gain consent before any personal details are shared.
When sending an email to multiple people Committee members must use the bcc (blind copy) field to maintain confidentiality of email addresses.
Communication Data
The Committee holds limited personal data for the purposes of communicating information that may be of interest to or may affect residents of the area. In some cases, communications may include news about fundraising events or activities (such as lotteries) run by the Committee or other local organisations. The Committee may occasionally use the contact details for direct fundraising appeals.
In most cases only personal email addresses are held, but telephone numbers and house addresses may also be retained for contact purposes.
Individuals must explicitly request to be included on this contact list, giving consent for their data to be used for this purpose. In each communication, individuals should be informed of how to remove their consent.
Finance Data
The Committee holds information about named individuals who have made donations or payments to the hall. The data is held by the treasurer for the purpose of providing an audit trail for the accounts, and includes the date and amount received, payment method and, in some cases if required, contact details.
Further details of cheque payments are retained for a period to provide details in the event of a complication with the payment (e.g. as evidence of payment received or cheques lost).
Finance data is made available to members of the committee as appropriate and is made available to the independent examiner of the accounts for audit purposes.
Names of individuals donating to the hall must not be made public without the specific consent of the individual on each occasion.
Data Relating to Users of the Hall Facilities
Individuals using hall facilities must complete forms confirming acceptance of the terms and conditions of use. These include contact details as required to facilitate the booking. These forms are retained securely by the booking clerk and data required for processing payments is passed on to the treasurer and incorporated into the finance data described above.
Booking forms are retained for as long as necessary to provide evidence in the event of future issues arising from the use of the hall, for example for insurance purposes.